Fortress Inbox: The 4 Pillars of Securing Your Email Account

Your email is the “master key” to your digital life. It’s where you receive sign-in codes and password resets for your bank, social media, healthcare portals and even the other email accounts you likely have. If a hacker gets into your email, they can get into almost everything else.

Securing it doesn’t have to be complicated. By implementing these four layers of defense—unique passwords, passkeys, 2FA, and recovery info—you can make your account virtually impossible to breach.

1. The Foundation: A Unique, Strong Password

The most common way hackers break into accounts is “credential stuffing.” This happens when you reuse a password (like Fido123!) on an insecure website that gets hacked. Attackers then take that email/password combo and try it on major services like Gmail, Yahoo, Outlook, Amazon and PayPal.

The Rule: Your email password must be unique. It should never be used anywhere else.

  • How to do it: Stop relying on your memory. Use a password manager (the built-in managers in Apple/Google/Microsoft devices or browsers, or a third-party multi-platform password manager). These tools generate long, complex, random passwords (e.g., Xy9#mP2$LqNr5z!) and remember them for you.
  • Alternative: If you must memorize it or write it down, use a password system, or a passphrase of random words (e.g., Correct-Horse-Battery-Staple or 2175-Cherry-Street-Roseville). These are hard for computers to guess but easy for humans to remember.

2. The Upgrade: Create a Passkey

Passkeys are the future of authentication and are significantly more secure than passwords. They are virtually immune to phishing attacks.

  • What is it? A passkey is a digital cryptographic key stored on your device (phone or computer). Unlike a password, which is a “shared secret” you type in, a passkey proves you have your physical device in hand. Once a passkey is created there is nothing to memorize or write down, other than optionally noting where it is stored (which device or browser password manager holds the key).
  • How it works: When you sign in, after entering your username, the website sends a challenge to your device. You simply unlock your phone with your face, fingerprint, or PIN/password to approve the login.
  • Why use it? If a hacker creates a fake login page to trick you, your passkey won’t work on the fake site. It only communicates with the legitimate service, making phishing impossible.

For more information about passkeys, check out “How to use a passkey on your smartphone to sign in on a computer”.
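A toy model of the challenge-and-origin check described above, added here as an example (not code from the article or from any real passkey implementation). HMAC with a per-site device secret stands in for the real public-key signature, the browser derives the site identity from the page it is actually on, and the domain names are constructed:

```python
import hashlib, hmac, json, os

class Authenticator:
    """The user's phone: holds one credential per site it was registered with."""
    def __init__(self):
        self.creds = {}                 # rp_id -> secret that never leaves the device

    def register(self, rp_id):
        self.creds[rp_id] = os.urandom(32)
        return self.creds[rp_id]        # a real passkey hands the server only a public key

    def sign(self, rp_id, challenge, origin):
        key = self.creds.get(rp_id)
        if key is None:                 # no credential for this site: nothing to sign with
            return None
        client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}, sort_keys=True)
        return client_data, hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()

class Server:
    """The email provider: checks the signature, then the challenge and the origin."""
    def __init__(self, rp_id):
        self.rp_id, self.users = rp_id, {}

    def verify(self, user, challenge, assertion):
        if assertion is None:
            return False
        client_data, sig = assertion
        expected = hmac.new(self.users[user], client_data.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False
        data = json.loads(client_data)
        return data["challenge"] == challenge.hex() and data["origin"] == "https://" + self.rp_id

def browser_get_assertion(auth, page_origin, challenge):
    """The browser derives the relying-party id from the page it is actually on."""
    return auth.sign(page_origin.split("://", 1)[1], challenge, page_origin)

def run_scenarios():
    auth, server = Authenticator(), Server("mail.example")   # constructed domain
    server.users["alice"] = auth.register("mail.example")
    # 1. Genuine sign-in on the real site.
    ch = os.urandom(16)
    genuine = server.verify("alice", ch, browser_get_assertion(auth, "https://mail.example", ch))
    # 2. Look-alike site relays the real challenge; the device has no credential for it.
    ch = os.urandom(16)
    phished = server.verify("alice", ch, browser_get_assertion(auth, "https://mail-login.example", ch))
    # 3. Even a signature made with the right key is rejected when the signed origin is wrong.
    ch = os.urandom(16)
    wrong_origin = server.verify("alice", ch, auth.sign("mail.example", ch, "https://mail-login.example"))
    return genuine, phished, wrong_origin   # (True, False, False)
```

Scenario 2 is why a relayed challenge gets the attacker nothing: the look-alike page cannot even ask the device for the real site's credential, and scenario 3 shows the server rejecting the login anyway if the origin in the signed data does not match.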

3. The Gatekeeper: Two-Factor Authentication (2FA)

If a hacker somehow guesses your password, 2FA is the door that stops them. It requires a second form of proof that you are you.

Hierarchy of 2FA Methods (from Good to Best):

  • Good (Email Codes): Better than nothing, but vulnerable if the secondary email account that receives the codes is hacked, and vulnerable to phishing.
  • Good (SMS/Text): Better than nothing, but vulnerable to “SIM swapping” (where a hacker tricks your carrier into transferring your phone number to their SIM card).
  • Better (Authenticator Apps): Apps like Google Authenticator, 2FAS or Apple Passwords generate a code that changes every 30 seconds. These are not linked to your phone number and work offline.
  • Even Better (Device Prompts): This uses a different device that you possess and are already signed in to (e.g., Google Prompt, Apple Trusted Device). It ties the login to your specific physical device and is harder to phish, especially with number matching.
  • Best (Hardware Key): A physical USB device (like a YubiKey) that you plug into your computer or tap on your phone. This is the gold standard used by government officials and high-risk targets.

4. The Safety Net: Up-to-Date Recovery Information

You can have the best security in the world, but it’s useless if you lock yourself out. Recovery information is your “break glass in case of emergency” tool.

  • Audit your recovery email: Ensure the “backup email” listed is one you actually still check. If your backup is an old university or work email you no longer access, you could be permanently locked out.
  • Update your phone number: If you change phone numbers or have a non-mobile phone number, update your email security settings immediately.
  • Download Backup Codes: Most email providers let you generate a set of 10 printable “backup codes.” Do this. Print them out and put them in a fireproof safe. If you lose your phone and can’t use your 2FA app, these codes are the only way back in.

Summary Checklist

  • [ ] Change password: Ensure it is unique and not used on any other site.
  • [ ] Enable 2FA: Set up an authenticator app or a signed-in second device (avoid SMS if possible).
  • [ ] Create a Passkey: Enable this in your account settings for easier, safer logins.
  • [ ] Verify Recovery: Check that your backup email and phone number are current.

The information and instructions above may seem very complex. You’re not alone. In today’s interconnected world, where hackers and scammers can be anywhere and are looking for easy targets, securing your accounts is a high priority. If you need help, we can come to your home to help you secure your email account(s) – and other important accounts too. Contact Computer Techs today!