How to Stay Secure While Browsing the Web
Most people get hacked not because attackers are geniuses, but because targets made simple, avoidable mistakes. Here's how to stop making them.
- 01 The threat model: what you're actually protecting against
- 02 Passwords and password managers
- 03 Two-factor authentication
- 04 Recognizing phishing and scams
- 05 Browser choice and extensions
- 06 HTTPS, certificates, and public Wi-Fi
- 07 VPNs: what they do and don't do
- 08 Tracking, privacy, and data brokers
- 09 Your quick-start security checklist
The threat model: what you're actually protecting against
Security is not binary. You're not perfectly safe or totally compromised. You're on a spectrum, and the goal is to make attacking you more work than it's worth.
Most people are not targeted individually. You're more likely to be caught in a mass credential leak, click the wrong link in a phishing email, or connect to a bad network than to have someone specifically after you. Your security strategy should reflect that.
Attackers don't hack people. They hack habits.
Ask yourself three questions before spending time on any security measure: What am I protecting? Who would want it? How would they get it? The answers shape everything.
The most common ways people actually get compromised
Passwords and password managers
If you remember all your passwords, you're doing it wrong. A password you can memorize is a password someone can guess, brute-force, or find in a leak from another site you used the same password on.
The only workable system is a password manager. It generates and stores a unique, random, long password for every site. You only remember one master password.
What makes a password strong
Which password manager?
Use any reputable option. Bitwarden is free, open source, and audited. The built-in browser or OS options work fine for most people and are dramatically better than no manager at all.
Your master password
This one password protects everything. Make it a passphrase: four or five random words strung together. Something like "marble fence theory cloud" — long, memorable, impossible to guess. Use a random generator, not phrases from books or songs.
Don't use the same password on two sites. Don't use your name, birthday, or pet's name. Don't store passwords in a plain text file.
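As an added example (not part of this guide), the Python below shows what "use a random generator" means in practice: words are drawn with the operating system's cryptographic random source, and the entropy of the result is computed so you can see why four or five words from a large list is the right size. The sixteen-word list is a constructed stand-in; the 7776-word figure in the entropy calculation refers to the published EFF long word list.

```python
import math
import secrets

# Constructed stand-in word list (assumption: for demonstration only). A real
# generator must draw from a large published list such as the EFF long list
# (7776 words); sixteen words give far too little entropy for a master password.
DEMO_WORDS = [
    "marble", "fence", "theory", "cloud", "ember", "quartz", "harbor", "velvet",
    "tundra", "saddle", "lantern", "pepper", "orbit", "mosaic", "glacier", "thistle",
]


def generate_passphrase(words, count=5, rng=None):
    """Draw `count` words uniformly at random and join them with spaces.

    Uses the OS CSPRNG via `secrets` unless a `random.Random`-style object is
    passed in (handy for deterministic tests). Words may repeat; that is fine
    and is what the entropy formula below assumes.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    choose = rng.choice if rng is not None else secrets.choice
    return " ".join(choose(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Bits of entropy for `count` words drawn with replacement from `wordlist_size` words."""
    return count * math.log2(wordlist_size)


def words_needed(wordlist_size, target_bits):
    """Fewest words from a list of `wordlist_size` that reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDS, 5))
    print(f"{passphrase_entropy_bits(7776, 4):.1f} bits for 4 words from a 7776-word list")
    print(f"{passphrase_entropy_bits(len(DEMO_WORDS), 4):.1f} bits for 4 words from the demo list")
    print(f"{words_needed(7776, 64)} words from a 7776-word list reach 64 bits")
```

The entropy comes from the size of the list and the number of words, not from how strange the words look: four words from a 7776-word list give about 52 bits, and five give about 65, while four words from the sixteen-word demo list give only 16 bits, which is why the list itself must be large.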
Two-factor authentication
Two-factor authentication (2FA) means logging in requires your password plus a second proof that you're you. Even if someone steals your password, they can't get in without that second factor.
Enable it on every account that offers it. This single step blocks the vast majority of account takeovers.
2FA options, ranked strongest to weakest
When you set up 2FA, every service gives you backup codes. Print them and store them somewhere physical and safe. People lock themselves out of accounts permanently by skipping this step.
Priority accounts for 2FA
Start here: email first (it's the master key to everything else), then banking, then any account tied to payment methods, then social media.
Recognizing phishing and scams
Phishing is the most successful attack vector in existence because it targets you, not your software. No amount of technical hardening protects you if you hand over your credentials voluntarily.
Every suspicious link is suspicious until proven otherwise.
The red flags
- Urgency. "Your account will be closed in 24 hours." Real companies don't work this way.
- The sender address doesn't match the company. Hover over it. support@paypa1.com is not PayPal.
- Links that don't match the text. Hover before clicking. The URL in your status bar is the real destination.
- Requests for credentials, payment, or personal info via email or text.
- Unexpected attachments, especially .zip, .exe, .docm, or .xlsm files.
- Requests that bypass normal process. "Don't tell IT, just click here."
The right habit
When an email asks you to log in somewhere, don't click the link. Open a new tab and navigate to the site directly. If something is actually wrong with your account, you'll see it there.
Phishing also happens over phone calls and texts. No legitimate company will call you unsolicited and ask for a password, verification code, or payment in gift cards. Hang up and call the company's official number yourself.
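The "hover before clicking" checks in the red-flag list above can be written down as code. The following Python is an added example, not something from this guide: it takes a link's visible text and its real destination and reports the mismatches a careful reader would catch by hand (plaintext http://, text that names one domain while the link goes to another, and lookalike domains such as the paypa1.com example). The trusted-brand list and the digit-for-letter swaps it undoes are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed list of brands this checker knows about (assumption: a mail client
# would carry a much larger list).
TRUSTED_DOMAINS = {"paypal.com"}


def registrable_domain(host):
    """Last two labels of a hostname. Good enough for .com-style names; a real
    implementation would consult the public suffix list for names like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _undo_lookalike(name):
    """Reverse the common digit/letter swaps used in lookalike domains
    (assumption: these four substitutions are the ones worth catching)."""
    return (name.replace("1", "l").replace("0", "o")
                .replace("3", "e").replace("rn", "m"))


def lookalike_flags(host, trusted=TRUSTED_DOMAINS):
    """Flags for a hostname that imitates a trusted brand without being it."""
    flags = []
    host = host.lower()
    dom = registrable_domain(host)
    for real in trusted:
        if dom == real:
            continue  # genuinely the trusted site (any subdomain of it is fine)
        brand = real.split(".")[0]
        if _undo_lookalike(dom) == real:
            flags.append(f"{host} looks like {real} (character swap)")
        elif brand in host:
            # e.g. paypal.com.account-verify.example: the brand sits in a subdomain
            flags.append(f"{host} contains '{brand}' but is not {real}")
    return flags


def check_link(display_text, href, trusted=TRUSTED_DOMAINS):
    """Red flags for a link in an email: what the text shows vs where it really goes."""
    flags = []
    target = urlsplit(href.strip())
    host = target.hostname or ""
    if target.scheme == "http":
        flags.append("plaintext http:// link")
    elif target.scheme != "https":
        flags.append(f"unexpected scheme {target.scheme!r}")
    if "://" in display_text:
        # The visible text is itself a URL: its host must match the real destination
        shown = urlsplit(display_text.strip()).hostname or ""
        if shown and registrable_domain(shown) != registrable_domain(host):
            flags.append(f"link text shows {shown} but goes to {host}")
    return flags + lookalike_flags(host, trusted)


def check_sender(address, trusted=TRUSTED_DOMAINS):
    """Apply the same lookalike checks to the domain part of a From: address."""
    return lookalike_flags(address.rsplit("@", 1)[-1], trusted)


if __name__ == "__main__":
    for flag in check_link("https://www.paypal.com/login", "http://paypa1.com/login"):
        print("-", flag)
    print(check_sender("support@paypa1.com"))
```

The same logic applies to the sender-address red flag: `check_sender` strips everything up to the `@` and runs the lookalike test on what is left. The checker reports, it does not decide; an empty result only means nothing obvious was found, which is why the habit of opening a new tab and typing the site yourself still applies.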
Browser choice and extensions
Your browser is your primary interface with the internet. It matters what you use and how you configure it.
Browser basics
Extensions worth installing
Extensions to avoid
Every extension you install can read your browser activity. Only install extensions you genuinely need from publishers you can verify. Coupon finders, free PDF converters, and "speed booster" extensions are a common malware delivery mechanism.
Enable automatic updates and don't dismiss update prompts. Running an outdated browser is like leaving a known door unlocked.
Settings to change right now
- Block third-party cookies
- Enable Safe Browsing (Chrome) or Enhanced Tracking Protection (Firefox)
- Set your default search engine to DuckDuckGo or Brave Search if privacy matters to you
- Disable saving passwords in browser if you use a dedicated password manager
- Turn off autofill for addresses and payment info
HTTPS, certificates, and public Wi-Fi
The padlock icon in your browser means your connection to that site is encrypted. Data you send — forms, passwords, payment info — is protected from eavesdropping on the network.
Never enter sensitive information on a site without HTTPS. If the URL starts with http:// rather than https://, your data travels in plaintext.
What HTTPS does not mean
HTTPS tells you the connection is encrypted. It does not tell you the site is legitimate. A phishing site can have a valid HTTPS certificate. The padlock means "your connection to this site is private." It does not mean "this site is safe."
Coffee shops, airports, and hotels offer convenient internet and real security risks. On public Wi-Fi: use HTTPS sites only, avoid logging into banking or email if possible, and consider a VPN for the session.
Certificate warnings
If your browser shows "Your connection is not private," take it seriously. Don't click through unless you have a specific technical reason and know exactly what you're doing.
VPNs: what they do and don't do
VPNs are useful tools that the industry has dramatically oversold. Understanding what they actually do saves you money and prevents false confidence.
What a VPN actually does
- Hides your traffic from your internet service provider
- Masks your IP address from websites you visit
- Encrypts your traffic on untrusted networks like public Wi-Fi
- Lets you appear to be in a different country
What a VPN does not do
- Make you anonymous. The VPN provider sees your traffic instead of your ISP. You're trusting them.
- Protect you from phishing, malware, or weak passwords
- Stop websites from tracking you via cookies, fingerprinting, or login sessions
- Replace other security measures
Mullvad and ProtonVPN have strong privacy records, transparent policies, and independent audits. Avoid free VPNs. If you're not paying, your traffic is the product.
Tracking, privacy, and data brokers
Tracking is different from hacking. You won't get your account stolen from ad trackers. But companies build detailed profiles of your behavior, sell that data, and that data can get leaked, subpoenaed, or used to manipulate you.
How you're tracked while browsing
Data brokers
Companies like Spokeo and BeenVerified collect and sell your name, address, phone number, and more. You can opt out individually, though it's tedious. Services like DeleteMe do this automatically for a subscription fee.
Use a tracker blocker like uBlock Origin. Use Firefox or Brave. Don't sign into your browser with your Google or Facebook account. Use a separate email address for signups you don't trust.
Email tracking
Most marketing emails contain tracking pixels that tell the sender when you opened the email and from what device. Enable "block remote images" in your email client, or use Proton Mail, which strips tracking automatically.
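To make the tracking-pixel mechanism concrete, here is an added Python example (not from this guide or from any mail client) that scans the HTML of an email for images fetched over the network, which is exactly the set a "block remote images" setting refuses to load, and separately flags the ones that look like tracking pixels: 1x1 or hidden images, or images whose URL carries a long per-recipient token. The sample message is constructed, and the size and token heuristics are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _dim(value):
    """Parse an img width/height attribute: '1', '1px', ' 1 ' -> 1; anything else -> None."""
    if value is None:
        return None
    v = value.strip().lower().removesuffix("px").strip()
    return int(v) if v.isdigit() else None


def _looks_like_pixel(attrs):
    """Heuristics (assumption) for a remote image that exists only to report an open."""
    w, h = _dim(attrs.get("width")), _dim(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # A long opaque value in the query string usually identifies the recipient
    query = urlsplit(attrs.get("src") or "").query
    values = [p.split("=", 1)[-1] for p in query.split("&") if p]
    return any(len(v) >= 20 for v in values)


class RemoteImageFinder(HTMLParser):
    """Collects <img> tags whose src is fetched over the network and flags pixel-like ones."""

    def __init__(self):
        super().__init__()
        self.remote_images = []    # everything "block remote images" would stop
        self.tracking_pixels = []  # the subset that looks like open-tracking

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        if urlsplit(src).scheme not in ("http", "https"):
            return  # inline data: URIs and cid: attachments do not phone home
        self.remote_images.append(src)
        if _looks_like_pixel(a):
            self.tracking_pixels.append(src)


def scan_email_html(html):
    """Return the remote image URLs in an HTML email and the ones that look like tracking pixels."""
    finder = RemoteImageFinder()
    finder.feed(html)
    finder.close()
    return {"remote_images": finder.remote_images, "tracking_pixels": finder.tracking_pixels}


# Constructed sample marketing email (not a real message; hostnames are placeholders)
SAMPLE_EMAIL = """<html><body>
<p>Big sale this week!</p>
<img src="https://cdn.shop.example/banner.png" width="600" height="200" alt="Sale">
<img src="https://track.shop.example/open?u=8f3a2c1d9e7b4a6f0c2d5e1b" width="1" height="1" alt="">
<img src="cid:logo@shop.example" width="120" height="40" alt="logo">
<img src="https://track.other.example/p.gif" style="display:none">
</body></html>"""

if __name__ == "__main__":
    result = scan_email_html(SAMPLE_EMAIL)
    print("remote images:", result["remote_images"])
    print("tracking pixels:", result["tracking_pixels"])
```

Note that the banner image is also remote: a mail client cannot tell a harmless picture from a tracker without loading it, which is why the blunt "block remote images" setting is the reliable defence and the pixel heuristics only explain what it is stopping.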
Your quick-start security checklist
Do these in order. The first three have the highest return on time invested.
The honest bottom line
You don't need to be a security expert to be meaningfully safer online. You need to fix your passwords, turn on two-factor authentication, and stop clicking things without thinking first.
These three habits eliminate the vast majority of risk for most people. Everything else in this guide makes you more secure, but none of it matters if your passwords are weak and you click phishing links.
Security isn't a product you buy or a setting you toggle once. It's a set of habits you build over time. Start with the checklist above. Do one item today.