If you’ve been using Facebook for a few years, then you know your account contains a veritable treasure trove of information that thieves would just love to mine. It may go without saying, but firmly securing your Facebook account is going to go a long way towards protecting you from exposing a big chunk of your personal life to unsavory elements.
Thankfully, Facebook has a lot of tools for securing your account. Here’s what you should do.
Choose a Strong Password
Let’s start with one of the most important things: choosing a strong password. Your password is the first and often best security mechanism for keeping invaders at bay, so take care here. Make sure it is long (12 to 14 characters or longer), uses a mix of character types, and contains no personal information, since details like that can easily be socially engineered.
Most importantly, though, don’t use this password anywhere else on the internet. You should use a different password for every single account you have, and ideally, they’d all be random strings of characters. That’s why using a password generator and manager like LastPass is, by far, the best way to secure all your accounts.
Lastly, beware of attempts by others to obtain your password through nefarious methods. Don’t follow untrusted links, such as those sent in e-mails, that ask you to enter your password.
Got all that? Good. Let’s change your password to something more secure. All the settings we’ll refer to in this article can be accessed using a web browser by clicking the little arrow in the upper right corner and choosing “Settings” from the drop-down menu, so do that now.
In the mobile app, tap the “More” button in the lower-right corner, then scroll to and tap on “Settings”. From the resulting pop up, choose “Account Settings”.
(Throughout this article, we’ll use screenshots from the web browser. You should find no essential differences between it and the mobile app, though we’ll note them where applicable.)
You can change your Facebook password from the Password section in the Privacy settings. Use your password generator and password manager to store the password in a safe place, and you’re good to go.
Use Login Approvals
Believe it or not, a strong password is not enough to really secure your account. These days, it’s just as important to turn on a security feature known as two-factor authentication—which Facebook calls “Login Approvals”.
The principle behind it is simple: You sign in with something you know (your password), and something you have—which is usually your phone. After entering your password, Facebook will send a code to your phone that you type in on the site, to confirm that you are who you say you are. That way, if someone found out your password, they still wouldn’t be able to log in without also having your phone. You can get this code as a text message, or through an authentication app on your phone like Google Authenticator or Authy. You can read more about two-factor authentication, and why it’s so important, here.
This feature—again, called “Login Approvals” on Facebook—can be enabled from Settings > Security > Login Approvals. Check the box next to “Require a login code to access my account from unknown browsers”.
Next time you log in, you’ll be prompted for your approval code, which should be sent to your phone.
After entering your code, you will be asked whether you want to remember that browser so you don’t have to enter an approval code the next time you log into Facebook from it.
This feature can be disabled at any time in the Login Approvals settings. We recommend, however, that you leave it on and get used to using it. It’s an essential security feature of just about every service these days.
Note: if you’re trying to log into another app with your Facebook account, but it doesn’t support Login Approval codes, you can use a one-time app password from the “App Passwords” option in Facebook’s security settings.
Enable Login Alerts and See Who’s Logged Into Your Account
Strong passwords and Login Approvals are the two best ways to truly secure your Facebook account, but there are other methods you can employ to give you peace of mind. Login Alerts are one such tool. You’ll find them under Settings > Security > Login Alerts.
You can choose to get a notification on Facebook, by email, or as a text message. The next time anyone logs in from an unrecognized device or browser, you’ll be notified.
This is also a good time to see which machines are logged into your Facebook account. If there are any you don’t recognize, you can log them out remotely. (Chances are, you’ll only see your own machines here, but you can never be too careful.)
Head to Settings > Security > Where You’re Logged In, and click “End Activity” for any unfamiliar devices or locations. If you don’t want to go through and review every session on the list, click “End All Activity” to log out from all devices on the list.
You don’t need to save any changes in this step; once you end activity for a session, it’s done.
Note: ending a session does not un-recognize that browser, so whoever has that machine will still be able to log in on it without entering a Login Approval code. You can revoke access for any previously approved browser or device—say, if your laptop or phone gets stolen—from “Recognized Devices” in the Security settings. Just remove any browser or device that you’ve previously approved, then click “Save Changes”. The next time that device tries to log in, it will need a Login Approval code again.
