FAQ
Answers to the most common cybersecurity questions. Direct, practical, no filler.
Passwords
Twelve characters minimum. Sixteen or more is better. Long beats complex when it comes to resisting brute force attacks. A 16 character random password is essentially unbreakable. A short complex password full of substitutions is weaker than people think.
If you're using a password manager (which you should be), the manager generates passwords for you and you never have to type them. There's no reason to keep them short.
For your master password, use a passphrase: four to six random words combined into something memorable. Twelve random words provides margin against future computing advances.
For more, see our explainer on what is a password manager.
No. The capital letter, the numbers, and the special character don't make it strong. Attackers' password cracking tools work through common patterns first, and "word with capital letter, common numbers, common special character" is one of the most common patterns. The password gets cracked in seconds.
Strong passwords are random or pseudorandom. A 20 character random string is stronger than both common patterns and the classic substitution approach.
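To see why length beats complexity and why a handful of random words makes a workable master password, here is an added calculator (not part of the FAQ) that turns each scheme into bits of entropy and worst-case cracking time. The guess rates, dictionary size and word-list size are assumptions chosen for illustration.

```python
import math

# Sizes and rates assumed for this illustration (not figures from the FAQ).
PRINTABLE_ASCII = 95       # letters, digits, punctuation and space
DICEWARE_WORDS = 7776      # size of a standard diceware-style word list
FAST_HASH_RATE = 1e12      # guesses/second against a leaked fast hash (e.g. unsalted SHA-1)
SLOW_KDF_RATE = 1e5        # guesses/second against a vault protected by an iterated KDF


def random_string_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, wordlist_size=DICEWARE_WORDS):
    """Entropy of a passphrase whose words are picked at random from a list.
    Character length is irrelevant; only the number of random choices counts."""
    return word_count * math.log2(wordlist_size)


def pattern_bits(dictionary_size=100_000, digit_count=4, symbols=32):
    """Upper bound on the entropy of the 'Word + digits + symbol' pattern, modelled as
    a dictionary word (two capitalisations) + every digit string + one trailing symbol.
    This is the search space a cracking tool's rule set walks first."""
    return math.log2(dictionary_size * 2 * 10 ** digit_count * symbols)


def years_to_exhaust(bits, rate=FAST_HASH_RATE):
    """Worst-case time to try every candidate in a space of 2**bits at the given rate."""
    return (2 ** bits) / rate / (365.25 * 24 * 3600)


def comparison():
    """Side-by-side figures for the FAQ's cases, returned so they can be checked."""
    cases = {
        "Spring2025! style pattern": pattern_bits(),
        "8 random characters": random_string_bits(8),
        "16 random characters": random_string_bits(16),
        "4 word passphrase": passphrase_bits(4),
        "6 word passphrase": passphrase_bits(6),
        "12 word passphrase": passphrase_bits(12),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits), years_to_exhaust(bits, SLOW_KDF_RATE))
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, (bits, fast, slow) in comparison().items():
        print(f"{name:28s} {bits:6.1f} bits  fast hash: {fast:10.3g} yr  slow KDF: {slow:10.3g} yr")
```

The slow-KDF column is the relevant one for a password manager's master password, since the vault key is stretched before use; the fast-hash column is what a leaked website hash faces.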
No. The old advice to rotate passwords regularly has been retired by NIST in their digital identity guidelines. Forcing regular changes pushes people toward weak, formulaic passwords (Spring2025!, Summer2025!) that are predictable and easy to crack.
Change passwords when there's a reason: a breach notification, suspicious activity, or you suspect the password has been compromised. Otherwise, leave a strong unique password in place.
No. This is the single most dangerous habit in personal cybersecurity. When any one site is breached and your password leaks, every other site that uses the same password is now at risk. Attackers run automated tools that take leaked credentials and try them against hundreds of other services.
Use unique passwords for every account. The only practical way to do this is with a password manager.
For most everyday passwords, no. Use a password manager.
For your master password, writing it on paper while you're learning it is fine. Store it somewhere physically secure. After you've memorized it through repetition, destroy the paper.
For 2FA backup codes, printed copies stored securely are a reasonable backup.
If the manager uses a zero knowledge architecture (and the major reputable ones do), the company's servers hold only encrypted blobs. The encryption key is derived from your master password, which lives only on your device. If the company gets breached, attackers get encrypted vaults they can't read without your master password.
The LastPass breach in 2022 demonstrated both sides of this. Users with strong master passwords were fine. Users with weak master passwords had vaults cracked.
Your master password is the entire security model. Make it strong.
Browser password managers are better than reusing passwords. They're free, sync across your devices, and fill passwords automatically.
The downsides: they're tied to one browser, the security model is sometimes weaker than dedicated managers, and they don't include features like breach monitoring or emergency access.
For most people, a dedicated password manager is worth the small cost.
Passkeys are a newer authentication method that replaces passwords entirely with cryptographic credentials stored on your device. They're phishing resistant, can't be stolen in breaches the way passwords can, and don't require you to remember anything.
Use them whenever a service supports them. Most password managers now support storing passkeys alongside passwords.
Two factor authentication
Two factor authentication (2FA) requires two separate proofs of identity to log in: usually your password plus something else, like a code from your phone or a hardware key. Even if someone steals your password, they can't log in without the second factor.
You need it because passwords leak constantly. Microsoft has reported that any form of 2FA blocks more than 99 percent of automated account takeover attempts.
For more, see our explainer on how two factor authentication works.
In order from strongest to weakest: hardware security keys and passkeys (both FIDO2/WebAuthn, with the same cryptographic strength), which are phishing resistant; authenticator apps (TOTP), the right default for most accounts; and SMS codes, which are vulnerable to SIM swapping and should only be used when nothing else is available.
Your phone number isn't tied to your phone the way you might think. If someone convinces your carrier to transfer your number to a SIM card they control (a SIM swap attack), they receive your text messages, including 2FA codes.
The FBI has documented thousands of SIM swap attacks per year with hundreds of millions of dollars in losses.
SMS 2FA is still better than no 2FA. But for accounts that matter, use authenticator apps or hardware keys instead.
Yes, but it requires more sophisticated attacks than SMS. The two main ways: real time phishing (the attacker captures your code on a fake site and uses it immediately on the real one), and device compromise (malware capturing your screen or keystrokes).
For most users, authenticator apps are sufficient. For high value targets, hardware keys provide an extra layer of protection because they're phishing resistant.
For most accounts, this is a reasonable convenience. The tradeoff: storing both factors in the same place weakens the two factor principle. For sensitive accounts (primary email, financial accounts), keep the second factor in a dedicated authenticator app or hardware key.
If you have backup codes saved (which you should), use them to log in and re-enable 2FA on a new device. If you don't have backup codes, recovery depends on the service.
Save backup codes when you set up 2FA. Store them in your password manager for most accounts, and printed and physically secured for important ones.
A small physical device, usually a USB stick or NFC token, that performs cryptographic authentication. Brands include YubiKey, Feitian, Titan, and Solo. They cost between 25 and 75 dollars per key.
Hardware keys are phishing resistant because they only respond to the legitimate domain. A fake site can't trick the key into authenticating.
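To make "only responds to the legitimate domain" concrete, here is an added example (not from the FAQ) of the checks a website performs on a WebAuthn login response before it even looks at the signature. The domain names and the hand-built response structures are constructed for illustration, and the browser model is simplified.

```python
import base64
import hashlib
import json

# Relying-party settings assumed for this example (constructed, not from the FAQ).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com"}


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_assertion(client_data_json, authenticator_data, expected_challenge):
    """Checks a relying party makes on a WebAuthn assertion before verifying its signature.
    The browser writes 'origin' itself, and the key's signature covers both clientDataJSON
    (via its hash) and authenticatorData, so a web page cannot alter either field."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch: response is replayed or forged"
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client_data.get('origin')!r} is not this site"
    # authenticatorData = rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash belongs to a different relying party"
    if not authenticator_data[32] & 0x01:          # UP flag: the user touched the key
        return False, "user presence not confirmed"
    return True, "ok"


def browser_response(page_origin, challenge):
    """Constructed sample of what a browser hands back. The rpId comes from the origin
    the user is really on (simplified here to the host), which is why a lookalike domain
    can only ever produce a response bound to ITS name, never to example.com."""
    rp_id = page_origin.removeprefix("https://")
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
    }).encode()
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (7).to_bytes(4, "big")
    return client_data_json, authenticator_data


if __name__ == "__main__":
    challenge = bytes(range(32))   # a server would issue a fresh random value per login
    print(verify_assertion(*browser_response("https://example.com", challenge), challenge))
    print(verify_assertion(*browser_response("https://examp1e.com", challenge), challenge))
```

A TOTP code has no equivalent of the origin and rpIdHash fields, which is why a real-time phishing page can relay it but cannot relay a hardware key response.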
VPNs
Maybe. You probably need one if you travel and use untrusted WiFi regularly, live somewhere with internet censorship, are a journalist or activist, or your ISP aggressively monetizes browsing data and that bothers you.
You probably don't need one if you mostly use the internet from home on a network you control with HTTPS, or if you'd be relying on a free VPN you can't verify.
For more, see our explainer on what is a VPN and how does it actually work.
No. VPNs hide your IP address from websites and your traffic from your ISP, but they don't make you anonymous. Websites still identify you through cookies, browser fingerprinting, and accounts you log into.
Mostly no. Running a global VPN network costs significant money. If you're not paying, the business model has to come from somewhere else, usually selling user data or injecting ads.
The FTC has documented multiple cases of free VPN apps secretly selling user data. The exceptions: some legitimate providers offer limited free tiers (Proton VPN) as a marketing channel.
Yes. Your ISP sees that you're connected to a VPN provider's server. They can't see what you do inside the encrypted tunnel, but they know you're using one.
A little. Modern VPNs with WireGuard typically slow connections by 5 to 15 percent. Servers closer to you are faster than distant ones. For most users, the slowdown is unnoticeable for normal browsing.
Mostly no. VPNs protect against specific network layer threats: someone capturing traffic on the same WiFi, your ISP tracking your browsing. They don't protect against malware, phishing, weak passwords, or any of the application layer attacks that account for most security incidents.
Phishing and scams
Phishing is a social engineering attack that tricks you into giving up credentials, money, or access. The attacker sends a message appearing to come from a trusted source with a hook that prompts you to act: a fake login page, a malicious attachment, a request to send money.
For more, see our explainer on what is phishing and how to spot it.
Common signs: the sender address doesn't quite match the claimed sender; the URL the link goes to doesn't match the legitimate site; the message has urgency that doesn't fit; it asks for information the real organization wouldn't request through that channel; the grammar or phrasing feels slightly off; or the request is unusual for the relationship.
None of these alone is definitive, but most phishing fails on at least one of these dimensions.
Don't enter any information on the page that opened. Close it. If you already entered credentials, change them immediately on the real site and on any other site where you used the same password. Enable 2FA if you haven't already. Report the phishing email if you can.
Smishing is phishing via SMS instead of email. Texts claiming to be from your bank, delivery service, or tax agency, with links to fake sites optimized for mobile screens. The same defensive principles apply: be skeptical of unexpected messages, verify through known channels, don't click links you weren't expecting.
Vishing is phishing via voice calls. Someone calls claiming to be from Microsoft support, your bank, or the IRS, and walks you through a process ending with you giving remote access to your computer or transferring money.
The defense is to hang up and call back through a number you got from somewhere else (your card, the official website). Real organizations don't pressure you to act immediately on a call.
Yes. Romance scams use the same technique (impersonation plus emotional manipulation) but extended over weeks or months before introducing the financial ask. The FTC tracks romance scams as among the highest dollar value categories of consumer fraud.
If someone you've only met online asks for money, no matter how compelling the story, treat it as a scam until proven otherwise.
Specific patterns target older adults: fake calls from "Medicare" or "the IRS," grandparent scams, tech support scams, lottery scams. The defenses are the same as for any phishing: be skeptical of unsolicited contacts, don't act under pressure, verify through known channels.
If you have older relatives, explain that the IRS doesn't call demanding payment and that Medicare doesn't ask for SSN verification by phone.
Data breaches
A data breach is when private information held by an organization gets accessed, taken, or exposed by someone who wasn't supposed to have it. The information can be passwords, credit card numbers, medical records, government identifiers, or anything else organizations store.
For more, see our explainer on what is a data breach.
Have I Been Pwned lets you check whether your email address has appeared in known breach databases. It's free and you can sign up for notifications when new breaches affect your email. Most password managers also have built in breach monitoring.
Change your password for the breached service immediately using a unique strong password. Change your password on any other service where you used the same or similar password. Enable 2FA on the breached account. If financial data was exposed, contact your bank. If government identifiers were exposed, place credit freezes with the three major credit bureaus.
An attack where someone takes leaked username and password pairs from one breach and tries them on hundreds of other sites. If you reuse passwords, credential stuffing is the attack that turns one breach into many. Unique passwords through a password manager break this attack entirely.
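Credential stuffing, as described here and in the password reuse answer earlier, has a recognisable shape in a service's login logs. This is an added example with constructed log lines, not code or data from the FAQ; the thresholds are illustrative assumptions a service would tune to its own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events ("timestamp source_ip username result"), not real data.
SAMPLE_LOG = """\
2025-03-01T10:00:01 203.0.113.7 alice FAIL
2025-03-01T10:00:02 203.0.113.7 bob FAIL
2025-03-01T10:00:02 203.0.113.7 carol FAIL
2025-03-01T10:00:03 203.0.113.7 dave OK
2025-03-01T10:00:04 203.0.113.7 erin FAIL
2025-03-01T10:00:05 203.0.113.7 frank FAIL
2025-03-01T10:00:05 203.0.113.7 grace FAIL
2025-03-01T10:00:06 203.0.113.7 heidi FAIL
2025-03-01T10:00:07 203.0.113.7 ivan FAIL
2025-03-01T10:00:08 203.0.113.7 judy FAIL
2025-03-01T10:01:00 198.51.100.20 alice FAIL
2025-03-01T10:01:09 198.51.100.20 alice FAIL
2025-03-01T10:01:20 198.51.100.20 alice OK
2025-03-01T10:02:00 192.0.2.44 mallory OK
"""


def parse_events(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_distinct_users=8, max_success_rate=0.2):
    """Flag source IPs that try many DIFFERENT accounts in one window with a low hit rate.
    Someone who forgot a password retries ONE account; a stuffing tool tries each leaked
    pair once against MANY accounts, and the few that succeed are the reused passwords."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):      # sliding window from each attempt
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {u for _, u, _ in in_window}
            hits = sorted({u for _, u, r in in_window if r == "OK"})
            if len(users) >= min_distinct_users and len(hits) / len(in_window) <= max_success_rate:
                flagged[ip] = {"attempts": len(in_window), "distinct_users": len(users),
                               "accounts_to_reset": hits}
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The accounts that succeeded during a flagged burst are the ones whose owners reused a leaked password; forcing a reset on those closes the loop the answer describes.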
The free options cover most of what paid services do. Credit freezes are free. Credit monitoring through the three bureaus is often free. Have I Been Pwned is free. The FTC's recovery process at IdentityTheft.gov is free. Paid services add features like dark web monitoring and concierge restoration help, which can be useful but aren't essential.
A lock on your credit report that prevents new credit accounts from being opened in your name. The freeze is free under federal law. You place it with each of the three bureaus separately: Equifax, Experian, and TransUnion. The downside is that every time you legitimately apply for new credit, you have to lift the freeze beforehand.
Identity theft
When someone uses your personal information without permission to commit fraud, open accounts, get medical care, file taxes, or otherwise impersonate you. The damage ranges from a few hundred dollars in fraudulent charges to years of cleaning up fake accounts and tax fraud.
For more, see our explainer on what is identity theft and how to recover from it.
Common signs: you apply for credit and get rejected unexpectedly; you receive bills or collection notices for accounts you didn't open; the IRS rejects your tax return because someone already filed using your SSN; you receive medical bills for treatments you didn't have; or existing accounts show transactions you didn't make.
Contact any company where fraudulent activity is happening. Place a fraud alert with one of the three credit bureaus. File an identity theft report at IdentityTheft.gov. Place credit freezes with all three bureaus. File a police report if appropriate. Document everything.
Class action lawsuits follow large breaches. Settlements are typically modest per individual but can be meaningful if you actually file a claim. Watch for legitimate class action notices for breaches that affected you.
A variant where the thief combines real information (often a real Social Security number, sometimes belonging to a child) with fabricated names and addresses to open accounts and build credit history before abandoning them. Children are particularly vulnerable. Place credit freezes on your children's credit through each bureau.
Ransomware
Malware that encrypts files on a computer or network and demands payment to provide the decryption key. Modern ransomware also exfiltrates copies of your data and threatens to publish it if you don't pay.
For more, see our explainer on what is ransomware and how does it actually work.
The default answer is no. Paying funds future attacks. The criminals might not actually decrypt your files. Payment may even be illegal if the ransomware group is sanctioned.
Exceptions include when there are no backups and the data is irreplaceable, or when downtime costs more than the ransom. Get expert advice before deciding and report to the FBI Internet Crime Complaint Center regardless.
The defenses stack: offline backups (the foundation), prompt software patching, limited administrative access, 2FA on accounts, phishing awareness training, and anti malware software. For organizations, the CISA StopRansomware site has free resources.
Disconnect the device from the network immediately. Don't try to clean the malware yourself. Report to law enforcement. Restore from backups if you have them. Check the No More Ransom project for free decryption tools that might work for specific ransomware families.
Real time antivirus catches most known ransomware variants. Newer behavior based detection looks for suspicious patterns and can stop some unknown ransomware mid attack. Antivirus is part of the defense, not the whole defense.
Email and messaging
A way of protecting communication so that only the sender and recipient can read messages. The service provider sees only encrypted content and cannot provide plaintext even if subpoenaed.
For more, see our explainer on what is end to end encryption.
End to end encrypted by default: Signal, WhatsApp, iMessage between Apple devices, Google Messages RCS chats. Partially encrypted: Telegram (only in "secret chats," not default), Facebook Messenger (rolled out gradually since 2023). Not end to end encrypted: Discord, Slack, Microsoft Teams by default, most email.
For sensitive communication, use Signal.
No, not in the end to end encrypted sense. Standard email providers can read all of it. For email that needs to be private from the provider, ProtonMail and Tutanota provide end to end encryption between users on the same service. For most sensitive content, dedicated messaging apps are a better channel than email.
Generally yes. Work email accounts are owned by the employer, who has full administrative access. For personal communications, use a personal email account on a personal device.
Similar to email. Work computers and networks are typically monitored by the employer. If you want privacy at work, use personal devices on personal networks. Don't rely on a VPN on a work computer to provide privacy from your employer.
Public WiFi and networks
Less than it used to be. Modern HTTPS encryption protects most of what you do. The remaining risks include DNS leaks (which reveal which sites you're visiting), misconfigured sites that don't use HTTPS, and captive portal attacks. For most casual use, public WiFi is fine. For sensitive activity, a VPN adds a layer of protection.
Yes, if you have one. Hotel WiFi is one of the use cases where VPNs provide real value. The networks are often poorly maintained and sometimes monitored. A VPN encrypts your traffic from your device to the VPN provider.
Direct attacks against your device through WiFi require specific conditions including a vulnerability in your device's WiFi software and an attacker in range. This kind of attack is rare against patched modern devices. The more common WiFi attacks are passive monitoring and fake network creation, both mitigated by HTTPS and VPNs.
Family and children
Layered: parental controls on their devices, content filters, and ongoing conversations about what they encounter online. Place credit freezes on your children's credit through each of the three bureaus to prevent synthetic identity fraud. Don't post excessive personal information about kids on social media. Teach them to be skeptical of unsolicited contacts.
For specific accounts, yes. Use your password manager's shared vault features to share specific entries without exposing your entire vault. Don't share your master password.
Two concerns: protecting them from scams, and helping them manage accounts as cognitive abilities decline. For scam protection, have ongoing conversations about common scams. For account management, power of attorney and password manager family plans provide formal mechanisms. Some banks have caregiver access programs.
General
Use a password manager. Generate unique strong passwords for every account. Enable 2FA on at least your primary email and any account that holds money or sensitive data.
Those two steps eliminate the most common attacks (credential stuffing, password phishing, weak passwords) that account for the majority of personal compromises.
For most people, between zero and a hundred dollars per year covers the essentials. Free: a password manager (Bitwarden's free tier is excellent), an authenticator app, credit freezes, breach monitoring through Have I Been Pwned. Cheap: a paid password manager subscription (10 to 36 dollars per year), a VPN if you need one (60 to 120 per year). One-time: hardware security keys (50 to 100 dollars total). The free tier alone covers the most important defenses.
"Use strong passwords." The advice isn't wrong, but it's incomplete. Without a password manager, it means a few strong passwords that get reused, which is worse than the advice acknowledges. "Don't click suspicious links" also fails because phishing has gotten too good for vigilance to be reliable alone.
Place credit freezes proactively. Most identity theft scenarios are blocked by frozen credit, the freezes are free, and most people who haven't been victims yet haven't bothered. Saving your 2FA backup codes and maintaining tested offline backups round out the list.
If you don't have a password manager, install one this week. If you don't have 2FA on your important accounts, set it up. If you haven't placed credit freezes with the three bureaus, place them. For specific topics, work through the explainer articles linked throughout this FAQ.
The defense is layered. No single tool handles everything. The major defensive moves are done once and benefit you continuously.