How Can I Protect My X Account? 12 Simple Rules

How can I protect my X account? There are a lot of guides on the internet, but many of them are written in such a way that the average person will have a hard time understanding what they are talking about.

So, a list of simple tips from me:

  1. First of all, if you are not using this functionality, turn off delegation!

  2. Turn on password reset protect, it's very important.

  3. Install 2FA via Authy or any other service like Aegis. Google Authenticator is generally no longer recommended, both to stay out of the Google ecosystem and because Authy offers more robust account recovery options (Aegis does not offer the same level of account recovery). Keep in mind that the codes generated by 2FA apps are device specific: if your account is not manually backed up to Google cloud or iCloud and you lose your phone, you’ll need to spend some time proving your identity to restore your 2FA. The added security is worth the hassle! Hardware-based 2FA options are regarded as more secure than phone-based OTP options since the keys are stored on the YubiKey device itself, not on your phone, in the cloud, or on your computer. Aegis Authenticator is open source (licensed under GPL v3) and the source code can be found here. The issue with Authy is that it depends on a phone number, which can be changed through an email request, allowing anyone who makes such a request access to your HOTP/TOTP codes after an approximate 4-day wait period. To avoid that, disable the multi-device function in Authy's settings!

  4. Make sure that the email you use for registration does not match your nickname and does not contain your username. You can use an alias (I will write below how to do it) to hide your email from anyone who could potentially try to reset the password on your account.

  5. Gmail ignores everything after “+”, so “yourgmailusername+telegram@gmail.com” works! iCloud also has this feature: privacy emails. You can also use this trick to find out where your email got leaked from: register on each service with name+service@gmail.com, and the tag on the incoming spam tells you which service leaked it. Periods do the same thing with Gmail addresses (but they are less descriptive than +'s xd).

  6. To lock down your SIM, contact your mobile phone carrier. This is a standard that has been tested with telecommunications operators in the US, the UK, Poland, and China; also check out this tweet and this article. You just need to insist on it or visit the head office, and I’m sure that the support manager on the phone may not know about it! Ask them to NEVER make changes to your phone number/SIM unless you physically show up to a specific store with at minimum two forms of identification. This (should) prevent hackers from calling up AT&T or T-Mobile or Vodafone, claiming to be you, and asking them to port your phone number to a new phone. Alternatively, require staff to verify via a phone call to a secondary number in case the shown ID is compromised, or just use something like Efani. Or prefer to use an eSIM only!

  7. I won't ask you to remove your phone number from your settings (as other guides may recommend). However, you must make sure that 2FA by SMS is turned off. Once again, having a phone number (even on a regular SIM card) on your account is not in itself a problem, but if other things are set up incorrectly or 2FA by SMS is turned on, it can be potentially dangerous!

  8. Use passwords that are at least 8 characters in length, though a minimum of 12 is generally recommended for memorized passwords. Along with that, if relying on memorization, ensure that a minimum complexity requirement is met: an uppercase character, a lowercase character, a digit, and a non-alphabetic character. For the highest level of privacy, always generate complex passwords and write them down in a notebook. It takes time but saves headaches. Somewhere along the line, the 'stop writing passwords on sticky notes' narrative got misinterpreted as 'never write them down'. There's nuance to it! Using a string of unrelated words while still meeting the complexity requirement makes it easy to have an extremely secure password while still being able to remember it. If fully relying on a password manager, a randomly generated password of 20+ characters can be used.

  9. If you see suspicious password activity or failed log-ins on any of your accounts, change all of your passwords, starting with sensitive and authorization accounts, such as your primary email and bank/crypto accounts. KeePass, KeePassX, KeePassDX, KeePassXC or Bitwarden are good options for password management. I also found this tutorial on integrity checks (and other checks) very helpful, be sure to check it out as well: link.

  10. You might have connected X to a variety of apps. Remove access from unneeded apps.

  11. De-authorize inactive or unrecognized sessions!

  12. Never do anything you do not understand. Always check the link you are using, and be extremely careful when performing any sensitive operation (changing a password, signing in). Keep in mind that one of the possible attack vectors is to put you in a situation that encourages you to do something (log in via a fake link or anything like that).

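Tips 4 and 5 rely on how Gmail maps addresses to one mailbox. The following is an added example (my own code, not from the original post) that canonicalises Gmail addresses the way Gmail delivers them, extracts the "+service" tag from a received message's address so you can tell which service leaked it, and checks whether a registration email gives away your X handle. The handle and addresses are constructed samples.

```python
import re

# googlemail.com delivers to the same mailbox as gmail.com
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(addr: str):
    """Lower-case and split into (local part, domain); reject malformed input."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return local, domain


def gmail_canonical(addr: str) -> str:
    """The mailbox an address actually delivers to: Gmail drops the +tag and
    all dots in the local part; other providers are left as written."""
    local, domain = split_address(addr)
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def plus_tag(addr: str):
    """The '+service' tag of the address a message was sent to, or None.
    Spam arriving at you+telegram@gmail.com names the service that leaked it."""
    local, _ = split_address(addr)
    return local.split("+", 1)[1] if "+" in local else None


def email_reveals_handle(addr: str, handle: str) -> bool:
    """True when the registration email contains the X handle (or the reverse),
    i.e. tip 4 is violated and a reset prompt's masked email is easy to guess."""
    local = gmail_canonical(addr).split("@")[0]
    h = re.sub(r"[^a-z0-9]", "", handle.lower())       # "@alice_smith" -> "alicesmith"
    return h in local or (len(local) >= 4 and local in h)


if __name__ == "__main__":
    # constructed samples
    print(gmail_canonical("Your.Name+telegram@googlemail.com"))   # yourname@gmail.com
    print(plus_tag("yourname+telegram@gmail.com"))                 # telegram
    print(email_reveals_handle("alice.smith@gmail.com", "@alice_smith"))  # True
    print(email_reveals_handle("q7rk2m@proton.me", "@alice_smith"))       # False
```
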
More Spy-Level Tips:


If you want to support my work, please consider donating:

Thank you!