Audit the Apps that Have Permission to Access Your Facebook Account
Other apps can have access to your Facebook account, too. This is what allows you to use Facebook chat in your desktop chat app, or see Facebook posts in Flipboard. But these apps are like dust bunnies—they just seem to multiply in great numbers over time. Head to Settings > Apps and take some time to remove anything that looks suspicious or you no longer use.
To remove an app, just hover over it and click the “X” on the right-hand side.
Alternatively, you can click the “Edit” button (right next to the Remove button) to change what information you provide to an app.
At the bottom of the Apps Settings screen, you can change settings for a number of different items.
Here’s what each of these settings means.
Apps, Websites and Plugins
Turning this off will disable Facebook integration with third-party apps, websites, and plugins entirely. That means you won’t be able to do things like log in with your Facebook account on other websites, applications, or games.
Click the “Edit” button to learn more and to disable this feature.
Game App Notifications
Hate getting notifications from friends who play games and want you to play games too? Turn those off here.
Apps Others Use
When you connect an app to your account, it can sometimes see information about your friends. Thus, when your friends use apps, they can sometimes see information about you. Click Edit on this section to change what your friends’ apps can see about you.
These categories all appear to be an opt-in type of deal—so you can safely leave them unchecked—but it never hurts to know what’s what.
Old Versions of Facebook for Mobile
This setting controls the privacy of anything you post using old, outdated versions of the Facebook mobile app. Basically, if you’re not using a BlackBerry or some other dinosaur of a device, you don’t have to worry about this.
Peruse the Rest of the Security Settings
The settings we’ve highlighted so far are the most important settings everyone should use. The rest of the security settings are up to you, but it’s worth going through and checking out which might be useful for you.
Hopefully you’ll never get locked out of your Facebook account. If you’re using a password manager (like we recommended above—you set one up, right? Do it now!), you’ll never forget your password. And even if you do, you can always reset your password…as long as you have access to your email account.
If, for some reason, you lose access to all those things, Facebook’s “Trusted Contacts” feature can help, as long as you set it up ahead of time. Trusted Contacts lets you pick three to five friends you can call if you can’t access your account. They will then give you the codes necessary to get back in.
Just head to “Your Trusted Contacts” on the security settings page to set this up.
Be sure to give your trusted contacts a heads up that you’re using them, and if anything ever goes down, they should make sure that it’s you calling before handing over the keys to your account.
Most users won’t use this, but if you’re interested in encrypting notification e-mails “end-to-end” from Facebook, you can add your OpenPGP public key with this option.
This may be a little advanced, and perhaps you don’t even receive notification e-mails, but if you do, and you want to encrypt them, then you can learn more about it.
Profile Picture Login
This is a newer feature that Facebook introduced, which lets you just click your profile picture in lieu of typing your password.
Thus, anyone with access to your browser can click on your picture and log into your account. This is probably a bad idea, so we don’t really recommend turning this on.
Ever wonder what happens to your Facebook when you die? That’s what Legacy Contacts are for. You set someone (like a spouse or family member) as your legacy contact, and if you die, they can do stuff like pin posts to your Timeline, respond to friend requests, and update your profile picture. They cannot post anything to your Timeline or view your messages.
The legacy contact option is important because once you’re gone, hackers can potentially access your account and you won’t be around to prevent or respond to intrusions.
Alternatively, you can choose to have your account deleted upon your demise.
Deactivate Your Account
The deactivate option is typically used to take a break from Facebook, but it is also useful if your account is hacked. It’s simple enough: just click “Deactivate”, enter your password, and read through the instructions to go through with it.
Lastly, don’t neglect basic, general security practices either. If you log into your account from a public computer or on someone else’s device, make sure you always log out and, if you can, clear the history when you’re done (or, better yet, use the browser’s private mode). Never leave yourself logged into your account, even if you walk away for just a few seconds. Make sure your computer and browser are always up to date, and have good virus and malware protection installed at all times.
Of course, this is all about keeping intruders out of your account. But if you’re also worried about your privacy on Facebook, that’s another topic entirely. Check out some of the stuff we’ve done in the past—you can rein in posts you’re tagged in, block people from posting on your timeline, and even make all your old Facebook posts more private. Want to clean up some embarrassing things from your Facebook past? Here’s a little trick for doing so. Be sure to peruse all of the “Privacy” options in Facebook’s settings to see everything you can do.