Privacy is not about hiding something shameful. It is about deciding who gets access to your time, attention, and personal information — and on what terms. The internet is engineered to collect data about you, and by default those settings are almost always configured in favor of the companies that built the services, not you. The good news: most of what matters comes down to habits and settings, not expensive tools or technical skill.
Work through these steps at whatever pace suits you. Even completing four or five will meaningfully reduce your exposure.
1. Use a Strong, Unique Password for Every Account
Reusing passwords is the single biggest password mistake people make. When a company suffers a data breach — and breaches happen constantly — the leaked email-and-password combinations get sold and fed into automated tools that try them across hundreds of other services. This is called credential stuffing. If your password for a forum is the same as your email account, one small breach can cascade into a very large problem.
A strong password has three qualities: it is long (at least 14 characters), random (not a word or phrase from your life), and unique (never reused anywhere else). A passphrase built from four or five unrelated words — something like "apple-frost-narrow-quilt-7" — is both strong and memorable if you need it to be. For everything else, let a password manager generate and store it for you.
Why length beats complexity
A 16-character password made of lowercase letters has more possible combinations than an 8-character password with mixed case, numbers, and symbols. Adding length is the single most effective thing you can do to a password.
2. Use a Password Manager
A password manager is a secure, encrypted vault that stores all your passwords behind one strong master password. You only ever need to remember one credential; the manager remembers the rest and can generate long random passwords for every new account you create.
How to get started: Choose a reputable manager — several well-regarded options are available, both free and paid. Install the browser extension and the mobile app. Import any passwords your browser already has saved. Then work through your most important accounts (email, banking, shopping) and replace weak or reused passwords with new, randomly generated ones from the manager. This process takes a few evenings and pays dividends for years.
Most managers also include a breach alert feature that notifies you when a site you use appears in a known data breach, so you know exactly which password needs changing.
3. Enable Two-Factor Authentication (2FA)
Two-factor authentication adds a second verification step beyond your password. Even if an attacker obtains your password, they cannot access your account without also having this second factor. Think of it as a deadbolt on top of a standard lock.
The hierarchy of 2FA methods, from best to acceptable:
- Hardware security key — a physical device you plug in or tap; the most phishing-resistant option available.
- Authenticator app (generates time-limited codes) — excellent protection, works without a signal, and is not vulnerable to SIM-swapping attacks.
- SMS codes — better than no 2FA at all, but phone numbers can be hijacked via SIM-swap fraud, so upgrade to an authenticator app where possible.
Enable 2FA first on your email account (which can be used to reset every other password), then your financial accounts, and then everything else. Most services walk you through setup in under three minutes.
4. Adjust Your Browser's Privacy Settings
Browsers ship with settings that favor convenience over privacy, and a few minutes of configuration makes a noticeable difference.
Settings worth changing
- Block third-party cookies. These are the primary tool that advertising networks use to track you across websites you have never visited. Every major browser now offers this setting.
- Enable "Do Not Track" and "Global Privacy Control." While not legally enforced everywhere, more sites are beginning to honor these signals.
- Set your default search engine to a privacy-respecting option. Several search engines do not build a profile of your searches or link them to an identity.
- Review and limit browser extensions. Extensions can read every page you visit. Remove any you do not actively use. For each one you keep, check what permissions it requests.
- Consider a privacy-focused browser for general browsing. Some browsers are built from the ground up to block trackers and fingerprinting attempts. Using one for non-logged-in browsing is a practical upgrade.
Practical tip
Browser fingerprinting — identifying you by the unique combination of your browser version, screen resolution, installed fonts, and other attributes — works even when cookies are blocked. Keeping your browser updated and using a common configuration (not unusual fonts or window sizes) reduces your fingerprint's uniqueness.
5. Recognize and Resist Phishing
Phishing is the practice of tricking you into revealing credentials or clicking malicious links, usually through email but increasingly through text messages ("smishing") and phone calls ("vishing"). It remains the most common way people lose access to accounts because it targets human instincts — urgency, curiosity, and trust — rather than software vulnerabilities.
Red flags to watch for
- The message creates artificial urgency: "Your account will be suspended in 24 hours."
- The sender address does not match the organization — hover over the sender name to see the actual address.
- Links in the message go to an unexpected domain — hover before clicking; the destination appears in your browser's status bar.
- The greeting is generic ("Dear Customer") rather than your actual name.
- There are requests for personal data, passwords, or payment that seem out of place.
When in doubt, go directly to the organization's website by typing the address yourself, or call a number you found independently. Never call the number provided in a suspicious message.
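The red flags listed above can also be checked mechanically. The following is an added example, not part of the original guide: a small Python filter that parses a raw message and reports which of those signals it contains. The pattern lists, the names `red_flags`, `site` and `Links`, and the `.example` domains are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Text red flags as regexes (assumed word lists; tune them for your own mail).
TEXT_FLAGS = {
    "urgency": re.compile(r"\b(suspended|immediately|final notice|(with)?in \d+ hours)\b", re.I),
    "generic_greeting": re.compile(r"^\s*dear (customer|user|member)\b", re.I | re.M),
    "data_request": re.compile(r"\b(password|card number|pin|security code)\b", re.I),
}

class Links(HTMLParser):  # collects <a href> targets: what hovering over a link reveals
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def site(host):
    # Crude registrable domain (last two labels); real code should use the Public Suffix List.
    return ".".join((host or "").lower().split(".")[-2:])

def red_flags(raw, expected_site):
    msg = message_from_string(raw)
    body = msg.get_payload()                      # sample messages are single-part
    text = re.sub(r"<[^>]+>", " ", body)          # visible text only
    flags = [name for name, pat in TEXT_FLAGS.items() if pat.search(text)]
    sender = parseaddr(msg.get("From", ""))[1]    # address behind the display name
    if site(sender.rpartition("@")[2]) != expected_site:
        flags.append("sender_mismatch")
    links = Links()
    links.feed(body)
    if any(site(urlparse(h).hostname) != expected_site for h in links.hrefs):
        flags.append("unexpected_link_domain")
    return flags

# Constructed sample messages using reserved .example domains.
PHISH = ('From: "Example Bank" <security@examplebank.account-check.example>\n\n'
         "<p>Dear Customer,</p><p>Your account will be suspended in 24 hours. Confirm your "
         'password <a href="https://examplebank.example.login-verify.example/reset">here</a>.</p>')
LEGIT = ('From: "Example Bank" <statements@mail.examplebank.example>\n\n'
         '<p>Hello Dana,</p><p>Your statement is <a href="https://www.examplebank.example/s">ready</a>.</p>')

if __name__ == "__main__":
    print(red_flags(PHISH, "examplebank.example"), red_flags(LEGIT, "examplebank.example"))
```

Both the sender and the link in the first sample begin with the organization's name, yet the part that counts is the end of the hostname, which is why the check compares the last labels rather than looking for the name anywhere in the address.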
6. Audit App Permissions on Your Phone
Smartphone apps regularly request permissions that have no obvious relationship to their function — a flashlight app that wants your contact list, a game that wants your microphone. These permissions provide a continuous stream of data about your life, location, and relationships.
Both major mobile operating systems now make it straightforward to review and revoke permissions. Go to your phone's Settings, then Privacy or Permissions, and work through location, microphone, camera, contacts, and photo library access app by app.
A useful rule: if you cannot immediately explain why an app needs a particular permission, revoke it. Most apps continue to function perfectly well with fewer permissions than they initially requested. Also consider turning on the setting that requires apps to request permission each time rather than granting permanent "always on" access.
7. Understand and Use a VPN Appropriately
A Virtual Private Network (VPN) creates an encrypted tunnel between your device and the VPN provider's server. Traffic leaving the tunnel looks like it originates from the provider's server rather than your device, masking your IP address from the sites you visit and encrypting your activity from anyone on the same local network.
| Situation | VPN Benefit | Limitation |
|---|---|---|
| Public Wi-Fi (café, airport, hotel) | Encrypts traffic from others on same network | Does not protect against malicious sites |
| Home internet | Hides browsing from your internet provider | VPN provider can now see your traffic instead |
| Bypassing geographic content blocks | Makes you appear to browse from another region | Some services actively block VPN IP ranges |
| Logged in to services (email, bank) | Minimal — the service already knows who you are | Your identity is not hidden once you log in |
When choosing a VPN, prioritize providers that have independently audited no-logs policies — meaning they are verified not to retain records of which sites you visited. The price of a VPN subscription is not a reliable quality indicator. Read the privacy policy carefully and look for published audit results.
8. Tighten Your Social Media Privacy Settings
Social media platforms are designed to encourage sharing, and their default settings reflect that. A few configuration changes significantly limit who can see what you post and how your data is used for advertising.
- Set your profile and posts to friends only rather than public — this limits what data brokers and strangers can scrape directly.
- Review which third-party apps have been granted access to your account and revoke those you no longer use.
- Opt out of interest-based advertising in each platform's settings (often buried under "Ads" or "Data permissions").
- Disable location tagging on posts and in the app's permissions.
- Think carefully before including your real birthdate, phone number, and workplace in your public profile — this information is useful to identity thieves.
9. Opt Out of Data Broker Databases
Data brokers are companies whose entire business model is collecting and selling personal information — your name, home address, phone number, relatives, estimated income, and purchase history — to anyone who wants to pay for it. They gather this from public records, loyalty programs, and other brokers. Most people have no idea these profiles exist.
You have the right to request removal from most of these databases, though the process is deliberately tedious: each broker requires a separate opt-out, often involving email verification or a form submission.
Where to start: Search for your full name plus your city in a search engine and note which people-finder sites show your information. Visit each site's removal page — usually found under "Privacy" or "Do Not Sell My Information." Expect the process to take a few hours the first time, with periodic re-checking because brokers re-add information from new sources.
The long-term approach
Some opt-out services can handle the repetitive broker removal process on your behalf. If you find the manual process overwhelming, this is a worthwhile consideration. Priority targets are the large aggregators: removing your information from three or four major brokers eliminates the source data that dozens of smaller sites scrape from them.
10. Keep Your Software Updated
Software updates are the least glamorous privacy step on this list and one of the most important. The vast majority of successful attacks against ordinary users exploit known vulnerabilities: security flaws for which a patch already exists, but which remain open on devices whose owners postponed the update.
Enable automatic updates for your operating system, browser, and apps. This is not about getting new features; it is about closing the doors that attackers are actively trying to push open. When a security patch is released, it is effectively a public announcement that a vulnerability exists — and attackers immediately begin targeting unpatched systems.
Pay particular attention to: your operating system, your browser, your email client, any PDF reader, and any video conferencing software — these are the most frequent targets.
11. Create Secure, Encrypted Backups
A backup protects you against a specific and underappreciated privacy threat: ransomware. Ransomware is malicious software that encrypts your files and demands payment for the decryption key. The only reliable defense is a backup that the ransomware cannot reach.
The 3-2-1 rule is the standard recommendation: keep three copies of important data, on two different types of storage, with one copy stored off-site (or in the cloud). Practically, this means your computer plus an external drive plus an encrypted cloud backup.
The "encrypted" part matters: if your backup service stores your files in a readable form on their servers, a breach at that service exposes your data. Look for services that offer zero-knowledge encryption, where your files are encrypted before they leave your device using a key only you hold. The trade-off is that if you lose that key, the service cannot recover your files either, so store your encryption key and backup recovery codes somewhere physically secure.
12. Practice Email Hygiene and Use Aliases
Your email address is the master key to your online identity: reset links for every account go there, and every service you sign up for adds it to their mailing list and, often, their marketing database. Protecting it has compounding benefits.
Practical habits
- Use a dedicated email address for important accounts (banking, email-based 2FA, government) and a separate address for forums, newsletters, and retail signups.
- Email aliasing services let you create unlimited unique addresses that forward to your real inbox. When a site sells its mailing list or suffers a breach, you can delete the alias without changing your real address — and you know exactly which service leaked your contact.
- Be selective about confirmations. "Unsubscribe" links in unsolicited email confirm that your address is active. For spam from unknown senders, delete rather than unsubscribe.
- Enable spam filtering at the server level if your provider offers it, rather than just at the client level — this prevents phishing emails from even reaching your inbox.
Quick Reference: All 12 Steps
| # | Step | Effort | Impact |
|---|---|---|---|
| 1 | Unique passwords for every account | Low once you use #2 | Very High |
| 2 | Password manager | Medium (one-time setup) | Very High |
| 3 | Two-factor authentication | Low | Very High |
| 4 | Browser privacy settings | Low | High |
| 5 | Phishing awareness | Ongoing habit | Very High |
| 6 | App permission audit | Low (periodic) | Medium–High |
| 7 | VPN on public Wi-Fi | Low once installed | Medium |
| 8 | Social media settings | Low (one-time) | Medium–High |
| 9 | Data broker opt-outs | High (first time) | Medium |
| 10 | Software updates | Very Low (automatic) | Very High |
| 11 | Encrypted backups | Medium (one-time setup) | High |
| 12 | Email hygiene and aliases | Low–Medium | Medium–High |