Protect your passwords

Creating strong passwords and keeping them secret are the first steps. Follow this advice to help keep your passwords out of the wrong hands.

Secure your passwords

  • Don’t share your passwords with anyone, and don’t store them on the device they’re designed to protect. Never send a password in email or instant messages because they’re not reliably secure.

  • Use a unique password for each website. If someone steals a password that you use on many different sites, all the information it protects is at risk. Keep track of your passwords on a sheet of paper stored in a secret place.

  • Change your passwords regularly, particularly those that safeguard your computer, important accounts (like email or Facebook), and sensitive information, like financial and health data.

  • Whenever possible, change passwords immediately on accounts you suspect may have been compromised.

Tip: When you’re asked to give answers to security questions, give an unrelated answer. For instance, if the question is “Where were you born?” you might answer “Green.” Answers like these can’t be found by trolling Twitter or Facebook. (Just be sure they make sense to you, so you’ll remember them.)

Don’t be tricked into revealing your passwords

Criminals can try to break your password, but sometimes it’s easier to exploit human nature and trick you into revealing it.

You may get an email message pretending to be from an online store (like eBay or Amazon) or a phone call from your “bank” that tries to convince you of the “legitimate” need for your password (or other sensitive information). It could be a phishing scam. (You may have heard these con games referred to as social engineering.)

You’re most vulnerable to scams that look genuine.

  • In general, be wary of the sender, even someone you know or a company you trust. (For example, a crook may have hijacked a friend’s account and sent email to everyone in the friend’s address book.) Treat all unsolicited requests for sensitive information with caution.

  • Never share your password in response to an email or phone request—for example, to verify your identity—even if it appears to be from a trusted company or person.