Skip to content

Account Security

🎯 Quick Purpose

Your account is the key to multiple services. This page gives you a practical setup order and security habits that prevent lockouts and account takeover.

Recommended order

  1. Create a strong, unique password and save it in a password manager.
  2. Enable TOTP two-factor authentication.
  3. Add at least one passkey on a device you control.
  4. Save recovery codes in a safe place.
  5. Review active sessions regularly and sign out old devices.

🛡️ Security Basics

1. Use a Strong, Unique Password

  • Never reuse a password from another website.
  • Use at least 16 characters when possible.
  • Prefer random passwords generated by your password manager.
  • Change the password immediately if you suspect it was exposed.

Password reuse is high risk

Reusing passwords means one unrelated breach can expose this account too.

2. Use a Password Manager

A password manager helps you generate and store unique credentials safely.

Good practice: - Let the manager generate random passwords for you. - Store recovery codes in a secure note or encrypted vault entry. - Turn on sync only for devices you trust. - Protect the manager itself with a strong master password and device lock.

🔐 Two-Factor Authentication (TOTP)

TOTP adds a rotating 6-digit code from an authenticator app (for example, 1Password, Bitwarden, Aegis, Authy, or Google Authenticator).

Why TOTP Matters

  • A stolen password alone is not enough to sign in.
  • Codes expire quickly, reducing replay risk.
  • It works even when passkeys are not available on a specific device.

Setup Checklist

  1. Sign in at auth.cashewmade.com and open account security settings.
  2. Choose to enable two-factor authentication (TOTP).
  3. Scan the QR code with your authenticator app.
  4. Enter the current 6-digit code to confirm setup.
  5. Save recovery codes before leaving the page.

Do not skip recovery codes

If your phone is lost, reset, or unavailable, recovery codes may be the fastest way back in.

🔑 Passkeys

Passkeys use device-backed cryptography (Face ID, Touch ID, Windows Hello, or security keys) and are highly resistant to phishing.

Why Add a Passkey

  • No shared secret is sent like a traditional password login.
  • Strong resistance to fake login pages.
  • Faster login on your trusted devices.

Passkey Best Practices

  • Register at least two passkeys if possible (for example, phone plus laptop, or a hardware key backup).
  • Keep one backup sign-in method (TOTP or recovery code).
  • Remove passkeys from devices you no longer own.

Strongest everyday setup

Use passkey for daily sign-in, and keep TOTP plus recovery codes as backup.

🖥️ Public Computers and Shared Devices

When asked "Stay logged in?" on a public or shared computer, always choose No.

Safe Behavior on Public Devices

  • Never allow browser "remember me" or saved-password prompts.
  • Use a private/incognito window when possible.
  • Sign out fully before leaving.
  • Close all tabs and browser windows after logout.
  • Avoid sensitive account changes on devices you do not control.

Treat shared devices as untrusted

Internet cafes, school labs, hotel kiosks, and borrowed computers should always be considered unsafe for persistent login sessions.

📱 Session and Device Hygiene

  • Review active sessions in your account settings.
  • Revoke sessions you do not recognize.
  • Sign out old devices you no longer use.
  • Re-check security settings after password changes.

If anything looks suspicious, change your password immediately and contact support.

✅ Quick Security Checklist

  • I use a unique password that is not reused anywhere else.
  • My password is stored in a password manager, not plain text notes.
  • TOTP is enabled and tested.
  • At least one passkey is registered on a trusted device.
  • Recovery codes are saved safely.
  • I always choose No for "Stay logged in?" on public/shared devices.
  • I periodically review and revoke old sessions.

🧭 Need Help?

Comments