Staying Safe Online: A Cybersecurity Guide For Everyone

Perhaps you’re worried about being hacked or phished, perhaps you’ve received some specific threats, maybe you just want to increase your security. No matter the reason, this article is for you! Below I will list a collection of good practices to keep you and your accounts safe online. I fully expect to update this post as things change in the future.

This guide is written in (what I hope is) order from less complicated steps, which protect against less sophisticated or less motivated attackers, to more complicated (and more secure) steps towards the end. Additionally, some “controversial” steps can be found towards the end of this document.

This post was last updated on Sep 28th, 2025.


Passwords

Let’s start with passwords. I shouldn’t have to say this, but I will do so anyway: do not reuse passwords. If a single account provider is breached and your plaintext (or easily cracked) password is recovered, every other account that shares that password is now at risk of compromise, and attackers automate trying leaked email/password pairs against other services. This has happened before.


I recommend using a password manager such as 1Password to keep track of your passwords. While having your passwords stored in an app that uploads them somewhere increases your risk slightly, I feel it is outweighed by using a different password for each service. For the passwords themselves, you can use random characters, or a system such as Diceware to create long passphrases that are easier to remember. While the latter is slightly less secure, a password you can remember is one less password you have to look up in a password manager (and the manager’s own master password has to be memorable anyway).

I do not recommend letting your browser (such as Chrome) remember your passwords, because then you are tied specifically to that browser. Same for Apple’s Passwords app: there’s nothing wrong with it, but be aware that it requires you to use Apple products. You can read more reviews of password managers here.

Change Default Passwords

This one is mainly for devices. Many devices ship with default passwords, which can be easily found via an online search, and attackers routinely scan the Internet for devices that still accept them. If malware has infiltrated a device on your home network, it could then attempt what is called “lateral movement” to other devices on the same network, logging in with those defaults, which increases the chances of data exfiltration.

I recommend you change the default passwords to a different password on devices such as the following:

  • Cable modems
  • Routers
  • Wireless access points
  • Disk arrays
  • Security cameras
  • Doorbells
  • Appliances
  • …and anything else I didn’t mention here. If it ships with a password, change that password!

Password Protect Your Phone

Starting with the iPhone 5S, Apple’s phone processors have included a coprocessor designed by Apple called the Secure Enclave. It is isolated from the main processor and holds the keys that encrypt the user data on the phone; it is also what checks your passcode and matches your Touch ID or Face ID, so the keys and the biometric data never leave it. It rate-limits passcode guesses as well, which is what makes brute-forcing the passcode slow.

In short, an iPhone with a passcode set has its data encrypted and protected against all but perhaps nation-state level attackers. You should absolutely positively set a passcode on your iPhone, make it at least six digits (an alphanumeric passcode is better still, since the Secure Enclave can slow down guessing but cannot make a four-digit search space any bigger), and share it with no one.

For Android users, this is phone-dependent. Google Pixel phones have an equivalent (the Titan M chip from the Pixel 3, and the Titan M2 from the Pixel 6 onward), and most other recent Android phones have some form of hardware-backed key storage. Either way, set a PIN or password on the phone.

Turn on Two-Factor Auth (2FA)

Two-factor authentication in its current incarnation is where you use your phone or a hardware device to generate a 6- or 8-digit number to use when logging into your accounts. The number is derived from a shared secret (set up when you scan the QR code) and the current time, so it is good for only about 30 seconds and then changes to something else. The advantage of this is that even if an attacker gets your password, they will need to get your phone as well. And if you password protected your phone, that’s another hurdle for them…

Here is how to turn on 2FA for your Gmail account.

I do NOT recommend SMS as the second factor for reasons I will go into later in this article; instead consider a software app and/or a hardware key for that purpose. Also, don’t have just a single hardware key! You need a minimum of 2 (if not more) in case the first one gets lost or damaged, and you will need to register each key separately with every account you use them with.

For Software-based 2FA, I can recommend:

Both of those apps back up their data into each company’s respective cloud, which means if you get a new device, you won’t have to re-add every service to the 2FA app. (The flip side is that those backups are only as safe as the cloud account they live in, so lock that account down too.)

Or, if you’d prefer a hardware device, check out YubiKey. Their devices can either be plugged into a USB-A or USB-C port, or used with your phone via NFC.

While you’re adding 2FA to your accounts, don’t stop with just Gmail — do you use Bluesky and Facebook? Turn on 2FA there, too!

Note that financial institutions are very slow to adopt better policies, so for the time being, you may be stuck with SMS 2FA and dumb password rules in those places.

What About Passkeys?

Passkeys are a newer way to log into websites that doesn’t use a password at all. When you set one up, your device generates a key pair: the website keeps the public key, and the private key stays on your device (or, for synced passkeys, is end-to-end encrypted between your devices via iCloud Keychain, Google Password Manager, or similar, so the provider cannot read it). When you log in, the website sends a challenge, and only the matching private key can “solve” it. The response is also tied to the website’s real domain, so a lookalike phishing site gets nothing it can use. Passkeys are stronger than regular passwords and resistant to phishing.

