Not Just Passwords: The 4 Security Steps I Take Now to Keep My Accounts Safe

Written by

Madison Cross, Financial Wellness Expert

Madison writes about money the way people actually live it—with bills, goals, and a million tabs open. She’s worked in financial education for years, helping everyday earners figure out what’s really worth stressing about (and what’s not). Her stories turn financial “shoulds” into clear, doable steps—the kind you might actually enjoy checking off.

Here’s something that’s shifted dramatically in how I think about protecting my finances: it’s not just about having “strong passwords” anymore.

That’s the absolute floor of online security. A starting point, not a strategy.

In the same way that real financial planning goes beyond budgeting apps and savings calculators, real digital protection means understanding the layers that keep your accounts—and your identity—secure in a time when breaches, leaks, and scams are more common than ever.

I’ve worked in financial strategy long enough to know that most people think of security as something for IT professionals, not regular people. But here’s the truth: a single compromised account can unravel years of careful planning. And you don’t have to be careless to get caught off guard.

Over the past few years, I’ve built a simple but powerful personal framework to keep my financial life safe. It’s not overly technical. It doesn’t require a cybersecurity degree. But it does require intention and follow-through.

Why This Matters More Than Ever

There’s a growing disconnect between how much we’re exposed digitally and how casually we protect ourselves. Consider this:

  • A record-breaking 3,205 data breaches were reported in the U.S. in 2023, according to the Identity Theft Resource Center.
  • Financial accounts were involved in over 1 in 3 breach incidents, with credentials often the first point of compromise.
  • Credential-stuffing attacks—where hackers reuse passwords stolen from other sites—are now more common than phishing in targeting financial platforms.

And still, most people use the same email-password combo across multiple accounts.

But it’s not about fear—it’s about foresight. You don’t need to become paranoid to become protected.


Here’s how I do it.

1. Device First, Not Password First

Most people start with password managers (and we’ll get to that), but the real starting point is your device. Because even the strongest password in the world can’t protect you if your phone or laptop is compromised.

So I flipped the order: I now prioritize securing my access points—my devices—before I worry about the logins they manage.

Here’s what that looks like in practice:

I use hardware-based security for unlocking my devices.

  • My phone and laptop use biometric security (fingerprint or facial recognition) and are set to auto-lock after 30 seconds.
  • My laptop requires a passcode and a physical security key (a YubiKey) to unlock after sleep. Yes, it’s a bit more effort. But so is dealing with fraud.

My devices are encrypted and remotely wipeable.

  • Full disk encryption is turned on, which means if someone steals my device, they can’t access my data without the decryption key.
  • I’ve enabled “Find My Device” functionality and remote wipe options through Apple and Google.

I separate my personal and financial digital activity.

  • My browser for banking and financial tools is different from the one I use for general browsing. This reduces cookie-based tracking and phishing exposure.

Why this matters: 93% of successful cyberattacks begin with access to an endpoint device. If your device isn’t secure, neither is anything you access from it.

2. I Use a Password Manager—But I Don’t Stop There

You’ve probably heard this one before: use a password manager. And yes, I do. But most advice stops there. What matters is how you use it.

A password manager is like a vault—it’s only secure if your door (aka your master password and authentication) is locked tightly.

Here’s how I’ve built a password strategy that works:

I use a locally encrypted, zero-knowledge password manager.

This means even the company behind the app can’t access my data. Options like Bitwarden and 1Password offer open-source or audited platforms with end-to-end encryption, not just cloud convenience.

I rotate key financial passwords on a set schedule.

For my investment, banking, and credit-related accounts, I manually rotate passwords every 6 months, even if there’s no known breach. I log the dates in a secure file and stick to it.

I never reuse passwords, period.

Even with throwaway accounts, I use unique logins. Password re-use is the #1 factor in credential-stuffing attacks, where one leak becomes a dozen.

I keep my master password out of the password manager.

It’s stored offline—securely—and known only to me and my spouse. Think of it like the key to the vault. You don’t keep the key inside the vault.

3. I Rely on Hardware-Based 2FA (Not Just SMS Codes)

Two-factor authentication (2FA) has been widely adopted—and that’s a good thing. But not all 2FA is equally secure.

Most people still rely on text message codes, which are vulnerable to SIM swap attacks and phishing. Instead, I’ve moved to more secure 2FA options for anything financial, identity-based, or data-sensitive.

Here’s what I use:

  • Authenticator apps like Authy and Aegis (for Android) that generate codes on the device from a locally stored secret, not in the cloud
  • Hardware security keys (again, like YubiKey), which plug into my device and provide physical verification
  • Push-based authentication with approval prompts (like Duo or Okta), which are safer than SMS

Whenever possible, I disable SMS 2FA entirely—especially for investment platforms, email providers, and cloud storage.

Why I prioritize this:

In 2022 alone, the FBI reported over $72 million lost to SIM swap fraud, a number that’s expected to keep rising. If someone gets access to your phone number, they can intercept your SMS 2FA and gain entry to your accounts.

With a hardware key or local authenticator, that door stays closed—even if your phone number is compromised.

4. I Separate Critical Identities to Minimize the Blast Radius

One of the simplest, most overlooked protective measures I use is account compartmentalization. It’s not a tech solution—it’s a behavior strategy.

Here’s the concept: not all email addresses should have access to all accounts.

I keep three distinct identities:

1. A public email for newsletters, shopping, general logins

This is my “burner inbox.” I expect spam, marketing, and occasional breaches here.

2. A private email used only for financial accounts and identity-based services

This email is never shared publicly, is not linked to social media, and has zero exposure to third-party apps. It’s protected with strong 2FA and hardware keys.

3. A recovery email that exists solely to reset credentials

This account is locked down, used nowhere else, and only accessible via 2FA and encrypted devices.

Why this works: If one identity gets compromised—say, your public Gmail tied to newsletters and food delivery—it won’t lead directly to your investment or retirement accounts.

This separation dramatically reduces your exposure radius in the event of a breach. It’s a quiet but powerful strategy for digital hygiene.

Why I Don’t Rely on Alerts Alone

Many people assume that if something goes wrong, they’ll just get a notification and fix it. But alerts are reactive. By the time you’ve been alerted to fraud, it may be hours—or days—too late.

That’s why everything I’ve outlined above is proactive by design. The goal isn’t to detect damage—it’s to make damage less likely in the first place.

Your Money Anchor

These are the five most impactful security actions I’ve taken—and recommend for anyone serious about protecting their financial life:

  1. Secure the device before the account—enable encryption and strong biometric access.
  2. Use a password manager intentionally—rotate financial logins and keep master keys offline.
  3. Swap SMS 2FA for authenticator apps or hardware-based security.
  4. Separate your digital identities to isolate risk and contain breaches.
  5. Don’t wait for alerts—build a system that prevents them from being needed.

Protect First. Then Grow.

Security doesn’t need to feel technical or tedious. It just needs to feel intentional.

The same way you create an emergency fund or diversify investments to protect against risk, digital safety is about protecting the system that holds your financial life together.

You don’t need to become a cybersecurity expert. You just need to set up a few guardrails that do the heavy lifting for you—so your money stays yours, and your energy stays focused on what really matters.

The best part? Once these systems are in place, they mostly run in the background. Quietly, calmly, and powerfully.

That’s what real financial protection looks like.
