Security is for everyone
In 2026, the digital world is more connected than ever. Everybody has a computer; it is just not the traditional computer anymore.
Yes, your smartphone on which you are currently reading this counts as a computer. Maybe in a more stretched way, but still, your device computes.
You doomscroll on it, communicate with friends and family over it, and you do your daily business with it.
Security is not just that annoying thing big corpo wants you to follow; it’s more than that.
Security is not about being paranoid. It’s about reducing risk with small habits, so one bad day doesn’t turn into a disaster.
“I have nothing to hide!”
That’s the catchphrase a lot of people use when we try to teach them about cyber security at work.
Well, I think times have changed.
Getting hacked doesn’t mean someone reads your diary. It usually means: account takeover, money gone, identity used, or your data sold in a bundle.
Most attacks are boring and automated. You’re not “targeted”, you’re just “available”.
You don’t run around with your deepest beliefs on a hat or t-shirt. Well, this one is rhetorical. But the following questions are not:
- Would you also print your current balance on a shirt?
- Would you tell your whole friend group what your favourite categories are on TheHub?
- Would you share your credit card details with a moose online?
If you answered 2/3 with “HELL NO”, here are some ideas to stay more secure and private online.
Quick reality check:
What do you want to protect (money, accounts, photos)? From who (random bots, scammers, exes, coworkers)? And how much inconvenience can you tolerate? That’s your security level.
Basic Principles of staying secure online
The No-Money required options
- Do not share personal information online
  - Name
  - Last name
  - Address
  - Phone number
  - Photos with location data (EXIF metadata)
  - Photos of you or your loved ones
    - Especially photos of minors
- Use different passwords for each service
  - When a data breach occurs and your e-mail and password become public, you want every other account to have a different password.
  - Once data is out there, you won’t get it back. Never reuse a password for critical applications; banking and PayPal should not share the same password.
  - Once a combination is out there, you are out of luck.
  - Monitor your e-mail address for data leaks. One of the biggest platforms offering a free service is https://haveibeenpwned.com/
- Use different e-mail addresses
  - Separate your gaming, banking, government and health data
  - Many e-mail providers nowadays offer “plus addressing”
    - This means that if your e-mail is, for example, “you@example.com”, you create a plus address simply by adding a tag after a plus sign: “you+shopping@example.com”
    - This lets you keep one inbox, but the e-mail & password combination will never be 100% the same for each service.
    - While this is not the most secure way, there are some paid services out there that can make it more secure.
- Use MFA (Multi-Factor Authentication)
  - Get an MFA application and set it up. SMS tokens are very weak, especially in countries where SIM-swapping attacks are common (the US is a prime example)
  - Free options: Microsoft Authenticator, Authy, Google Authenticator, Yubico Authenticator.
  - These are a great start. When setting them up, also screenshot the QR codes and store them on an external device like a USB stick that you keep securely at home or in another secure location.
- Secure the device itself
  - Updates on
  - Screen lock on
  - Find-My-Device enabled
  - Full disk encryption (usually on by default, but check)
- Use passkeys when possible
  - If a service offers passkeys, use them.
  - They’re harder to phish than passwords and often smoother than MFA.
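To make the plus-addressing idea concrete, here is an added Python example (standard library only, not code from the original post). It derives a per-service address, strips the tag back off to find the mailbox that really receives the mail, and, going one step beyond the text above, checks a constructed list of leaked addresses to see which of your tags (and therefore which services) show up in the leak. All addresses and domains are made up for the example; `example.com` and `example.org` are reserved documentation domains.

```python
import re

# Constructed sample: addresses as they might appear in a leaked credential list.
# Every entry is a made-up illustration value, not real leaked data.
LEAKED_SAMPLE = [
    "you+gameshop@example.com",
    "someone.else@example.org",
    "YOU+Newsletter@Example.com",
    "you@example.com",
]

# local part, optional "+tag", domain
_ADDRESS = re.compile(r"^([^+@\s]+)(?:\+([^@\s]*))?@([^@\s]+)$")


def split_address(address):
    """Return (local, tag_or_None, domain) with the domain lower-cased, or None if unparsable."""
    m = _ADDRESS.match(address.strip())
    if not m:
        return None
    local, tag, domain = m.groups()
    return local, tag, domain.lower()


def tag_address(address, service):
    """Derive the per-service form local+service@domain (replacing any tag already present)."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", service):
        raise ValueError("tag may only contain letters, digits, '.', '_' and '-'")
    parts = split_address(address)
    if parts is None:
        raise ValueError(f"not a parsable address: {address!r}")
    local, _, domain = parts
    return f"{local}+{service}@{domain}"


def canonical(address):
    """The mailbox that really receives the mail: tag stripped, everything lower-cased.
    Lower-casing the local part matches how the large providers treat it (an assumption
    for this example; strictly, local parts may be case-sensitive)."""
    parts = split_address(address)
    if parts is None:
        return None
    local, _, domain = parts
    return f"{local.lower()}@{domain}"


def leaked_tags(my_address, leaked_addresses):
    """Map each of my tags found in the leak to the leaked entry it came from.
    An entry for the bare address is reported under '<untagged>'."""
    mine = canonical(my_address)
    hits = {}
    for entry in leaked_addresses:
        if canonical(entry) != mine:
            continue
        _, tag, _ = split_address(entry)
        hits[(tag or "").lower() or "<untagged>"] = entry
    return hits


if __name__ == "__main__":
    print(tag_address("you@example.com", "bank"))
    for tag, entry in leaked_tags("you@example.com", LEAKED_SAMPLE).items():
        print(f"tag {tag!r} appeared in the leak as {entry!r}")
```

Run against the constructed list, the script reports the `gameshop` and `newsletter` tags plus the untagged address, which tells you which sign-ups to change passwords for first. Note that plus addressing is a labelling trick, not a secret: anyone who sees one tagged address can guess the bare one, which is why the text above still recommends a unique password per service.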
Recovery is part of Security
- If you lose your phone and your MFA lives on it… you’re cooked.
- Store recovery codes offline.
- Have at least 2 ways back into your most important accounts.
The #1 Attack: Phishing (and it still works)
- If it’s urgent, it’s probably a scam.
- Don’t click login links. Open the website yourself.
- Check the sender address, not just the name.
- If someone asks for a code: it’s a scam. Always.
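As an added example (not code from the original post), here is what “check the sender address, not just the name” and “don’t click login links” look like when you let a script do the checking. It separates the display name from the real address in a From: header and flags a brand name that does not match the sending domain, then pulls the links out of an HTML body and reports any whose visible text names a different domain than the one the link really goes to. The brand-to-domain table, the header and the HTML snippet are all constructed for the example using reserved `.example` domains; a real checker would use the brands’ actual domains and a public-suffix list instead of the crude two-label domain split used here.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> domains that brand really sends mail from.
# Hypothetical ".example" domains for illustration only.
BRAND_DOMAINS = {
    "paypal": {"paypal.example"},
    "mybank": {"mybank.example"},
}

# Constructed sample message: a display name that borrows a brand, an address that does not,
# and a link whose visible text and real target disagree.
SAMPLE_FROM = '"PayPal Support" <alerts@secure-login-mail.example>'
SAMPLE_HTML = (
    "<p>Your account is limited. Verify within 24 hours: "
    '<a href="https://secure-login-mail.example/verify">https://www.paypal.example/login</a></p>'
)


def registrable_domain(host):
    """Crude 'last two labels' reduction (www.paypal.example -> paypal.example).
    A real checker would use the public-suffix list; this is enough for the example."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(from_header):
    """Split a From: header into display name and address; warn when the name drops a brand
    whose known domains do not include the address's domain."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and registrable_domain(domain) not in domains:
            return name, addr, f"display name mentions {brand!r} but mail comes from {domain!r}"
    return name, addr, None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def deceptive_links(html):
    """Return (shown_host, real_host) for links whose visible text names a domain
    other than the one the href points at. Plain text such as 'Click here' is skipped."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown = text.strip().lower()
        shown_host = (urlparse(shown).hostname or "") if "://" in shown else shown.split("/")[0]
        if "." in shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append((shown_host, real_host))
    return findings


if __name__ == "__main__":
    name, addr, warning = check_sender(SAMPLE_FROM)
    print(f"From: name={name!r} address={addr!r} -> {warning or 'no mismatch'}")
    for shown, real in deceptive_links(SAMPLE_HTML):
        print(f"link text says {shown!r} but really goes to {real!r}")
```

Both checks are the automated form of the habit the list describes: the display name and the link text are whatever the sender typed, while the address domain and the href are where the mail and the click actually go. A mismatch is not proof of fraud, but it is the signal that should make you open the site yourself instead of clicking.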
The 15-minute Starter Kit (do this today)
- Update your phone + apps (yes, right now).
- Turn on screen lock + auto lock.
- Enable MFA on your main e-mail account.
- Change your e-mail password to something long and unique.
- Save recovery codes somewhere offline (paper beats screenshots here).
The Small Investment options
Everything from above still applies to these options; they often have a better security score, but mostly they have more comfort features.
Comfort features are not just “nice”. They reduce mistakes. And most security failures are human mistakes.
Password Manager
- Do not use your browser’s password manager
  - Their protections are often weaker. They might work okay for a start, but anyone who has access to your device can export the stored passwords easily.
- Suggestions for password managers
  - If you’re an Apple user, you can use the on-device Passwords app. Nowadays the usability is much better than before.
  - Bitwarden - self-hosted, or the single-user plan for $10/year, is one of the best password managers right now for the price you pay
  - ProtonPass - free tier; if you want account monitoring, privacy e-mail and a good VPN, you might want to look into the Proton Unlimited tier.
    - If you go for the full bundle, keep in mind: 1 password to ALL of your personal life. I personally would split at least the password manager off into another service.
  - Keeper - state-of-the-art security. On-device encryption, easy time-based password sharing; that’s the password manager for you.
Privacy E-Mail Providers
- ProtonMail - overall best in class; they offer a free tier to get you started with up to 1GB. Plus addressing also works here.
  - If you want to go to the max with plus addressing and privacy, I would recommend SimpleLogin as an add-on service. SimpleLogin works with every mail provider, by the way, so even if you do not want to let Gmail go, you can still get a more privacy-focused mailbox with them. I would say you start a new mailbox anyway, so your old accounts, newsletters etc. do not flush into your new privacy-focused mail journey.
- Mailbox.org - integrated cloud storage and document editing, German-based servers, eco-friendly
- Runbox.com - Norwegian-based servers, custom domains, eco-friendly
MFA the Endgame
Important
Hardware tokens are one of the best ways to make sure it is actually you who wants access to YOUR account and data.
They are little USB sticks with built-in secure storage for your MFA tokens, certificates and passkeys. I always recommend getting at least two of them. One is your daily driver that you may attach to your keychain, and the other is stored securely at home.
The only tricky thing is that when setting up a new MFA account you need to configure both at the same time, OR you store the information (the QR code or phrase) on a USB device (encrypted SSDs such as the SanDisk Extreme Portable drives with built-in encryption come to mind) and add the accounts to the second token later.
- Yubico YubiKey 5C NFC - hardware tokens. Yes, the best way to ensure that only you have access to your most valuable accounts is a hardware token. YubiKeys are the most recognizable ones.
- Google Titan Security Key - a hardware token by Google. Yep, while Google is still the big bad corpo, hardware tokens are simply just that. They do not send your data across the pond and work the way you want them to.
- Feitian FIDO tokens - another reputable token vendor.
There are many more ways to increase your security and privacy.
This will probably become a series, so come back later for more.
Until then, stay safe, stay alert
~ pabumake