The security of your passkey is handled by your device, which means you unlock the passkey the same way you unlock your device: with your fingerprint (Touch ID), your face (Face ID), or your device PIN. And if you lose your device? Once you sign in to your cloud account on a new device, your synced passkeys come back with it. (A passkey stored on a hardware key does not sync, so register a second key there too.)

There is an important consideration here: your passkeys are only as strong as your device and the cloud account they sync through. That means if you have a weak PIN on your device, or let someone else use your device, your passkeys are now at risk. Never EVER give out your device PIN or password for that reason.

Learn more about passkeys at https://safety.google/authentication/passkey/ and try a live demo at https://www.passkeys.io/ to see how they work!

Update Your Software and Devices

Computers, cellphones, appliances, and routers. If it runs software it needs to be kept up to date.

Run software updates regularly. Once a fix ships, attackers read the patch and start exploiting the bug on unpatched systems within days, so the gap between a patch being released and you installing it is when you are most exposed; applying updates sooner rather than later closes that gap.

If you run Windows, turn on Autoupdate so your machine updates in the wee hours of the morning. If you’re worried about an update bricking your machine, ask yourself: would you rather run into problems from an update (which can be fixed) or get hit with a ransomware attack (which is costly).

The Browser Is The OS…

We spend so much of our lives in web browsers: email, shopping, entering passwords, entering credit card numbers, and more. That makes browsers a very attractive target for attackers. It also means that you MUST keep your browsers updated, as new bugs are found all the time, and new attacks emerge. I recommend that you set your browser to update automatically. It’s the safest option.

If you have browser extensions, my advice is to use as few as possible, because most extensions ask for permission to read and change data on ANY website you visit, which is exactly the access a malicious (or sold, or hijacked) extension needs to steal your sessions and form data. A single bad extension could compromise your entire online presence, so check what each one is allowed to do and remove the ones you don’t use.

…and Email is Your Skeleton Key!

If an attacker has control of your email account, they can conceivably get into any other account that you control by initiating a password reset for that service and reading the reset email. You absolutely need to have your email account locked down as tight as comfortably possible.

Remove Cellphone Numbers From Your Accounts

There is a type of attack called a “SIM swapping attack” in which the attacker gets your carrier to move your cellphone number to a new SIM, which is in a phone that they own. You’ll have no warning that this is about to happen; you will only learn of it when your phone suddenly loses cell service. From then on, every text meant for you, including password-reset and 2FA codes, goes to the attacker, who can use them to take over any account that relies on your number.

Such an attack sounds rather complicated, but in reality the going rate for SIM Swapping is about $100 per number. Seriously, if you have a cellphone number on an account that you control, remove it ASAP.

If you have an account where a cellphone number is required, my recommendation would be to get a Google Voice number, install the Google Voice app on your phone, and turn off forwarding of texts to your carrier number. A Google Voice number isn’t tied to a SIM, so it can’t be SIM-swapped; when a text comes in to it, you get an alert in the app with the contents of the text. The trade-off is that the number is now only as secure as your Google account. (You did enable 2FA or set up a passkey for your Google account, right?)

“But what if my cellphone is stolen?”, I hear you ask.  Be sure to turn on Stolen Device Protection if you have an iPhone.  That will limit the damage a thief can do if they get physical possession of your device.

Put a PIN on Your Cellphone Account

Cellphone companies often allow you to set a PIN on your account, so that anyone attempting to change anything on your account (including porting your number) has to supply the PIN in addition to the account password. It varies by carrier, and it’s not perfect, but it’s one more layer of defense which can help against a persistent attacker.

Some cellphone companies like US Mobile will let you put actual 2FA on your account with them. Do it!

Challenge Questions

You know what these are: “What is your mom’s maiden name?”, “What high school did you go to?”, etc. These questions are inherently unsafe because the true answers are easy to find on social media and in data broker leaks, but MANY services require them. So instead of providing true answers, provide FAKE (ideally random) answers, and record them in your password manager. This will help stop social engineering attacks that go through customer service.

Turn Off Sharing On Your Computer


Go into the “Sharing” control panel on your computer and turn off anything you’re not using. Even if you are using it, carefully consider whether it’s something you really need, and if you really really need it to be turned on 100% of the time. If it is something used infrequently, consider turning it on only as-needed and turning it off afterwards. An attacker can’t break into a service that’s not running.

Set a Password in Telegram

Are you using Telegram? Telegram is a popular messaging platform with 700 million users worldwide. Telegram uses your phone number to log in by texting you a code, but recall what I said above about SIM Swapping attacks? Telegram will let you set up 2-step verification by adding a password. Do it.

Set Passwords in other Cellphone-based Apps

Seeing a trend yet? Any app that uses your cellphone number to “sign in” absolutely needs a second factor, because if you are hit with a SIM swapping attack, the attacker now has the skeleton key to all of those accounts. (I’m looking at you, Panera.)

What if there’s no way to set a password in such an app? See if there is a way to add your email address in the app–that gives you another method of account recovery, should it be necessary.

