Password hygiene & managers
Passwords remain an important control. Use a password manager (desktop and mobile) to generate a strong, unique password for each service. Aim for length and randomness rather than predictable words or patterns. Never reuse a password across financial services.
Backup & recovery planning
When enabling 2FA, safely store any provided backup codes offline. Consider physical backups (paper in a safe, or metal backups for extreme durability). Test recovery procedures for non-critical accounts before relying on them.
Phishing resistance
Phishing is the most common vector for account takeover. Never log in via links in unsolicited emails or messages. Bookmark the official site and use that bookmark to reach the platform. For high-value accounts, use hardware-backed authentication: each login is bound to the genuine site's origin, so a credential-capturing page cannot reuse what it collects.
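Why an origin-bound, hardware-backed login defeats a credential-capturing page, shown as an added, constructed example rather than code from this page: a WebAuthn-style flow in miniature, where the browser (not the page) records the origin it is talking to and the authenticator's signature covers it. The origins are made up, and HMAC over the client data stands in for the hardware key's asymmetric signature (an assumption made to keep the demo dependency-free).

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed origins for the demo (not real sites).
LEGIT_ORIGIN = "https://exchange.example"
PHISH_ORIGIN = "https://exchange-example.com"


def register(rp_origin: str) -> dict:
    """Relying party (RP) keeps the credential key and the origin it is bound to."""
    return {"key": secrets.token_bytes(32), "origin": rp_origin}


def authenticator_assert(cred: dict, challenge: bytes, observed_origin: str) -> dict:
    """Browser + authenticator side. The browser fills in the origin it is actually
    connected to; a page cannot override it. HMAC stands in for the hardware key's
    signature (assumption for this demo)."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": observed_origin}).encode()
    sig = hmac.new(cred["key"], hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"client_data": client_data, "signature": sig}


def rp_verify(cred: dict, challenge: bytes, assertion: dict) -> bool:
    """RP checks: origin matches, challenge is the one it issued, signature is valid."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != cred["origin"]:
        return False  # assertion was produced on another site, e.g. a look-alike domain
    if data.get("challenge") != challenge.hex():
        return False  # stale or foreign challenge
    expected = hmac.new(cred["key"], hashlib.sha256(assertion["client_data"]).digest(), "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


def login(observed_origin: str, rewrite_origin_to: Optional[str] = None) -> bool:
    """One login attempt. rewrite_origin_to models a relay that edits the captured
    client data so it appears to come from the genuine origin."""
    cred = register(LEGIT_ORIGIN)
    challenge = secrets.token_bytes(32)  # RP issues a fresh challenge per login
    assertion = authenticator_assert(cred, challenge, observed_origin)
    if rewrite_origin_to is not None:
        data = json.loads(assertion["client_data"])
        data["origin"] = rewrite_origin_to
        assertion["client_data"] = json.dumps(data).encode()  # signature no longer covers this
    return rp_verify(cred, challenge, assertion)


if __name__ == "__main__":
    print("genuine site:", login(LEGIT_ORIGIN))                                # True
    print("look-alike site:", login(PHISH_ORIGIN))                             # False
    print("look-alike, origin rewritten:", login(PHISH_ORIGIN, LEGIT_ORIGIN))  # False
```

The same check is what makes a relayed assertion useless to the look-alike site: either the origin field names the wrong site, or editing it breaks the signature.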
Periodic audits
Quarterly, review active sessions, registered devices, API keys, and notification settings. Rotate long-lived secrets and remove unused integrations to reduce attack surface.