It is a common misconception that to be secure online, expensive software and systems are required or people ask “why would I be a target, I have nothing to hide.”

It is not expensive to vastly increase your online security whether for yourself, your family, or your organization. It is basically a matter of policy.

And even if you have nothing to hide and no need to worry about security, try talking to some folks that have had their identity stolen. Learn what is like to spend years rebuilding a life that has been compromised, flagged, and blocked from getting credit, loans, or even a flight abroad.

What is involved in creating a policy to stay safe online and implementing it?

  1. Passwords
  2. Two-Factor Authentication
  3. Virtual Private Network
  4. Paid Anti-Virus
  5. Email Aliases

After spending a few minutes reading through this list, it can take anywhere from a full day for an individual or weeks for an organization to break bad habits and implement a policy that focuses on security and privacy. I think everyone that uses the internet should do this, as well as increasing your online security and privacy, it will also save you time. By implementing a policy like this it will save you time, you will have more time so I am essentially saving your life. Now read my tips and then you can start to think about how to add it to your life, improve your online security, and save yourself time.

If you are doubting how much time this will save you think about how long you spend tapping a password into a login box, maybe you need to do it several times. After several attempts perhaps you give in an go through the account recovery process. This is because you are doing passwords wrong.


Even though we are almost into 2020, many people are still not doing passwords right. And that is with a password manager, which is software that is used to remember all your passwords. The fact is, human brains cannot remember strong passwords, random characters, and numbers that are long and unique. Writing them down is not a secure option, also time-consuming, having the same password is too risky, just check Troy Hunts tool to find your overused password publicly available on a dark web paste or breach.

The passwords you use should follow these rules:

  • They should contain a mix of uppercase, lowercase, special characters, and numbers
  • They should be long ideally over 30 characters if allowed*
  • They should be unique
  • They should not contain any words
  • You should not be able to remember it

The only way you are going to get by using a password like without going crazy is by using a password manager. Some object saying, what good is it putting all my private passwords in one place, I understand the objection although these password managers are designed to do one thing, and that keeps your passwords safe.

Using a unique password for every service may seem crazy to some. It’s not and soon it will almost be a requirement. Thanks to the excellent work by leading cybersecurity expert, Troy Hunt. There is now an API available that allows websites to inform users if a password has previously been exposed to a data breach. This then forces the user to use a unique password. But what about a unique email address? Most people cannot keep track of their unique passwords. They cannot be blamed for this as very few human beings are capable of remembering both secure and unique passwords. Our brains are simply not designed to do this. The solution here is simple, a Password Manager.   While the idea of using a Password Manager may not instill confidence in people that already have a hard time remembering passwords. This is a common misconception. The password manager will allow you to only have remembered one password. No more remembering multiple weak passwords of past pets or street names. Your old phone number that has existed for the last 6 years on the dark Web, no longer has to be your password. With a Password Manager at your service, you no longer do you have to be scared of those 16 digits passwords, or longer.

Another thing I see which is a terrible security practice is saving passwords to browsers. This is far more insecure, especially when using a browser like Chrome, run by a company that openly shares sensitive information with various third parties.

Setting up a password manager may take you a full day (if you have a lot of passwords), resetting passwords and automatically saving them to the manager. But the time to be gained is far greater, for example, now that I use a password manager, I never have to spend my time waiting for a password reset email to arrive or tapping every password I may have used into a login box. I now the password manager to automatically log me in. I have also put together a transparent and trusted list of recommended password managers. Here at Thexyz I often recommend Dashlane and offer a 6 of free service through our special offers page.

Two-Factor Authentication

Although many services support Two-Factor Authentication it is used by less than 28% of people who use the Internet. In early 2020 we are starting to see many services require 2FA. Those left unsure about what 2FA is, may soon find themselves locked out of using many services on the internet, or forced to enable 2FA.

What is 2FA and how to enable it? Authy have also written a great intro into 2FA here.