Cover Your Laptop Cameras

One way to spy on a user would be to infect their laptop with malware and then make use of the laptop camera to watch them. While camera covers are a thing, I don’t recommend them because the cover presses against the lid when the laptop is closed and can damage the display or trackpad. Instead, just use a piece of masking tape or painter’s tape. A bonus to that approach is that if your camera has an LED, you’ll see the LED through the tape.

Yes, I had a number of calls where I thought there was something wrong, and realized I had the camera covered — switching to tape reduced the number of those incidents to zero. 🙂

Defense in Depth

If you’ve made it this far, you’re probably wondering why I suggested disassociating your cellphone number from your accounts, but also adding a PIN on your cellphone account.

The reason for that is a concept called Defense in Depth: an approach where you have multiple layers of security, so that if one layer is breached, an attacker still cannot get into your computer or your accounts. Each layer should also be as strong as you can make it. For example, Google says that successful phishing attacks against its employees dropped to zero after it switched to hardware keys for 2FA.


Avoiding Phishing Attacks

Phishing attacks can be tricky, because the blackhats behind them tend to do a really good job of making their emails look both convincing and urgent. Money is the biggest lever: emails that threaten you with jail, fines, or losing money are HUGE red flags, and should be scrutinized extra closely.

If you do get a message threatening those things, here’s what to do: hang up or ignore the message, then call the organization or visit its website using the phone number or address you already know. Don’t follow any links in the message, and don’t call any phone numbers it gives you.

If you’re using a YubiKey or a passkey, they provide an extra layer of defense called origin binding: the response the key produces is tied to the domain of the site that asked for it, so a phishing page on a lookalike domain cannot obtain a response the real site will accept. While you may be fooled, the YubiKey or passkey will not be. 🙂

Freeze Your Credit Reports

This is more for identity theft than overall security, but it’s still a very prudent move, especially in the wake of the Equifax data breach. In the US, there are 3 credit bureaus, and there is a different procedure for freezing your credit report on each of them:

The only time you will need to unfreeze your credit is for anything that requires a credit check, such as applying for a loan or getting a credit card. These events are so rare that the extra effort to (briefly) unfreeze your credit is worth the extra protection against identity theft that it provides.

Buy Google One, DropBox Plus, etc.

If you’re a Gmail user, I would recommend buying Google One, which is their paid offering. It starts at $1.99/mo for 100 GB of storage in Gmail and Google Drive. But the real benefit here is that if something goes wrong with your Google account (possibly in response to an attempted hacking), you will now have an official support channel that you can use to recover your account.

Same thing goes for your files in DropBox — their paid plans start at $9.99/mo which means that if something goes wrong, you are more likely to get a speedier resolution to your issue.

In a perfect world, neither of the above should be necessary. Sadly, we live in an imperfect world where leopards are confused with cheetahs daily.


Tor and VPNs

Unless you have a very good reason to use Tor or a VPN and know exactly what you are doing, you should not. Things like quality-of-life browser extensions, other apps running while the VPN is up (Gmail, etc.), or even resizing your browser window can erode anonymity very quickly.

Now I know what you’re thinking: you’ve seen those ads for VPNs saying that your ISP might be spying on you. First, if a site uses HTTPS (which nearly all major sites do), the content of your traffic is encrypted in transit; your ISP can see which sites you connect to, but not what you send or receive. Second, and more importantly: using a VPN does not eliminate a threat actor, it merely exchanges one threat actor (your ISP) for another (the VPN provider). And the VPN provider is likely far less regulated than your ISP is, and may not even be in the same country as you.

Increase Your Social Media Presence

This last one is a little controversial — I have friends who would rather not be on social media for a variety of reasons, and I understand that.

Say what you will about social media, sites like LinkedIn and YouTube, photo sharing sites like Flickr, etc. but one thing that those sites all have in common is this: they have a very high PageRank in Google. This means that if you create accounts on those sites, and use them semi-regularly, those are the websites that will show up when people Google for your real name. This is a good thing, because it means if someone tries using a link farm to spread lies or misinformation about you, they will have to work that much harder in order to bump you down from the top 5 results on Google for your real name.

The above approach is actually a simple form of reputation management, as low-key as it may be.

But I understand that social media is not for everyone.

Additional Reading

Would you like to read more about computer and software security? Great! Here is a list of resources to check out:

About the author

I am a software engineer living in Philadelphia, PA. While not a security expert, my 20+ years of experience with technology and Internet infrastructure has helped me understand much of the computer and Internet ecosystem, and where the weak points are. Feel free to check out my GitHub at https://github.com/dmuth or hit me up on Bsky.

And a disclosure: the Diceware app mentioned above was written by me, but the Diceware approach has been around since 1995.

Final Thoughts

This is hardly meant to be an exhaustive guide to security — but since the topic of security and the fear of doxxing has come up among people I follow on Twitter recently, I felt it was a good time to take some of the things that I have learned over the years and put them into a guide that others may find useful.

If you have any thoughts on the topic of security, feel free to reach out or leave a comment!

Revision History

  • 2 Jan 2020 – Initial creation
  • 9 Sep 2025 – Added section on passkeys
  • 28 Sep 2025 – Added some sections on email, browsers, updated sections on phishing and VPNs.

(Mirror on Medium)