
Online Security Basics Everyone Should Know

Last year, a friend called me in a panic. Someone had gotten into her email, changed the password, and was trying to reset her bank accounts. The cause? She'd been using the same password for years across dozens of sites, and one of those sites got breached.

She's not careless - she's a smart person with a demanding job who just never got around to fixing her password situation. And that's the thing about online security: most people know they should do better, they just don't know where to start.

This guide is the practical minimum. Not paranoid-level security, not "delete all social media and use a flip phone" - just the basic habits that protect most people from most threats.

The One Thing That Actually Matters: Password Manager

If you do nothing else from this article, do this: get a password manager and start using it.

Here's the reality. You cannot remember unique, strong passwords for every service you use. You have dozens, maybe hundreds of accounts. The only way to have actually secure passwords is to not remember them at all.

What to do right now

Download Bitwarden (free) or 1Password (paid). Install the browser extension. Start saving your passwords as you log into sites. Gradually change old passwords to randomly generated ones.

Yes, you're putting all your eggs in one basket. But that basket is encrypted and protected by one very strong password that you actually can memorize. That's much better than using "fluffy123" everywhere.

The password manager also protects you from phishing: it won't autofill your password on a fake site, because that site's address doesn't match the one saved with your login. That's a security feature you get for free.

Two-Factor Authentication: Your Backup Lock

Two-factor authentication (2FA) means needing something beyond your password to log in - usually a code from your phone. If someone steals your password, they still can't get in without the second factor.

Enable 2FA on these accounts immediately:

Types of 2FA, ranked by security:

  1. Hardware key (YubiKey) - Best, but costs money
  2. Authenticator app (Google Authenticator, Authy) - Very good, free
  3. SMS codes - Better than nothing, but can be intercepted

Tip: Use an authenticator app, not SMS, when given the choice. SMS can be hijacked through SIM swapping. An authenticator app generates its codes on the phone itself, so taking over your phone number doesn't hand over the codes.

Recognizing Phishing

Most hacks don't involve sophisticated techniques. They involve tricking you into giving away your credentials or clicking something you shouldn't.

Signs of a phishing attempt:

When in doubt: Don't click the link in the email. Instead, go directly to the service by typing the URL yourself or using a bookmark. If there's really an issue with your account, you'll see it there.

The Other Basics

Keep software updated. Those updates often patch security holes. Enable automatic updates where possible.

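Use HTTPS. Look for the lock icon in your browser. Most sites use it now, but don't enter passwords on sites that don't. The lock only tells you the connection is encrypted, not that the site is who it claims to be; phishing sites can have it too.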

Be careful on public WiFi. It's fine for browsing, but avoid logging into important accounts. If you need to, use a VPN.

Think before you share. Birthdates, mother's maiden name, first pet - these security questions are often guessable from social media. Consider using fake answers stored in your password manager.

When You've Been Breached

Data breaches happen constantly. Here's what to do when a service you use gets hacked:

  1. Change your password on that service immediately
  2. If you used that password anywhere else (why?), change it there too
  3. Check if your email appears on haveibeenpwned.com
  4. Watch for suspicious activity on related accounts

With a password manager and unique passwords, a breach on one site doesn't affect you anywhere else. That's the whole point.

The Bottom Line

You don't need to become a security expert. You need to:

  1. Use a password manager with unique passwords
  2. Enable 2FA on important accounts
  3. Think before clicking links in emails
  4. Keep your software updated

These four habits block the vast majority of common attacks. Perfect security doesn't exist, but "good enough" security is absolutely achievable.

Start today. Literally today. Download a password manager and set it up. It takes twenty minutes and it's the single best thing you can do for your online security.

Emily Parker

Sarah Mitchell

Technology writer and former IT support specialist. Explains tech without the jargon.