If you are like many people, you might sign up for an online account at your gym, download the local movie theater’s app and share a cat video on Twitter all before 9 a.m. — and all without thinking twice. But when navigating the internet, security experts say, a little bit of deliberation often pays off by keeping your data more secure.

This National Cybersecurity Awareness Month, here are four routine things to stop doing online — and a few alternatives from cybersecurity experts.

1. Recycling passwords. Study after study shows that a majority of people reuse passwords across sites. This lets a hacker who uncovers your password in a data breach of one site easily use it elsewhere.

But what to do when everyone from your dog groomer to your grocery store wants you to create a login? Doug Jacobson, director of Iowa State University’s Information Assurance Center, recommends separating accounts into security tiers. The most sensitive — such as your financial accounts — should all get a unique, robust password. Slightly less sensitive accounts can share a set of strong passwords.

2. Granting all the permissions apps request. Many apps ask for access to certain aspects of your phone’s data when you download them. And while it is understandable that Google Maps wants to know your location, said Kurt Rohloff, director of the Cybersecurity Research Center at the New Jersey Institute of Technology, other apps have less transparent intentions when collecting your data.

Apps should have “the bare minimum [information] they need to provide services,” Rohloff said.

If you have already given an app too much access, try adjusting its permissions in your phone’s settings.

3. Oversharing on online account applications. You probably know the pitfalls of posting vacation updates — hello, burglars — or giving your Social Security number just because a form has a blank for it. Any personally identifying information you disclose that falls into the wrong hands can “[give] hackers a pathway into your life,” says Adam Levin, founder of CyberScout, which helps individuals and businesses deal with cybersecurity threats.

When creating an online account, Jacobson said, “Give them only the information that has the star by it,” indicating a required field. “You don’t need to fill out your full profile.”

And you need not always be truthful, either. For example, you can supply a fake mother’s maiden name or high school mascot for security questions.

4. Trusting appearances. Scam e-mails don’t always come complete with typos and graphics from 1997 to tip you off. In fact, Jacobson said, he recently received an e-mail from a hacker masquerading as his boss, asking for money.

“Always independently confirm who that company is or who that individual is through another source,” Levin said. That might involve calling the supposed sender to confirm the request.

And if you are ever entering payment information, look for the padlock symbol on your browser window. “What the padlock ensures is that the website you typed in is the one you went to … and the communication is encrypted,” Jacobson said.


Alice Holbrook is a writer at NerdWallet. E-mail: alice.holbrook@nerdwallet.com.