Introduction
Why this guide exists
Most security advice is written for corporate IT teams or technical hobbyists. This guide is for ordinary households: one person or several, with phones, laptops, a router, online accounts, photos, money, relatives, and a growing pile of connected devices.
The risks are real, but they are not mystical. Most harm is prevented by a small number of high-impact habits: protect email, use unique passwords, turn on a second sign-in step, keep devices updated, back up important files, prepare for scams, and know what to do when something goes wrong.
What it covers
The guide treats security, safety, and privacy as one connected problem. A privacy leak can become a stolen password; a stolen password can become a scam; a scam can become a real-world safety issue.
It covers accounts, devices, home networks, browsers, smart-home equipment, backups, fraud prevention, scams, travel, incident response, high-profile households, and digital estate planning. It also names tools where practical advice needs practical examples.
Who it is for
This is for households that want to take digital safety seriously without becoming security experts. It pays particular attention to people who may need extra support: children, teenagers, older relatives, less technical adults, home workers, and people who are unusually visible online.
It is not written for large organisations, compliance teams, or people facing sophisticated state-level threats. Some of the advice will still help those readers, but they may need specialist support beyond this guide.
How to use it
Start with the Introduction, then move through the guide in order when you want the full reasoning, sources, tradeoffs, and tool choices. If you only have time for a few changes, prioritise email, passwords, a second sign-in step, device updates, backups, and scam decisions.
You do not need to do everything at once. Make the critical changes first, improve the rest over time, and review once a year. Steady progress through the priorities in this guide will leave your household dramatically safer than the day you started.
The structure is deliberate:
- Part 1 gives you the context to make good decisions.
- Parts 2 through 4 work outward from your devices, to your network, to your daily habits.
- Part 5 covers resilience and the real world: backups, fraud, scams, travel, what to do when something goes wrong, and what happens to your digital life when you’re gone.
- Part 6 covers high-profile households, where public attention, harassment, money, controversy, or a specific adversary changes the risk.
- Part 7 is the implementation roadmap: what to do first, what to do next, and what can wait.
Not every recommendation matters equally. Critical means act first; high means do it within a month; medium means useful within a few months; low means good hygiene when convenient. When advice is only relevant to high-risk individuals, the guide says so plainly.
About this guide
This is an independent public guide for households. Product and service names are included because practical advice needs practical examples, but there are no sponsorships, affiliate links, or paid placements.
Linked references are used where factual claims, product features, legal routes, or official advice may reasonably be questioned. Regional examples are starting points, not universal rules: laws, fraud protections, reporting routes, and platform settings vary by country and change over time.
This site uses no analytics, cookies, advertising pixels, or tracking. It is hosted through Cloudflare, which may process basic request and security logs to deliver and protect the site.
Corrections, broken links, and practical feedback are welcome: feedback@digitalhouseholdsecurity.org. Please do not send passwords, account details, private documents, or requests for emergency help; this site cannot provide individual security, legal, financial, or crisis support.
Security advice ages quickly. The visible “last updated” line is there for that reason.
Share this guide
If this guide is useful, please share it with someone who looks after household accounts, devices, money, children, older relatives, or community groups. A simple description is: Digital Household Security is a free, privacy-respecting guide to passwords, scams, backups, devices, privacy, and what to do when something goes wrong.
Part 1 - Understanding the landscape
Before changing a single setting or installing a single app, it helps to understand what you’re actually protecting and who you’re protecting it from. This part is the shortest in the guide, and it’s tempting to skip straight to the practical sections. Resist that urge. The households who stay safe over the long term are not the ones with the most tools; they’re the ones who understand why they’re doing what they’re doing. That understanding is what lets you make good decisions later, when a new device arrives, a new scam appears, or a piece of advice here goes out of date.
1.1 Introduction & scope
What you’re protecting
It’s natural to think of digital security as protecting devices - the phone, the laptop, the router. But devices are replaceable. What you’re really protecting falls into four categories, and keeping them in mind will help you judge how much any given measure is worth.
The first is your accounts and identity: your email, your bank, your government logins, your social media. These are far more valuable to an attacker than the device itself, because access to your email is access to almost everything else - most password resets flow through it.
The second is your data: photos that can never be recreated, financial records, documents, the contents of years of conversations. Some of this is irreplaceable, and some of it is sensitive in ways that could cause real harm if exposed.
The third is your money: bank accounts, cards, and the credit in your name that a thief could borrow against. This is the most directly measurable form of harm, and the one households most often underestimate.
The fourth, and most important, is the people in your household. Children face risks adults don’t. Older relatives are targeted in ways that exploit trust and unfamiliarity. A teenager’s reputation and future can be shaped by a digital footprint they don’t yet understand. No firewall protects these; awareness and conversation do.
1.2 The threat landscape
You cannot defend against what you don’t understand. This section is a tour of who might come after your household and how. It is not meant to frighten you. Most of these threats are defeated by a handful of straightforward measures, and by the end of this guide you’ll have addressed all of them. But you’ll defend better if you know what you’re defending against.
The threats fall into three broad groups, and it’s worth understanding the difference, because they call for different responses.
Opportunistic threats: the automated tide
The vast majority of attacks are not aimed at you. They’re aimed at everyone, automatically, at enormous scale, in the hope that some small fraction will succeed. You are not being singled out; you’re being swept up.
Credential stuffing is the clearest example. When a company suffers a data breach - and they do, constantly - the leaked email-and-password combinations are collected into vast databases and sold. Automated tools then try those same combinations against every other popular service: your bank, your email, your shopping accounts. If you reused a password anywhere, this is how it’s discovered. The attacker never thinks about you personally; a machine does the work against millions of people at once. This single threat is why a password manager and unique passwords are the foundation of everything else in this guide.[1] Industry estimates put the success rate of these automated attempts at well under one percent - but with billions of stolen credentials in circulation, even that small fraction yields hundreds of thousands of compromised accounts.[2]
Phishing is the other workhorse of opportunistic crime. A message - email, text, or increasingly a fake notification - pretends to come from a bank, a delivery company, the tax authority, or a streaming service, and pushes you to click a link and enter your details on a convincing fake page. Modern phishing has shed the clumsy spelling mistakes of a decade ago; today’s lures are clean, well-designed, and often personalised with information scraped from elsewhere.
Riding alongside these are drive-by malware (malicious code delivered through compromised websites or poisoned ads) and ransomware, which encrypts your files and demands payment to release them. Ransomware was once a problem only for businesses; it now routinely strikes households, and the only reliable defence is a backup the ransomware can’t reach.[3]
One opportunistic threat deserves special mention because it undermines a defence many people rely on: SIM swapping. Here an attacker convinces your mobile carrier to transfer your phone number to a SIM card they control, often using personal details gathered from breaches and social media. Once they have your number, any security code sent to you by text goes to them instead. This is precisely why this guide treats SMS-based two-factor authentication as a weak last resort rather than a real protection.[4] The risk is significant enough that the FBI and the US cybersecurity agency CISA, along with major technology companies, now openly advise moving away from SMS codes in favour of an authenticator app or a hardware key.[5]
Targeted and social threats: when it’s personal
A smaller but more dangerous category of threat is aimed at you or someone close to you specifically. These attacks are more work for the attacker, so they’re rarer - but because they’re tailored, they’re far harder to spot and far more likely to succeed.
Spear phishing is ordinary phishing sharpened to a point. Instead of a generic “your account needs attention,” the message references your employer, your colleague’s name, a recent purchase, or a real ongoing situation - details lifted from your social media, a data breach, or a compromised contact. The personalisation is what makes it dangerous: it bypasses the instinctive scepticism that catches mass-market lures.
The newest and most unsettling threats in this category are powered by artificial intelligence. Voice cloning can reproduce a family member’s voice from a few seconds of audio - easily harvested from a social media video - and use it to fake a distressed phone call: a child claiming to be in trouble, a relative asking urgently for money.[6] In 2025 the FBI’s Internet Crime Complaint Center devoted a section of its annual report to AI as a fraud tool for the first time, specifically naming voice-cloning “distress scams” that mimic a family member in crisis.[7] Deepfake video calls extend the same trick to a moving, talking face. AI-generated phishing produces flawless, personalised lures at scale, removing the linguistic tells people were taught to look for. And QR-code phishing - sometimes called “quishing” - hides malicious links inside the scannable codes now found on posters, menus, and parking meters, where no URL is visible to inspect.
These AI-driven threats are genuinely new, and most households have no mental defence against them yet. The single most effective protection costs nothing: agree a trusted-person code word now, a word never shared online, that any genuine emergency request for money or access must include. If a panicked call can’t produce it, it’s a scam - no matter how much it sounds like someone you love. This is not a novelty of our own invention: the FBI’s own guidance on these scams recommends establishing exactly such a family code word, alongside keeping social-media profiles private so they can’t be mined for voice samples.[8]
Other targeted threats exploit the most vulnerable members of a household directly: child exploitation through gaming platforms and social media, romance and investment scams aimed disproportionately at older and isolated people, and domestic surveillance - stalkerware secretly installed on a phone, hidden tracking tags slipped into a bag, accounts quietly monitored by someone with physical access. These are addressed in detail later in the guide, but they belong on the map of threats from the start.
Privacy erosion: the slow leak
The third group of threats is different in character. There’s no single attacker and no dramatic moment of compromise. Instead, your personal information leaks steadily, legally, and almost invisibly - and the accumulated exposure becomes raw material for the attacks above.
Data brokers quietly assemble detailed profiles of you - your address, income, family members, habits, and movements - by combining public records, loyalty schemes, app data, and breaches, then sell those profiles commercially. Internet providers can see a great deal about your browsing and network use, and in some places may use or share that data in ways households rarely understand. Apps and smart devices can collect location, contact, usage, audio, video, device, and connection data far beyond what people expect.[9]
No single one of these feels urgent, which is exactly why they’re easy to ignore. But privacy erosion is what feeds the other two categories: the data leaked today is the spear-phishing detail, the password-reset answer, or the scammer’s opening line tomorrow. Treating privacy as part of security, rather than a separate luxury, is one of the quiet themes here.
Your household’s specific risk factors
Finally, every household has its own shape, and certain features raise certain risks. It’s worth taking a moment to recognise which apply to yours.
If you have children, you carry risks most security guides ignore: they’re targets for predators, prone to installing whatever a game or friend suggests, and building a digital footprint that will outlast their understanding of it. If you have older or less technical relatives in the household or in your care, they’re disproportionately targeted by phone and email scams and benefit far more from having protections set up for them than merely explained.[10] If anyone works from home, corporate and personal data mingle on the same devices, multiplying what a single compromise can reach. And the more smart devices you accumulate, the more doors there are into your home network - each one a small, often poorly maintained computer.
You don’t need to solve all of this at once. The point of mapping it now is simply this: when you reach the roadmap, you’ll know not just what the recommended steps are, but why each one matters for your particular household.
References & sources
[1] UK National Cyber Security Centre, “Use of credential stuffing tools” - explains that credential stuffing exploits password reuse across accounts. Accessed 2 June 2026.
[2] Cloudflare, “What is credential stuffing?” - notes that credential-stuffing success rates are often very low, around 0.1%, but still damaging at internet scale. Accessed 2 June 2026.
[3] CISA/MS-ISAC, “StopRansomware Guide”, and UK NCSC, “Mitigating malware and ransomware attacks” - both emphasise resilient, offline or otherwise protected backups as a core ransomware defence. Accessed 2 June 2026.
[4] FBI IC3, “2024 Internet Crime Report”, and FTC, “SIM swap scams: How to protect yourself” - document SIM-swap complaints and explain how hijacked numbers can intercept text-message codes. Accessed 2 June 2026.
[5] CISA, “More than a Password”; NIST, SP 800-63B; and FTC, SIM-swap guidance - recommend stronger factors such as authenticator apps, passkeys, or hardware security keys over SMS where possible. Accessed 2 June 2026.
[6] FTC Consumer Advice, “Scammers use fake emergencies to steal your money” - warns that scammers can use a short online audio clip and AI voice cloning to impersonate a loved one. Accessed 2 June 2026.
[7] FBI IC3, “2025 Internet Crime Report” - includes AI-related complaints and names voice-cloning “distress” scams, including grandparent-style scams. Accessed 2 June 2026.
[8] FBI, “Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud”, and FBI, “Criminals Using Altered Proof-of-Life Media...” - recommend a family secret word/code word and limiting public voice/image material. Accessed 2 June 2026.
[9] FTC, “A Look at What ISPs Know About You”; FTC Consumer Advice, “What To Know About People Search Sites That Sell Your Information”; FTC Consumer Advice, “Securing Your Internet-Connected Devices at Home”; and NIST, “Consumer IoT Cybersecurity” - document ISP data practices, people-search/data-broker activity, and consumer IoT privacy and security risks. Accessed 7 June 2026.
[10] FBI, “FBI Highlights Growing Number of Reported Elder Fraud Cases”, and FBI IC3, “2024 Internet Crime Report” - report billions in annual losses among victims over 60. Accessed 2 June 2026.
Part 2 - Securing your devices
This is where the practical work begins. Your devices and accounts are the front line - the things attackers most want and most often reach. The three sections here build outward from the most important defence of all (your passwords and identity), through the devices themselves, to the often-forgotten physical layer that underpins both.
2.1 Password & identity management
If you do only one thing in this entire guide, do this. Many everyday account compromises start with passwords: a reused password exposed elsewhere, a weak password guessed at scale, or a password stolen by phishing. Most are preventable with three habits: unique passwords everywhere, a second factor on what matters, and a way to know when you’ve been exposed.[1]
Why passwords fail
The problem isn’t that people choose bad passwords - though many do. The problem is reuse. When one service you’ve signed up to is breached, the leaked email-and-password pair is tested automatically against every other popular service. Reuse one password across your email and a forum that gets hacked, and the forum breach becomes an email breach. This is why password reuse is so damaging, and it’s defeated entirely by never using the same password twice.
That’s impossible to do from memory, which is why the foundation of everything is a password manager.
Password managers
A password manager generates a long, random, unique password for every account, stores them encrypted, and fills them in for you. You remember one strong master password; it remembers the rest.
For most households, Bitwarden is the recommendation: it’s open source, has a genuinely usable free tier, syncs across all your devices, and can even be self-hosted if you want full control later. If you prefer nothing ever leaves your own devices, KeePassXC keeps everything in a local file with no cloud at all, at the cost of setting up your own syncing. If you’ll pay for the smoothest household experience, 1Password is polished and well worth its price. Avoid relying on the password managers built into browsers as your primary store - they don’t travel well between browsers and devices, and they’re easy to leave logged in.
Whichever you choose, the master password is the one password you must get right: make it long, unique, and memorable - a passphrase of several unrelated words works well - and never reuse it anywhere.
Second sign-in step (MFA / 2FA)
A password proves you know something. A second factor proves you have something - your phone, an app, a physical key - so that a stolen password alone isn’t enough. Turning this on is the highest-value half-hour you’ll spend.
Not all second factors are equal. Ranked from strongest to weakest:
- A hardware security key (such as a YubiKey) is the gold standard - a small device you tap or plug in, and the only common factor that resists even a convincing phishing page.[2]
- An authenticator app generating six-digit codes (Aegis on Android, Raivo on iOS are good open-source choices) is excellent and right for most people.
- Passkeys, a newer technology now supported by Apple, Google, and Microsoft, are replacing passwords entirely and are both strong and convenient - adopt them where offered.[3]
- Text-message codes are the weakest option: better than nothing, but vulnerable to the SIM-swapping attack described in Part 1, so use them only where no alternative exists.
- Email codes are weaker still and best avoided.
Turn this second sign-in step on in order of consequence: your email provider or webmail account first, because it’s the recovery route for everything else, then your bank, then the rest over time. You’ll often see this called MFA or 2FA. If you read mail through an app such as Thunderbird or Apple Mail, still set MFA on the provider account itself: Gmail, Outlook, Proton, Fastmail, Posteo, or whichever service actually hosts the mailbox.
Knowing when you’ve been exposed
Breaches are inevitable; the question is whether you find out. The free site Have I Been Pwned lets you check whether your email addresses appear in known breaches, and will alert you to future ones. Check every household member’s addresses, change anything that’s been exposed, and - because most password managers show you which of your passwords are weak, reused, or breached - run that built-in audit at least once a year.
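As an added illustration (not code from this guide or from any password manager), here is what a reuse-and-breach audit of the kind described above does under the hood. It assumes the k-anonymity "range" lookup design used by Have I Been Pwned's Pwned Passwords service, where only the first five characters of a password's SHA-1 hash ever leave the device; the vault contents, the breach corpus, and the offline stand-in for the lookup service are all constructed for the example.

```python
import hashlib
from collections import defaultdict


def sha1_upper(password: str) -> str:
    """SHA-1 of the password as 40 uppercase hex characters."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix sent to the service, suffix that stays on this device)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range) -> int:
    """How often the password appears in known breaches (0 if never).

    fetch_range(prefix) must return the text body of a range lookup:
    one "SUFFIX:COUNT" line per breached hash that starts with the prefix.
    The match against our own suffix happens locally.
    """
    prefix, suffix = split_for_range_query(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def reused_groups(vault: dict[str, str]) -> list[list[str]]:
    """Groups of account names that share one password."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return sorted(sorted(g) for g in by_password.values() if len(g) > 1)


def audit(vault: dict[str, str], fetch_range) -> dict[str, list[str]]:
    """Per-account findings: reuse first, then breach exposure."""
    group_of = {acct: grp for grp in reused_groups(vault) for acct in grp}
    report = {}
    for account, password in vault.items():
        findings = []
        if account in group_of:
            others = [a for a in group_of[account] if a != account]
            findings.append("reused with " + ", ".join(others))
        seen = breach_count(password, fetch_range)
        if seen:
            findings.append(f"seen in breaches {seen} times")
        report[account] = findings
    return report


# --- Constructed sample data; nothing below is real -----------------------
CONSTRUCTED_BREACH_CORPUS = {"sunshine2019": 48210, "Movies4Us!": 12}

CONSTRUCTED_VAULT = {
    "email": "sunshine2019",
    "old-forum": "sunshine2019",      # same password as email: the reuse problem
    "streaming": "Movies4Us!",
    "bank": "kT9#vLq2!xWz7pR4",       # unique and random
}


def make_offline_range_service(corpus: dict[str, int]):
    """Offline stand-in for https://api.pwnedpasswords.com/range/<prefix>.

    Also records every prefix it was asked for, so you can see that the
    service only ever learns five hex characters per lookup.
    """
    queries = []

    def fetch_range(prefix: str) -> str:
        queries.append(prefix)
        lines = [f"{sha1_upper(pw)[5:]}:{n}" for pw, n in corpus.items()
                 if sha1_upper(pw).startswith(prefix)]
        lines.append("0" * 35 + ":1")  # unrelated entry sharing the prefix
        return "\r\n".join(lines)

    return fetch_range, queries


if __name__ == "__main__":
    fetch, asked = make_offline_range_service(CONSTRUCTED_BREACH_CORPUS)
    for account, findings in audit(CONSTRUCTED_VAULT, fetch).items():
        print(f"{account:10} {'; '.join(findings) or 'ok'}")
    print("prefixes sent:", asked)
```

The forum and email accounts are flagged twice, once for sharing a password and once because that password is already in a breach corpus, which is exactly the combination credential stuffing relies on.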
Sharing within a household
Households share accounts - streaming, utilities, shopping - and the wrong way to do it is reading a password aloud or texting it. Password managers solve this with shared collections: the household’s common accounts live in a vault everyone authorised can use, while each person keeps their own private vault, and no one ever exposes their master password. Set up children with supervised vaults where relevant, and configure your manager’s emergency-access feature so a trusted person can reach your accounts if something happens to you - a small step now that prevents a great deal of difficulty later.
2.2 Device security
Your phone, tablet, and computer are where your digital life actually lives. The good news is that modern devices are far more secure by default than they used to be; the work is mostly about turning on protections that already exist and not undermining them.
A few habits that apply to everything
Three principles cut across every device you own. Keep them updated automatically - the majority of malware exploits flaws that were already patched, so an up-to-date device is a hard target.[4] Use the strongest lock you reasonably can - a six-digit PIN at minimum, biometrics for convenience, never a four-digit code or a swipe pattern. And set up remote wipe before you need it - Find My on Apple devices, Find My Device on Android - and confirm it actually works, so a lost device is an inconvenience rather than a breach.
Phones
On iPhone, work through the privacy settings and revoke app access to your location, microphone, camera, and contacts wherever an app doesn’t genuinely need it. Subscribers to iCloud+ get Private Relay, which hides your browsing from your network and provider. For anyone at elevated risk, Lockdown Mode dramatically reduces the phone’s attack surface, though it’s too restrictive for everyday use by most people.
On Android, the most important factor is timely security updates, which vary enormously by manufacturer - Google’s Pixel phones and a few others patch promptly, while many budget devices are neglected within a year. Check that your phone’s security patch date is recent. For the privacy-minded, GrapheneOS offers a hardened version of Android for supported Pixel phones, F-Droid provides access to open-source apps, and tools like Island or Shelter can wall risky apps off from your personal data.[5]
Computers
Across Windows, macOS, and Linux, the same essentials apply. Turn on full-disk encryption - BitLocker on Windows, FileVault on macOS, LUKS on Linux - so a stolen laptop doesn’t surrender its data. Use a standard (non-administrator) account for daily work, switching to an admin account only to install software, which limits the damage any malware can do. The built-in protections are good: Windows Defender is sufficient for most households, and a free scan from Malwarebytes makes a useful second opinion. On macOS and Linux, an outbound firewall (Little Snitch or the free Lulu on Mac, OpenSnitch on Linux) reveals - and lets you block - apps quietly phoning home.
Linux deserves a mention as a positive choice, not just a technical one: distributions like Linux Mint or Ubuntu are free, collect no telemetry, and make a genuinely viable, private alternative to Windows for everyday use, particularly on older hardware you’d otherwise replace.
Tablets and shared devices
Tablets get neglected because they feel like appliances, but they hold the same data as a phone and need the same care. If a tablet is shared - a household iPad, say - use separate user profiles where the platform supports it (Android does natively), and lock down children’s access with Screen Time or Family Link, protected by an adult’s passcode the child doesn’t know.
Letting go of old devices
When a device leaves your household - sold, handed down, recycled - factory-reset it and remove it from your cloud accounts, or the next owner may inherit access to your data or you may find the device still tied to your account. It’s the digital equivalent of clearing a house before you hand over the keys.
2.3 Physical security
It’s easy to picture digital threats as something that arrives down the wire, but a stolen unlocked phone bypasses every clever defence you’ve built. Physical and digital security are the same attack surface, and this short section covers the parts that happen in the real world.
Theft and loss
You’ve already met the two defences that matter most for a lost or stolen device: full-disk encryption, so the data is unreadable, and remote wipe, so you can erase it from afar. Make sure both are in place on everything before you need them. Beyond that, record the serial numbers of your devices somewhere safe - they’re needed for police reports and insurance - and use a physical lock for laptops left in shared or public spaces.
Eyes and shoulders
A surprising amount of information is simply read over a shoulder - passwords typed in cafes, messages on a train, PINs at a cash machine. Build the habit of positioning your screen away from sightlines in public, shielding the keypad when you enter a PIN, and locking your screen the instant you step away (a reflex worth teaching everyone in the household). A privacy screen filter, which narrows a display’s viewing angle, is a cheap and effective addition for anyone who often works in public.
Paper and post
Identity theft still travels on paper. Shred anything carrying your name and address before it goes in the bin - bank statements, utility bills, delivery labels, prescription information. If mail is left in a shared hallway, roadside box, or anywhere strangers can reach it, a locked mailbox matters. Where it’s offered, opting out of unsolicited pre-approved credit offers removes a favourite target for mail thieves.
The USB trap
Never plug an unknown USB drive or cable into your devices. “Lost” drives left in car parks are a genuine attack technique, and malicious cables that look identical to ordinary ones exist. In public, charge from your own adapter and a wall socket rather than a public USB port, or use an inexpensive USB “data blocker” that allows power but not data - a small guard against the rare but real risk of a tampered charging point.[6]
Smart locks and the front door
As the front door itself becomes a connected device, it inherits connected-device problems. If you fit a smart lock, choose one that retains a physical key as a fallback and whose maker has a clear record of firmware updates - an abandoned smart lock is a lock that stops getting security fixes. Be cautious with features like automatic unlocking based on your phone’s location, which can be easier to fool than a key.
When tampering is a real concern
For most households, the scenario of someone physically tampering with a device is remote, and the measures above are enough. For the small number who do face it - covered more fully in the high-profile section in Part 6 - encrypted devices, a firmware password that prevents booting from a USB stick, and an awareness that physical access is itself a threat all become more important. If that describes your situation, treat physical and digital security as one plan rather than two.
The thread running through this section is simple: the strongest password in the world is useless if the unlocked phone is sitting on a café table. Locking the screen, shredding the statement, and ignoring the stray USB stick are not glamorous, but they hold up the whole structure.
References & sources
[1] OWASP, “Credential stuffing”; UK NCSC, “Managing your passwords”; and UK NCSC, “Comparing the security properties of traditional user credentials and FIDO2 credentials for personal use” - explain credential stuffing, password reuse, and why unique credentials, password managers, passkeys, and second factors reduce account compromise risk. Accessed 7 June 2026.
[2] NIST, “Phishing Resistance - Protecting the Keys to Your Kingdom”, and CISA, “More than a Password” - describe phishing-resistant authenticators, including FIDO/WebAuthn security keys. Accessed 2 June 2026.
[3] FIDO Alliance, “Apple, Google and Microsoft Commit to Expanded Support for FIDO Standard”, and NIST, “Giving NIST SP 800-63B a Boost...” - document broad passkey support and NIST treatment of synced passkeys. Accessed 2 June 2026.
[4] CISA, “Known Exploited Vulnerabilities Catalog”, and Verizon, “Data Breach Investigations Report” - show that known, patchable vulnerabilities remain a major route into systems. Accessed 2 June 2026.
[5] Apple Support, “About iCloud Private Relay” and “About Lockdown Mode”; GrapheneOS, “GrapheneOS”; F-Droid, “F-Droid”; and Android Developers, “Work profiles” - document Private Relay, Lockdown Mode, GrapheneOS, open-source Android app distribution, and profile separation on Android. Accessed 7 June 2026.
[6] FCC, “Juice Jacking: Tips to Avoid It”, and FBI Denver public warning as reported by CNBC, “FBI says you shouldn’t use public phone charging stations” - warn about public USB charging risks; documented real-world cases appear rare, so this remains a low-probability precaution. Accessed 2 June 2026.
Part 3 - Securing your network & connections
Every device in your home reaches the outside world through the same few points: your router, your internet connection, and the invisible plumbing that carries your traffic. Get this layer right and you protect everything behind it at once. This is the most technical part of the guide, but the core ideas are simple, and you can stop at whatever depth suits your household.
3.1 Network security
Your router is the most important device in your home that you never think about. Everything connects through it, which makes it both your first line of defence and, if neglected, the open gate to everything behind it.
The five-minute router fix
Most home networks are vulnerable not because routers are weak, but because they’re left on their factory settings. A handful of changes closes the common gaps, and none of them require technical skill.
Change the router’s administrator password away from the default - the factory password is often printed on a sticker or listed online for that exact model. While you’re in the settings, turn off WPS, a “convenient” pairing feature that has long-standing weaknesses,[1] and turn off UPnP, which lets apps quietly open holes in your firewall without telling you.[2] Disable remote management unless you specifically need to administer the router from outside your home. Set the wireless security to WPA3, or WPA2 if some of your devices are older. And change the network name away from anything that identifies you or the router’s make and model. Finally, make sure the router installs firmware updates automatically, or put a monthly reminder in your calendar to check - an unpatched router is a standing invitation.
Separating your network: the highest-impact step
Here is the single most effective thing a moderately confident household can do, and it’s one most households have never heard of. A typical home network is flat: the smart bulb, the games console, the work laptop, and the baby monitor all sit together, able to talk to one another freely. That means a single compromised device - and cheap smart gadgets are compromised constantly - can reach everything else.
The fix is segmentation: splitting your one network into separate, isolated ones. A practical household setup has three. A primary network for the things you trust - phones, tablets, computers. An IoT network for everything smart - TVs, speakers, cameras, plugs - kept walled off so a hijacked device can’t reach your real computers. And a guest network for visitors, giving them internet access without a route into your home. Most modern routers offer at least a guest network out of the box; full segmentation needs a router or access point that supports it, and a friendly appliance like Firewalla makes it approachable if your hardware doesn’t.
The payoff is large: when a smart bulb is your weakest link - and it usually is - segmentation ensures that’s all it can ever be.
Taking more control: alternative router software
For those who want to go further, the software a router runs can be replaced with something more capable and more trustworthy than the manufacturer’s. OpenWrt and DD-WRT turn many consumer routers into far more flexible, longer-supported devices. For the genuinely keen, OPNsense or pfSense running on a small dedicated computer deliver near-professional capability for free. This is optional, more involved territory - but it’s there if the hobby bug bites, and it rescues otherwise-abandoned hardware from the scrap heap.
Your internet connection
The way you connect shapes a few choices. On fibre or cable, you can usually replace the provider’s router with your own for more control and better security. On satellite internet like Starlink, your connection sits behind the provider’s network in a way that makes hosting services awkward but is no less secure for everyday use; reach your home remotely with the VPN approach in Part 3.3 rather than by opening it to the internet. On mobile broadband, you have less control, so lean on device-level protections and a VPN. And whatever your connection, check that your router’s firewall blocks unsolicited incoming IPv6 traffic - many providers now hand a public address to every device in your home, and you want the router’s firewall standing in front of them.
3.2 Firewalls & DNS filtering
Two quieter technologies do a lot of unseen work: firewalls decide what’s allowed to connect, and DNS filtering decides which destinations your devices are even allowed to look up. Together they block a great deal of bad traffic before it reaches you.
Firewalls on your devices
Every modern device has a firewall, and the defaults are mostly sensible. On Windows and macOS, confirm the built-in firewall is on, and on public networks set it to block all incoming connections - there’s no reason to accept them in a café. The more interesting kind, for the curious, is an outbound firewall that shows you what your apps are sending out: Little Snitch or the free Lulu on a Mac, OpenSnitch on Linux. Watching how much software phones home unprompted is genuinely eye-opening, and you can block what you don’t like.
DNS filtering: blocking the bad stuff for the whole house
DNS is the internet’s address book: every time a device visits a site, it first looks up that name to get a number. Because every connection starts with a lookup, filtering those lookups is a powerful and efficient choke point - you can block ads, trackers, malware domains, and adult content for every device in the home at once, before any connection is even made.
There are two routes. The simplest is a cloud service: NextDNS gives you per-device profiles, parental controls, and a clear log of what’s being blocked, with a free tier generous enough for most households; Cloudflare’s 1.1.1.2 and 1.1.1.3 offer one-line malware and adult-content blocking; Quad9 focuses on blocking known-malicious domains. Point your router at one of these and the whole household is covered.
The hands-on route is to run your own blocker on a small always-on computer like a Raspberry Pi. Pi-hole is the well-known choice and AdGuard Home is a slightly friendlier alternative; both block ads and trackers network-wide and give you complete visibility and control. The trade-off is that you’re now maintaining a small piece of infrastructure, and occasionally adding a site to an allow-list when filtering breaks something.
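The decision a DNS filter makes on each lookup, as an added example (a simplified model written for this guide, not Pi-hole's or AdGuard Home's own code). The list entries are constructed, and treating a blocked name as covering its subdomains is an assumption of this sketch; it shows why an allow-list entry can rescue one site without unblocking its parent.

```python
"""Simplified model of a DNS filter's per-lookup decision (constructed example)."""

# Constructed sample lists; real blockers load these from downloaded list files.
BLOCKLIST = {"ads.example", "tracker.example", "malware.test"}
ALLOWLIST = {"login.tracker.example"}  # a sign-in page that broke when its parent was blocked


def normalise(name):
    """Lower-case the name and drop the trailing root dot so comparisons are stable."""
    return name.strip().lower().rstrip(".")


def parent_domains(name):
    """Yield the name, then each parent: a.b.example -> a.b.example, b.example, example."""
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def decide(name, blocklist=BLOCKLIST, allowlist=ALLOWLIST):
    """Return (verdict, matched_rule). The most specific matching rule wins, and the
    allow-list beats the blocklist when both list the same name. Matching is done on
    whole labels, so 'notads.example' is not caught by the rule 'ads.example'."""
    for candidate in parent_domains(name):
        if candidate in allowlist:
            return ("allow", candidate)
        if candidate in blocklist:
            return ("block", candidate)
    return ("allow", None)


def answer(name, upstream):
    """Answer one lookup: blocked names get the unroutable address 0.0.0.0, so the
    device never learns where to connect; everything else is passed upstream."""
    verdict, _rule = decide(name)
    if verdict == "block":
        return "0.0.0.0"
    return upstream(name)


if __name__ == "__main__":
    fake_upstream = lambda n: "192.0.2.10"  # stand-in resolver (documentation address)
    for host in ["cdn.ads.example", "login.tracker.example",
                 "www.tracker.example", "notads.example"]:
        print(f"{host:24} {decide(host)!s:40} -> {answer(host, fake_upstream)}")
```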
Encrypting your lookups
By default those DNS lookups travel unencrypted, which means your internet provider can see - and in some places sell - a record of every site you visit, just from the lookups.[3] Modern systems support encrypted DNS (you’ll see it called DoH or DoT), which closes that window. You can switch it on for the whole home at the router, or per-device in browsers like Firefox and Chrome, using a privacy-respecting resolver such as Quad9, Mullvad, or NextDNS.
Filtering for children - and its limits
DNS filtering is a useful parental tool: services like CleanBrowsing’s family filter or NextDNS profiles can block adult content across the network, and many routers let you schedule internet access per device. But be honest about its limits. A determined teenager can sidestep DNS filtering with a VPN, and it doesn’t touch what happens inside an app. Treat it as one helpful layer alongside device-level controls and, far more importantly, ongoing conversation - not as a wall that does the parenting for you.
3.3 VPNs
Few security tools are as oversold as the VPN. The adverts promise anonymity, safety, and freedom; the reality is narrower and more useful once you understand what a VPN actually does. It encrypts your internet traffic and routes it through a server elsewhere, so the network you’re on can’t read it and websites see the server’s location instead of yours. That’s genuinely valuable in specific situations - and beside the point in others.
When a VPN actually helps
A VPN earns its keep in three situations. On untrusted Wi-Fi - hotels, cafés, airports - it stops anyone on the same network snooping on your traffic. For privacy from your internet provider, it prevents them logging and selling the sites you visit (though encrypted DNS achieves much of this more simply). And for reaching your own home network from afar - your files, your cameras, your Pi-hole - a VPN lets you in securely without exposing those things to the open internet.
It’s just as important to know what a VPN does not do. It does not make you anonymous: cookies, logins, and browser fingerprinting still identify you. It is not needed to use a secure website on your own home network. And it does not protect you from malware or phishing. A VPN is a tool for a few specific jobs, not a force field.
The best option for most households: reaching home
For the common need - getting back to your home network while you’re out - the modern answer is delightfully simple. Tailscale builds a private encrypted network linking your devices together with almost no configuration, and it’s free for a household’s worth of devices. Under the hood it uses WireGuard, a fast, modern VPN technology you can also set up yourself directly on a capable router or a Raspberry Pi if you’d rather not use a third party. Either way, you end up able to reach your home securely from anywhere, without leaving a single door open to the wider internet.
Choosing a commercial VPN
For the public-Wi-Fi and provider-privacy jobs, a commercial VPN makes sense - but the choice matters, because you’re moving your trust from your internet provider to the VPN company, which can now see your traffic instead. Choose one that has been independently audited, keeps no logs, publishes an open-source app, and operates from a sensible jurisdiction. Mullvad (which doesn’t even ask for your name and takes cash) and ProtonVPN (which has a usable free tier) are two well-regarded options. Steer clear of free VPNs that aren’t tied to a trustworthy paid service: running a VPN costs money, and if you’re not paying, your data usually is.[4]
Whatever you pick, switch on its kill switch, which cuts your connection if the VPN drops so you’re never accidentally exposed.
Two honest caveats
A VPN on a router protects every device automatically, but it asks a lot of the router’s processor - check yours can handle it before relying on it. And in households with children, remember that the same VPN apps that protect you on café Wi-Fi can also be used to slip past your DNS-based parental controls. As ever, the technology is one layer; the conversation is another.
For most households, the whole of this section reduces to two sentences. Use Tailscale to reach home. Use Mullvad or ProtonVPN on public Wi-Fi. Beyond that, a VPN is rarely the thing standing between you and harm - the passwords, the updates, and the backups matter far more.
References & sources
[1] CISA, “Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack” - documents the WPS PIN brute-force weakness and links to CERT/CC VU#723755. Accessed 2 June 2026.
[2] CISA, “Home Network Security”, and Canadian Centre for Cyber Security, “Universal plug and play (ITSAP.00.008)” - recommend disabling UPnP when it is not needed. Accessed 2 June 2026.
[3] IETF, RFC 8484: DNS Queries over HTTPS, IETF, RFC 7858: DNS over TLS, and Quad9, FAQ - document encrypted DNS standards and resolver support for DoH/DoT. Accessed 2 June 2026.
[4] Electronic Frontier Foundation, “Choosing the VPN That’s Right for You”; Mullvad, “No-logging of user activity policy”; and Proton VPN, “Does Proton VPN keep logs?” - explain that VPNs shift trust to the VPN provider and document no-logs considerations for the listed examples. Accessed 7 June 2026.
Part 4 - Privacy, data & daily habits
The previous parts secured your devices and your network. This part is about what happens through them every day: the browsing, the smart devices quietly listening in the corner, and the software you choose to trust with your information. These are the habits and choices that shape how much of your life leaks out into the world - and, for households with children, where the safety conversations matter most.
4.1 Browser & online privacy
You spend more time in your web browser than in almost any other piece of software, and it sees almost everything you do online. Choosing a good one and setting it up well is one of the easiest high-value privacy improvements available, and it costs nothing.
Choosing a browser
The browser market is dominated by Google Chrome, which is fast and capable but built by an advertising company with a deep interest in your data. There are better choices for a privacy-minded household.
Firefox, paired with a good content blocker, is the most flexible option: it’s open source, backed by a non-profit, has strong privacy defaults, and supports the widest range of privacy extensions. Brave is a good alternative for those who’d rather not configure anything - it’s built on the same engine as Chrome but blocks ads and trackers out of the box. For the more demanding, LibreWolf is a version of Firefox tuned for privacy from the start. Approach Chrome and Microsoft Edge with caution: both are capable browsers, but Google and Microsoft’s own privacy documentation describes browser usage, diagnostic, browsing activity, history, preference, URL/search, and personalisation data that may be sent back depending on settings, sign-in, and connected features.[1] That does not make them unsafe; it means privacy-minded households should start elsewhere unless they have a specific reason to use them.
On phones, the same logic applies: Firefox with a content blocker on Android, and Brave on iOS, where it has the best support for blocking.
A few key extensions
You don’t need many - every extension you add can read the pages you visit, so restraint is itself a privacy measure. A small, well-chosen set covers most needs: uBlock Origin is the best ad and tracker blocker available, with very little performance cost; Privacy Badger, from the Electronic Frontier Foundation, learns and blocks trackers automatically; and your password manager’s extension makes good security convenient. Beyond those, resist the urge to install every privacy add-on you come across - more extensions mean a larger attack surface, not better protection.
Search and email
Your search engine sees your most candid questions, and the big ones build detailed profiles from them. Privacy-respecting alternatives - Startpage, Brave Search, or the self-hostable SearXNG - return useful results without the tracking. Switching your browser’s default search is a thirty-second change with a lasting benefit.
Email deserves similar thought. Encrypted providers like Proton Mail and Tuta keep your messages private even from the provider, and both have free tiers. Just as useful is the habit of email aliasing - using a service like SimpleLogin or addy.io to create a different, disposable address for each site you sign up to. When one of those sites is breached or starts spamming you, you disable that single alias rather than your real address, and you can see exactly who leaked it. At minimum, keep separate email addresses for the things that matter most - banking, shopping, social media, and casual sign-ups - so a breach in one corner of your life doesn’t spill into the others.
The tracking you can’t see
Even with cookies blocked, websites can identify you through fingerprinting - the unique combination of your browser version, screen size, fonts, and settings.[2] It’s harder to defend against, but Brave and LibreWolf both work to disguise your fingerprint, which is one more reason to prefer them. Separately, data brokers assemble and sell profiles of you from public records, app data, and breaches; you can have much of this removed, either by working through the major brokers’ opt-out processes yourself or by paying a removal service to do it.[4] For most households this is a low-priority tidy-up; for high-profile households, as covered in Part 6, it becomes a frontline defence.
4.2 Smart home & IoT security
The “Internet of Things” - the growing crowd of connected devices in a modern home, from televisions and speakers to doorbells, cameras, plugs, and children’s toys - is where convenience and risk collide most sharply. Each of these is a small computer connected to your network and the wider internet, and most of them are built to a price, secured as an afterthought, and abandoned by their makers within a couple of years. For a growing number of households, this is now the weakest point in the whole system.
Why these devices are the weak link
Three problems compound. Many IoT devices stop receiving security updates almost as soon as they’re sold, so known flaws are never fixed.[3] Many phone home to their manufacturers constantly, sending data - sometimes including audio or video - to servers you have no visibility into. And because they sit on your home network, a single compromised device can become a foothold from which an attacker reaches your computers and phones. A cheap smart bulb should never be a route to your laptop, but on a flat network, it can be.
The single most important step
If you take one action from this section, make it this: put every smart device on a separate network, isolated from the computers and phones you actually care about. This is the network segmentation described in Part 3.1, and it’s worth repeating here because IoT is the reason it matters most. Properly isolated, a hijacked camera or speaker can reach the internet but not your real devices - its blast radius is contained. Pair this with a glance at your network’s traffic now and then (a tool like Pi-hole makes this visible), because a device suddenly chattering to unfamiliar servers is a red flag worth investigating.
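One way to turn "a device suddenly chattering to unfamiliar servers" into a repeatable check, as an added example that is not part of the original guide or of Pi-hole. The log lines are constructed in the dnsmasq query-log style that Pi-hole writes; the device addresses, the `site()` grouping by the last two labels, and the three-query threshold are assumptions of this sketch.

```python
"""Flag devices that start looking up destinations they never used during a baseline
period. Added example; all log lines below are constructed."""
import re
from collections import defaultdict

# Matches dnsmasq-style query lines: "... query[A] name from client-ip"
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Za-z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed sample: a normal day for a smart bulb (192.168.20.15) and a laptop.
BASELINE_LOG = """\
Jun  1 08:00:01 dnsmasq[812]: query[A] api.bulbvendor.example from 192.168.20.15
Jun  1 08:00:02 dnsmasq[812]: reply api.bulbvendor.example is 203.0.113.7
Jun  1 09:30:10 dnsmasq[812]: query[AAAA] time.bulbvendor.example from 192.168.20.15
Jun  1 10:02:44 dnsmasq[812]: query[A] www.news.example from 192.168.10.5
""".splitlines()

# Constructed sample: a week later the bulb repeatedly looks up somewhere new.
TODAY_LOG = """\
Jun  8 02:11:00 dnsmasq[812]: query[A] api.bulbvendor.example from 192.168.20.15
Jun  8 02:11:05 dnsmasq[812]: query[A] files.unknown-host.example from 192.168.20.15
Jun  8 02:11:35 dnsmasq[812]: query[A] files.unknown-host.example from 192.168.20.15
Jun  8 02:12:05 dnsmasq[812]: query[A] sync.unknown-host.example from 192.168.20.15
Jun  8 02:12:35 dnsmasq[812]: query[A] files.unknown-host.example from 192.168.20.15
Jun  8 11:40:00 dnsmasq[812]: query[A] shop.retailer.example from 192.168.10.5
""".splitlines()


def parse_queries(lines):
    """Yield (client, name) for every query line; replies and other lines are skipped."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m["client"], m["name"].lower().rstrip(".")


def site(name):
    """Group hostnames by their last two labels (assumption: crude, and wrong for
    suffixes such as co.uk, but enough to treat api.x and time.x as one vendor)."""
    return ".".join(name.split(".")[-2:])


def build_baseline(lines):
    """Learn which sites each device normally looks up."""
    baseline = defaultdict(set)
    for client, name in parse_queries(lines):
        baseline[client].add(site(name))
    return baseline


def new_destinations(baseline, lines, min_queries=3):
    """Return sorted (client, site, count) for sites absent from that device's baseline
    and looked up at least min_queries times. A device with no baseline at all has
    every destination counted as new, which also surfaces unknown devices."""
    counts = defaultdict(int)
    for client, name in parse_queries(lines):
        s = site(name)
        if s not in baseline.get(client, set()):
            counts[(client, s)] += 1
    return sorted((c, s, n) for (c, s), n in counts.items() if n >= min_queries)


if __name__ == "__main__":
    for client, dest, n in new_destinations(build_baseline(BASELINE_LOG), TODAY_LOG):
        print(f"{client} made {n} lookups for new destination {dest}")
```

A hit is a prompt to look closer, not proof of compromise: a firmware update can legitimately add a new vendor hostname.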
Cameras and doorbells
Connected cameras carry the sharpest privacy trade-off in the home, because they capture exactly what you’d least want exposed. Favour cameras that record to local storage - an SD card or a small recorder - over those that send everything to the manufacturer’s cloud by default. For the capable, an open-source system like Frigate keeps recording and even AI motion detection entirely local, with no subscription and no third-party servers. Be especially thoughtful about the big consumer ecosystems whose business models lean on data; if privacy matters to you, weigh that before installing a camera that streams your front door to a company’s cloud. And review who can see the footage - both the people in your household and the company behind the device.
Voice assistants
A voice assistant is, by design, a microphone that is always listening for its wake word. That’s not inherently sinister, but it deserves respect. Use the hardware mute button when you want genuine privacy - a physical switch is more trustworthy than a software setting - and review and delete your stored voice history periodically, which the major providers allow. Many households reasonably decide that bedrooms and other private spaces are no place for an always-on microphone. For the technically inclined, fully local voice control through a system like Home Assistant is becoming a real alternative that never sends your voice to anyone.
Choosing and retiring devices wisely
A little thought at purchase saves trouble later. Favour devices that use local protocols like Zigbee, Z-Wave, or the newer Matter standard over cheap Wi-Fi gadgets, and check whether the maker has a track record of providing updates. When a device reaches the end of its supported life, either replace it or isolate it further - an old device with no internet access at all is far safer than one quietly running years-old, unpatched software. And for the enthusiast, projects like Home Assistant can bring an entire smart home under local control, removing the cloud dependency from devices that never truly needed it.
The theme of this section is restraint as much as configuration: every connected device you add is a small ongoing responsibility, so it’s worth asking, before each one enters the house, whether the convenience is worth the upkeep.
4.3 Supporting children, teens & older relatives
Security advice often treats the household as a set of identical adults. Real households are not like that. Children, teenagers, older relatives, less technical adults, disabled people, carers, guests, and people under stress all have different risks and different levels of confidence. The aim is not to control them or shame them. The aim is to make safer choices easy, keep trust intact, and notice when someone is being pressured, exploited, or isolated.
Start with trust, not surveillance
The strongest household protection is still conversation. Children and teenagers need to know they can bring a strange message, an embarrassing mistake, or a frightening threat to an adult without immediately losing their phone or being blamed. Older relatives need the same respect: help should not feel like a lecture from someone younger who has decided they are helpless. If the household rule is “tell us early and we will help calmly,” you will hear about problems sooner.
That does not mean no boundaries. It means boundaries are explained. Parental controls, screen-time limits, app restrictions, and DNS filtering are useful for younger children, but they should be presented as guardrails, not secret monitoring. As children become teenagers, privacy matters more. Move gradually from control to coaching: teach them how scams work, how screenshots spread, why location sharing matters, and how to leave a conversation that turns coercive. The same principle applies with older relatives: set up protections with them, not around them, unless there is a genuine safeguarding reason to step in.
Children and teenagers
Start with the basics. Give each child their own device account, not a shared adult login. Use age-appropriate parental controls, keep devices updated, restrict app installation for younger children, and review privacy settings on gaming, messaging, and social platforms. Turn off public location sharing by default. On gaming platforms, check voice chat, friend requests, direct messages, and whether strangers can invite the child into private groups.
For younger children, the biggest issues are privacy and contact with strangers: apps collecting too much information, public profiles, location exposure, and adults or older children moving conversations into private channels. For teenagers, add reputation, coercion, sextortion, impersonation, and financial scams. NCMEC and the FBI both warn that online enticement and sextortion can begin with someone a young person thinks they know or trust, and the right adult response is to comfort, preserve evidence, and report rather than punish the child for being targeted.[5]
A practical rule helps: no one who cares about you will demand secrecy, money, images, or urgency as proof of trust. If someone says “don’t tell your parents,” “send this now,” “I’ll ruin you,” or “you’re in trouble unless you pay,” that is the moment to get help. Keep reporting routes visible: platform reporting, school safeguarding, NCMEC’s CyberTipline in the US, CEOP in the UK, and local law enforcement for immediate danger.
Older and less technical relatives
Older adults are not inherently bad with technology; many are excellent. The risk is that scammers deliberately exploit trust, isolation, authority, urgency, and fear. The FBI and FTC both document heavy losses among older adults, especially from impersonation, tech-support, romance, investment, and emergency scams.[6] The best support is practical and respectful: set up safer defaults before a crisis, and agree what to do when a call or message feels urgent.
Help them use a password manager if they are willing, but do not make it a purity test. For some people, a well-kept password book stored at home is still a big improvement over reused passwords and sticky notes by the computer. Turn on a second sign-in step for the email provider account, banking, and government accounts, preferring authenticator apps or passkeys where they are comfortable. Set transaction alerts on bank accounts, add trusted contacts where banks offer them, and set up whatever new-account fraud protection is available locally. If they are comfortable with it, help create a dedicated email address for banking and healthcare that is not used for shopping or newsletters.
The most valuable household agreement is a pause rule. No bank, police officer, tax authority, delivery company, tech-support caller, or investment adviser gets money, gift cards, cryptocurrency, remote computer access, or account codes during the first contact. The answer is: “I need to check this; I will call back using a number I already have.” Then hang up, wait, and call the real number from a card, statement, or official website. This simple script defeats a remarkable number of scams because it breaks the emotional rhythm the scammer depends on.[7]
Shared recovery and emergency access
Support works best when it is planned, not improvised. Agree who can help with account recovery, who knows where the emergency password-manager access is, and who should be called before money is moved under pressure. Do not create a situation where one person secretly controls another adult’s digital life unless there is a legal or safeguarding reason. A trusted contact is not the same as surveillance.
For children, the adult should hold recovery routes until the child is old enough to manage them responsibly. For teenagers, make the handover gradual: teach them how their password manager, authenticator app, recovery codes, email account, and device backups work. For older relatives, write down the support arrangement in plain language: what you can help with, what you cannot access without permission, and what should happen if they are ill, hospitalised, or unreachable.
Warning signs that something is wrong
Watch for sudden secrecy, fear, shame, unexplained payments, new online relationships that demand privacy, pressure to buy gift cards or cryptocurrency, remote-access software appearing on a computer, bank withdrawals that do not fit normal habits, or a child becoming distressed after messages arrive. None of these proves abuse or fraud on its own. They are reasons to slow down, ask gently, and make it easy to tell the truth.
Be especially careful where digital risk overlaps with coercive control or domestic abuse. Monitoring software, shared passwords, location trackers, smart-home access, and account recovery can all be used to control someone. If you suspect this, do not confront the suspected abuser through a monitored device and do not start deleting things in a way that may escalate danger. Use a safer device and seek specialist support. Safety comes before tidiness.[8]
The thread through all of this is dignity. Good household security helps people keep agency. It gives children a safe way to ask for help, teenagers a way to recover from mistakes, older relatives a way to resist pressure, and everyone a shared language for saying: stop, verify, then act.
4.4 Open-source software & privacy tools
Throughout this guide, open-source tools keep appearing among the recommendations. That’s not coincidence or ideology - it reflects a genuine advantage. Software whose code is open to public inspection can be independently checked for both security flaws and hidden data collection, which makes it easier to trust with the private corners of your life. It’s also, very often, free. This section gathers the everyday alternatives worth knowing about, so you can replace the parts of your digital life you’d rather not hand to a large company.
Everyday productivity
For documents, spreadsheets, and presentations, LibreOffice and ONLYOFFICE are capable, free replacements for the usual office suite, with ONLYOFFICE handling Microsoft’s file formats particularly smoothly. If you’d like the convenience of cloud documents, calendars, and contacts without handing them to a major provider, Nextcloud offers a self-hosted alternative you control entirely, and CryptPad provides encrypted collaborative documents that need no account at all. For notes, Standard Notes keeps everything encrypted and synced across devices.
Communication that respects you
This is the area where a single switch makes the biggest difference, and it’s the one I’d most encourage every household to make: move your group conversations to Signal. It offers best-in-class end-to-end encryption for messages and calls, it’s free, it’s open source, and it’s run by a non-profit with no interest in your data. WhatsApp also encrypts personal messages and calls, but its privacy policy documents wider account, connection, group, usage, log, device, and location data. Telegram is convenient, but ordinary Cloud Chats are not end-to-end encrypted; only Secret Chats are. For sensitive household conversations, Signal is the cleaner default.[9] For households that want to go further, Element, built on the open Matrix network, can be self-hosted and even bridges to other chat systems.
Files, photos, and media
To sync files between your own devices without any cloud in the middle, Syncthing does it directly and privately. For encrypted cloud storage where the provider genuinely cannot read your files, Filen and Proton Drive both offer free tiers. To replace a photo service that mines your images, Immich is a self-hosted alternative that has matured impressively. And for media, VLC plays anything without watching you, while Jellyfin turns your own film and music collection into a private streaming service for the household.
A realistic way to adopt these
The mistake people make is trying to switch everything at once, hitting friction, and giving up. A gentler path works better: start with the two changes that deliver the most for the least effort - your browser and your messaging app - and let the rest follow as the need arises. You don’t have to leave every mainstream service to benefit; even a partial shift meaningfully reduces how much of your household’s life is collected and sold. Treat it as a direction of travel, not a single leap, and pick the next switch when you’re ready rather than all of them today.
References & sources
[1] Google Chrome Help, “How Chrome keeps your usage statistics and crash reports private” and “How Chrome keeps your URL and search data private”; Microsoft Learn, “Microsoft Edge Privacy Whitepaper”; and Microsoft Support, “Microsoft Edge, browsing data, and privacy” - document Chrome and Edge usage, diagnostic, URL/search, browsing-activity, history, preference, web-content, and personalisation data flows that depend on settings, sign-in, and connected features. Accessed 4 June 2026.
[2] Electronic Frontier Foundation, “Cover Your Tracks: About” and “Learn” - explain browser fingerprinting and how browser/device characteristics can identify users even without cookies. Accessed 2 June 2026.
[3] UK Government, “The UK Product Security and Telecommunications Infrastructure (Product Security) regime”, and PSTI product security factsheet - describe minimum security requirements for consumer connectable products, including transparency around security-update support periods. Accessed 2 June 2026.
[4] FTC, “Data Brokers: A Call for Transparency and Accountability”, and FTC Consumer Advice, “What To Know About People Search Sites That Sell Your Information” - document data-broker collection, sale, and opt-out issues. Accessed 2 June 2026.
[5] NCMEC, “Online Enticement”, NCMEC NetSmartz, “Sextortion”, FBI, “Sextortion”, and CEOP, “Report to CEOP” - explain online enticement, sextortion, reporting routes, and supportive adult responses for children and teenagers. Accessed 2 June 2026.
[6] FBI, “Elder Fraud”, and FTC Consumer Advice, “Scams Against Older Adults” - document common scams and fraud patterns affecting older adults. Accessed 2 June 2026.
[7] FTC Consumer Advice, “Let’s talk about scams this Older Americans Month”, and CFPB, “How to prevent and report scams targeting older adults” - recommend pausing, independently verifying, and reporting suspected fraud. Accessed 2 June 2026.
[8] FTC Consumer Advice, “Stalkerware: What To Know”, and Coalition Against Stalkerware, “What is stalkerware?” - explain stalkerware and the need for safety planning before investigating a potentially monitored device. Accessed 2 June 2026.
[9] Signal, “Signal”; WhatsApp, “Security Features, Safety Tools & Tips” and “Privacy Policy”; and Telegram, “Telegram FAQ” - document Signal’s encryption, no-ads/no-trackers nonprofit model, WhatsApp’s end-to-end encryption plus data categories, and Telegram’s distinction between Cloud Chats and end-to-end encrypted Secret Chats. Accessed 7 June 2026.
Part 5 - Resilience, response & the real world
Everything so far has been about prevention - keeping bad things from happening. This part accepts a harder truth: sometimes they happen anyway. A drive fails, a card is cloned, a scam lands at exactly the wrong moment, a phone is lost at an airport, an account is breached despite your care. Resilience is what separates a bad day from a catastrophe. These sections cover the safety nets - backups, fraud protection, scam decisions, travel precautions, a plan for when something goes wrong, and provision for the day you’re no longer there to manage any of it.
(Physical security appears earlier in Part 2.3 alongside device security, where it sits most naturally.)
5.1 Backup & recovery
Most households have no working backup. They have good intentions, perhaps a half-configured cloud sync, and a quiet assumption that nothing will go wrong - until a hard drive dies, a laptop is stolen, or ransomware encrypts everything in an afternoon, and years of photos and documents are simply gone. A backup is the one safety net that turns these disasters into inconveniences, and getting any backup running matters far more than getting a perfect one.
The rule worth remembering
The time-tested principle is 3-2-1: keep three copies of your data, on two different types of storage, with one of them kept somewhere else. The original on your laptop is one copy; an external drive at home is a second, on different hardware; an encrypted cloud backup is the third, safely offsite. That spread protects you against the full range of disasters at once - a failed drive, a stolen laptop, a house fire, a ransomware infection. For stronger protection, keep one copy fully offline and test that you can restore from it, because a backup you’ve never tested is only a hope.
How to do it
For a hands-off approach, Backblaze backs up an entire computer to the cloud automatically for a flat yearly fee, and it’s hard to fault for simplicity. If you’d prefer cloud storage where even the provider cannot read your files, Proton Drive and Filen offer encrypted options. And for those who want full control, tools like Restic, Duplicati, and Kopia can back up - encrypted and deduplicated - to a local drive, a cloud bucket, or both; Duplicati’s friendly interface makes it the gentlest starting point of the three.
Don’t forget the phones, which hold more irreplaceable photos than anything else in the house. Apple and Google both offer encrypted device backups, and Immich is a self-hosted option for those avoiding the big providers. Whatever you choose, confirm the backup actually includes what you’d grieve to lose.
Surviving ransomware specifically
Ransomware is the threat that ordinary backups can fail against, because the malware often lies dormant and will encrypt your connected backup drive right alongside everything else. The defences are specific: keep versioned backups that retain a month or more of history, so you can roll back to before the infection; keep at least one copy offline and disconnected, updated periodically, that ransomware can never reach across the network; and use separate credentials for your backups so a compromised main account doesn’t hand the attacker your backups too. If the worst happens, the advice is firm - don’t pay. Payment funds the crime, marks you as a willing target, and frequently doesn’t restore your files anyway.1 A good backup is what lets you refuse.
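A restore drill and a rollback-point check for the two pieces of advice above (test that you can restore; keep versioned history so you can roll back to before an infection), as an added example that is not part of the guide or of any tool it names. The file names, snapshot dates, digest labels and the 0.5 churn threshold are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def restore_drill(recorded, restored):
    """Compare the manifest recorded at backup time with a test restore."""
    missing = sorted(set(recorded) - set(restored))
    corrupted = sorted(p for p in recorded
                       if p in restored and recorded[p] != restored[p])
    return {"missing": missing, "corrupted": corrupted,
            "ok": not missing and not corrupted}


def churn(previous, current):
    """Fraction of the previous snapshot's files that changed or vanished."""
    if not previous:
        return 0.0
    touched = sum(1 for path, digest in previous.items()
                  if current.get(path) != digest)
    return touched / len(previous)


def last_clean_snapshot(snapshots, threshold=0.5):
    """Return the label of the snapshot just before the first churn spike.

    snapshots is a list of (label, manifest) pairs, oldest first. The 0.5
    threshold is an assumed starting point; a spike is a reason to inspect
    that snapshot by hand, since a large tidy-up can look the same.
    """
    for older, newer in zip(snapshots, snapshots[1:]):
        if churn(older[1], newer[1]) >= threshold:
            return older[0]
    return snapshots[-1][0]


def demo_restore_drill():
    """Build a constructed source tree and a deliberately damaged restore."""
    files = {
        "docs/tax.pdf": b"tax return 2025",
        "photos/2019/beach.jpg": b"\xff\xd8 beach",
        "notes.txt": b"hello",
    }
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp, "source"), Path(tmp, "restored")
        for rel, data in files.items():
            for base in (source, restored):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        (restored / "photos/2019/beach.jpg").unlink()      # file never restored
        (restored / "docs/tax.pdf").write_bytes(b"tax ret")  # truncated restore
        return restore_drill(manifest(source), manifest(restored))


# Constructed snapshot manifests; the digests are placeholder labels.
ENCRYPTED = {"a.doc.locked": "x1", "b.jpg.locked": "x2", "c.xls.locked": "x3",
             "d.txt": "h4", "README_RESTORE.txt": "x9"}
SNAPSHOTS = [
    ("2026-05-01", {"a.doc": "h1", "b.jpg": "h2", "c.xls": "h3", "d.txt": "h4"}),
    ("2026-05-02", {"a.doc": "h1", "b.jpg": "h2", "c.xls": "h3b", "d.txt": "h4"}),
    ("2026-05-03", ENCRYPTED),   # most files replaced in a single day
    ("2026-05-04", ENCRYPTED),
]

if __name__ == "__main__":
    print(demo_restore_drill())
    print("restore from:", last_clean_snapshot(SNAPSHOTS))
```

A drill that reports anything missing or corrupted means the backup needs fixing before it is relied on.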
5.2 Financial fraud & credit protection
Of all the harms covered here, financial fraud is the most directly measurable - and, for many households, the most likely. It sits at the meeting point of security and privacy: the data that leaks about you becomes the raw material for draining your accounts or borrowing in your name. A few deliberate measures make you a far harder target and turn any fraud that does occur into something recoverable rather than ruinous.
Protecting your accounts
Start with the bank itself. Turn on transaction alerts for everything, so a fraudulent payment surfaces within minutes rather than at the next statement. Use a dedicated email address for banking that you use nowhere else, and prefer a bank that secures logins with an app rather than text-message codes. For online shopping, virtual or disposable card numbers - offered by services like privacy.com and by many modern banks - let you give each merchant a number that can’t be reused if that merchant is breached. Some households keep a separate, low-balance account purely for online spending, topped up as needed, so a compromised card never reaches their main funds.
New-account fraud protection
The aim is simple: make it hard for someone with your stolen details to open bank accounts, loans, phone contracts, credit cards, or other financial products in your name. The mechanism is very country-specific. In the US, the strongest household measure is usually a free security freeze with each major credit bureau, plus fraud alerts when appropriate. In the UK, there is no direct universal equivalent to the US freeze; the closer tool is Cifas Protective Registration, which flags your details so member organisations carry out extra checks, and it is best used when your identity is at heightened risk. In France and many other European countries, the emphasis is more often on official identity-theft reporting, checking national banking or credit incident files, monitoring accounts, and challenging fraudulent debts rather than pre-emptively freezing a consumer credit file.2
So the household rule should be regional rather than absolute: find the strongest new-account fraud protection available where you live, set it up before a crisis if appropriate, and keep the recovery details somewhere safe. If your country offers a credit freeze, use it. If it offers fraud warnings, protective registration, banking-file checks, or official identity-theft reporting routes, learn those instead. Pair this with transaction alerts and credit or account monitoring where available, so a fraudulent application or account does not sit unnoticed for months.
When fraud happens anyway
If you’re hit, speed matters. Contact your bank’s fraud team directly - not general customer service - and report the crime to the national body (Action Fraud in the UK, the FTC and IC3 in the US), keeping the reference number and a record of every conversation, which you’ll need for disputes. Request a copy of your credit report to spot any accounts opened without your knowledge. The faster you move, the more the law and your bank’s protections work in your favour.
Don’t forget the children
A child’s financial identity is usually quiet, which makes it a perfect, quiet target for identity thieves - the theft often goes undiscovered for years, until the child applies for their first account and finds debts already in their name.3 In the US, parents can usually create and freeze a protected child record with the major credit bureaus. Elsewhere, check whether your country has an equivalent child-protection, credit-reference, or identity-theft reporting route. The principle is the same even when the paperwork differs: children need someone to notice unusual financial activity long before adulthood.
5.3 Scam playbook
Most scams do not win because the victim is foolish. They win because the attacker creates pressure, confusion, shame, excitement, or fear at exactly the moment a normal person is trying to be helpful. A household scam playbook gives everyone permission to pause. It turns “I should know what to do” into “we already agreed what to do.”
The thirty-second rule
If a message, call, pop-up, QR code, or direct message creates urgency, stop for thirty seconds before doing anything. Do not click the link. Do not scan again. Do not keep the caller on the line. Do not read out a code. Do not move money. Scams commonly pretend to be a known organisation, invent a problem or prize, pressure you to act immediately, and demand payment in a specific way.4 The pause is not politeness; it is the defence.
Common scam scenes
- Bank, tax, police, delivery, utility, or tech-support messages. Do not use the link, QR code, phone number, or login page provided in the message. Open the real app or type the official address yourself. If it claims to be your bank, call the number on the back of your card.
- “Your account is compromised.” A real bank or platform will not ask you to move money to a safe account, transfer funds to protect them, buy gift cards, send cryptocurrency, or hand over a one-time code. Anyone asking for those things is the attacker.
- “I’m in trouble, send money.” Use the trusted-person code word. If there is no code word, end the call or chat and contact the person through a separate route you already trust.
- Unexpected invitations, calendar events, or meeting links. Treat an invite like any other message. If it asks you to sign in, download something, install a tool, or open a meeting you were not expecting, verify with the person through a separate route before touching the link.5
- Remote-access support calls or pop-ups. Do not let an unexpected caller take control of your device. If you already did, disconnect the device from the internet, call the bank from another device if money was involved, and change important passwords from a trusted device.
- Marketplace, parcel, ticket, rental, or refund scams. Be wary of pressure to leave the platform, pay by bank transfer, use friends-and-family payments, scan a QR code, or pay a small “verification” fee. Small fees are often a test before a larger theft.5
When money or codes are involved
The household rule should be blunt: no one gets money, gift-card numbers, cryptocurrency, bank transfers, payment-app transfers, password-reset links, login links, or authentication codes because they asked in an urgent message. Codes are not proof that the other person is legitimate. They are often the key the scammer needs to enter your account. If a real organisation needs action, you can contact it after the conversation ends, using a number, app, or website you already trust.
Relationship, investment, and crypto scams
The slowest scams are often the most damaging because they begin with trust, loneliness, opportunity, or belonging rather than a fake invoice. Be careful when someone met online wants to move the conversation to a private app quickly, introduces an investment or cryptocurrency opportunity, shows impressive screenshots, offers early withdrawals to build confidence, coaches you on what to tell your bank, or asks for more money to release your supposed profits. Romance and investment scams increasingly overlap, and recovery scammers often target victims a second time by claiming they can get the money back.6
After a near miss or loss
Shame helps criminals, so make the household rule explicit: anyone can say “I think I nearly fell for something” without being mocked. If credentials were entered, change that password from a trusted device and sign out active sessions. If money moved, call the bank’s fraud team immediately. If a device was controlled remotely, disconnect it and treat it as compromised until checked. Keep screenshots, messages, phone numbers, wallet addresses, payment details, and dates. Report the scam through the relevant national route, then tell the rest of the household what happened so the same script does not work twice.
5.4 Travel security
Travel strips away the comforts of your home network and replaces them with hostile Wi-Fi, public charging ports, unfamiliar laws, and the simple fact that devices are far easier to lose or have stolen on the move. A little preparation keeps a trip from becoming an incident.
Before you leave
Do your housekeeping at home, on a network you trust. Update every device and app before departure rather than over hotel Wi-Fi. Confirm your backups are current and that remote wipe is working, so a lost device is recoverable and erasable. Note your devices’ serial numbers. Tell your bank your travel dates to avoid both fraud blocks and missed fraud. And for higher-risk destinations, consider travelling with a cheap, near-empty device rather than your daily phone or laptop.
Crossing borders
This surprises people: at many borders, including the US and UK, officials can require you to unlock and hand over your devices, sometimes without a warrant.7 Your defences are simple but must be in place beforehand. Full-disk encryption combined with powering the device fully off before the border is the strongest everyday protection - an encrypted, powered-down device is genuinely difficult to access. Logging out of sensitive accounts before crossing, and back in afterwards, limits what’s reachable even if the device is examined; some password managers offer a “travel mode” that removes selected data entirely until you restore it. Know that you can decline, that declining may mean being refused entry or having the device detained, and weigh that against where you’re going.
On the ground
Treat all public Wi-Fi - hotel, café, airport - as if a stranger is reading it, because they might be. Use a VPN for anything sensitive, and never do your banking on open Wi-Fi without one. Confirm the real network name with staff, since fake look-alike hotspots are a common trick. For charging, use your own adapter in a wall socket rather than a public USB port, or carry an inexpensive USB data blocker. Often the safest option of all is to use your phone’s own mobile data, sharing it to your laptop, rather than trusting the local network at all.
Different countries, different rules
The wider world plays by different rules. Some countries monitor communications heavily, some restrict or ban VPNs outright, and intelligence-sharing arrangements between nations mean your data may travel further than you’d expect. Before visiting a higher-risk country, check the local position on VPNs and encrypted messaging, and assume that in the most surveillance-heavy destinations, anything on the local network may be observed. For most holidays this is academic; for travel to certain places, it’s worth a few minutes’ research before you fly.
5.5 Incident response: when something goes wrong
Despite every precaution, something may slip through. The difference between a scare and a disaster usually comes down to what you do in the first hour - and whether you’d thought about it at all beforehand. This section is the plan to reach for when you suspect something is wrong, and it’s worth reading before you need it, because calm is hard to summon in the moment.
Spotting that something’s wrong
The early signs are often quiet: a password-reset email you didn’t request, an alert about a login from somewhere unfamiliar, a bank transaction you don’t recognise, friends receiving messages you never sent, or a device that suddenly slows down, behaves oddly, or sprouts apps you didn’t install. Ransomware announces itself more bluntly, with files renamed and a demand for payment. Treat these signals seriously rather than explaining them away; acting on a false alarm costs little, while ignoring a real one costs a great deal.
The first hour
If you believe a device is compromised, disconnect it from the network to stop anything spreading or sending data out, but don’t immediately wipe or even power it off if you can avoid it, since that can destroy useful evidence. Then, working from a different, trusted device, change the passwords for your most important accounts - email provider or webmail first, then banking, then your password manager - and turn on a second factor anywhere it isn’t already on. If money is involved, call your bank’s fraud line straight away. Photograph any ransom note or error message before you touch anything, as you’ll want it for reports.
Reclaiming a compromised account
When an account itself has been taken over, go beyond changing the password. Every major service lets you see and sign out all active sessions - do that, to evict the intruder. Then check the settings attackers love to abuse but victims rarely inspect: hidden email forwarding rules that quietly copy your mail to them, and filters that delete security warnings before you see them. Remove any you didn’t create, review which third-party apps have access and revoke the unfamiliar, and run your address through Have I Been Pwned to understand what was exposed.
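One way to check an exported set of mail filters for the forwarding and warning-hiding rules described above, as an added example that is not part of the original guide. It assumes the XML layout of a Gmail filter export; the sample export, the addresses and the keyword list are constructed.

```python
import xml.etree.ElementTree as ET

# Namespaces assumed from the Gmail filter export layout.
ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Fields that decide which messages a filter matches.
CRITERIA = ("from", "to", "subject", "hasTheWord")
# Constructed keyword list: words typical of account-security notices.
SECURITY_WORDS = ("security", "password", "sign-in", "login",
                  "verification", "alert")

# Constructed sample export with four filters.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'></category>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Shopping'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <apps:property name='hasTheWord' value='invoice OR statement OR bank'/>
    <apps:property name='forwardTo' value='archive.copy@mailbox.example'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <apps:property name='from' value='no-reply@accounts.example'/>
    <apps:property name='subject' value='Security alert'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <apps:property name='from' value='school@office.example'/>
    <apps:property name='forwardTo' value='me.backup@family.example'/>
  </entry>
</feed>
"""


def load_filters(xml_bytes):
    """Return one {property name: value} dict per filter in the export."""
    root = ET.fromstring(xml_bytes)
    return [{p.get("name"): p.get("value", "")
             for p in entry.iter(APPS + "property")}
            for entry in root.iter(ATOM + "entry")]


def audit_filter(props, own_addresses):
    """List the reasons a single filter deserves a manual look."""
    reasons = []
    target = props.get("forwardTo", "").strip().lower()
    if target and target not in own_addresses:
        reasons.append(f"forwards matching mail to {target}")
    criteria = " ".join(props.get(key, "") for key in CRITERIA).lower()
    # Trashing, or archiving and marking read, keeps mail out of sight.
    hides = props.get("shouldTrash") == "true" or (
        props.get("shouldArchive") == "true"
        and props.get("shouldMarkAsRead") == "true")
    if hides and any(word in criteria for word in SECURITY_WORDS):
        reasons.append("hides messages that look like security notices")
    return reasons


def audit_export(xml_bytes, own_addresses):
    """Return (filter number, reason) pairs, numbering filters from 1."""
    own = {address.lower() for address in own_addresses}
    findings = []
    for number, props in enumerate(load_filters(xml_bytes), start=1):
        for reason in audit_filter(props, own):
            findings.append((number, reason))
    return findings


if __name__ == "__main__":
    mine = {"me.backup@family.example"}
    for number, reason in audit_export(SAMPLE_EXPORT.encode("utf-8"), mine):
        print(f"filter {number}: {reason}")
```

A flagged filter is one to read and confirm you created, not proof of compromise; forwarding to an address you listed as your own is left alone.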
Cleaning a compromised device
For a device, the safe assumption is that you can’t reliably “clean” malware by hand. A factory reset and a restore from a backup taken before the trouble started is the dependable path. If you’ve no clean backup, rebuild the device fresh and copy back only your personal files, not applications. For anything business-critical, professional forensic help may be worth the cost.
Reporting and recovering
Report the incident to the appropriate national body - Action Fraud in the UK, the FTC and IC3 in the US - and obtain a reference number for any insurance or dispute. National cyber-security agencies publish free, current recovery guidance. Check whether your home insurance includes any cyber cover. And keep a written record of everything as you go: dates, screenshots, who you spoke to. The single best preparation, though, costs nothing and happens long before any incident: once a year, talk through a “what if” as a household - what would we actually do, right now, if the main email account were hacked? The households that handle a real incident calmly are invariably the ones that imagined it in advance.
5.6 Legacy & digital estate planning
This is the section no one wants to write and every household eventually needs. Our lives are now bound up in accounts, devices, and encrypted vaults that, by design, only we can open - which means that when someone dies or becomes incapacitated, the people handling their affairs can be locked out of photos, finances, and memories at exactly the moment those things matter most. A little planning spares the people you love a great deal of grief and frustration. The very security measures this guide recommends are precisely what make this planning necessary: a password manager protected by a master password no one else knows is a vault that closes forever if you don’t leave a key.
Leaving a key to the vault
The cleanest solution works through your password manager. Bitwarden offers free emergency access, letting you nominate a trusted person who can request entry to your vault after a waiting period you set; 1Password has a similar feature. For a belt-and-braces approach, write your master password and your second-factor backup codes on paper and store them somewhere genuinely secure - with your will, with a solicitor, or in a safe - treated with the same care as the deed to your house. Never store this in the cloud, which would undo the protection entirely. The principle is simple: exactly one trusted route into your digital life should exist, and the right people should know it’s there.
The tools the platforms already give you
The major providers have quietly built features for exactly this, and almost no one uses them. Google’s Inactive Account Manager lets you decide what happens to your account after a long period of inactivity, including passing data to a nominated contact. Apple’s Digital Legacy lets you name people who can access your account after your death.8 Facebook can memorialise an account or hand it to a legacy contact. Setting these up takes a few minutes each and resolves a great deal in advance.
Writing it down
Beyond access, whoever handles your affairs will need a map. A simple digital estate inventory - a list of your important accounts, subscriptions, any cryptocurrency or digital assets, domain names, and what should happen to each - turns a bewildering search into a manageable task for whoever has to sort your affairs. Note where the credentials live rather than the credentials themselves, keep it with your other estate documents, and revisit it once a year, because accounts and services change. Pay particular attention to anything that vanishes without action: cryptocurrency whose recovery phrase only you hold, or domains and subscriptions that will quietly lapse or fail when the card behind them stops working.
The kindest framing is this: a single page, stored with your will, telling the right person how to reach your password manager and what to do with your key accounts, is among the most considerate things you can leave them. It costs an afternoon now and saves them one of their hardest weeks later.
References & sources
1. CISA/MS-ISAC, “StopRansomware Guide”, and UK NCSC, “Mitigating malware and ransomware attacks” - advise against paying ransoms and stress reliable backups and recovery planning. Accessed 2 June 2026.
2. Consumer Financial Protection Bureau, “What does it mean to put a security freeze on my credit report?”, FTC, “Credit freezes and fraud alerts”, Cifas, “Protective Registration”, Service-Public.fr, “Usurpation d'identité”, and Banque de France, “Usurpation d’identité : les bons réflexes” - show that new-account fraud protection is strongly regional: US security freezes, UK protective registration, and French identity-theft/banking-file checks are not the same mechanism. Accessed 3 June 2026.
3. FTC Consumer Advice, “Credit freezes and fraud alerts”, and FTC, “Child Identity Theft: What to Know, What to Do” - explain the US child credit-freeze route and why child identity theft can go undiscovered for years. Accessed 3 June 2026.
4. FTC Consumer Advice, “How To Avoid a Scam”, and UK National Cyber Security Centre, “Phishing: Spot and report scam emails, texts, websites and calls” - describe common scam warning signs, including impersonation, invented problems, urgency, and pressure to pay in specific ways. Accessed 3 June 2026.
5. FTC Consumer Advice, “Scammers hide harmful links in QR codes to steal your information”; FTC Consumer Advice, “Asked to enter your email address and password to open a party invite? That’s a scam”; and UK National Cyber Security Centre, “Phishing: Spot and report scam emails, texts, websites and calls” - warn that links, QR codes, invitations, emails, texts, websites, and calls can be used to steer people to fraudulent pages or malware. Accessed 7 June 2026.
6. FBI, “Romance Scams”, and FBI, “Cryptocurrency Investment Fraud” - describe romance scams, trust-building, cryptocurrency investment fraud, private messaging moves, fake platforms, recovery scams, and advice to stop sending money and report to IC3. Accessed 3 June 2026.
7. US Customs and Border Protection, “Border Search of Electronic Devices at Ports of Entry”, and GOV.UK, “Codes of practice for officers using examination powers at ports” - document US border-device searches and UK port examination powers. Accessed 2 June 2026.
8. Google Account Help, “About Inactive Account Manager”, and Apple Support, “How to request access to a deceased family member’s Apple Account” - document Google inactivity contacts and Apple Legacy Contact/Digital Legacy access. Accessed 2 June 2026.
Part 6 - High-profile households
Most households can read this for awareness and move on. Some will recognise themselves immediately. This section is for households where public attention, money, controversy, harassment, or a specific adversary changes the risk.
6.1 When the rules change
The rest of this guide assumes the ordinary threat model: automated attacks, opportunistic scams, weak passwords, neglected devices, and the slow leak of personal data. For most households, that is the right model. The standard roadmap will do more good than exotic defences.
But the number of people who are meaningfully visible has grown. You do not need to be a film star or cabinet minister. You might be a local politician, campaigner, influencer, streamer, journalist, doctor, lawyer, school leader, landlord, executive, performer, creator, wealthy-looking person, or simply someone whose post went viral. You might be involved in a public dispute, a court case, a messy separation, a controversial job, or a community argument that spilled online. You might have one persistent obsessive person. Visibility does not have to be glamorous to become risky.1
The threshold is not fame; it is targetability. If someone can name you, search you, contact you, impersonate you, or find people around you, you have moved beyond the ordinary model. The foundations still apply, and apply more urgently. This section adds the extra layer: reducing what can be found, hardening what can be attacked, and planning for the point where online attention becomes physical-world risk.
6.2 What’s different about a motivated adversary
An automated attacker gives up when you become inconvenient; there are millions of easier targets. A motivated adversary does not. That one difference changes the shape of the problem.
They will research. They will read old posts, public records, domain registrations, company filings, property records, leaked databases, tagged photos, school newsletters, event pages, livestream backgrounds, and posts from friends. They will try the public email address, then the private one, then the recovery account. They may target the people around you - partners, children, assistants, colleagues, moderators, agents, volunteers, housemates - because the shortest path to you may not go through you.
They may also use attention as a weapon. Doxxing, fake accounts, malicious reports to platforms, deepfake or intimate-image abuse, swatting threats, fraudulent complaints, and impersonation all aim to make your ordinary life difficult, frightening, or expensive.2 The practical consequence is that a high-profile household needs two plans at once: a technical security plan and an exposure-management plan.
6.3 Reducing your exposure
For most households, privacy is about limiting commercial data collection. For a high-profile household, privacy is a safety control. The information an adversary needs to reach you is the information you try to deny them.
Start with address exposure. Data brokers and people-search sites aggregate names, home addresses, relatives, phone numbers, and past locations. For ordinary households, removal is good hygiene; for a targeted household, it can be the difference between being findable and not. Work through removals yourself or use a reputable removal service. Repeat the process periodically, because data reappears. Search your name, old usernames, phone numbers, email addresses, domain names, business names, and images of your home from the point of view of someone trying to locate you.3
Separate public life from private life. A public role should have its own email address, phone number, mailing address, payment channel, calendar, and social accounts. The phone number used for public work should never secure your bank account. The email address on a website should not be the recovery address for your password manager. If you run a newsletter, shop, campaign, channel, or booking page, assume every contact detail on it will eventually be copied somewhere you do not control.
Audit what your household publishes. Remove or delay routine-revealing posts: school names, uniforms, regular routes, gym times, clinic visits, vehicle plates, house-front photos, window views, boarding passes, hotel room numbers, badges, and event lanyards. Be especially careful with live posting. Sharing a photo from a place after you have left is safer than announcing where you are while you are still there.
Consider address privacy in the legal and administrative world. Use a PO box, mailbox service, business address, registered agent, or professional office address where lawful and practical. Review domain registrations, company filings, charity records, electoral rolls, property records, and professional directories. In some places, address-confidentiality programmes exist for people at demonstrated risk, especially stalking or domestic-abuse victims. The goal is not secrecy for its own sake. The goal is that a casual search does not point to where you sleep.
6.4 Hardening against a determined attacker
The standard measures in this guide are not optional here; they are the baseline. A high-profile household should treat account security, device security, and recovery as things that must work under pressure.
Lock down identity accounts first. Your primary email, password manager, phone account, social accounts, domain registrar, cloud storage, bank, and payment accounts are the crown jewels. Use unique passwords, hardware security keys where supported, and recovery details that do not point back to public contact channels. Remove SMS as a second factor wherever you can. Call your mobile carrier and add the strongest available protection against porting or SIM changes: account PIN, port freeze, number lock, or in-store-only changes.
Treat platforms as infrastructure. For creators, politicians, performers, activists, and people with a loud public presence, a social account may be reputation, income, and contact point all at once. Turn on the strongest login protection each platform offers. Record backup codes. Add trusted admins carefully and remove anyone who no longer needs access. Protect the email address behind every platform. Register obvious domain names and handles before an impersonator does. Keep a clean public contact path so strangers do not need to hunt for private channels.
Expect impersonation. High-profile households should assume fake accounts, cloned voices, fake screenshots, and AI-generated media will become easier. Keep a short public verification page or pinned post listing your real accounts and contact routes. For private emergencies, use the trusted-person code word from Part 1. For public claims, respond from verified channels rather than arguing in screenshots. If intimate-image or deepfake abuse occurs, preserve evidence, report through platform channels, and use specialist reporting routes where available.4
Assume devices may be of interest. A motivated adversary may try phishing, malicious links, account recovery abuse, device theft, or physical access. In domestic-abuse and stalking situations, the risk may be someone who has already handled the phone or knows the passcode. Stalkerware is not an abstract threat in that context. If you suspect monitoring, do not investigate from the possibly compromised device; safety planning comes first, ideally with a specialist organisation or advocate.5
Use high-risk modes where warranted. Apple Lockdown Mode, GrapheneOS on supported Android Pixel phones, advanced account protection options, hardware security keys, separate admin accounts, device encryption, and strict app permissions all make sense here. They have friction, which is why they are not default advice for everyone. For someone facing persistent personal targeting or sophisticated spyware risk, that friction may be a good trade.6
6.5 Bridging digital and physical
For most readers, physical security means theft, shoulder surfing, and lost devices. For a targeted household, digital and physical safety merge. An address found online becomes a doorstep. A routine visible in posts becomes a schedule. A compromised account becomes a way to message contacts, cancel bookings, track deliveries, or gather travel details.
Think in circles around the household. First, the person in the public role. Then partners, children, housemates, assistants, moderators, agents, staff, close relatives, and anyone with account access or schedule knowledge. Bring them up to the right standard. A determined adversary will use the easiest route, not the most honourable one.
Decide what is private before there is a crisis. Home address, children’s schools, travel dates, medical appointments, vehicle plates, daily routines, private email addresses, personal phone numbers, and recovery contacts should be treated as sensitive. If staff, volunteers, or collaborators help with public work, give them written rules for what may be shared, what must be checked first, and where suspicious messages should be reported.
If threats become credible - stalking, domestic abuse, violent threats, extortion, swatting, or persistent harassment - this guide is no longer enough by itself. Preserve evidence. Use a safer device to seek help if monitoring is possible. Contact specialist support organisations, platform safety teams, law enforcement where appropriate, and professional security or privacy advisers if the situation warrants it. Getting help is not an admission that you failed at digital hygiene. It is the correct escalation.
6.6 Keeping perspective
This section is deliberately stronger than the rest of the guide. That does not mean every household should adopt all of it. Over-applying high-risk measures can waste money, exhaust patience, and make security feel unattainable. The point is to match the defence to the risk.
A useful test is this: can you name a person, group, audience, role, or public controversy that gives someone a reason to target you personally, beyond generic financial gain? Is your home address, routine, employer, school, or private contact information easy to find? Would losing a social account, email account, or phone number create public, financial, or safety consequences? If yes, use this section. If no, read it for awareness and follow the standard roadmap.
The aim is not to disappear from the world. Most high-profile people cannot and should not. The aim is to separate public contact from private life, make account takeover difficult, make doxxing less fruitful, protect the people around you, and know when the problem has moved beyond self-help.
References & sources
[1] CISA, “High-Risk Communities”, and UK NCSC, “Guidance for high-risk individuals on protecting your accounts and devices” - describe heightened cyber risk for civil society, public-status, political, journalistic, legal, and other high-risk individuals. Accessed 2 June 2026.
[2] FBI, “Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud”, and FTC Consumer Advice, “Image-Based Abuse: What To Know and Do” - document AI-enabled impersonation and image-based abuse risks, including reporting and evidence-preservation considerations. Accessed 2 June 2026.
[3] FTC, “Data Brokers: A Call for Transparency and Accountability”, and FTC Consumer Advice, “What To Know About People Search Sites That Sell Your Information” - explain how data brokers and people-search sites collect and sell personal information. Accessed 2 June 2026.
[4] FTC Consumer Advice, “Image-Based Abuse: What To Know and Do”, and FBI, “Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud” - provide consumer guidance on abusive image misuse and AI-enabled fraud. Accessed 2 June 2026.
[5] FTC Consumer Advice, “Stalkerware: What To Know”, and Coalition Against Stalkerware, “What is stalkerware?” - explain stalkerware, warning signs, and why safety planning should come before device investigation in abuse contexts. Accessed 2 June 2026.
[6] Apple Support, “About Lockdown Mode”; GrapheneOS, “GrapheneOS”; and UK NCSC, “Guidance for high-risk individuals...” - describe stronger protections for people at elevated risk, including device hardening, mobile OS hardening, and account protection. Accessed 2 June 2026.
Part 7 - Implementation roadmap
Everything in this guide comes together here. If the rest of the guide is the what and the why, this is the when - a concrete sequence that turns a long list of good ideas into a manageable plan. It exists because the single biggest reason households stay unprotected is not disagreement about what to do; it’s being overwhelmed by how much there is. The cure for overwhelm is order.
Two principles shape this roadmap. The first is impact before effort: the earliest steps are the ones that block the most damage for the least work, regardless of how technical they sound. The second is owners, not volunteers: a task assigned to “the household” is a task assigned to no one. As you work through each phase, decide explicitly who is responsible for each item, and write it down.
A note before you begin: you will not finish the first week’s list in an afternoon, and that’s fine. Doing the Week 1 items at all, even spread across a few evenings, puts your household ahead of the overwhelming majority of households. Progress beats perfection at every stage.
7.1 Week 1 - Critical foundations
These five actions close the open doors that automated attacks walk through every day. Nothing else here matters as much.
Start by installing a password manager - Bitwarden is the recommendation for most households - and begin moving your accounts into it, giving each a unique, generated password. You won’t do all of them in a week; start with the important ones. Protect the manager itself with a strong master password and a second factor.
Next, turn on a second sign-in step, often called multi-factor authentication, and do it in order of consequence: your email provider or webmail account first (because it resets everything else), then your bank, then everything else over time. Prefer an authenticator app or a hardware key over text-message codes.
Then make sure every device - phones, tablets, computers - is set to update its operating system and apps automatically. Most successful malware exploits flaws that were patched months earlier, on devices whose owners never installed the update.
Turn your attention to the router. Change its administrator password away from the factory default, and disable WPS. This takes ten minutes and closes one of the most commonly overlooked doors into a home network.
Finally, run your household’s email addresses through Have I Been Pwned to see what’s already been exposed, change any breached passwords, and check what new-account fraud protection exists where you live: credit freezes in the US, protective registration or fraud flags in some places, official identity-theft reporting and file checks in others. The local tool varies; the priority does not.
7.2 Month 1 - Network and device hardening
With the foundations in place, spend the first month strengthening the devices and the network they sit on.
Confirm that full-disk encryption is switched on for every computer and phone, so a lost or stolen device doesn’t become a data breach. Set up network-wide DNS filtering - NextDNS for simplicity, or Pi-hole and AdGuard Home if you’d rather self-host - to block ads, trackers, and malicious domains across the whole household at once. Move your daily browsing to a privacy-respecting browser with a good content blocker. If your router supports it, create a separate network for smart-home devices so a compromised gadget can’t reach your computers. And get at least one backup running - even a simple automated copy to an external drive plus a cloud service - because the day you need a backup is the day it’s too late to start one.
7.3 Months 2 to 3 - Privacy and communication
Now the work shifts from defence to deliberate privacy, and from individual protection to household habits.
Move household group conversations to an end-to-end encrypted messenger such as Signal. Set up email aliases for shopping and sign-ups so a future breach exposes a throwaway address rather than your real one. Review and tighten the permissions every app on every phone has quietly accumulated. Configure secure remote access to your home network - Tailscale or WireGuard - so you can reach your files and devices from outside without exposing them to the internet, and set up a trustworthy VPN for the whole household to use on public Wi-Fi. Finally, write your household’s incident response plan: a single page that says what to do, and who does it, if an account is hacked. Rehearsing calm beats improvising in a panic.
7.4 Months 4 to 6 - Advanced and optional
These steps are worthwhile but not essential for every household. Take them on as time and interest allow.
Consider bringing your smart home under local control with a hub like Home Assistant, removing the cloud dependency from devices that don’t need it. Set up self-hosted file, calendar, and contact syncing if you’d rather not rely on the big providers. Add hardware security keys for your highest-value accounts. Submit opt-out requests to the major data brokers, either manually or through a removal service. Draft a digital estate plan - a sealed record of how your accounts and password manager can be accessed if something happens to you - and configure the inactivity and legacy-contact features the major platforms offer. And if privacy matters enough to you, evaluate a Linux desktop for the household members willing to make the switch.
7.5 Ongoing - The annual review
Security is a practice, not a project. Put a recurring date in the calendar and, once a year, work through a short review: audit your passwords for anything weak or reused, recheck Have I Been Pwned for new breaches, test that you can actually restore from a backup, review and revoke the third-party apps connected to your main accounts, update your household’s incident plan and emergency contact details, and refresh the digital estate record. While you’re at it, run a brief “fire drill” - talk through what the household would do if one person’s email were hacked right now. The households that handle a real incident calmly are the ones that imagined it in advance.
That’s the whole arc: a handful of critical actions this week, steady hardening over the following months, and a light yearly rhythm to keep pace with a changing world. You don’t have to do it all, and you don’t have to do it perfectly. Worked through in order, this roadmap will leave your household dramatically safer than the day you started.
Appendix A - Key concepts explained
This guide leans on a handful of ideas that it treats as building blocks: open source, encryption, two-factor authentication, passkeys, backups, and so on. If those terms are already familiar, skip this appendix. If they’re not - and there’s no shame in that, because the technology industry rarely bothers to explain itself - read this first. Everything else in this guide will make more sense once these concepts click into place. Each is explained in plain language, with no assumed background.
What is “source code”, and what does “open source” mean?
Every app and program on your devices is built from source code - the human-written instructions that tell the computer what to do. You never normally see it; you just see the finished app. It’s a bit like a recipe: you eat the cake, you don’t read the recipe, and you usually can’t even get hold of it.
Most software is closed source (also called proprietary). The company keeps the recipe secret. You’re trusting that the app does only what it claims - that your messaging app isn’t quietly copying your contacts, that your “free” game isn’t tracking your location - but you have no way to check, and neither does anyone else. You’re taking the company’s word for it.
Open source software publishes its recipe for anyone to read. This sounds like a small technical distinction, but for privacy and security it’s profound, for two reasons.
First, it can be checked. Security researchers, journalists, and curious experts around the world can - and do - inspect open-source code for flaws, for hidden tracking, for anything that betrays the user. A closed-source app could be sending your data anywhere and you’d never know; an open-source one is examined in the open. Problems get found and fixed, often quickly, by people with no stake in covering them up.
Second, it can’t quietly betray you later. A company can take a closed-source app you trusted and, in a future update, start harvesting your data - and you’d have no way to see it happen. With open source, such a change would be visible to the watching community and would cause an immediate outcry.
This is why open source appears so often in this guide’s recommendations. It isn’t about ideology or saving money (though open-source software is usually free). It’s that when you’re choosing what to trust with the private corners of your life - your passwords, your messages, your files - software whose inner workings can be independently verified deserves more trust than software that simply asks you to believe it. “Trust, but verify” becomes “trust because others can verify.”
A fair question is: if you personally can’t read the code, does it help you that someone else can? Yes - in the same way that you can’t personally inspect a restaurant’s kitchen, but the fact that health inspectors can, and do, makes you safer when you eat out. You benefit from the scrutiny even when you’re not the one doing it.
What is encryption?
Encryption scrambles information so that only someone with the right key can unscramble and read it. To everyone else, it’s meaningless gibberish. It is the single most important idea in digital security, and it underpins almost everything else in this guide.
Think of it as a lockbox. You put your message, file, or password inside, lock it, and only the holder of the correct key can open it. Anyone who intercepts the locked box - a thief, a snooping network, even the company storing it - sees only a sealed container they can’t open.
Encryption protects information in two situations. In transit, it protects data moving across the internet - which is why a password sent to a website whose address begins https (the “s” is for secure) is protected on the way there, while one sent over plain http is not. At rest, it protects data sitting on a device - which is what “full-disk encryption” means: if your encrypted laptop is stolen, the thief gets a locked box they can’t open, not your files.
Modern encryption, used properly, is genuinely strong - strong enough that even governments with vast resources can’t break it by force. That’s why the practical attacks described here go around encryption (stealing your password, tricking you into handing over access) rather than through it.
What does “end-to-end encrypted” mean?
This phrase appears throughout the guide, especially around messaging, and the distinction it draws is important.
Ordinary encryption often protects your data on its journey and while a company stores it - but the company itself usually holds a key and can read it. Your messages might be encrypted in transit to the provider’s servers, but the provider can still see them.
End-to-end encryption means the message is locked on your device and can only be unlocked on the recipient’s device. Nobody in between - not the network, not even the company that runs the service - holds a key. The “two ends” are you and the person you’re talking to, and the lock is sealed for the entire journey between you.
This is the difference between a postcard and a sealed letter. With ordinary encryption, the postal service can read the postcard as it passes through. With end-to-end encryption, only the sender and recipient can open the envelope; everyone who handles it in between sees only the sealed outside. It’s why a messenger like Signal can promise that it cannot read your conversations - not “won’t,” but genuinely cannot, because it doesn’t hold the key.
What is “zero-knowledge”?
Closely related, zero-knowledge describes a service designed so that the company providing it cannot access your data - even if it wanted to, even if compelled by a court, even if its own servers were hacked. The provider stores your information but holds no key to unlock it; only you do.
A zero-knowledge cloud-storage service, for example, stores your files but genuinely can’t read them. The advantage is obvious: a breach of the company exposes only locked boxes. The trade-off is equally important to understand - if you lose your key (your password), there is usually no “forgot password” rescue, because the company has no way to reset what it can’t access. That responsibility shift, from the company to you, is the price of the protection.
What is two-factor authentication (the “second factor”)?
A password is a single proof of who you are: something you know. The problem is that a password can be stolen, guessed, or leaked in a breach, and once someone has it, they’re in.
Two-factor authentication (2FA, also called multi-factor authentication or MFA) adds a second, different kind of proof, so that knowing the password alone isn’t enough. The classic framing is three categories: something you know (a password), something you have (your phone, an app, a physical key), and something you are (a fingerprint or face). Requiring two of these means a thief who steals your password still can’t get in, because they don’t also have your phone in their hand.
In practice it usually looks like this: you enter your password as usual, then the service asks for a six-digit code from an app on your phone, or a tap on a small physical key, or your fingerprint. The minor daily inconvenience buys an enormous amount of protection - it’s the difference between a stolen password being a catastrophe and being a shrug.
What is a passkey?
A passkey is a newer way of signing in that replaces the shared secret of a password with a pair of cryptographic keys. One key stays private on your device, protected by your fingerprint, face, device PIN, or password manager. The other key sits with the website. When you sign in, the site asks your device to prove it holds the private key, but the private key itself is never sent to the site.
That difference matters. With a password, the website stores something that can be stolen and reused, and you can be tricked into typing it into a fake login page. With a passkey, there is no password for the fake page to steal, and the passkey is tied to the real website it was created for. That makes passkeys strongly resistant to ordinary phishing: a passkey for your bank will not work on a look-alike site with the wrong address. [1]
For households, the practical experience is simple: you go to sign in, your device asks for your fingerprint, face, PIN, or password-manager unlock, and you’re in. Behind the scenes it is stronger than a password plus a text-message code, but to the user it can feel easier than either. That is why passkeys are worth adopting where the service offers them, especially for email, banking, password managers, and other high-value accounts.
The trade-off is recovery. If your passkeys live only on one phone and that phone is lost, damaged, or wiped, you need another recovery route. Many households will use synced passkeys through Apple, Google, Microsoft, Bitwarden, 1Password, or another password manager, which makes them much easier to live with across devices. That convenience means trusting the account or password manager that syncs them, so protect that account especially well and keep recovery codes somewhere safe. For the highest-risk accounts, a hardware security key can still be the cleanest option because it is a physical object you control.
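The sign-in exchange described above, as an added example that is not part of the original guide: a simplified model of the idea behind passkeys, not the real WebAuthn message format. The origins `https://bank.example` and `https://bank-example.test`, the user `alex`, and all class and function names are constructed for illustration.

```javascript
// Added illustration: a simplified passkey-style sign-in. It mirrors the idea behind
// WebAuthn (key pair per site, signed challenge, origin check), not its real message format.
const crypto = require('crypto');

// The user's device. It keeps one private key per website origin and never exports it.
class Authenticator {
  constructor() {
    this.privateKeys = new Map(); // origin -> private key
  }

  // Creating a passkey: make a key pair for this origin and hand over only the public half.
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.privateKeys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }

  // Signing in: sign the site's challenge together with the origin the browser is really on.
  // Returns null when this device has no passkey for that origin.
  sign(origin, challenge) {
    const privateKey = this.privateKeys.get(origin);
    if (!privateKey) return null;
    const clientData = Buffer.from(JSON.stringify({ origin, challenge: challenge.toString('hex') }));
    return { clientData, signature: crypto.sign(null, clientData, privateKey) };
  }
}

// The website. It stores public keys only, which cannot be used to sign in if they leak.
class Website {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key (PEM)
    this.pending = new Map(); // user -> challenge awaiting an answer
  }

  enroll(user, publicKeyPem) {
    this.publicKeys.set(user, publicKeyPem);
  }

  startLogin(user) {
    const challenge = crypto.randomBytes(32); // fresh and unpredictable for every attempt
    this.pending.set(user, challenge);
    return challenge;
  }

  finishLogin(user, assertion) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge can be answered once
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem || !assertion) return false;
    let data;
    try {
      data = JSON.parse(assertion.clientData.toString('utf8'));
    } catch {
      return false;
    }
    if (data.origin !== this.origin) return false; // signed for some other site
    if (data.challenge !== challenge.toString('hex')) return false; // stale or replayed answer
    return crypto.verify(null, assertion.clientData, crypto.createPublicKey(pem), assertion.signature);
  }
}

function runPasskeyDemo() {
  const bank = new Website('https://bank.example'); // constructed origin
  const lookalike = 'https://bank-example.test'; // constructed look-alike origin
  const phone = new Authenticator();
  bank.enroll('alex', phone.register(bank.origin));

  // 1. Genuine sign-in on the real site.
  const first = phone.sign(bank.origin, bank.startLogin('alex'));
  const genuine = bank.finishLogin('alex', first);

  // 2. A look-alike page passes on a real challenge, but the device has no passkey for that origin.
  const relayedChallenge = bank.startLogin('alex');
  const nothingToOffer = phone.sign(lookalike, relayedChallenge) === null;

  // 3. Even with a passkey made on the look-alike site, the answer names the wrong origin.
  phone.register(lookalike);
  const wrongOrigin = bank.finishLogin('alex', phone.sign(lookalike, relayedChallenge));

  // 4. An old, valid answer is useless against a new challenge.
  bank.startLogin('alex');
  const replayed = bank.finishLogin('alex', first);

  return { genuine, nothingToOffer, wrongOrigin, replayed };
}

console.log(runPasskeyDemo());
```

The private key never leaves `Authenticator`; the site only ever sees a public key and a signature over one fresh challenge.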
What is “the cloud”?
“The cloud” sounds mystical but means something mundane: someone else’s computer, somewhere else, that you reach over the internet. When your photos are “in the cloud,” they’re stored on a company’s computers in a data centre, and your devices sync to them. When you use a “cloud service,” you’re using software running on those distant machines rather than your own.
The cloud is convenient - your data is backed up, available everywhere, and shared easily - which is why it’s everywhere. The catch, and the reason this guide keeps returning to it, is that “someone else’s computer” means someone else has custody of your data. They may be able to read it, they may be compelled to hand it over, and they may be breached. None of that makes the cloud bad; it makes it a thing to use thoughtfully, choosing providers you trust and, where it matters most, ones that use end-to-end or zero-knowledge encryption so that “someone else’s computer” can’t actually read what you’ve stored.
What is a backup?
A backup is an extra copy of something important, kept so you can get it back when the original is lost, broken, deleted, stolen, corrupted, or encrypted by ransomware. That sounds obvious, but it leads to one of the most common household mistakes: confusing sync with backup.
Sync is not the same as backup. Sync keeps the same files available across devices. If you save a photo on your phone and it appears on your laptop, that is sync. It is useful, but it also faithfully syncs mistakes: delete a folder, overwrite a document, or let ransomware encrypt files, and the bad change may sync everywhere. A real backup keeps history, so you can go back to an earlier version or recover something after it disappeared.
A good household backup has three qualities. First, it is automatic, because backups that depend on remembering will eventually stop happening. Second, it is versioned, meaning it keeps older copies for long enough to notice a problem and recover. Third, at least one copy is away from the device it protects: either in the cloud, on a NAS, or on a drive that is not permanently connected. A backup sitting beside the laptop helps when the laptop dies, but not if both are stolen or damaged together.
The simple recipe is the old 3-2-1 rule: three copies of important data, on two different kinds of storage, with one copy somewhere else. For many households that means the original files, a local backup to an external drive or NAS, and an encrypted offsite backup. The exact tools matter less than the outcome: if a laptop is stolen, a drive fails, or a folder is accidentally deleted, you can calmly restore the thing that mattered. [2]
The final test is the only one that counts: restore something. A backup you have never restored from is a promise, not proof. Once or twice a year, pick a file, restore it to a different folder, and check that it opens. That small ritual turns backup from wishful thinking into a safety net.
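The difference between sync and a versioned backup, and the restore test described above, as an added example that is not part of the original guide. It works on a constructed flat folder in a temporary directory; the file names, contents and function names are made up for illustration, and real backup tools are far more capable.

```javascript
// Added illustration: sync versus versioned backup on a constructed flat folder (no subfolders).
const fs = require('fs');
const os = require('os');
const path = require('path');
const crypto = require('crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');
const listFiles = (dir) => fs.readdirSync(dir).sort();

// Sync: make the mirror identical to the source, so deletions and overwrites are copied too.
function syncMirror(srcDir, mirrorDir) {
  fs.rmSync(mirrorDir, { recursive: true, force: true });
  fs.mkdirSync(mirrorDir, { recursive: true });
  for (const name of listFiles(srcDir)) {
    fs.copyFileSync(path.join(srcDir, name), path.join(mirrorDir, name));
  }
}

// Versioned backup: store each file's content under its hash and record a numbered snapshot.
function takeSnapshot(srcDir, repoDir) {
  const objects = path.join(repoDir, 'objects');
  const snapshots = path.join(repoDir, 'snapshots');
  fs.mkdirSync(objects, { recursive: true });
  fs.mkdirSync(snapshots, { recursive: true });
  const manifest = {};
  for (const name of listFiles(srcDir)) {
    const content = fs.readFileSync(path.join(srcDir, name));
    const digest = sha256(content);
    fs.writeFileSync(path.join(objects, digest), content); // new content gets a new name
    manifest[name] = digest;
  }
  const id = listFiles(snapshots).length + 1;
  fs.writeFileSync(path.join(snapshots, `${id}.json`), JSON.stringify(manifest));
  return id;
}

// Restore test: write a snapshot into a different folder and check each file against its hash.
function restoreAndVerify(repoDir, id, destDir) {
  const manifestPath = path.join(repoDir, 'snapshots', `${id}.json`);
  const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
  fs.mkdirSync(destDir, { recursive: true });
  for (const [name, digest] of Object.entries(manifest)) {
    const content = fs.readFileSync(path.join(repoDir, 'objects', digest));
    if (sha256(content) !== digest) throw new Error(`backup copy of ${name} is damaged`);
    fs.writeFileSync(path.join(destDir, name), content);
  }
  return Object.keys(manifest).sort();
}

function runBackupDemo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'backup-demo-'));
  const [docs, mirror, repo, restored] = ['docs', 'mirror', 'repo', 'restored']
    .map((d) => path.join(root, d));
  fs.mkdirSync(docs);
  // Constructed sample files.
  fs.writeFileSync(path.join(docs, 'tax-return.txt'), 'figures for the year');
  fs.writeFileSync(path.join(docs, 'holiday.jpg'), 'constructed stand-in for photo bytes');

  syncMirror(docs, mirror);
  const good = takeSnapshot(docs, repo);

  // The bad change: one file is overwritten with unreadable bytes, another is deleted.
  fs.writeFileSync(path.join(docs, 'tax-return.txt'), crypto.randomBytes(32));
  fs.rmSync(path.join(docs, 'holiday.jpg'));
  syncMirror(docs, mirror); // sync faithfully copies the damage
  const bad = takeSnapshot(docs, repo); // the backup records it too, but keeps history

  const restoredNames = restoreAndVerify(repo, good, restored);
  const mirrorText = fs.readFileSync(path.join(mirror, 'tax-return.txt'), 'utf8');
  const result = {
    mirrorFiles: listFiles(mirror),
    mirrorStillReadable: mirrorText === 'figures for the year',
    snapshots: [good, bad],
    restoredNames,
    restoredText: fs.readFileSync(path.join(restored, 'tax-return.txt'), 'utf8'),
  };
  fs.rmSync(root, { recursive: true, force: true });
  return result;
}

console.log(runBackupDemo());
```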
What is “self-hosting”?
The opposite of relying on the cloud is self-hosting - running a service on a computer you own and control, often a small, cheap, always-on machine at home like a Raspberry Pi. Instead of storing your photos on a company’s servers, you store them on your own; instead of using a company’s password manager, you run your own copy.
The appeal is complete control: your data never leaves your possession, and no company can read it, sell it, lose it, or shut the service down. The cost is responsibility - you become the IT department, handling setup, updates, and backups yourself. This guide mentions self-hosting as an option for the more confident and curious, never as a requirement. It’s the far end of the privacy spectrum, powerful but not for everyone.
What is a “firewall”?
A firewall is a guard that controls what’s allowed to connect to or from your device or network. It watches the traffic trying to come in and go out, and blocks anything that doesn’t meet its rules.
The everyday analogy is a building’s security desk. An inbound firewall is the guard stopping unexpected visitors from walking in off the street - it blocks connections from the internet that you didn’t ask for. An outbound firewall is the guard noticing an employee trying to sneak something out - it spots an app on your device quietly sending data somewhere it shouldn’t, and lets you stop it. Your devices and your router all have firewalls; mostly they work quietly in the background, and the guidance here is largely about making sure they’re switched on and, for the curious, watching what the outbound one reveals.
What is “DNS”?
Every website lives at a numeric address (called an IP address) that computers use to find it - something like 93.184.216.34. But humans can’t remember numbers like that, so we use names like example.com instead. DNS, the Domain Name System, is the internet’s phone book: the service that looks up a name and returns the number, every single time you visit a site.
Two things make DNS interesting here. Because every connection begins with a DNS lookup, filtering those lookups is a powerful way to block bad things - ads, trackers, malware sites, adult content - for every device at once, before any connection is even made. And because those lookups are, by default, sent in the open, whoever runs your network (notably your internet provider) can see a list of every site you visit just by watching them - which is why this guide recommends encrypting them.
What is a “VPN”?
A VPN, or Virtual Private Network, does two things at once: it encrypts your internet traffic so the network you’re using can’t read it, and it routes that traffic through a server elsewhere, so websites see that server’s location instead of yours.
Picture it as a private, opaque tunnel between you and the wider internet. Whoever you share a network with - the café, the hotel, your internet provider - can see that the tunnel exists, but not what travels through it. And the world on the far side sees traffic emerging from the tunnel’s exit, not from your front door. This is why a VPN protects you on untrusted Wi-Fi and hides your browsing from your provider. As this guide stresses, though, it’s a tool for specific jobs, not a cloak of total invisibility - the section on VPNs explains exactly where it helps and where it doesn’t.
What is “IoT” - the Internet of Things?
The Internet of Things is the sprawling category of everyday objects that now connect to the internet: smart TVs, speakers, doorbells, cameras, thermostats, plugs, lightbulbs, even some fridges and children’s toys. The “thing” is anything that isn’t a traditional computer or phone but has been given a network connection.
The reason this guide devotes a whole section to them is that each one is, in truth, a small computer - and usually a poorly secured, rarely updated one, built to a low price and forgotten by its maker within a couple of years. Every IoT device you add to your home is another small, often weak, door into your network. That’s not a reason to avoid them entirely, but it is the reason to keep them on a separate network and to choose them with a little more care than their novelty might suggest.
A note on the alphabet soup
The technology world is drowning in abbreviations - WPA3, UPnP, IPv6, DoH, MFA, and dozens more. You do not need to memorise any of them to follow this guide or to keep your household safe. Where an abbreviation matters, it’s explained at the point it’s used, and Appendix E lists them all with plain-language meanings for quick reference. Treat that list as something to glance at when a set of letters trips you up, not as a vocabulary test. Understanding the ideas in this appendix matters; remembering the acronyms does not.
References & sources
[1] FIDO Alliance, “Passkeys”, CISA, “More than a Password”, and NIST, SP 800-63B - explain phishing-resistant authentication, synced authenticators, and passkeys as a passwordless sign-in method. Accessed 3 June 2026.
[2] CISA/MS-ISAC, “StopRansomware Guide”, and UK NCSC, “Mitigating malware and ransomware attacks” - recommend resilient, tested, offline or otherwise protected backups as a core defence against ransomware and data loss. Accessed 3 June 2026.
Appendix B - Household security cheat sheet
A one-page summary for the fridge door. Print it, stick it up, and make sure the whole household can read it in two minutes.
Critical - do first
- Use a password manager - a unique password everywhere
- Add a second sign-in step - webmail first, then bank, then the rest
- Change the router's admin password; turn off WPS
- Keep every device and app updating automatically
- Check local new-account fraud protection
Daily habits
- Lock your screen when you walk away
- Think before clicking links or opening attachments
- Verify urgent money requests another way
- Never plug in an unknown USB drive
- Use a trusted VPN on public Wi-Fi
In the home
- Put smart devices on a separate network
- Mute voice-assistant mics when not in use
- Choose local-storage cameras over cloud-only
- Shred anything with your name and address
For the household
- Agree a trusted-person code word
- Children ask before installing new apps
- Set up protections with older relatives
- Know the plan if an account is hacked
Keep it current
- Test a backup restore every few months
- Audit your passwords once a year
- Review app permissions yearly
- Check Have I Been Pwned for new breaches
Appendix C - Tool comparison tables
Starting recommendations for a typical household - not the only valid choices. The highlighted pick in each table is a sensible default if you don't want to deliberate. Links point to official project or product pages. Prefer cross-platform tools where you can, because most households eventually contain a mix of Windows, macOS, Linux, iOS, and Android devices. Always check that a tool is still actively maintained before relying on it.
Password managers
| Tool | Type | Best for | Cost |
|---|---|---|---|
| Bitwarden (top pick) | Cloud or self-host | Most households | Free / low yearly |
| KeePassXC | Fully local | Privacy maximalists | Free |
| 1Password | Cloud | Polished household UX | Paid |
| Proton Pass | Cloud | Proton users, aliases | Free tier |
Online safety checks
| Tool | Type | Best for | Cost |
|---|---|---|---|
| Have I Been Pwned (essential) | Breach lookup | Checking whether email addresses appear in known data breaches | Free |
| EFF Cover Your Tracks | Browser test | Seeing how trackable or fingerprintable your browser looks | Free |
| Consumer Reports Security Planner | Guided checklist | A second personalised route through practical security steps | Free |
| VirusTotal | URL and file check | Checking suspicious links or files; do not upload private documents or sensitive material | Free |
Authenticator apps
| Tool | Type | Best for | Cost |
|---|---|---|---|
| Ente Auth (cross-platform) | Open-source TOTP | Mobile, desktop, and web sync with encrypted backups | Free |
| 2FAS | Local-first TOTP | Simple phone-based authenticator with backup options | Free |
| Bitwarden Authenticator | Standalone TOTP app | Bitwarden households that want a separate authenticator | Free |
| Bitwarden integrated TOTP | Password-manager feature | Convenience for lower-risk accounts | Premium: $1.65/month, billed annually |
Email providers
| Provider | Type | Best for | Cost |
|---|---|---|---|
| Proton Mail (privacy pick) | Encrypted webmail | Most privacy-minded households | Free tier / paid |
| Tuta | Encrypted webmail | Low-cost encrypted email and calendar | Free tier / paid |
| Posteo | Privacy-focused paid email | Anonymous account credit, German jurisdiction | Low monthly |
| Fastmail | Traditional email | Custom domains, aliases, household mailboxes | Paid |
| Gmail / Outlook | Mainstream cloud | Convenience, recovery, broad compatibility | Free tier / paid |
Email aliases
| Tool | Type | Best for | Cost |
|---|---|---|---|
| SimpleLogin (privacy pick) | Alias service | Disposable addresses, custom domains | Free tier / paid |
| addy.io | Alias service | Open-source forwarding and aliases | Free tier / paid |
| Firefox Relay | Alias service | Firefox users who want simple masks | Free tier / paid |
| Hide My Email | iCloud+ feature | Apple households | Included with iCloud+ |
Browsers
| Tool | Engine | Best for | Cost |
|---|---|---|---|
| Firefox + uBlock Origin (flexible) | Gecko | Extensions, control | Free |
| Brave | Chromium | Zero-setup blocking | Free |
| LibreWolf | Gecko | Hardened defaults | Free |
| Tor Browser | Gecko | Maximum anonymity | Free |
Messaging and calls
| Tool | Type | Best for | Cost |
|---|---|---|---|
| Signal (private default) | End-to-end encrypted | Household chats, sensitive conversations | Free |
| | End-to-end encrypted | Everyone already has it | Free |
| Element / Matrix | Federated, open standard | Open-source groups, self-hosting | Free tier / paid hosting |
| FaceTime / iMessage | Apple ecosystem | Apple-only households | Included |
Backups
| Tool | Type | Best for | Cost |
|---|---|---|---|
| Backblaze Personal Backup (easy default) | Automatic cloud backup | Most households that want the least fuss | Paid |
| Duplicati | Encrypted backup | More control, but needs setup and restore testing | Free / paid service options |
| restic | Command-line backup | Technical users who want fast encrypted backups | Free |
| Time Machine | macOS backup | Mac households with an external drive or NAS | Included |
| File History | Local Windows file backup | Windows users with an external drive or network share | Included |
| Windows Backup | Microsoft account cloud restore | Windows users already signed in with a Microsoft account | Included / OneDrive storage may cost extra |
Private storage and photos
| Tool | Type | Best for | Cost |
|---|---|---|---|
| Proton Drive (easy cloud) | Encrypted cloud storage | Households already using Proton | Free tier / paid |
| Filen | Encrypted cloud storage | Cross-platform private file sync | Free tier / paid |
| Ente Photos | Encrypted photo backup | Google Photos or iCloud Photos alternative | Free tier / paid |
| Cryptomator | Client-side encryption | Keeping mainstream cloud storage but encrypting sensitive folders | Free / app purchase |
Notes and local transfer
| Tool | Type | Best for | Cost |
|---|---|---|---|
| Standard Notes (encrypted notes) | Encrypted notes | Private notes across devices | Free tier / paid |
| Joplin | Open-source notes | Markdown notes with flexible sync | Free / paid sync option |
| LocalSend | Local file transfer | Sending files between nearby devices without cloud accounts | Free |
| Syncthing | Continuous sync | Keeping folders mirrored between trusted devices | Free |
Open-source everyday software
| Tool | Replaces or supports | Best for | Cost |
|---|---|---|---|
| LibreOffice (office) | Word, Excel, PowerPoint basics | Documents without a subscription | Free |
| ONLYOFFICE Desktop Editors | Office suite | Modern interface, Microsoft-format compatibility | Free |
| Thunderbird | Desktop email client | Multiple mailboxes in one app | Free |
| Syncthing | Private file sync | Device-to-device syncing without cloud storage | Free |
| Cryptomator | Cloud-file encryption | Encrypting files before Dropbox, Google Drive, or OneDrive | Free / app purchase |
| VLC | Media player | Playing almost any audio or video file | Free |
DNS filtering
| Tool | Type | Best for | Cost |
|---|---|---|---|
| NextDNS (easiest) | Cloud | Per-device, parental controls | Free tier |
| Pi-hole | Self-host | Whole-home blocking | Free |
| AdGuard Home | Self-host | Friendlier than Pi-hole | Free |
| Quad9 | Cloud resolver | Malware blocking | Free |
VPNs
| Tool | Type | Best for | Cost |
|---|---|---|---|
| Tailscale (reaching home) | Mesh VPN | Remote access to home | Free for a household |
| WireGuard | Self-host | DIY home VPN | Free |
| Mullvad (privacy) | Commercial VPN | Public Wi-Fi, privacy | Flat monthly |
| Proton VPN | Commercial VPN | Free public-Wi-Fi use | Free tier / paid |
For email and messaging, switching the whole household at once is rarely necessary. Start by using the stronger option for sensitive conversations, account recovery addresses, and anything involving identity, health, legal, or financial information.
Appendix D - Self-assessment scorecard
Tick off what your household already does. The score updates as you go. Re-run it once a year and watch it climb - anything below 30% means head straight to the roadmap's Week 1 list. Critical items are weighted more heavily, so you can't score well while skipping the essentials.
Appendix E - Glossary & abbreviations
Every term and abbreviation used in the guide, in one alphabetical list. Type in the box to filter. For the deeper background on the big ideas - open source, encryption, the cloud - see Appendix A. Throughout the guide these terms carry a faint underline; hover any of them to see the definition without leaving the page, and the first mention in each part links here.