In short: Accounts are rarely lost to a movie-style hacker — they fall to three simple things: a weak or reused password, no second factor, and one careless click on a phishing link. Defense follows the same order: a unique password per service stored in a password manager, two-factor authentication (an authenticator app or hardware key, not SMS), and the habit of checking a site's address before you type. A VPN does not replace your password or 2FA, but it does close one real attack channel — login interception on open or untrusted networks. Here is exactly what to set up, and in what order.
## Why accounts get hacked in the first place
Most break-ins are not hacking in the cinematic sense — they reuse data the user handed over one way or another. Logins and passwords leak in third-party breaches, land in public databases, and are then automatically tried against other sites. If the same password guards your email, a shopping account, and a social network, compromising one service opens all of them.
The second major channel is social engineering. A phishing email or message imitates your bank, a government portal, or support, adds urgency ("your account will be locked within an hour"), and leads to a fake login page. You enter your login, password, and even a one-time code — and all of it flows to the attacker in real time. According to Microsoft, enabling two-factor authentication blocks over 99% of automated attacks that reuse stolen credentials — which is exactly why attackers now hunt separately for one-time codes.
A separate risk is session interception on an untrusted network. On open airport or cafe Wi-Fi, a rogue access point (an "evil twin") can serve fake pages and capture unencrypted traffic. This is where a VPN helps — more on that below, and in our piece on what a VPN protects against.
- Reusing one password across many sites — one breach opens the rest.
- A weak password guessable from a dictionary in seconds.
- Phishing and fake login pages that steal both password and one-time code.
- Third-party database leaks from services where you signed up.
- Malicious apps and extensions that read your input and cookies.
- Login interception on an open or someone else's network.
## Strong passwords and a password manager
The core mistake is keeping one or two "convenient" passwords in your head and reusing them everywhere. No one can memorize dozens of unique passwords, and that is fine — you are not supposed to. A password manager solves this: it generates long random passwords, stores them encrypted, and fills them in only on the service's real domain.
A good password today is about length, not a puzzle of special characters. A long random string or a passphrase of several unrelated words beats a short "P@ss1". The master password for the manager itself is the one thing you must remember: make it long and unique, and put a separate second factor on the vault.
- A unique password for every service — no exceptions for "unimportant" sites.
- At least 12–16 characters; a passphrase beats a short cluster of symbols.
- Keep every password in a manager (browser/OS built-in or standalone), not in notes or chats.
- The master password is never reused and is protected by a second factor.
- Periodically check whether your passwords have appeared in known leaks.
Check whether your address or password has surfaced in leaked databases ahead of time — see our guide on testing for leaks and fixing them for the mindset. If a password shows up, change it everywhere it was used.
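An added example (not from the original article) of how a leak check can be done without the password ever leaving your device: the client hashes locally, sends only a short hash prefix, and compares the returned suffixes on its own side. The "leaked" list is constructed for the example, not real breach data, and the server is simulated in-process.

```python
import hashlib

# Constructed list of "leaked" passwords and how often each was seen; not real breach data.
LEAKED_SAMPLE = {"password": 1000, "P@ss1": 50, "qwerty123": 200}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(leaked: dict) -> dict:
    """Server side: bucket every leaked hash by its first 5 hex characters,
    keeping only the remaining 35-character suffix and the count."""
    index = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append((h[5:], count))
    return index

def range_query(index: dict, prefix: str) -> list:
    """Simulates the request: the only thing that leaves the device is a 5-char prefix,
    which is shared by many unrelated passwords, so it reveals nothing useful on its own."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return index.get(prefix, [])

def times_seen_in_leaks(password: str, index: dict) -> int:
    """Client side: hash locally, fetch the bucket for the prefix, compare suffixes locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for leaked_suffix, count in range_query(index, prefix):
        if leaked_suffix == suffix:
            return count
    return 0

def check_and_advise(password: str, index: dict) -> str:
    """What the article recommends: a leaked password is replaced everywhere it was used."""
    seen = times_seen_in_leaks(password, index)
    if seen:
        return f"seen {seen} times in leaks: change it on every site where it was reused"
    return "not in the sample leaks: keep it unique and behind 2FA"
```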
## Two-factor authentication: which second factor to pick
Two-factor authentication (2FA) requires more than a password at login — a code or confirmation from a device only you hold. Even if your password leaks, no one gets in without the second factor. But factors differ in phishing resistance: SMS can be intercepted or coaxed out of you, while a hardware key is nearly impossible to trick with a fake page.
| 2FA method | Convenience | Phishing resistance | Best for |
|---|---|---|---|
| SMS code | High | Low: the code can be phished or intercepted | A last resort when nothing else is offered |
| Authenticator app (TOTP) | High | Medium: generated offline, but still enterable on a fake page | Most people, as a baseline |
| Push confirmation in an app | Very high | Medium: risk of fatigue and accidental approval | Those who struggle with codes |
| Hardware key / passkey (FIDO2) | Medium | High: bound to the domain, won't fire on a fake site | Email, banks, critical accounts |
The practical takeaway: turn on an authenticator app (built into your password manager or a standalone one) at least for email, banking, social networks, and shopping. For your most important accounts — email and finances — add a hardware key or passkey: the FIDO2 standard resists phishing because the private key is bound to the real domain and simply won't work on a fake. Leave SMS only where nothing else is available.
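An added example (not from the original article) showing the difference in the table in code: a TOTP code depends only on the shared secret and the clock, so a fake page can relay it to the real site, while a FIDO2-style assertion signs over the domain the browser actually saw and fails verification on the real one. The FIDO2 part is simplified: an HMAC key stands in for the real public-key signature, and all names, keys and domains (`.test`) are constructed.

```python
import hashlib
import hmac
import struct

# --- TOTP (RFC 6238 style). The code depends only on the shared secret and the time,
# not on where the user types it, so a fake page can relay it within the 30 s window.
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp_login(server_secret: bytes, typed_code: str, unix_time: int) -> bool:
    """The real site cannot tell whether the code was typed on its page or relayed from a fake."""
    return hmac.compare_digest(totp(server_secret, unix_time), typed_code)

# --- FIDO2-style assertion, simplified for the example: a per-site HMAC key stands in for
# the real public-key signature. The signed data includes the relying-party ID (domain)
# the browser actually observed, so an assertion made on a fake domain fails on the real one.
def fido_assert(authenticator_key: bytes, observed_rp_id: str, challenge: bytes) -> bytes:
    return hmac.new(authenticator_key, observed_rp_id.encode() + challenge, hashlib.sha256).digest()

def fido_verify(registered_key: bytes, real_rp_id: str, challenge: bytes, assertion: bytes) -> bool:
    expected = hmac.new(registered_key, real_rp_id.encode() + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)

def relay_attack_outcome(now: int) -> tuple:
    """Returns (totp_relay_succeeds, fido_relay_succeeds) for a user lured to a look-alike
    domain whose page forwards everything to the real site. Keys and domains are constructed."""
    shared_secret = b"constructed-totp-seed"
    code_typed_on_fake = totp(shared_secret, now)      # same digits the user's app shows
    totp_ok = totp_login(shared_secret, code_typed_on_fake, now)

    key = b"constructed-authenticator-key"
    challenge = b"nonce-from-real-site"
    # In real FIDO2 the browser refuses to use the credential for a different rpId at all;
    # even if an assertion were produced, it carries the fake domain and does not verify.
    relayed = fido_assert(key, "login-example.test", challenge)
    fido_ok = fido_verify(key, "login.example.test", challenge, relayed)
    return totp_ok, fido_ok
```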
## How to spot phishing
Phishing runs on emotion: urgency, fear of losing access, the promise of a reward. Technically the goal is always the same — to make you type your data on someone else's page. So the main rule is simple: enter your login, password, and one-time code only on a site you opened yourself, never via a link from an email or messenger.
- Check the address bar character by character — fakes hide behind look-alike domains with extra letters and dashes.
- Don't follow login links from emails and messages — open the service manually or from bookmarks.
- Real support never asks you to read out a password or an SMS code — that is always fraud.
- Urgency and threats ("your account will be deleted in an hour") are a classic pressure tactic.
- A one-time code is a key to logging in right now; never share it with anyone.
Even the most careful person can misclick one day, especially on a phone. That is why you layer defenses: a password manager won't autofill on the wrong domain, and a hardware key won't fire on a fake. A separate danger is apps that steal input themselves; how to tell a safe service from a fake is shown in our breakdown of choosing a trustworthy VPN.
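An added example (not from the original article) of the autofill rule described above in its strictest form: fill only when the page's host, after IDNA normalisation, exactly equals the saved host, and say why otherwise. It assumes exact-host matching (real managers may also match by registrable domain); the hosts use the reserved `.test` TLD and are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit

def canonical_host(url: str) -> Optional[str]:
    """Host of the page in comparable form, or None if it is not an https URL with a host.
    Non-ASCII labels (e.g. a Cyrillic 'о' standing in for Latin 'o') are converted to
    their xn-- form, so they can never compare equal to the ASCII name they imitate."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None

def should_autofill(page_url: str, saved_host: str) -> bool:
    """The manager's rule in its strictest form: fill only on an exact host match."""
    host = canonical_host(page_url)
    return host is not None and host == saved_host.lower()

def mismatch_reason(page_url: str, saved_host: str) -> str:
    """Why a fill was refused; the reasons map onto the look-alike tricks listed above."""
    host = canonical_host(page_url)
    saved = saved_host.lower()
    if host is None:
        return "not https or no host"
    if host == saved:
        return "match"
    if host.endswith("." + saved):
        return "subdomain of the saved host: not the saved site"
    if "xn--" in host:
        return "non-ASCII look-alike letters in the host"
    if saved.replace(".", "") in host.replace(".", "").replace("-", ""):
        return "real name embedded inside a different domain"
    return "different host"
```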
## Does a VPN protect your account?
Honestly: a VPN is not a silver bullet for accounts. It won't invent a strong password for you, won't turn on 2FA, and won't stop phishing if you type your data into a fake page yourself. A VPN solves a different but real problem — it protects the connection channel. On an open or untrusted network it encrypts traffic between your device and the server, so a rogue access point or a Wi-Fi neighbor can't intercept what isn't protected at the site level or feed you a fake response through their DNS.
In plain terms, a VPN closes the "interception on an untrusted network" channel but leaves passwords, the second factor, and link-checking on you. It is a complementary layer, not a replacement for basic hygiene. What a VPN does and does not cover is detailed in what a VPN protects against. If you often sign in from cafes, airports, hotels, and coworking spaces, keeping the connection under a VPN is a sensible habit; you can review plans on the LiMP pricing page.
- What a VPN covers: traffic and login interception on open/untrusted networks, tampering via a rogue DNS, tying your activity to your IP.
- What stays on you: strong passwords, enabled 2FA, checking the address before you type.
## What to do if your account is already hacked
If you notice a login you didn't make, password-change emails you never requested, or lost access — act fast and in order. Speed beats calm here: the sooner you kill the intruder's session and change the password, the smaller the damage.
- Change the password on the breached service, then on every site where it was reused.
- End all active sessions in account settings ("log out of all devices").
- Enable or reissue 2FA, and check the linked phone and email.
- Review email forwarding rules and trusted devices — attackers often leave "back doors".
- Warn your contacts if messages could have been sent from your account in your name.
- For banking and finance, contact support immediately and watch your transactions.
## Checklist: secure your accounts in one evening
- Install a password manager and set a long, unique master password.
- Replace reused passwords on email, banking, social, and shopping with unique ones.
- Turn on 2FA wherever possible; swap SMS for an authenticator app.
- Add a hardware key or passkey (FIDO2) to email and finances.
- Check your address against leak databases and update any exposed passwords.
- Make it a rule to open services manually, not via email links.
- Set up a VPN for logins on public and untrusted networks.
- Store your recovery backup codes somewhere safe and offline.
## Frequently asked questions
### Is one long, complex password enough?
No. Even a perfect password is useless if it leaks in a third-party breach or you type it into a fake page. Uniqueness per site and a second factor matter more than the "complexity" of a single password.
### Which is safer — an SMS code or an authenticator app?
The authenticator app. Its codes are generated offline on the device and don't depend on the cellular network, whereas SMS can be intercepted, phished, or hijacked via a SIM swap. For critical accounts, a hardware key or passkey is safer still.
### Can a VPN protect me from phishing?
Not directly. If you type your password and code into a fake site yourself, a VPN won't stop it. It protects the connection from interception on an untrusted network, but it doesn't verify whether the site in front of you is real or a fake.
### Should I rotate passwords on a schedule every few months?
Rotating for its own sake isn't needed — it usually leads to weak, predictable passwords. Change a password when there's a reason: the service was breached, you entered it on a suspicious site, or you spotted unfamiliar activity.
### Does a passkey fully replace a password?
On many services, yes: a passkey is bound to your device and the real domain, so it can't be phished. But support isn't universal yet, so for now passkeys are paired with a strong password and backup codes.
### Where should I store recovery backup codes?
Offline: in a password manager as a protected entry, or on paper in a safe place. Don't keep them in open notes, gallery screenshots, or chats — those are the first places found if your device is compromised.
