How to Protect Your Privacy Online - A Practical Safety Guide for Every Level

Passwords, two-factor auth, VPNs, and browser habits — what actually matters, what's overkill, and how to protect yourself without overhauling your whole setup.
Worth knowing upfront
- You don't need to do everything here at once. Start with passwords and 2FA — those two alone cover most of the real risk
- About 80% of people reuse passwords across accounts. One breach then opens everything else — a password manager fixes this completely
- Two-factor authentication blocks over 99.9% of account compromise attacks, even when your password has already been leaked
- Most people don't need a VPN for day-to-day browsing — but public Wi-Fi is a real exception worth knowing about
- Firefox and Brave block hidden trackers by default. Chrome doesn't — and the main tool people used to fix that was disabled in 2025
What actually gets people.
Data Breaches
Companies get hacked and your email, password, and personal details end up for sale. Over 17.5 billion accounts are already in breach databases.
Phishing
Fake emails and links that look real enough to fool you into handing over your login details. Behind 14% of all data breaches.
Weak & Reused Passwords
48% of passwords can be cracked in under a minute. And roughly four in five people reuse the same ones — so one breach opens everything.
Oversharing Online
Public posts, profiles, and social media give attackers the answers to your security questions before they've even tried to get in.
Your data is probably already out there
Over 17.5 billion accounts have been exposed in known data breaches. Most people's email addresses show up in at least one. This guide isn't about preventing that from ever happening — it's about making sure it doesn't cost you anything when it does.
The next section takes ten minutes and shows you exactly what's already out there about you.
Check what's already exposed — takes ten minutes.
- Go to haveibeenpwned.com — free, takes about 30 seconds
- Enter every email address you use — not just your main one
- It tells you exactly which services were involved and what data was exposed
Don't panic if your email shows up in several breaches. Most people's do. The point is knowing which passwords to change — not feeling alarmed.
Found breaches? That's normal.
Most people do. It doesn't mean your accounts are actively compromised right now — it means you know which passwords to change. That's exactly what the next section covers.
What this actually feels like day to day
Once a password manager is set up, you log in faster than before — it fills everything in automatically. Two-factor auth adds about 10 seconds per login. The initial setup takes an afternoon. After that, you don't really think about it. Most of the tools in this guide are free and run in the background.
Passwords — fix this first.
A password manager fixes this completely: it generates a unique, random password for every site, stores it encrypted, and fills it in automatically. You only remember one master password.
| Tool | Free plan | Paid price | Open source | Export data | Lock-in risk |
|---|---|---|---|---|---|
| Bitwarden | Unlimited passwords, unlimited devices, notes & cards | Free / paid available | Yes | Yes (encrypted) | Low |
| 1Password | No free plan — 14-day trial only | $3.99/mo (billed annually) | No | Yes | Medium |
| Apple Keychain | Free on Apple devices | iCloud+ from $0.99/mo | No | Yes (iPhone + Mac) | High |
| Google Passwords | Free — Chrome & Android | No paid plan | No | Yes (Chrome) | Medium-High |
Dashlane is not included — its free plan was removed and there's no compelling reason to pay for it over Bitwarden or 1Password.
Best pick for most people: Bitwarden
Free plan covers unlimited passwords on unlimited devices — the same features most paid managers charge for. The codebase is open source and it's passed multiple independent security audits including five separate 2023 reviews. If you're starting from zero, start here. 1Password is the pick if you want a more polished interface and don't mind $3.99/month.
Common concerns — answered honestly
What if the password manager gets hacked?
Password managers encrypt your vault locally before it ever leaves your device — so even if their servers were breached, attackers get encrypted data they can't read without your master password. Bitwarden has passed five independent security audits in 2023 alone. A breach of their servers doesn't mean a breach of your passwords.
What if I forget my master password?
Set up an emergency kit or recovery code the day you create your account — not later. 1Password calls this an Emergency Kit: a printed PDF you store somewhere safe.
Is it safe to have all passwords in one place?
Safer than the alternative. The real risk is one weak or reused password across twenty accounts — a well-audited password manager is far less likely to fail you than your memory is.
One thing worth doing today:
Go to passwords.google.com and run the password checkup. It shows you exactly which passwords have appeared in breaches and which ones you've reused. That list is your starting point. If you're on iPhone, the Passwords app has the same feature under Security Recommendations.
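A password checkup can tell you a password has appeared in a breach without ever sending that password anywhere. The usual design (the one Have I Been Pwned's Pwned Passwords service uses) is k-anonymity: the client hashes the password locally, sends only the first five hex characters of the SHA-1 hash, gets back every known breached hash with that prefix, and finishes the match on its own device. The example below is added here to illustrate that exchange and the reuse check; it is not code from Google, Apple or Have I Been Pwned, and the breach index and the sample vault are constructed inline so it runs offline.

```python
import hashlib

# Constructed stand-in for a breach corpus: a handful of well-known weak
# passwords. Real services index billions; the mechanism is the same.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein"]

# Index by the first 5 hex chars of the uppercase SHA-1 hash, as the
# Pwned Passwords range API does, mapping prefix -> list of suffixes.
BREACH_INDEX = {}
for _pw in BREACHED_PASSWORDS:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], []).append(_h[5:])


def range_query(prefix: str) -> list:
    """Server side: return every hash suffix that shares the 5-char prefix.
    The server only ever sees the prefix, so it cannot tell which of the
    candidate hashes (or which password) the client actually holds."""
    return BREACH_INDEX.get(prefix.upper(), [])


def is_breached(password: str) -> bool:
    """Client side: hash locally, send the prefix, match the suffix locally."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = h[:5], h[5:]
    return suffix in range_query(prefix)


def find_reused(vault: dict) -> dict:
    """The second thing a checkup reports: one password used on several
    accounts. `vault` maps account name -> password (constructed input)."""
    by_password = {}
    for account, pw in vault.items():
        by_password.setdefault(pw, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed example vault, not anyone's real credentials.
    sample_vault = {"mail": "password", "bank": "password", "shop": "Vq7!m2pLx9"}
    for account, pw in sample_vault.items():
        print(account, "-> breached" if is_breached(pw) else "-> not in index")
    print("reused:", find_reused(sample_vault))
```

The point of the prefix split is that a leaked request log would show only 20 bits of a hash, shared by many unrelated passwords; the full SHA-1 and the plaintext never leave the device.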
Two-factor authentication.
Not all 2FA is equal
| Method | How it works | Security level | Our take |
|---|---|---|---|
| Authenticator App | App generates a 6-digit code that changes every 30 seconds — you enter it after your password | Strong | Best option — use this whenever it's available |
| SMS / Text Message | Code sent to your phone number via text | Weak | SMS works but authenticator apps are stronger |
| Email Code | Code sent to your email inbox | Weak | Only use if no app option exists |
| Hardware Key (YubiKey) | Physical USB or NFC key you plug in or tap | Strongest | Best for high-value accounts like banking or email |
Which authenticator app to use
All of these are free. The difference is in how they handle backups and which devices they support.
| App | Multi-device sync | Encrypted backup | Open source | Platforms |
|---|---|---|---|---|
| Ente Auth | Yes — cross-platform | Yes — E2EE cloud | Yes | Android, iOS, Windows, macOS, Linux, Web |
| Aegis | No cloud sync | Yes — local encrypted vault | Yes | Android only |
| Apple Passwords | Yes — iCloud Keychain | Yes — iCloud Keychain | No | Apple + Windows extension |
| Google Authenticator | Yes — via Google Account | Partial | No | Android, iOS |
| Microsoft Authenticator | Yes — cloud backup | Yes | No | Android, iOS |
Best picks: Ente Auth (most people) or Aegis (Android, offline preference)
Ente Auth is the strongest all-round option: end-to-end encrypted cloud backups, open source, works on every platform, and externally audited. If you want everything on-device with no cloud component, Aegis is the better fit — but it's Android only.
Where to enable 2FA first
Start with your email and bank. If someone gets into your email, they can reset the password on everything else — so that account matters more than any other.
These navigation paths can change when apps update. If you can't find 2FA where the table says, search '2FA' or 'two-factor' in the app's settings search bar.
| Account | Where to find it | Best method |
|---|---|---|
| Google / Gmail | myaccount.google.com → Security → 2-Step Verification | Authenticator app or passkey |
| Apple ID | Settings → [your name] → Sign-In & Security → Two-Factor Authentication | Built-in Apple trusted device |
| | Profile → Menu → Settings → Accounts Centre → Password and Security → Two-factor authentication | Authenticator app |
| | Settings & privacy → Settings → Accounts Centre → Password and Security → Two-factor authentication | Authenticator app |
| Bank accounts | Varies by bank — look under Security or Login settings | App-based or hardware key if available |
VPNs — what they actually do.
VPN marketing has done a good job of making people feel unsafe without one. The honest version: at home on your own Wi-Fi, you're probably fine without a VPN. HTTPS already encrypts your traffic between your browser and the sites you visit. Your ISP seeing which domains you visit is a real thing — but for most people it's a low-stakes risk.
| Situation | Do you need a VPN? | Why |
|---|---|---|
| 🛜 Public Wi-Fi (airports, cafes, hotels) | Yes | Others on the same network can read unencrypted traffic — a VPN blocks that |
| 🌐 Accessing geo-restricted content | Yes | Works well for streaming libraries and region-locked services |
| 🏠 General browsing at home | Probably not | HTTPS already handles encryption. The privacy gain is small for most people |
If you do want a VPN — pick carefully
The most important factor when picking a VPN isn't speed or price — it's whether the provider has been independently audited and what country they operate in.
| VPN | No-logs audit | Jurisdiction | Free tier | Price | Owned by |
|---|---|---|---|---|---|
| Mullvad | Yes — Assured AB (2022) | Sweden | No | €5/mo flat | Mullvad VPN AB (independent) |
| Proton VPN | Yes — Securitum | Switzerland | Yes — 100% free tier | Free / paid (see site) | Proton AG / Proton Foundation |
| NordVPN | Yes — Deloitte (2022, 2023, 2024) | Panama | No | $12.69/mo (1-month Basic) | Nord Security |
| ExpressVPN | Yes — KPMG & Cure53 | British Virgin Islands | No | See site | Kape Technologies (⚠️) |
| Windscribe | No verified third-party audit | Canada | Yes — 10 GB / mo | $9/mo or $5.75/mo yearly | Bootstrapped / founder-owned |
⚠️ ExpressVPN is owned by Kape Technologies, which also owns CyberGhost and several other privacy brands. Their audits are legitimate — but the ownership is worth knowing before you pay.
⚠️ Windscribe has no verified third-party audit. The free tier is useful for occasional use — but if you're paying for a VPN long-term, pick an audited provider.
Five Eyes countries (US, UK, Australia, Canada, New Zealand) have intelligence-sharing agreements — VPN providers based there may be required to hand over data. Switzerland and Sweden operate under different legal frameworks.
Best picks: Mullvad (paid) or Proton VPN (free tier available)
Mullvad is the most privacy-focused option: independently audited, no-logs, €5/mo flat, accepts anonymous payment, Sweden jurisdiction. If you want a free tier to try first, Proton VPN's free plan is the only genuinely usable free VPN on this list. Windscribe also has a 10 GB free tier but has no verified third-party audit — fine for occasional use, not ideal for long-term trust.
Browser and search privacy.
Firefox
Blocks trackers, fingerprinting, and cryptominers by default. Pair with uBlock Origin for full protection.
Brave
Strong built-in shields from the first launch. No setup required to get meaningful protection.
Safari
Solid anti-fingerprinting and cross-site tracking protection. Best choice if you're already on Apple devices.
Chrome
Still the most popular browser, but no native tracker blocking and no uBlock Origin since July 2025.
Four changes that make a real difference
- Firefox and Brave both block trackers and fingerprinting out of the box — nothing to configure
- Both are faster than Chrome on most pages because they're not loading ad and tracking scripts
- On mobile: Firefox for Android supports uBlock Origin; Brave Mobile has shields built in
uBlock Origin was removed from the Chrome Web Store in late 2024 and Chrome disabled remaining extensions in July 2025. If you stay on Chrome, you're browsing without meaningful ad blocking. Read more at ublockorigin.com.
Email security and phishing.
- Check the sender's actual domain — not just the display name. 'PayPal Support <[email protected]>' is not PayPal
- Urgency is a red flag: 'Your account will be closed in 24 hours' is a pressure tactic, not a real policy
- Hover over links before clicking — the URL shown in the status bar often reveals the real destination
- Legitimate companies don't ask for your password, full card number, or PIN via email — ever
When in doubt: don't click the link. Open a new tab and go to the site directly by typing the address yourself. Takes ten extra seconds and eliminates the risk entirely.
Here's a better way to handle signups. Instead of giving a website your real email, you give them a fake one that forwards to you. If they start spamming or get hacked, you just delete that fake address — your real inbox never gets touched. That's what an email alias does. The table below covers both alias services and full private email providers, depending on how far you want to go.
| Service | Type | Free tier | Open source | Custom domain | Price | Owned by |
|---|---|---|---|---|---|---|
| Proton Mail | Private Email | 500 MB mail storage (expandable) | Yes | Yes (paid) | Free / paid (see site) | Proton AG / Proton Foundation |
| Tuta (Tutanota) | Private Email | Yes — free plan available | Yes | Yes | Free / paid (see site) | Tuta GmbH |
| SimpleLogin | Email Alias | 10 aliases, 1 mailbox, unlimited bandwidth | Yes | Yes (paid — unlimited) | $4/mo or $36/yr | Proton AG (acquired 2022) |
| addy.io | Email Alias | Yes — free plan with self-hosting option | Yes | Yes | See site | Independent |
| Apple Hide My Email | Email Alias | Included with iCloud+ ($0.99/mo for 50 GB) | No | Yes (iCloud+ custom domain) | iCloud+ from $0.99/mo | Apple |
Best starting points: SimpleLogin (aliases) or Proton Mail (full switch)
SimpleLogin's free plan gives you 10 aliases — enough to try it on the services you trust least. It's owned by Proton, the same company behind Proton Mail. If you want to move away from Gmail entirely, Proton Mail's free tier is a usable starting point. Both are open source.
Your privacy stack by profile.
Quick decision — one sentence answers
Not sure where to start? Here's the short version.
| If this is you | Do this |
|---|---|
| You only want to do one thing today | Enable 2FA on your email account |
| You reuse passwords across sites | Bitwarden — free, unlimited, works everywhere |
| You want the best 2FA app | Ente Auth (cross-platform) or Aegis (Android, offline) |
| You're on Android and want private browsing | Firefox + uBlock Origin or Brave |
| You're on iPhone | Safari is solid — or use Firefox for extra control |
| You want a private email provider | Proton Mail — free tier is genuinely usable |
| You want email aliases for signups | SimpleLogin (owned by Proton) or addy.io |
| You travel frequently or use public Wi-Fi | Proton VPN free tier or Mullvad |
| You're a developer or journalist | Start with the EFF's ssd.eff.org after this guide |
Casual User
Low effort. You want to be safer without changing much. These three things cover the majority of real-world risk and take less than an hour to set up.
Bitwarden
Free password manager. Unlimited passwords, unlimited devices. Takes about 20 minutes to set up and import your existing passwords.
Ente Auth
Enable 2FA on your email and bank first — those two accounts matter more than everything else combined. Ente Auth works on every platform and has encrypted backups.
Firefox + DuckDuckGo
Switch your default browser and search engine. Blocks hidden trackers automatically. No extensions needed to get basic protection.
Three changes. All free. That's a meaningfully safer setup for most people.
Privacy-Conscious User
Medium effort. You want proper protection — not paranoia, just a setup that doesn't leak data at every turn.
Bitwarden (paid) or 1Password
Unique passwords for every account, encrypted notes for sensitive information, shared vaults for family.
Ente Auth
Cross-platform 2FA with end-to-end encrypted backups. Open source, audited, and actually recoverable if you lose your phone.
Brave or Firefox + uBlock Origin
Brave for simplicity, Firefox + uBlock Origin for more control. Either blocks fingerprinting and trackers without configuration.
SimpleLogin or addy.io
Email aliases for signups and newsletters. Your real email stays clean and hidden from services you don't fully trust.
This stack takes a few hours to set up properly. It's worth the time.
High-Risk User
High effort. Journalists, activists, executives, or anyone who might be a specific target rather than caught in a broad sweep. The basics still apply — they're just the floor, not the ceiling.
1Password with Travel Mode
Travel Mode removes vaults from your devices at borders — a real feature for anyone crossing jurisdictions with sensitive work.
Hardware Key (YubiKey)
Physical 2FA key for email, password manager, and critical accounts. Phishing-resistant in a way no app-based code can be.
Mullvad VPN
Independently audited no-logs VPN. Accepts anonymous payment. Sweden jurisdiction. €5/mo flat — no accounts, just a number.
Proton Mail + SimpleLogin
End-to-end encrypted email via Proton, with SimpleLogin aliases for anything external. Proton is majority-owned by the Proton Foundation.
Where to go next:
The EFF's Surveillance Self-Defense guide (ssd.eff.org) is the right next stop after this guide for high-risk situations.
Common privacy mistakes — and why they matter.
Ignoring 2FA because it feels like extra effort
- It takes about 30 extra seconds per login — and that's only for accounts where you don't stay logged in.
- It blocks nearly all account takeovers, even when your password has already leaked.
- The effort-to-protection ratio here is the best of anything in this guide.
Using SMS codes and thinking you're fully protected
- SIM swapping lets attackers redirect your phone number to a SIM they control — then they receive your SMS codes instead of you.
- It's a real attack that has cost people significant money and account access.
- SMS 2FA is better than nothing. But switch to an authenticator app for email, banking, and your password manager when you can.
Running one password for everything 'because you'll remember it'
- Most people create passwords they can actually remember — which means short and predictable ones that are easy to crack.
- If one site leaks it, every account using that password is now open.
- A password manager removes the memory requirement entirely. You only need to remember one master password.
Installing a free VPN or browser extension without checking who made it
- Free browser VPN extensions are one of the most common data-harvesting tools available.
- Some extensions that claim to protect your privacy sell your browsing data to advertisers — the privacy promise is the product.
- Check who made it and read the permissions before installing anything that claims to protect you.
Paying for a VPN thinking it makes you anonymous online
- A VPN masks your IP and encrypts traffic between you and the VPN server. That's genuinely useful in specific situations.
- But the VPN provider can still see your traffic — you're shifting trust from your ISP to the VPN company, not removing it.
- For most home users on a private network, passwords and 2FA protect you from far more real-world attacks than a VPN does.
Setting up privacy tools once and never revisiting them
- Privacy isn't a one-time setup — it's a habit of checking in occasionally.
- App permissions accumulate over time. Check annually what still has access to your Google or Apple account.
- Old accounts you no longer use are still breach risks if they share a password with something active. Clean them up.
Final Thoughts on Protecting Your Privacy.
Most attacks aren't targeted at you specifically. They're broad sweeps — automated tools trying leaked passwords across thousands of sites, looking for anyone who reused the same one. Making yourself a harder target than the next person is genuinely enough.
The two things that matter most are at the start of this guide: a password manager and two-factor authentication. If you do nothing else, do those two. They're free, they take an afternoon, and they close off the most common ways accounts get taken over.
Everything else — VPNs, private browsers, email aliases — adds real value. But it's layering on top of a foundation. Build the foundation first. And honestly? Most people who set up a password manager and 2FA find it takes less effort than expected — and never go back.
Where to go after this guide.
EFF Surveillance Self-Defense
The right resource for high-risk situations — journalists, activists, and anyone who might be a specific target.
Setting Up Bitwarden
A step-by-step walkthrough for getting Bitwarden running and importing your existing passwords.
Passkeys Explained
Passwords are gradually being replaced by passkeys — cryptographic keys that can't be phished.
Switching to Proton Mail
How to set up Proton Mail, migrate from Gmail, and keep your real address off mailing lists.
Frequently asked questions.
Yes — safer than the alternative. Password managers encrypt your vault locally before it ever reaches their servers, so a server breach doesn't expose your passwords. Set up an emergency kit or recovery code on day one — that's the only real risk to plan for.
Probably not for everyday home browsing. A VPN makes real sense on public Wi-Fi — airports, hotels, coffee shops — and for accessing geo-restricted content. If you do want one, Proton VPN's free tier is the easiest starting point.
They solve different problems. A password manager keeps every password unique and strong so one breach doesn't open everything. 2FA adds a second check after the password — so even if someone gets your password, they still can't get in without the second factor. You need both.
Better than no 2FA at all — don't let perfect be the enemy of good. That said, SIM swapping is a real attack that bypasses SMS codes entirely. Switch to an authenticator app for email, banking, and your password manager when you can.
Firefox and Brave are the top picks for most people — both block trackers and fingerprinting out of the box. Brave is the easiest switch from Chrome — same interface, stronger defaults, nothing to configure. The main reason to move off Chrome is that uBlock Origin was effectively disabled there in July 2025.
An email alias is a fake address that forwards to your real inbox — services only ever see the alias, not your actual email. If they get breached or start spamming, you delete the alias and the problem disappears. SimpleLogin's free plan gives you 10 aliases — enough to try it properly.
Go to haveibeenpwned.com and enter your email address — it checks against 17.5 billion breached accounts and tells you exactly which services were involved. Check every address you use, not just your main one. Don't panic if several come back — most people's do.
Three things, in order. Check your email at haveibeenpwned.com — 30 seconds, shows you what's already exposed. Turn on 2FA for your email account — that single account is the key to everything else. Then set up Bitwarden and start moving your passwords into it.
Sources & further reading.
- Have I Been Pwned: "Have I Been Pwned: Check if your email has been compromised". 17.5 billion pwned accounts across 994 breaches — current figures from the public site
- NordPass: "Password reuse: our survey findings". Roughly four in five users reuse similar credentials across platforms — 2025 survey
- TechRadar / Kaspersky: "Nearly half of the world's passwords can be cracked in under a minute". 48% of passwords crackable under a minute; 60% within an hour — 2025 Kaspersky benchmark via TechRadar
- Microsoft Security: "One simple action to prevent 99.9% of attacks". MFA blocks over 99.9% of account compromise attacks — Microsoft Security research
- Verizon: "2025 Data Breach Investigations Report". Phishing involved in 14% of breaches — Verizon DBIR 2025
- FBI IC3: "2025 IC3 Annual Report". $6.74 million in reported SIM swap losses — FBI IC3 2025 annual report
- CISA: "Project Upskill Glossary — SIM Swapping". SIM swapping definition — Cybersecurity & Infrastructure Security Agency
- Bitwarden: "Compliance, Audits, and Certifications". Multiple 2023 independent audits — Web App, Desktop, Browser Extension, Core, Network Security
- Mullvad VPN: "VPN server audit found no information leakage or logging". Mullvad infrastructure audit by Assured AB 2022 — no logging confirmed
- ExpressVPN: "ExpressVPN Officially Joins Kape Technologies". ExpressVPN Kape Technologies acquisition — ownership context for VPN trust section
- Proton: "Proton and SimpleLogin are joining forces". SimpleLogin acquired by Proton in 2022 — ownership note in email section
- uBlock Origin: "uBlock Origin — Manifest V3 impact". Full uBlock Origin removed from Chrome Web Store late 2024; MV2 extensions disabled July 2025
- Wired: "Data Brokers' Opt-Out Forms Are Built to Fail". Data broker opt-out processes are intentionally difficult — Wired investigation
- EFF: "Surveillance Self-Defense — Choosing a VPN". VPN definition: routes traffic through encrypted tunnel; provider still sees traffic
- Ente: "Ente Auth — Open source 2FA authenticator with E2EE backups". Ente Auth feature set: E2EE backups, cross-platform, open source AGPL-3.0, externally audited
- Twilio: "End of Life (EOL) of Twilio Authy Desktop Apps". Authy Desktop EOL date: March 19, 2024 — reason Authy is not recommended in this guide
- Federal Trade Commission: "Security questions and answers — FTC guidance". Mother's maiden name and pet-name style security questions flagged as poor practice
Start now
Pick one thing and do it today
Start with your email account — check it at haveibeenpwned.com, then turn on 2FA. That's ten minutes and it's the highest-impact thing on this list.
Social media and oversharing.
Fix these two first — both take about ten minutes.
- Posting your birthday, location, and employer publicly
- Leaving accounts on 'Public' by default
Worth knowing
- Using social login ('Continue with Google/Facebook') everywhere
- Posting location check-ins in real time
- Not checking which apps have access to your accounts
- Assuming deleted means gone
Changing your settings today is worth it.
It stops new exposure immediately. Anything already public will stay that way — but the sooner you lock it down, the less there is to worry about going forward.