Perhaps you’re worried about being hacked or phished, perhaps you’ve received some specific threats, maybe you just want to increase your security. No matter the reason, this article is for you! Below I will list a collection of good practices to keep you and your accounts safe online. I fully expect to update this post as things change in the future.
This guide is written (I hope) in order, from the less complicated steps that protect against less sophisticated or less motivated attackers, to the more complicated (and more secure) steps towards the end. Some “controversial” steps can also be found towards the end of this document.
This post was last updated on Sep 9th, 2025.
Passwords
Let’s start with passwords. I shouldn’t have to say this, but I will do so anyway: do not reuse passwords. Reusing passwords means that if a single account provider is breached and your plaintext password is recovered, you now have additional accounts at risk of compromise. This has happened before.
I recommend using a password manager such as 1Password to keep track of your passwords. Storing your passwords in an app that syncs them to a server adds a small amount of risk, but in my view that is outweighed by being able to use a different random password for every service. For the passwords themselves, you can use random characters, or a system such as Diceware to create long passphrases that are easier to remember. A Diceware passphrase is only as strong as the number of words in it (each word from the standard 7776-word list adds about 12.9 bits, so six words is roughly as strong as a 12-character random password), but a passphrase you can actually remember is one less password to store in the password manager, and you still need one memorable secret for the manager itself.
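As an added illustration (this is not code from the post or from the author's Diceware app), here is a small Go generator that picks words from a list using the operating system's CSPRNG, plus the entropy arithmetic behind the comparison above. The eight-word list is constructed for the example; a real Diceware list has 7776 words, and the entropy figures printed use that real size.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// sampleWords is a constructed eight-word list for this example only. A real
// Diceware list has 7776 words (6^5), one for each roll of five dice.
var sampleWords = []string{"apple", "brook", "candle", "dusk", "ember", "fjord", "grove", "harbor"}

// PassphraseWords picks n words uniformly at random from words using the OS
// CSPRNG. crypto/rand.Int uses rejection sampling, so there is no modulo bias
// even when the list length is not a power of two.
func PassphraseWords(words []string, n int) ([]string, error) {
	picked := make([]string, n)
	limit := big.NewInt(int64(len(words)))
	for i := range picked {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return nil, err
		}
		picked[i] = words[idx.Int64()]
	}
	return picked, nil
}

// Passphrase returns the chosen words joined with spaces, ready to type.
func Passphrase(words []string, n int) (string, error) {
	w, err := PassphraseWords(words, n)
	if err != nil {
		return "", err
	}
	return strings.Join(w, " "), nil
}

// EntropyBits is the strength of n symbols chosen uniformly from an alphabet
// of the given size: n * log2(size). It assumes the symbols really are chosen
// uniformly, which is why the generator above uses crypto/rand.
func EntropyBits(alphabetSize, n int) float64 {
	return float64(n) * math.Log2(float64(alphabetSize))
}

func main() {
	p, err := Passphrase(sampleWords, 6)
	if err != nil {
		panic(err)
	}
	fmt.Println("passphrase:", p)
	fmt.Printf("6 Diceware words (7776-word list): %.1f bits\n", EntropyBits(7776, 6))
	fmt.Printf("12 random printable ASCII chars:   %.1f bits\n", EntropyBits(94, 12))
	fmt.Printf("8 random printable ASCII chars:    %.1f bits\n", EntropyBits(94, 8))
}
```

The point of the last three lines is that strength comes from the size of the search space, not from how complicated the password looks: six words from the real list beat a typical eight-character random password by about 25 bits.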
Change Default Passwords
This one is mainly for devices. Many devices ship with default passwords, which can be found with a quick online search. If malware gets onto one device on your home network, it can try those well-known defaults against the others, what is called “lateral movement”, and every additional device it takes over increases the chances of data exfiltration. Devices with default passwords that are reachable from the Internet are also found and taken over by automated scanners within hours.
I recommend you change the default password to a unique one on devices such as the following:
- Cable modems
- Routers
- Wireless access points
- Disk arrays
- Security cameras
- Doorbells
- Appliances
- …and anything else I didn’t mention here. If it ships with a password, change that password!
Password Protect Your Phone
Starting with the iPhone 5S, Apple’s phones include a security coprocessor, designed by Apple, called the Secure Enclave. It is isolated from the main processor, holds the keys that encrypt your data, is the only component that can verify your passcode, Touch ID, or Face ID, and it enforces the escalating delays that make guessing the passcode impractical.
In short, an iPhone with a passcode set has its data encrypted under keys that cannot be extracted without that passcode, which puts it beyond all but the most well-resourced attackers. You should absolutely positively set a passcode on your iPhone (a six-digit or, better, an alphanumeric one rather than four digits), and share it with no one.
For Android users, this is phone-dependent. Google’s Pixel phones (Pixel 6 and later) have the Titan M2 security chip, which plays a similar role.
Turn on Two-Factor Auth (2FA)
Two-factor authentication in its current incarnation is where you use your phone or a hardware device to generate a 6- or 8-digit code to enter when logging into your accounts. The code is derived from a secret shared between the app and the service plus the current time, so it is good for only 30 seconds (sometimes 60) and then changes. The advantage is that even if an attacker gets your password, they will also need your phone. And if you password-protected your phone, that’s another hurdle for them… One caveat: a time-based code can still be phished if you type it into a fake site that relays it to the real one within the window, which is why hardware keys and passkeys (covered below) are stronger.
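As an added example, not code from the original post, here is the TOTP algorithm that authenticator apps implement (RFC 4226 HOTP under RFC 6238 TOTP), in Go, checked against the RFC’s published test vectors. The secret used is the RFC’s test key, not a real one; in practice the shared secret is the base32 string behind the QR code you scan when enrolling.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

// HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, "dynamic
// truncation" to a 31-bit integer, then the low `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	var ctr [8]byte
	binary.BigEndian.PutUint64(ctr[:], counter)
	mac.Write(ctr[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	s := strconv.Itoa(int(code % mod))
	for len(s) < digits {
		s = "0" + s // keep leading zeros: "07081804" is a valid code
	}
	return s
}

// TOTP (RFC 6238): the counter is the number of `step`-sized intervals since
// the Unix epoch. Both sides only need the secret and a roughly correct clock.
func TOTP(secret []byte, now time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(now.Unix()/int64(step.Seconds())), digits)
}

// VerifyTOTP is the server side. It accepts the code for the current interval
// and `skew` intervals either side to absorb clock drift, and compares in
// constant time. Note what it does NOT check: where the code was typed. That
// is the gap a real-time phishing proxy exploits.
func VerifyTOTP(secret []byte, code string, now time.Time, step time.Duration, digits, skew int) bool {
	counter := now.Unix() / int64(step.Seconds())
	for d := -int64(skew); d <= int64(skew); d++ {
		c := counter + d
		if c < 0 {
			continue
		}
		if hmac.Equal([]byte(HOTP(secret, uint64(c), digits)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 SHA-1 test secret
	fmt.Println(TOTP(secret, time.Unix(59, 0), 30*time.Second, 8))          // 94287082
	fmt.Println(TOTP(secret, time.Unix(1111111109, 0), 30*time.Second, 8))  // 07081804
	fmt.Println(VerifyTOTP(secret, "94287082", time.Unix(61, 0), 30*time.Second, 8, 1)) // true
	fmt.Println(TOTP(secret, time.Now(), 30*time.Second, 6))                // changes every 30 s
}
```

Two things worth noticing: the code is a pure function of (secret, time), so a backup of the secret is as sensitive as the secret itself, and the server accepts a code for about a minute, which is exactly the window a phishing page has to relay it.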
Here is how to turn on 2FA for your Gmail account.
I do NOT recommend SMS as the second factor, for reasons I will go into later in this article; instead, use a software app and/or a hardware key for that purpose.
For Software-based 2FA, I can recommend:
Both of those apps back up their data to each company’s respective cloud, which means that if you get a new device, you won’t have to re-add every service to the 2FA app. (Protect that cloud account accordingly: whoever controls it controls your codes.)
Or, if you’d prefer a hardware device, check out YubiKey. Their keys plug into a USB-A or USB-C port, or work with your phone over NFC.
While you’re adding 2FA to your accounts, don’t stop with just Gmail — do you use BlueSky and Facebook? Turn on 2FA there, too!
What About Passkeys?
Passkeys are a new way to log into websites that doesn’t use passwords. When you register, your device generates a key pair: the public key goes to the website and the private key stays on your device. When you log in, the website sends a random challenge, your device signs it with the private key, and the website checks the signature against the public key it stored. Because there is no shared secret to type, a passkey can’t be reused, guessed, or leaked in a breach, and because the browser ties each passkey to the site it was registered on, a lookalike phishing site can’t use it. Passkeys can sync across your devices via iCloud Keychain, Google Password Manager, or similar; the private key is end-to-end encrypted when it does.
The security of your passkey is handled by your device, which means you unlock it the same way you unlock your device: with your fingerprint (Touch ID), your face (Face ID), or your device PIN. And if you lose your device? Once you log in to your cloud account on a new device, you’ll have all of your passkeys back.
There is an important consideration here: your passkeys are only as strong as your device. If you have a weak PIN or password on your device, or let someone else use your device, your passkeys are now at risk. Never EVER give out your device PIN or password for that reason.
Learn more about passkeys at https://safety.google/authentication/passkey/ and try a live demo at https://www.passkeys.io/ to see how they work!
Update Your Software and Devices
Computers, cellphones, appliances, and routers: if it runs software, it needs to be kept up to date.
Run software updates regularly. Attackers start exploiting a vulnerability within days of the fix being published, sometimes hours, because the fix itself tells them where the bug is, so applying updates sooner rather than later narrows the window in which you can be hit.
If you run Windows, turn on automatic updates so your machine updates in the wee hours of the morning. If you’re worried about an update breaking your machine, ask yourself: would you rather run into problems from an update (which can be fixed) or get hit with a ransomware attack (which is costly)?
Remove Cellphone Numbers From Your Accounts
There is a type of attack called “SIM swapping”, wherein the attacker convinces (or bribes) your carrier to port your cellphone number to a new SIM in a phone that they own. You’ll have no warning that this is about to happen; you’ll only find out when your phone suddenly loses cell service. From there, the attacker receives every SMS sent to your number, including password-reset and 2FA codes, and can use them to take over any online account that falls back to SMS.
Such an attack sounds rather complicated, but in reality the going rate for a SIM swap is about $100 per number. Seriously: if a cellphone number is attached to an account you control as a recovery or 2FA method, remove it ASAP.
If you have an account where a cellphone number is required, my recommendation would be to get a Google Voice number, install the Google Voice app on your phone, and turn off SMS forwarding of messages. When a text comes in to the Google Voice number, you will get an alert on your phone with the contents of the text. (You did enable 2FA or set up a passkey for your Google Account, right?)
A benefit of this approach is that it also protects against your cellphone being stolen and the SIM put into a new phone to receive 2FA texts.
Put a PIN on Your Cellphone Account
Cellphone companies often allow you to set a PIN (sometimes called an account or port-out PIN) on your account, so that anyone attempting to change anything on it, including porting the number, has to supply the PIN in addition to the password. It varies by carrier, and it’s not perfect, since a bribed or social-engineered store employee can bypass it, but it’s one more layer of defense which can help against a persistent attacker.
Some cellphone companies like US Mobile will let you put actual 2FA on your account with them. Do it!
Turn Off Sharing On Your Computer
Go into the “Sharing” settings on your computer (on a Mac, System Settings > General > Sharing) and turn off anything you’re not using. Even if you are using it, carefully consider whether it’s something you really need, and whether you really need it turned on 100% of the time. If it is something used infrequently, consider turning it on only as needed and turning it off afterwards. An attacker can’t break into a service that’s not running.
Set a Password in Telegram
Are you using Telegram? Telegram is a popular messaging platform with 700 million users worldwide. Telegram logs you in by texting a code to your phone number, but recall what I said above about SIM swapping attacks? Telegram will let you set up two-step verification by adding a password. Do it.
Set Passwords in other Cellphone-based Apps
Seeing a trend yet? Any app that uses your cellphone number to “sign in” absolutely needs a second factor, because if you are hit with a SIM swapping attack, the attacker now has the skeleton key to all of those accounts. (I’m looking at you, Panera.)
What if there’s no way to set a password in such an app? See if there is a way to add your email address in the app. That gives you another method of account recovery, should it be necessary.
Cover Your Laptop Cameras
One way to spy on a user is to infect their laptop with malware and then use the laptop camera to watch them. While camera covers are a thing, I don’t recommend them, because the thicker ones press against the display when the laptop is closed and can damage it. Instead, just use a piece of masking tape or painter’s tape. A bonus of that approach is that if your camera has an LED, you’ll see the LED through the tape.
Yes, I had a number of calls where I thought there was something wrong, and realized I had the camera covered — switching to tape reduced the number of those incidents to zero. 🙂
Defense in Depth
If you’ve made it this far, you’re probably wondering why I suggested disassociating your cellphone number from your accounts, but also adding a PIN on your cellphone account?
The reason for that is a concept called Defense in Depth. That is an approach where you have multiple layers of security, so that if one layer is breached, an attacker still cannot get into your computer or your accounts. As an example of how much one strong layer can matter: Google says that successful phishing attacks against their employees dropped to zero after switching to hardware keys for 2FA.
Avoiding Phishing Attacks
Phishing attacks can be tricky — because the blackhats behind them tend to do a really good job of making their emails look both convincing and urgent. One way to defend against them is the following:
If you click a link in an email and suddenly get a login screen, stop and close that tab. Then open a new tab and type the site’s address yourself, or use a pre-existing bookmark, and log in there. If the message was real, whatever it wanted you to see will be waiting in your account.
If you’re using a YubiKey or a passkey, there is an extra layer of defense called origin binding: the credential is tied to the exact site it was registered on, and the browser will only use it on that site, so only the legitimate site can authenticate with it. While you may be fooled, the YubiKey or passkey will not be. 🙂
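To make the origin binding concrete, for both the passkey section above and the phishing point here, the following is an added example in Go. It is not code from the post and not a real WebAuthn library: a toy relying party (the website) and a toy authenticator (the device) with an ECDSA P-256 key per site. The hostnames example.com and example.com.evil.example are made up. Real WebAuthn carries more fields (authenticator data, signature counters, attestation), but the two checks that defeat phishing and replay are the ones shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// clientData is what the browser builds and the authenticator signs over.
// The web page cannot set these fields; the browser fills them in.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticator models the device's key store: one private key per relying
// party ID (the site's domain). Private keys never leave this struct.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// register creates a key pair for rpID and hands back only the public key.
func (a *authenticator) register(rpID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = k
	return &k.PublicKey
}

// browserSign models the browser: the RP ID is derived from the origin the
// tab is actually on, so a page at evil.example can never reach the key
// registered for example.com, and the origin in clientData is the real one.
func (a *authenticator) browserSign(origin, challenge string) (cd, sig []byte, err error) {
	rpID := strings.TrimPrefix(origin, "https://") // simplified; browsers use the effective domain
	k, ok := a.keys[rpID]
	if !ok {
		return nil, nil, errors.New("no passkey registered for " + rpID)
	}
	cd, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, k, h[:])
	return cd, sig, err
}

// relyingParty is the website. It stores only the public key.
type relyingParty struct {
	origin string
	pub    *ecdsa.PublicKey
}

// newChallenge returns 32 random bytes; a fresh one is issued per login.
func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// verify is the server-side check: challenge (anti-replay), origin
// (anti-phishing), then the signature over the exact bytes the browser built.
func (rp *relyingParty) verify(challenge string, cd, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil {
		return err
	}
	if c.Type != "webauthn.get" {
		return errors.New("unexpected clientData type")
	}
	if subtle.ConstantTimeCompare([]byte(c.Challenge), []byte(challenge)) != 1 {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if c.Origin != rp.origin {
		return errors.New("origin mismatch: assertion was made for " + c.Origin)
	}
	h := sha256.Sum256(cd)
	if !ecdsa.VerifyASN1(rp.pub, h[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Scenario runs a genuine login, a login attempted from a phishing origin that
// relays the real site's challenge, and a replay of a captured assertion.
func Scenario() (genuine, phished, replayed error) {
	auth := &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &relyingParty{origin: "https://example.com"}
	rp.pub = auth.register("example.com")

	ch := rp.newChallenge()
	cd, sig, err := auth.browserSign("https://example.com", ch)
	if err != nil {
		return err, nil, nil
	}
	genuine = rp.verify(ch, cd, sig)
	_, _, phished = auth.browserSign("https://example.com.evil.example", rp.newChallenge())
	replayed = rp.verify(rp.newChallenge(), cd, sig)
	return genuine, phished, replayed
}

func main() {
	g, p, r := Scenario()
	fmt.Println("genuine login:     ", g)
	fmt.Println("phishing page:     ", p)
	fmt.Println("replayed assertion:", r)
}
```

Compare this with the TOTP case: a phished TOTP code is a valid code, and the server has no way to tell where it was typed. Here the phishing page fails before a signature is even produced, and even a captured signature is useless because the challenge it covers is never issued again.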
Freeze Your Credit Reports
This is more about identity theft than overall security, but it’s still a very prudent move, especially in the wake of the Equifax data breach. In the US, there are three credit bureaus (Equifax, Experian, and TransUnion), and each has its own procedure for freezing your credit report:
The only time you will need to unfreeze your credit is for something that requires a credit check, such as applying for a loan or getting a credit card. These events are rare enough that the extra effort to (briefly) unfreeze your credit is worth the protection against identity theft that it provides.
Buy Google One, DropBox Plus, etc.
If you’re a Gmail user, I would recommend buying Google One, which is their paid offering. It starts at $1.99/mo for 100 GB of storage in Gmail and Google Drive. But the real benefit here is that if something goes wrong with your Google account (possibly in response to an attempted hacking), you will now have an official support channel that you can use to recover your account.
Same thing goes for your files in DropBox — their paid plans start at $9.99/mo which means that if something goes wrong, you are more likely to get a speedier resolution to your issue.
In a perfect world, neither of the above should be necessary. Sadly, we live in an imperfect world where leopards are confused with cheetahs daily.

Tor and VPNs
This section probably doesn’t apply to you unless you need to stay anonymous online because:
- A government is interested in what you may be doing, or
- You are visiting a website that tracks visitors, or
- Someone is trying to trick you into revealing your IP address and/or location (which isn’t that difficult to set up)
In addition to learning your IP address, an adversary might attempt browser fingerprinting, which would let them track you even if you are using different IP addresses. There are two ways to deal with this.
The first approach is to download the Tor Browser. This browser routes your traffic through the Tor network, so the sites you visit see a Tor exit node’s address rather than yours, and the browser itself is built so that all users look alike, which makes browser fingerprinting much less effective. This option is free.
The second approach is to use a VPN for your connection and a hardened build of Firefox for your browsing sessions. This option will cost money, because you absolutely positively should not use a “free” VPN (a VPN simply moves trust from your ISP to the VPN provider, and a free one has to pay for itself somehow). It will also be faster than Tor, but requires a little more setup and is therefore slightly more error-prone.
Again, unless you have a specific reason to believe that someone is trying to track you, Tor or a VPN is probably overkill. I’d rather see you do everything else in this blog post, and leave Tor/VPN usage for the very last thing.
Increase Your Social Media Presence
This last one is a little controversial — I have friends who would rather not be on social media for a variety of reasons, and I understand that.
Say what you will about social media, but sites like LinkedIn and YouTube, photo-sharing sites like Flickr, etc. all have one thing in common: they rank very highly in Google. This means that if you create accounts on those sites and use them semi-regularly, those are the pages that will show up when people Google your real name. This is a good thing, because if someone tries using a link farm to spread lies or misinformation about you, they will have to work that much harder to bump you down from the top five results for your real name.
The above approach is actually a simple form of reputation management, as low-key as it may be.
But I understand that social media is not for everyone.
Additional Reading
Would you like to read more about computer and software security? Great! Here is a list of resources to check out:
About the author
I am a software engineer living in Philadelphia, PA. While not a security expert, my 20+ years of experience with technology and Internet infrastructure has helped me understand much of the computer and Internet ecosystem, and where the weak points are. Feel free to check out my GitHub at https://github.com/dmuth or hit me up on Bsky.
And a disclosure: the Diceware app mentioned above was written by me, but the Diceware approach has been around since 1995.
Final Thoughts
This is hardly meant to be an exhaustive guide to security — but since the topic of security and the fear of doxxing has come up among people I follow on Twitter recently, I felt it was a good time to take some of the things that I have learned over the years and put them into a guide that others may find useful.
If you have any thoughts on the topic of security, feel free to reach out or leave a comment!
Revision History
- 2 Jan 2020 – Initial creation
- 9 Sep 2025 – Added section on passkeys