18F/18f.gsa.gov

_posts/2019-08-15-keeping-your-accounts-secure.md

---
title: "Keeping your accounts secure"
date: 2019-08-15
authors:
- laura-gerhardt
- alex-dalessio
- andy-brody
tags:
- security
- login.gov
- best practices
excerpt: "login.gov helps over 15 million people keep their information safe
across dozens of government applications online. Over the past few
years, we’ve learned a lot about keeping information safe. Here are a
few ways you can make sure your online interactions stay secure."
image: /assets/blog/login-gov/login-gov-logo.png
---

login.gov helps over 15 million people keep their information safe
across dozens of government applications online. Over the past few
years, we’ve learned a lot about keeping information safe. Here are a
few ways you can make sure your online interactions stay secure.

## Set up two-factor authentication (2FA)

Two-factor authentication helps an application know it’s you when you
sign in, not just someone who picked up your password during a breach.
Also referred to as a second step or second factor, two-factor
authentication ensures you have something (like your phone, a security
key, or your fingerprint) physically on you when you sign in. Fraudsters
impersonating you are considerably less likely to also have your phone
or access to your fingers!

login.gov allows you to use **a variety of 2FA methods**, including
PIV/CAC cards for federal employees and contractors, so you can be sure
that only *you* are able to sign in to your account.

## Don’t reuse passwords

Reusing passwords means all of your accounts are only as protected as
the weakest among them: the chain is only as strong as its weakest link.
By using unique passwords for each website, you can protect yourself
from a chain of breaches if one of your passwords is hacked. **Use a password
manager** to keep track of all your different passwords so you only need
to remember one master password. A password manager keeps your passwords
in an encrypted (and password-protected) vault. It generates strong
passwords for you and may fill them in for sites and apps when you want
to sign in. That means you don't have to remember all the different
passwords for different sites since the password manager takes care of
that.

login.gov helps protect you against the risk of reusing passwords by
implementing a second factor, ensuring that you have something
physically with you to sign in. For example, if a fraudster grabs a
password from another site, that alone will not allow them to sign in to
your account.

## Avoid weak passwords or guessable passwords

While password123 might be easy to remember, it will be the first
thing that hackers try when attempting to break into a system. In fact,
there are even tools that guess predictable passwords. Use a long and
memorable password instead, which will be much harder to hack. Again,
using a password manager makes it easy to generate strong, random
passwords for each of your accounts.

In addition to requiring a second factor, at login.gov we don’t allow
you to use common passwords, and we maintain an ever-growing list of
**banned passwords** that malicious actors are known to try.
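The banned-password check described above, as an added illustration rather than login.gov's own code: the banned list is a small constructed sample (a real deployment loads a much larger list of passwords seen in breaches), and the 12-character minimum and the "banned word with digits bolted on" rule are assumptions made for this example, not a statement of login.gov's policy.

```python
import re

# Constructed sample of a banned-password list. A real deployment loads a
# much larger list of passwords that have shown up in breaches.
BANNED_PASSWORDS = {
    "password123",
    "password",
    "123456",
    "qwerty",
    "letmein",
}

# Assumed minimum length for this example; not login.gov's actual rule.
MIN_LENGTH = 12


def normalize(candidate: str) -> str:
    """Compare case-insensitively: 'Password123' is as guessable as 'password123'."""
    return candidate.strip().lower()


def check_password(candidate: str, banned=BANNED_PASSWORDS,
                   min_length=MIN_LENGTH) -> list:
    """Return the reasons a candidate password is rejected.

    An empty list means the password is accepted. Length is checked on the
    raw input; the banned-list checks use the normalized form.
    """
    reasons = []
    norm = normalize(candidate)

    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    if norm in banned:
        reasons.append("appears on the banned-password list")
    else:
        # Guessing tools try banned words with digits or a few symbols appended,
        # so "Password123!!" is no better than "password123". This is an
        # assumed heuristic for the example, not a login.gov rule.
        stripped = re.sub(r"[\d!@#$%^&*.]+$", "", norm)
        if stripped != norm and stripped in banned:
            reasons.append("is a banned password with digits or symbols appended")

    return reasons


if __name__ == "__main__":
    for pw in ["password123", "Password123!!", "tall-purple-kettle-47"]:
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw!r}: {', '.join(verdict)}")
```

A long, randomly generated password from a password manager passes every check here, which is the point of the paragraph above: the banned list catches what people tend to pick, and the length rule pushes toward passwords that guessing tools cannot enumerate.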

## Use unphishable 2FA methods

**Phishing** is when someone pretends to be a real service to collect
information from you using fake websites, phone calls, or fraudulent
emails. Phishing has become more sophisticated and tricky to spot and is
now a major driver of fraud on the internet. login.gov and many other
sites support newer 2FA methods that prevent phishing entirely.

While all second factors improve security, using text or SMS messages, a
common two-factor authentication method, does not prevent phishing.
Hackers have various methods to collect your six-digit code in the text
and use it to access your account.

To defend against this, login.gov supports several second factors that
are unphishable. We recommend using a FIDO-compliant physical security
key that must be connected to your phone or computer to sign in.
Additionally, phones and laptops have fingerprint readers that work the
same way and can be used as the second factor on login.gov if your
browser supports it, through something called **WebAuthn**. Federal
government employees and contractors can also use their CAC or PIV
cards. All of these methods are unphishable as they require a physical
factor - a device or a fingerprint - to authenticate.
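To show why the WebAuthn-based methods above are unphishable while a texted six-digit code is not, here is an added Python example (not login.gov's code) of the checks a site performs on a WebAuthn sign-in response. The browser, not the web page, records the origin the user was on, and the authenticator signs over a hash of the site's identifier, so a response produced on a look-alike site fails these checks. The relying-party identifier `example.gov`, the origins, and the sample responses are all constructed for this example; signature verification over the signed data is a further step this sketch does not perform.

```python
import base64
import hashlib
import json
import os
from dataclasses import dataclass


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as WebAuthn clientDataJSON uses for the challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


@dataclass
class RelyingParty:
    rp_id: str            # constructed: "example.gov"
    allowed_origins: set  # constructed: {"https://example.gov"}


def check_assertion(rp: RelyingParty, expected_challenge: bytes,
                    client_data_json: bytes, authenticator_data: bytes) -> list:
    """Return reasons to reject a sign-in response (empty list = accept).

    These are the relying-party checks that bind a response to the site the
    user was actually on. A real verifier also checks the signature over
    authenticator_data || SHA-256(client_data_json) with the registered key.
    """
    problems = []
    try:
        client_data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return ["clientDataJSON is not valid JSON"]

    if client_data.get("type") != "webauthn.get":
        problems.append("type is not webauthn.get")

    # The challenge is fresh per login and echoed back base64url-encoded,
    # so a captured response cannot be replayed for a later login.
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        problems.append("challenge does not match the one issued for this login")

    # The browser writes the origin; a phishing page cannot claim to be this site.
    if client_data.get("origin") not in rp.allowed_origins:
        problems.append(f"origin {client_data.get('origin')!r} is not this site")

    # authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4) || ...
    if len(authenticator_data) < 37:
        return problems + ["authenticatorData too short"]
    if authenticator_data[:32] != hashlib.sha256(rp.rp_id.encode("ascii")).digest():
        problems.append("rpIdHash does not match this relying party")
    if not authenticator_data[32] & 0x01:
        problems.append("user presence flag not set")
    return problems


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Construct the clientDataJSON a browser would produce for a sign-in."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode("utf-8")


def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Construct authenticatorData: the authenticator hashes the rpId it was asked for."""
    flags = 0x01 | 0x04  # user present, user verified
    return (hashlib.sha256(rp_id.encode("ascii")).digest()
            + bytes([flags]) + sign_count.to_bytes(4, "big"))


def demo() -> dict:
    """Genuine sign-in versus a response captured on a look-alike site."""
    rp = RelyingParty(rp_id="example.gov", allowed_origins={"https://example.gov"})
    challenge = os.urandom(32)

    genuine = check_assertion(
        rp, challenge,
        make_client_data("https://example.gov", challenge),
        make_authenticator_data("example.gov"))

    # On a look-alike site the browser records that site's origin and the
    # authenticator hashes that site's identifier, even if the challenge
    # was relayed from the real site.
    phished = check_assertion(
        rp, challenge,
        make_client_data("https://example-gov.phish.example", challenge),
        make_authenticator_data("example-gov.phish.example"))

    return {"genuine": genuine, "phished": phished}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {problems or 'accepted'}")
```

Contrast this with a six-digit SMS code: nothing in the code says which site it was typed into, so a code entered on a fake page works just as well on the real one. The origin and rpIdHash checks are what give a security key, a fingerprint reader used through WebAuthn, or a PIV/CAC card their phishing resistance.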

Learn more about how to keep your information safe over at [login.gov](https://login.gov).