Privacy protection online 2026
How do I protect my personal data and privacy online in 2026?
Project Plan

Why: Reusing passwords is the #1 cause of account takeovers; a manager ensures unique, complex credentials for every site.
How:
- Download a reputable open-source manager like Bitwarden or KeePassXC.
- Generate a master password of at least 20 characters using a passphrase (e.g., four random words).
- Import existing passwords and use the built-in 'Security Audit' to find duplicates.
Done when: All accounts have unique passwords and the master password is memorized or stored in a physical safe.
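Added example (not part of the original plan): a passphrase generator that applies the "four random words, at least 20 characters" rule with the operating system's CSPRNG and reports the entropy the choice actually provides. The function names and the 32-word list are constructed for illustration; a real list should contain thousands of words.

```python
import math
import secrets

# Constructed 32-word list so the example runs offline. It is far too small
# for real use; substitute a large published list (assumption: thousands of words).
SAMPLE_WORDS = (
    "amber basil cedar delta ember fjord gravel harbor icicle jigsaw kettle "
    "lantern magnet nectar orchid pebble quartz ribbon saddle timber umpire "
    "velvet walnut yonder zipper bucket candle dragon falcon garlic hammer island"
).split()


def entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words independent uniform picks from list_size words."""
    return num_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, num_words=4, min_length=20, sep="-"):
    """Pick words with the OS CSPRNG; enforce the plan's 20-character floor."""
    words = list(words)
    if len(set(words)) != len(words):
        raise ValueError("duplicate words lower the real entropy")
    longest = num_words * max(map(len, words)) + len(sep) * (num_words - 1)
    if longest < min_length:
        raise ValueError("word list cannot reach the minimum length")
    while True:
        # Retrying short results trims the space slightly; strength still
        # comes from list size and word count, not from character length.
        phrase = sep.join(secrets.choice(words) for _ in range(num_words))
        if len(phrase) >= min_length:
            return phrase
```

With a 7,776-word diceware-style list, `entropy_bits(4, 7776)` is about 51.7 bits, while the same four words drawn from the 32-word sample list give only 20 bits despite passing the length check.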

Why: Passkeys are phishing-resistant and represent the 2026 standard for secure, passwordless authentication.
How:
- Log into your high-value accounts (Google, Microsoft, Apple, GitHub).
- Navigate to Security settings and select 'Create a Passkey'.
- Save the passkey into your hardware security key or your encrypted password manager.
Done when: Your top 5 most important accounts no longer require a typed password.

Why: SMS codes are easily intercepted via SIM-swapping; hardware keys provide the highest level of protection.
How:
- Purchase two generic FIDO2/WebAuthn security keys (one for daily use, one for backup).
- Register both keys on all accounts that support them.
- Disable SMS 2FA wherever hardware keys or TOTP (authenticator apps) are accepted.
Done when: Hardware MFA is the primary second factor for all critical accounts.

Why: Using your real email address everywhere allows data brokers to link your activities across different platforms.
How:
- Register with an open-source aliasing provider (e.g., SimpleLogin or Addy.io).
- Create a unique alias for every new service you sign up for.
- Deactivate aliases that start receiving spam to instantly stop the leak.
Done when: Your primary email address is hidden from 90% of the services you use.

Why: Standard DNS allows your ISP to log every domain you visit; private DNS encrypts these queries and blocks trackers.
How:
- Use a provider like Quad9 (9.9.9.9) for privacy or NextDNS for customizable blocking.
- Enter the DNS-over-TLS or DNS-over-HTTPS addresses in your router settings to protect the whole home.
- Configure 'Private DNS' on your mobile device (Android/iOS) for protection on the go.
Done when: A DNS leak test confirms you are using your chosen private provider.

Why: If your device is stolen, unencrypted data is easily accessible to anyone with physical access.
How:
- On Windows, use VeraCrypt (open-source) or BitLocker (if available).
- On macOS, ensure FileVault is turned on in System Settings.
- On Linux, use LUKS encryption during or after installation.
Done when: All system and external backup drives require a password/key to mount.

Why: Mainstream browsers are optimized for data collection; hardened browsers block fingerprinting and telemetry by default.
How:
- Download LibreWolf (hardened Firefox) or Brave (set to 'Aggressive' blocking).
- Install essential extensions: uBlock Origin (in Medium Mode) and a cookie auto-delete tool.
- Disable 'Safe Browsing' if you prefer not to send URL hashes to Google (trade-off: slightly lower malware protection).
Done when: The browser scores 'Strong Protection' on tools like Cover Your Tracks.

Why: Apps often collect location, contact, and microphone data that they don't strictly need.
How:
- Go to Settings > Privacy > Permission Manager on your phone.
- Revoke 'Always Allow' location for all apps except navigation.
- Disable microphone and camera access for any app that isn't a communication tool.
- Enable 'Delete permissions if app is unused'.
Done when: Only essential apps have access to sensitive sensors.

Why: Standard SMS and many 'secure' apps still collect metadata (who you talk to and when).
How:
- Install Signal and set it as your default messaging app where possible.
- Enable 'Sealed Sender' and 'Registration Lock'.
- Set 'Disappearing Messages' by default (e.g., 1 week) to minimize data lingering on devices.
Done when: Your most frequent contacts are moved to Signal with disappearing messages active.

Why: Photos contain hidden data like GPS coordinates, device serial numbers, and exact timestamps.
How:
- Use an open-source tool like 'ExifEraser' (Android) or 'Metadata Cleaner' (Desktop).
- Run all photos through the cleaner before uploading to social media or cloud storage.
- Configure your camera app to stop saving location data in settings.
Done when: Shared photos no longer contain GPS or device-identifying tags.

Why: Data brokers scrape public records to sell your profile; manual opt-outs reduce your visibility in search engines.
How:
- Visit the 'Opt-Out' pages of major aggregators (e.g., Whitepages, Spokeo, MyLife).
- Use a free guide like the 'Big Ass Data Broker Opt-Out List' to find direct links.
- Submit removal requests using your email aliases.
Done when: Your name and address no longer appear in the top 5 people-search engines.

Why: Privacy is a moving target; regular audits ensure your settings haven't been reset by updates.
How:
- Create a recurring calendar event every 3 months.
- Review 'Active Sessions' in your main accounts and log out of unknown devices.
- Check for firmware updates on your router and IoT devices.
- Delete accounts for services you haven't used in the last 90 days.
Done when: A recurring reminder is set in a privacy-respecting calendar.