A password manager is a small piece of software that remembers your passwords for you. You set one strong master password — the only one you ever have to remember — and the manager handles the rest. It will also generate new passwords that no human being could guess and no computer could reasonably crack.

The reason this matters is simple. Most people, asked to invent and remember dozens of passwords, do the natural thing: they reuse one or two across many sites. When a single site is breached — and they are breached, constantly — the password from that site is then tried, automatically, against every bank, email provider, and pharmacy login the attackers can think of. That is how most ordinary account theft actually happens. A password manager ends it.

See https://www.eff.org/deeplinks/2026/02/how-pick-your-password-manager

See https://www.wired.com/story/best-password-managers/

A password, even a strong one, is a single wall. If someone gets over it, they are in. The fix is to require a second proof — something you have, in addition to something you know — before any account will open. This is called multifactor authentication, sometimes shortened to MFA. The names are interchangeable. The idea is the same.

In practice: you enter your password as usual, and the site then asks for a second thing — a six-digit code from an app on your phone, a tap on a notification, or a fingerprint. A criminal who steals your password in a data breach on the other side of the world cannot log in, because they do not have your phone in their hand.

Turn this on for your email first. Your email is the master key to everything else — every other account can be reset through it — and it deserves the strongest lock you can put on it. Then your bank, then anything financial, then everything else that offers it.

When given the choice, avoid text-message codes. Phone numbers can be stolen. Choose an authenticator app (Google Authenticator, Authy, and 1Password all do this) or, better, a passkey — the newest version of the idea, and the simplest. Instead of a password at all, your device proves who you are with a fingerprint, a face scan, or a PIN. Nothing to type, nothing to remember, nothing for a criminal to steal. Where a site offers one, take it.

Most password managers will store your codes and passkeys alongside your passwords. One app, one master password, and the rest handled quietly in the background.

Of everything on this page, a password manager plus two-factor authentication on your email is the highest-leverage thing you can do. An afternoon of setup buys you years of protection. Start there.

When you visit a website, that site — and dozens of companies you have never heard of, who have paid the site to be there — drop small files onto your computer called cookies. Some are harmless. Many are not. The ones that are not exist to follow you from site to site, building a profile of who you are, what you want, what you fear, and what you might be persuaded to buy or believe.

A free tool called Privacy Badger, made by the EFF itself, blocks the trackers automatically. You install it once, in your browser, and it works in the background for the rest of your life. There is nothing to configure.

https://privacybadger.org/

The browser you use is the window through which everything else happens. Most people use the one that came with their computer — Chrome on a PC, Safari on a Mac, Edge on a Windows machine — without ever choosing it. Those browsers are not bad, but most of them are made by the same companies whose business model depends on watching you. Asking Chrome to protect your privacy is a little like asking the fox to mind the henhouse.

There are alternatives, made by people who do not sell advertising.

Brave is the easiest switch for most readers. It looks and behaves almost exactly like Chrome — the same menus, the same bookmarks, the same extensions — but it blocks trackers and advertisements by default, without any setup. You install it, and the protection is simply on. https://brave.com/download/

Firefox, made by the nonprofit Mozilla Foundation, is the older and more established choice. It is not quite as locked-down as Brave out of the box, but it is highly configurable, and the organization behind it has no advertising business to compromise its decisions. https://www.mozilla.org/firefox/new/

DuckDuckGo also makes a browser, built around the same principles as their search engine: no tracking, no profile-building, no ads following you between sites. https://duckduckgo.com/browser

Any of the three is a meaningful upgrade over the default. If you would like a single recommendation, install Brave and use it for a week. If something does not work — occasionally a site will misbehave — you can always open the old browser for that one task. Most readers find, after a few days, that they simply stop going back.

The search engine you use sees more of you than almost any other tool on the internet. Every question you have ever been embarrassed to ask out loud, every symptom you have looked up at two in the morning, every name from your past you were curious about — your search engine has all of it. Google keeps that record. So does Bing. They use it to build a profile of who you are and to sell advertising against it.

DuckDuckGo does not. It returns search results without tracking who asked, without building a profile, and without following you around the web afterward. The results are good enough for nearly all everyday searches, and on the rare occasion they are not, you can always fall back to Google for that one query.

You can use DuckDuckGo in two ways: visit duckduckgo.com directly, or set it as the default search engine in whatever browser you use. Most browsers — including Brave, Firefox, Safari, and Chrome — let you change this in the settings. Once you do, every search you type into the address bar quietly goes to DuckDuckGo instead.

It is the smallest possible change. You will barely notice it. And one of the largest streams of data flowing out of your daily life will simply stop.

A VPN — a Virtual Private Network — creates an encrypted tunnel between your device and the internet. Without one, your internet provider can see every site you visit. So can the owner of the Wi-Fi network at the coffee shop, the airport, or the hotel. With a VPN, they cannot. Your traffic appears to come from somewhere else, scrambled in transit.

A VPN does not make you anonymous. It does not protect you from a website you have logged into. What it does is take your daily browsing out of the hands of people who have no business holding it.

See https://www.wired.com/gallery/best-vpn/

Enable automatic updates. Keep your operating system, browser, and apps set to update automatically. Patches close the very vulnerabilities attackers look to exploit, and timeliness matters more than ever.

Keep your browser current. Browsers have been a significant focus of recent vulnerability research. Restart yours regularly so pending updates install.

Remove unused apps and accounts. Every app and dormant account is a potential entry point. Periodically audit what's installed on your devices and close accounts you no longer use.

Stay alert to social engineering. Treat unexpected links, login alerts, calls, and urgent requests with skepticism. Verify through a separate channel before acting.

Back up important data. Maintain regular backups of essential files, ideally with one copy stored offline or in the cloud, so you can recover quickly from ransomware or device loss.

Secure your home network. Update your router’s firmware, change default admin credentials, and place smart-home devices (thermostats, cameras, appliances) on a guest network when possible. Many IoT devices receive infrequent security updates. Call your family help desk, if needed.