Locking the digital front door

From passwords and 2FA to removing unwanted access, this section walks through how to make your accounts yours again—quietly, calmly, and without tipping anyone off. Whether it’s email, social media, or banking, control starts here.

How to change your password safely

Changing your password is one of the simplest ways to stop someone poking around in your digital life. But if you suspect your accounts are being watched, it pays to be strategic, not sudden.

  1. Use a device they can’t access: If you think your regular phone or computer might be watched, try using a different one—like a trusted friend’s, or a public library machine. Quietly, of course.

  2. Start with the email account: Most other accounts—banking, social media, storage—are linked to your email. If someone has access to your inbox, they can often reset everything else.

  3. Use a long, unique password: Make it something no one could guess, even if they know your birthday, your pet’s name, or the name of your secondary school. Example: RainyTeacups!MarchingOtters2025

  4. Keep it somewhere safe—but not obvious: If you must write it down, hide it well. Not taped under your laptop, not in a notes app titled “Passwords”.

  5. Don’t do everything at once: If you’re worried someone might notice changes, take your time. Prioritise the most important accounts and space out the rest. It’s a marathon, not a password sprint.

  6. Check for alerts: Some accounts notify users when passwords are changed. If you think this could cause trouble, consider timing the change carefully—or doing it alongside other changes to reduce suspicion.


How to set up 2FA without using SMS

Two-factor authentication (2FA) is like adding a second lock to your digital front door. Unfortunately, some locks are made of papier-mâché. Text messages (SMS) can be intercepted. Let’s do better.

  1. Choose an authenticator app. These generate login codes directly on your device, no mobile signal required. Popular, privacy-friendly options include:

  2. Set it up on a safe device. Use a phone or tablet that’s not shared or previously handled by anyone else. If that’s not possible, do a device check first (see device control guides).

  3. Enable 2FA on key accounts. Usually under “Settings” → “Security” → “Two-factor authentication”. You’ll scan a QR code using your chosen app.

  4. Store backup codes offline. These are one-time emergency codes in case you lose your phone. Print them, or write them down and hide them securely—taped inside a novel works well.

  5. Disable SMS fallback (if possible). Once app-based 2FA is working, many platforms let you remove phone number recovery. This helps prevent sneaky password resets via intercepted texts.

  6. Bonus: set up a decoy account. If you’re in a situation where someone expects access to a certain account, you can set up a secondary email or social profile with harmless content.


How to remove an abuser’s access from your email or cloud account

They might still be logged in—on a shared device, a forgotten tablet, or through app permissions you don’t remember setting. It’s time to check the locks.

  1. Sign in on a safe device. Avoid using your usual laptop or phone if you think it might be watched. Public computers or newly set-up devices are ideal.

  2. Review logged-in sessions. Most accounts let you see where and when your account was accessed.

Remove any devices you don’t recognise—or that are still listed but no longer in your possession.

  3. Revoke connected apps. In account settings, you’ll often find a list of third-party apps or tools with access. Remove anything suspicious or unnecessary.

  4. Change your recovery email and phone. Check whether their email or number is still listed under “recovery” or “backup” settings. Replace it with one only you control—perhaps a new Proton Mail address (see below).

  5. Enable 2FA with an app. Once they’re out, keep them out. Add app-based 2FA and remove any SMS recovery options.

  6. Check auto-forwarding and filters. Some accounts allow messages to be secretly forwarded elsewhere. Look under your email settings and filters for anything you didn’t set up.


How to use a secure email for sensitive communication

If someone else has access to your regular email, it’s wise to set up a fresh one—just for things that matter.

  1. Choose a privacy-focused provider. The big free email companies are… friendly with advertisers. Try these instead:
  • Proton Mail – strong encryption, based in Switzerland
  • Tuta – clean interface, based in Germany

Both let you sign up anonymously, and both have apps.

  2. Pick a low-profile email address. Use something neutral, without your full name or any personal hints. Example: paperlantern.mailbox@proton.me

  3. Avoid syncing to unsafe devices. Don’t add this account to a device that might be compromised. Stick to browser access, in incognito mode if possible.

  4. Turn off link previews and image loading. These can leak data or act as subtle trackers. Most secure email services disable them by default—but it’s worth double-checking.

  5. Be mindful of who you share it with. This account is for communication you want to keep private. Don’t link it to your usual accounts or use it to sign up for services that might raise flags.

  6. Use aliases if needed. Some email services let you create disposable addresses that still reach your inbox. Handy if you want to give an email out temporarily or keep your main one under wraps.