🔑 How to create a strong password

A strong password is your first line of defence. Most accounts are broken into because the password was easy to guess.

Passwords to avoid (very easy to guess):

  • Your name, husband's name, children's names, or pet's name
  • Your birthday, anniversary, or phone number
  • Simple words: password, 123456, india
  • The same password you use on another site

What makes a password strong?

  • At least 12 characters long
  • A mix of UPPERCASE letters, lowercase letters, numbers, and symbols (!@#)
  • Something random that has no connection to your life

✅ Easy trick: Take 3 random words you like and join them with numbers and symbols. For example: Mango!Rain7Bridge — this is long, random, and surprisingly easy to remember.
✅ Use a password manager like Bitwarden (free) to remember all your passwords. You only need to remember one master password.
⚠️ Never share your password — not with your partner, parent, or best friend. No legitimate service will ever ask for your password over call or message.

📱 What is Two-Factor Authentication (2FA)? How to turn it on.

Two-Factor Authentication (2FA) is like having a second lock on your door. Even if someone knows your password, they still can't get in without a second code that only you receive.

When 2FA is on, every time you log in, you'll get a one-time code sent to your phone (by SMS or an app). You enter that code along with your password.

How to turn on 2FA for common apps:

  • Google / Gmail: myaccount.google.com → Security → 2-Step Verification → Turn On
  • Instagram: Profile → Menu (☰) → Settings → Security → Two-Factor Authentication → Turn On
  • WhatsApp: Settings → Account → Two-step verification → Enable
  • Facebook: Settings → Security and Login → Two-Factor Authentication → Edit

✅ Best option: Use an authenticator app like Google Authenticator or Authy instead of SMS codes. SMS codes can be intercepted; app codes cannot.
⚠️ Save your backup codes when you set up 2FA. If you lose your phone, these codes are the only way to recover access to your account. Write them down and keep them somewhere safe offline.

🎣 Recognising a phishing message or fake link

Phishing is when someone sends you a fake message pretending to be a real company (your bank, Instagram, the government) to trick you into giving your password or OTP.

Signs that a message is fake:

  • It creates sudden urgency — "Your account will be deleted in 24 hours!"
  • It asks you to click a link and log in immediately
  • The link looks almost right but is slightly wrong — e.g., instagram-support.com instead of instagram.com
  • It asks for your OTP, password, or bank PIN — no legitimate company ever does this
  • It comes from a random mobile number or a Gmail address pretending to be official

🚨 NEVER share an OTP with anyone — not even someone claiming to be from your bank, Instagram support, or a government office. Sharing an OTP is handing them the key to your account.
✅ If unsure: Don't click the link. Open the official app or website by typing it yourself. Call the company's official helpline from their verified website.
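
The "almost right but slightly wrong" link check above can be automated. This is an added example, not part of the original guide: it compares the host a browser would actually connect to against a short allow-list. The function names, the allow-list and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the real domains of the services this guide mentions.
OFFICIAL_DOMAINS = {"instagram.com", "google.com", "whatsapp.com", "facebook.com"}


def link_host(url: str) -> str:
    """Return the host a browser would really connect to, normalised."""
    if "://" not in url:
        url = "https://" + url  # bare links such as "instagram.com/login"
    # .hostname drops any "user@" prefix and ":port" suffix and lowercases.
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def is_official(url: str, official=OFFICIAL_DOMAINS) -> bool:
    """True only if the host is an official domain or a subdomain of one."""
    host = link_host(url)
    labels = host.split(".")
    # Non-ASCII or punycode ("xn--") labels can imitate Latin letters: reject.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return False
    # Compare whole labels from the right; a substring match is not enough.
    return any(host == d or host.endswith("." + d) for d in official)


# Constructed sample links, as they might appear in a suspicious message.
SAMPLE_LINKS = [
    "https://www.instagram.com/accounts/login/",
    "https://instagram-support.com/verify",
    "https://instagram.com.account-check.example/login",
    "https://instagram.com@198.51.100.7/login",
    "https://instagr\u0430m.com/login",  # Cyrillic "a" in place of Latin "a"
]


def triage(links=SAMPLE_LINKS) -> dict:
    """Map each link to 'official' or 'do not click'."""
    return {u: "official" if is_official(u) else "do not click" for u in links}


if __name__ == "__main__":
    for url, verdict in triage().items():
        print(f"{verdict:12}  {url!r}")
```

Only the first sample link passes; the other four each contain the text "instagram" or "instagram.com" somewhere, which is why matching on a substring is not a safe test.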

📧 Securing your recovery email and phone number

Your recovery email and recovery phone number are how you get back into your account if you forget your password. If someone else controls these, they can lock you out of everything.

What to check right now:

  1. Open your Google Account → myaccount.google.com → Security → Ways we can verify it's you. Make sure the recovery phone and email belong to you — not to an ex-partner or family member who controls your phone.
  2. Check your Instagram and Facebook recovery email and phone under Settings → Personal Information.
  3. Make sure your recovery email account itself has a strong password and 2FA turned on — otherwise it becomes the weakest link.
  4. If you share a phone number or email with a family member, create your own private email (e.g., a new Gmail) that only you control.

⚠️ Important: If a controlling partner knows your recovery email or phone, they can reset your passwords and take over your accounts — even without knowing your current password.

💬 Passphrases — stronger and easier than passwords

A passphrase is a password made of multiple random words strung together. It's longer than a typical password, but much easier to remember — and much harder to crack.

Why passphrases are better:

  • A 4-word passphrase like "mango train purple river" is stronger than a complicated 8-character password like P@ssw0rd!
  • They're easier to type on a phone keyboard
  • They're easier to remember without writing down
  • Computer programs that guess passwords find long, word-based phrases very hard to crack

How to create a strong passphrase:

  1. Choose 4 random, unrelated words — "monsoon elephant laptop jasmine" works well. Don't use quotes, song lyrics, or anything personally meaningful.
  2. Optionally add a number and symbol between words: "monsoon7elephant!laptop"
  3. Use a unique passphrase for each important account

✅ Can't remember many passphrases? Use one very strong passphrase as your master password for a password manager like Bitwarden (free). It will remember all other passwords for you.
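
The steps above, as an added example that is not part of the original guide: the words are drawn with the operating system's secure random generator, and the strength is estimated in bits. The function names and the 16-word sample list are assumptions made for illustration; the entropy figure goes beyond the guide's text and holds only when the words are picked by a generator, not by a person.

```python
import math
import secrets

# Constructed 16-word sample so the block runs offline. It is far too small for
# real use; a large published list (the EFF long list has 7776 words) is needed.
SAMPLE_WORDS = ["anchor", "biscuit", "candle", "desert", "ember", "falcon",
                "garden", "harbor", "island", "jungle", "kettle", "lantern",
                "marble", "nectar", "orchid", "pepper"]
SEPARATORS = "0123456789!@#"  # digits plus the symbols the guide mentions


def make_passphrase(words, n_words=4, decorate=False):
    """Pick n_words with the OS CSPRNG; words a person 'picks at random' are not."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    if not decorate:
        return " ".join(chosen)
    # Step 2 of the guide: a random digit or symbol between the words.
    out = chosen[0]
    for word in chosen[1:]:
        out += secrets.choice(SEPARATORS) + word
    return out


def entropy_bits(list_size, n_words=4, separator_choices=1):
    """Guessing cost in bits when the attacker knows the list and the method."""
    return (n_words * math.log2(list_size)
            + (n_words - 1) * math.log2(separator_choices))


if __name__ == "__main__":
    print(make_passphrase(SAMPLE_WORDS))
    print(make_passphrase(SAMPLE_WORDS, decorate=True))
    print(f"4 words, 16-word sample list: {entropy_bits(16):.1f} bits")
    print(f"4 words, 7776-word list:      {entropy_bits(7776):.1f} bits")
    print(f"same, random separators:      {entropy_bits(7776, 4, len(SEPARATORS)):.1f} bits")
```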

⚡ 5-minute security upgrade — the essentials right now

If you only have 5 minutes, do these four things. They make the biggest difference.

  1. Enable 2FA on your Gmail — Go to myaccount.google.com/security → 2-Step Verification → Turn On. This protects your email, which is the key to everything else.
  2. Enable 2FA on Instagram — Profile → ☰ → Settings → Security → Two-Factor Authentication → Turn On.
  3. Enable WhatsApp two-step verification — Settings → Account → Two-step verification → Enable → set a 6-digit PIN.
  4. Check your Google recovery info — myaccount.google.com → Security → "Ways we can verify it's you" → make sure the recovery phone and email are ones only you control.

✅ Done? Use our Safety Checklist to track what else you've completed.
⚠️ Check login sessions: While in your Google Security settings, also check "Your devices" and "Recent security activity". Remove any session or device you don't recognise.