How to Protect Yourself Online (2026 Edition)

Every year I write an updated “How to protect yourself online” guide for friends and family who want a New Year’s Resolution that might actually stick. (Not my techno nerd friends. If you know what a Yubikey or an elliptic curve is, you can skip this one). Here’s my latest guide for New Year’s Eve 2026.

Most people think they’re “not important enough to hack.” This is backwards. Online attacks aren’t personal—they’re opportunistic. You’re not being targeted by some hoodie-wearing genius in a dark room. You’re being swept up by bots running leaked password lists against every login form they can find.

If you reuse passwords or skip two-factor authentication (2FA), it’s not a question of if, it’s when.

The attack pattern is depressingly simple: Your leaked Facebook password unlocks your email. Your email resets your bank password. Now someone in Belarus is buying AirPods on your dime, and you’re spending Tuesday morning on hold with fraud departments. That’s the good outcome. The bad one involves identity theft, ransomware, or your ex finding out what you really think about their new partner.

All of it’s preventable with about an hour of setup.

The Old Way (That Puts You at Risk)

You know how you do it:

Reuse the same 1–3 passwords everywhere.
Add a number or symbol when a site forces you. (Password1 becomes Password1!)
Write them down on a Post-it under your keyboard, or trust browser autofill.
Use SMS text codes for 2FA, if you’re feeling fancy.

It feels safe enough until it isn’t. One breach compromises a dozen accounts. I’ve seen this happen to smart people—professors, lawyers, that friend who swears they’re “careful online.” Nobody thinks it’ll be them until their Instagram is DMing crypto scams to their mom.

The Better Way (That’s Actually Easier)

We’re going to make your digital life both more secure and less annoying by letting trusted tools remember everything for you.

1. Use a Password Manager

Let a tool remember everything. Your brain has better things to do.

Recommended: Bitwarden—free, open source, secure
Alternative: 1Password—paid, polished, excellent if you value hand-holding
Not Recommended: LastPass—suffered more breaches than a medieval castle

Your vault’s secured by one strong master password. A long phrase works great: correct horse battery staple beats P@ssw0rd! every time. The manager auto-fills logins across all your devices. You’ll never type a password again, which means you’ll never fat-finger one at 11 PM trying to order Thai food.

2. Turn on 2FA for Critical Accounts

That’s email, bank, social media, health portals—anything that would ruin your week if compromised. Skip SMS when possible and use an authenticator app instead:

Recommended: Authy—easy setup, cloud backup, doesn’t abandon you when you upgrade phones
Alternative: Google Authenticator—works fine if you enjoy living dangerously without backups

This adds a one-time code every time you log in from a new device. Think of it as your accounts checking IDs at the door. Annoying at the door, reassuring when someone else tries to get in.

“But I Already Have a Strong Password!”

Congratulations. That’s like having a really secure front door and leaving all the windows open.

Strong passwords don’t matter if you reuse them. When Adobe got breached in 2013, they leaked 153 million passwords. If yours was Tr0ub4dor&3 on Adobe and your bank, well, your strong password just became everyone’s password.

Unique passwords per site plus 2FA is the formula. There’s no shortcut, but there is an easy way: let the password manager generate and remember them for you.

Step-by-Step Onboarding Plan

Don’t try to fix everything tonight. Just follow this ramp:

Install Bitwarden (or 1Password) and create your vault.
Secure your email, bank, and Apple/Google accounts first. These are the crown jewels—everything else resets through them.
Turn on 2FA for those accounts using Authy.
Let Bitwarden start capturing passwords as you browse.
Each time you log into a site going forward:
- Save it in your vault.
- Generate a new, strong password (let it create something like X7$mK9#pL2@qN4—you’ll never see it again anyway).
- Turn on 2FA if it’s available.
Repeat. You’ll be fully migrated in a few weeks without stress or existential dread.

Handy Links

Summary

Digital security isn’t about paranoia. It’s about hygiene.

You lock your front door. You don’t reuse toothbrushes. Don’t reuse passwords or skip 2FA.

With the right tools, you can be way safer in under an hour and never have to memorize a password again. Your future self—the one not on hold with the bank—will thank you.