The majority of account compromises exploit exactly the same configuration gaps. Weak authentication, reused passwords, no session monitoring, overly permissive third-party app access — these aren't exotic attack vectors. They're defaults that never got changed, and changing them takes minutes, not months.
Here's the configuration guidance that actually moves the needle, with the reasoning behind each item.
Authentication Strength: The Foundation
Use a Unique, Strong Password
Password reuse is the root cause of most credential-stuffing attacks. When a service gets breached and its password database is leaked, attackers immediately test those credentials across banking, email, cloud storage, and every other major platform. A unique password per service means a breach on one service doesn't cascade into a compromise of everything else.
A password manager is not optional at this point — it's the only practical way to maintain unique, strong credentials across the dozens of accounts a typical person maintains. The security model shifts from "remember many passwords" to "protect one master password well."
Enable MFA on Every Account That Offers It
Multi-factor authentication requires a second verification step after the password — typically a time-based code from an authenticator app, a push notification, or a hardware token. Even if an attacker obtains a valid password, they cannot authenticate without the second factor.
Priority order for MFA method strength:
- Hardware security key (FIDO2/WebAuthn) — phishing-resistant
- Authenticator app (TOTP) — strong
- Push notification — strong but vulnerable to push fatigue attacks
- SMS one-time code — better than nothing, vulnerable to SIM swapping
Apply MFA to email accounts first. Email is the recovery method for virtually everything else — whoever controls the email account controls the ability to reset every other password.
Session Management
Review Active Sessions Regularly
Most major services show all currently active sessions — device type, location, last access time. A session from a device or location you don't recognize is a high-confidence indicator of compromise. Terminate unrecognized sessions immediately.
Make this a regular habit, not just an emergency response. Quarterly is a reasonable cadence for most accounts; monthly for accounts with access to sensitive data.
Set Appropriate Session Timeouts
Extended session durations are a convenience–security tradeoff. A session that stays active indefinitely on a device that gets lost, stolen, or compromised provides an attacker with long-term access even after a password change. For accounts on shared, public, or infrequently used devices, explicit logout is important.
Third-Party Application Permissions
Audit OAuth-Connected Applications
OAuth allows third-party apps to access your account data without requiring your password. Every "Sign in with Google" or "Connect to your calendar" authorization creates an access grant that persists indefinitely unless explicitly revoked.
The practical problem: people accumulate these authorizations over years, often for apps they no longer use, which may no longer be actively maintained or may have been acquired by parties with different privacy practices. An OAuth token provides access to whatever permissions were granted at authorization time, and it survives password changes.
Quarterly review of authorized applications — revoking anything unused or unrecognized — is a meaningful security practice that most people never do.
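To make the quarterly OAuth review concrete, here is an added example (not from the original article) of the decision logic applied to a constructed list of authorized applications. The grant records, scope names and the `SENSITIVE_SCOPES` classification are assumptions for the example; real providers use their own scope identifiers and expose grants through their account settings pages. Each grant is marked revoke (no longer used, never used, or idle beyond the threshold), review (still used but holding high-impact scopes), or keep.

```python
from datetime import date

# Scopes treated as high-impact when held by a third party. These names are
# constructed for this example, not a real provider's scope identifiers.
SENSITIVE_SCOPES = {"mail.readwrite", "drive.full", "contacts.read"}

# Constructed sample of one account's authorized applications, as a provider's
# "third-party access" page might list them (ISO dates; None = never used).
SAMPLE_GRANTS = [
    {"app": "Calendar Helper", "scopes": ["calendar.read"],
     "granted": "2021-03-04", "last_used": "2024-04-30"},
    {"app": "Old Todo App", "scopes": ["drive.full"],
     "granted": "2019-06-15", "last_used": "2020-01-10"},
    {"app": "Unknown Sync", "scopes": ["mail.readwrite", "contacts.read"],
     "granted": "2023-11-02", "last_used": "2024-05-20"},
    {"app": "Photo Printer", "scopes": ["photos.read"],
     "granted": "2022-08-01", "last_used": None},
    {"app": "Mail Client", "scopes": ["mail.readwrite"],
     "granted": "2024-01-12", "last_used": "2024-05-21"},
]


def audit_grants(grants, still_used, today_iso, max_unused_days=90):
    """Classify each grant as revoke / review / keep with the reasons.

    still_used: the set of app names the account owner confirms they still use.
    A grant is revoked if it is unrecognized, never used, or idle longer than
    max_unused_days; a kept grant with high-impact scopes is flagged for review.
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for g in grants:
        reasons = []
        if g["app"] not in still_used:
            reasons.append("not an app you still use")
        if g["last_used"] is None:
            reasons.append("never used since authorization")
        else:
            idle = (today - date.fromisoformat(g["last_used"])).days
            if idle > max_unused_days:
                reasons.append(f"unused for {idle} days")
        sensitive = sorted(set(g["scopes"]) & SENSITIVE_SCOPES)
        if reasons:
            action = "revoke"
        elif sensitive:
            action = "review"
            reasons.append("holds high-impact scopes: " + ", ".join(sensitive))
        else:
            action = "keep"
        findings.append({"app": g["app"], "action": action,
                         "reasons": reasons, "sensitive_scopes": sensitive})
    return findings


if __name__ == "__main__":
    in_use = {"Calendar Helper", "Old Todo App", "Photo Printer", "Mail Client"}
    for f in audit_grants(SAMPLE_GRANTS, in_use, "2024-05-22"):
        print(f"{f['action']:7} {f['app']:16} {'; '.join(f['reasons'])}")
```

Note that "Unknown Sync" is revoked even though its token was used two days ago: recent use by an app the owner does not recognize is the case the review exists to catch, and since the token survives a password change, revoking it is the only remedy.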
Monitoring and Alerting
Configure Login Notifications
Most platforms offer email or push notifications for account login events — new device logins, logins from new locations, or all logins if you prefer maximum visibility. This is an effective early warning system: if an attacker accesses your account, you find out within minutes rather than days.
Enable these for all accounts where the option is available, at minimum for email, financial accounts, and primary identity providers.
Know Where to Find the Activity Log
When an incident occurs, the activity log is your primary evidence source. Locate it in each of your critical accounts before something goes wrong: for Google accounts it is at myaccount.google.com/device-activity; for Microsoft accounts it is under the security tab in account settings. Knowing where to look before you need it saves time when you need it most.
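The active-session review, the idle-timeout policy and the login-notification logic described in the sections above all operate on the same underlying record, the account's activity log. The following is an added example (not from the original article, and not any provider's real log format) that parses a constructed activity log, emits the alerts a "new device / new location" notification would send, and lists the sessions a review should terminate because they are unrecognized or idle beyond a timeout. The pipe-separated line layout, the device and location strings, and the function names are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample activity log, one event per line, oldest first.
# Layout (an assumption for this example): time|session_id|event|device|location
SAMPLE_LOG = """\
2024-05-01T08:00:00Z|s1|login|Chrome on Windows|Berlin, DE
2024-05-02T09:30:00Z|s1|activity|Chrome on Windows|Berlin, DE
2024-05-03T18:12:00Z|s2|login|Safari on iPhone|Berlin, DE
2024-05-20T21:45:00Z|s3|login|Firefox on Linux|Lagos, NG
2024-05-21T07:05:00Z|s2|activity|Safari on iPhone|Berlin, DE
2024-05-21T07:06:00Z|s3|activity|Firefox on Linux|Lagos, NG
"""


@dataclass
class Event:
    time: datetime
    session_id: str
    kind: str       # "login" or "activity"
    device: str
    location: str


def _parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_log(text: str) -> list:
    """Parse the pipe-separated log into Event records sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, sid, kind, device, location = line.split("|")
        events.append(Event(_parse_time(stamp), sid, kind, device, location))
    return sorted(events, key=lambda e: e.time)


def login_alerts(events, known_devices, known_locations):
    """Login-notification logic: alert on the first login from a device or location
    not previously seen, then remember it so later logins are quiet."""
    seen_dev, seen_loc = set(known_devices), set(known_locations)
    alerts = []
    for e in events:
        if e.kind != "login":
            continue
        reasons = []
        if e.device not in seen_dev:
            reasons.append("new device")
            seen_dev.add(e.device)
        if e.location not in seen_loc:
            reasons.append("new location")
            seen_loc.add(e.location)
        if reasons:
            alerts.append((e.session_id, e.time.isoformat(), reasons))
    return alerts


def review_sessions(events, now_iso, known_devices, known_locations, idle_days):
    """Active-session review: return (session_id, reasons) for every session that
    should be terminated, because it is unrecognized or idle longer than idle_days."""
    now = _parse_time(now_iso)
    latest = {}
    for e in events:  # events are time-sorted, so the last write is the newest activity
        latest[e.session_id] = e
    to_terminate = []
    for sid, e in latest.items():
        reasons = []
        if e.device not in known_devices:
            reasons.append("unrecognized device")
        if e.location not in known_locations:
            reasons.append("unrecognized location")
        if now - e.time > timedelta(days=idle_days):
            reasons.append("idle beyond timeout")
        if reasons:
            to_terminate.append((sid, reasons))
    return to_terminate


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for sid, when, why in login_alerts(events, {"Chrome on Windows"}, {"Berlin, DE"}):
        print(f"ALERT {when} session {sid}: {', '.join(why)}")
    for sid, why in review_sessions(events, "2024-05-22T00:00:00Z",
                                    {"Chrome on Windows", "Safari on iPhone"},
                                    {"Berlin, DE"}, idle_days=14):
        print(f"TERMINATE {sid}: {', '.join(why)}")
```

Two things the sample is built to show: session s1 is on a trusted device yet still gets terminated because nothing has used it in almost three weeks (the timeout case), and session s3 is the unrecognized-device-and-location case that the text calls a high-confidence indicator of compromise.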
Common Misconfiguration Patterns
| Configuration Gap | Attack It Enables |
|---|---|
| Password reused across services | Credential stuffing from unrelated breaches |
| No MFA on email account | Complete account ecosystem compromise via password reset |
| Unreviewed OAuth authorizations | Persistent access through legitimate-looking tokens |
| No login notifications | Undetected, prolonged access to the account |
| Recovery phone/email not current | Lockout from own account, undelivered security alerts |
| Security questions with guessable answers | Account recovery bypass |
Running through this list for your critical accounts — email, financial services, primary social media, cloud storage — takes less than an hour. It closes the gaps that enable the vast majority of account compromises.