Intro
If you use the internet, your accounts are being attacked all the time. Not because anyone is specifically interested in you, but because data breaches happen constantly and the leftover usernames and passwords get tried against every site by automated tools. The fix isn't to be paranoid — it's to set up three things, once, and then forget about them.
This lesson is the practical one. By the end of it, you'll have done the actual work.
Step 1: Set up a password manager
Real password rules: every account gets a unique, long password. Nobody can do that by memory. Password managers do it for you.
A password manager is an app that creates strong passwords automatically, stores them, and fills them in when you log into a site. You remember one main password — for the manager itself — and the manager does everything else.
Recommended free options: Bitwarden (open source, free forever for personal use), 1Password (free trial, paid plan), or the password manager built into your phone (iCloud Keychain on iPhone, Google Password Manager on Android). Any of these is dramatically safer than reusing the same three passwords across forty sites.
Setting up a password manager takes about 15 minutes. You install the app, you create your one main password (make it long — three or four random words is great), and you let it import or create passwords for your existing accounts as you log in.
Pro tip: write your main password down on paper and put it somewhere safe at home. This is the one password you cannot lose, and it's the only one where paper is the right answer.
Step 2: Turn on two-factor authentication
Two-factor authentication (often shortened to 2FA) means that even if someone has your password, they need a second thing to log in — usually a code from your phone.
Why this matters: 2FA blocks more than 99% of automated account takeover attempts. It is the single biggest security upgrade you can make. It's also free.
How to turn it on. Go to the security or login settings of each account and look for “Two-step verification,” “2FA,” “Two-factor authentication,” or “Login codes.” The setup usually takes two minutes per account.
Two-factor methods, ranked from worst to best:
- Text message (SMS) — better than nothing, but text codes can be intercepted. Use only if no other option is available.
- Authenticator app — Google Authenticator, Microsoft Authenticator, Authy, or 1Password's built-in option. Much safer than text. This is the right default.
- Physical security key (YubiKey, etc.) — the gold standard. Probably overkill until you have an account that really matters, but worth knowing about.
Start with your three most important accounts: your email, your main social media account, and your bank or payment app. Email first — if a scammer gets your email, they can reset every other account. Lock that one down today.
Step 3: Privacy settings on the platforms you use
Every platform has privacy settings, and most of them are buried. The PDF that goes with this lesson is a one-page checklist for the most-used platforms. Here are the highest-impact ones:
Instagram. Set your account to private if it isn't already. Turn off “Show activity status.” Turn off “Allow others to share your story.” Review “Tagged photos” — pre-approve before someone can tag you.
Snapchat. Set “Who can contact me” and “Who can view my story” to “My Friends” instead of “Everyone.” Turn off “See me in Quick Add.” Turn Snap Map off, or set it to Ghost Mode.
TikTok. Set your account to private. Turn off “Suggest Your Account to Others.” Restrict Direct Messages to people you follow. Turn off “Allow Your Videos to Be Downloaded.”
Discord. In Privacy and Safety, turn off “Allow direct messages from server members.” In each server's notification settings, decide whether to share your activity. Use friend-of-friend or friend-only DM filters wherever possible.
Bonus: clean up old accounts
Most people have ten to twenty old accounts they don't use anymore — apps from middle school, games they don't play, services they signed up for once. Each of those accounts is a place your password can leak from. About once a year, look through your password manager (or your email for old confirmation emails) and delete any account you don't use. Most sites have a “Delete account” option in settings.
Recap
Three things, in order: password manager (one main password, the rest auto-generated and unique), two-factor authentication on email/main social/banking (authenticator app is the right default), and privacy settings tightened on the platforms you actually use. The PDF for this lesson is a one-page version of all three so you can knock them out in an evening.
Turn on two-factor authentication on your email account right now. The other accounts can wait until tomorrow. Email first. Tonight.
Try this today
Pick the platform you use most. Open its privacy settings. Spend five minutes there. You'll be safer than 90% of people on that platform by the time you're done.
That's the CyberSmart Teens track. Four lessons, real tools, no lectures. Tell a friend who needs it.