I am not going to go into too much detail about what two-factor authentication is or why should you enable it, you can read that here. The short answer is this should be enabled and if you are not already using 2FA, you really should. It often increases the security of login by around 1000%. To enable 2FA you will need a 2FA app, I recommend Authy although Google and Microsoft both have second-factor authentication apps.

I like Authy because it can be installed on both your desktop and mobile device. Using Authy over a service like Google also prevents the sharing of your private data with a company that has a poor track record when it comes to protecting people’s privacy.Two-factor authentication has been available for several years, it is rarely however required and instead offered as an optional feature. This policy has led to a low adoption rate of 2FA. I believe many services see less than 10% adoption rate unless 2FA is made mandatory.

In the coming years, we expect to see more services adopt a stricter 2FA policy and as services begin to roll out mandatory second-factor authentication, people risk being locked out of online services if they fail to embrace a 2FA solution.

To get started with 2FA, download Authy on your Android, iPhone, Mac or Windows device.

You can then start enabling 2FA on your logins, it is a great time to do this when you are already setting up your password manager.

Virtual Private Network

As many as one-quarter of internet users around the world use VPNs, according to a survey from Global Web Index. With content becoming restricted based on your location, extensive data tracking from service providers, and other privacy concerns. It is becoming increasingly important to use a Virtual Private Network (VPN) when connecting to the internet.

This is also worth enabling when using the internet in a shared location, like a coffee shop or airport.
With a VPN, it’s true your ISP may no longer have access to your browsing data, but the VPN provider now does. Some VPNs even sell that data to third parties, just like your ISP may or may not do, so in that way, you could be right back where you started. That’s why you should be especially cautious of “free” VPNs. Those services still have to make money, and chances are your data is the primary revenue source.

Many people rely on free Anti-Virus or protection that comes pre-installed on a computer or device. This is simply not enough for the current, ever-growing threat landscape that in 2020 we can expect to get even weirder and more sophisticated. People that pay for anti-virus get a better list of virus definitions that is updated sometimes weeks faster than on free anti-virus.

Often thought of like email, why pay for something that you can get for free? Just like free email services, free anti-virus may include adware that allows the vendor to distribute the software without cost. This software can re-write configuration files on a device and leave a user vulnerable to viruses. It was also recently discovered that many anti-virus apps in Google Play, actually do not provide any protection. When it comes to selecting an Anti-Virus vendor, you have to be able to trust the service. On servers, computers, and mobile devices I set up for people, I always recommend ESET. I don’t just recommend it because of a partner relationship, they are actually really quick and the first vendor to discover and patch some serious security vulnerabilities.

Email Aliases

Your main email address is often used to log in to various services. When a breach happens, hackers can attempt to log in to the email account first to lock the user out and gain access to other online services. If your username or email ID is not an actual email account, then this solves this problem as a hacker cannot guess what the real email is if they only know the alias.

Using aliases also helps with spam and bacn, no, not that bacon, all those unwanted newsletters filling your inbox. Also, if for example your alias email ID is involved in a breach or suddenly starts getting a lot of spam, then you can simply shut the email alias down and change it to something else.

Another way aliases can be useful is when you need to receive an email from someone or somewhere but are hesitant to give your email address. If you give out a more disposable email alias instead, you get the email and can then later be easily terminated.

Email aliases are easy to set up and a great way to protect your real email address. With almost 10 billion pwned accounts in the Have I Been Pwned database at the time of writing this, it is easy to see why using an alias is a good idea.

Spread the word

People are often overwhelmed when it comes to protecting themselves online. Online security doesn’t have to be hard. A common objection I often hear is the “I have nothing the hide” stance. This is when I introduce Troy Hunts: Have I been Pwned tool, which lists every email address and password exposed in a data breach. If you haven’t already, check it out. You can feel safe entering your email and password into the tool as it doesn’t save them. It might also provide the needed motivation to complete steps 1 through 5 and take control of your online security.

To further increase your online privacy, you may want to check our post on which browser best protects your privacy.