Staying Safe Online

With more and more of our daily lives going digital and the ever increasing number of apps one needs to operate effectively in today's society, I thought I would share some tips on how to remain safe and secure on the digital wild west we call the internet.

Staying Safe Online
Photo by Dan Meyers / Unsplash

With more and more of our daily lives going digital and the ever increasing number of apps one needs to operate effectively in today's society, I thought I would share some tips on how to remain safe and secure on the digital wild west we call the internet.

It's important to note first, however, that nobody is un-hackable.  With enough determination and resources, you can and will be compromised.  This guide is about making you a less attractive target to a would-be attacker.  You don't have to be the most secure person in the world, you just have to be more secure than most other people.

In an effort to strengthen our defences, we will be looking at the following tools, technologies or practices:

  • Phishing and Malware
  • Password Managers
  • Multi-Factor Authentication
  • Virtual Private Networks (VPNs)
  • Software Updates
  • Digital Segregation

Phishing and Malware

Phishing is when an attacker tries to steal your login details, by trying to dupe you into entering them into their malicious website.  This bogus website will be made to look the same as its legitimate counterpart.

Most attackers will attempt to gain your login details or compromise your machine by sending you a link in an email to their bogus website, or to a piece of malicious software for you to download and run.

It is good practice to NEVER open a link contained in an email you were not expecting, or from someone you do not know.  If you know the sender, but are unsure, contact them by another means of communication and confirm that they sent you the email.

If you feel safe enough to open a link in an email, always double and triple check the address that the link is going to take you to.  If it is a website link, make sure that the padlock icon is present in your browser's address bar, and that the address matches what the site looks like.  Always look at the whole address and not just the beginning.


Be on the look out for any typos or design irregularities on the site itself.  If the site you are on does not look like what you were expecting, or as polished as it usually does, this is a red flag.  Do not type anything into it.

If a link you visit downloads a file onto your computer, DO NOT OPEN IT. Regardless of what type of file it is. Delete the file immediately.

If you fall foul of a phishing campaign, you can limit the damage done by following the advice below.

Password Managers

The Best Password Managers for 2022
Our top-rated password managers help you create strong passwords for all your online accounts and alert you of potential data leaks.

If you are using the same username and password on more than one website, you are at risk.  If a website you have an account with gets compromised, attackers will attempt to use the stolen login data on other websites, like your Gmail, Facebook or online bank, to see if you use the same username and password there.

To find out if your login details have been stolen, there is a very good service operated by Microsoft Regional Director @troyhunt called have i been pwned? This website allows you to enter your email address, and will tell you if your details have been leaked as part of a data breach.  If they have, then it is advisable to change your password on any other websites where you have used the same account information to log in.

The best practice is to use a different password for each and every website you have an account with. It can be difficult, however, to create and remember multiple different passwords, for every website you want to create an account with.

Thankfully due to password manager tools, you don't have to.

By using a password manager, you only have to remember 1 master password. This password then unlocks your password vault, which contains your username and password information for other websites you have accounts with.  

Some of them will also help you to generate new random passwords or passphrases, when you want to sign up to a new website.

Spilt Boogieman Gore Cautious Hypnosis Wheat
A random passphrase generated by my password manager, which would take 64 billion trillion years to crack with today's technology

The most important thing here is to make sure that the master password you choose is completely new, hard to guess and is never used for anything else.  This password should be created and used solely to unlock your password manager.

It can take time to build up your vault with your existing username and password information, but once you have them all in there, you never have to remember them ever again.  Some of these password managers, like LastPass can even rate your password security, based on metrics like how long it's been since you last changed the password, if the password has been included in a data breach or how easy your password is to crack/guess.

Once all your login information is stored securely in your vault, you can go through and change your passwords on all of the sites with longer, more random and secure passwords.

When you want to login to a website, you can use the password manager's accompanying browser plugin to unlock your password vault, and auto-fill in the username and password fields for you, without you ever having to type in or even know what the password is.

This practice, combined with enabling Multi-Factor Authentication is probably the best thing you can do to improve your security.

Multi-Factor Authentication

The Best 2FA Apps 2022: Authy vs Google Authenticator & More
Using 2FA is the best way to maintain the security of your online accounts. Here are our top picks for the best 2FA apps and hardware.

Another way to ensure that your accounts are secure, is to enable Multi-Factor Authentication or MFA for short, wherever possible.  The multiple factors it describes are usually, something you know i.e. your login details and something you have, e.g. a one-time temporary code, or a USB device, such as a YubiKey.

MFA is an extra layer of security, which requires you to add an additional piece of information after you have logged in with your username and password.  This means that even if your username and password are compromised, a would-be attacker cannot gain access to your account.

Usually when enabling MFA on a website, you are presented with a QR code, which you can scan from your chosen MFA application, in order to setup the one-time code that you will require, in future, to log in with.  Generally speaking, these one-time codes change every 60 seconds.

Another option, although not recommended, is to have a one-time code sent to your phone via text message.  This is convenient as it means you do not need to have an application dedicated to generating codes for you, but it is open to abuse.  

If an attacker manages to steal your phone number (using a technique known as sim swapping) they are then in possession of the second factor of security you relied on to keep your account protected.

A YubiKey is a physical USB device which you can use as your extra layer of security.  This is arguably the most secure way to protect your account, as it requires the attacker to physically obtain the device from you without your knowledge.

Many of the most popular companies, like Facebook, Apple, Amazon and Google all offer the ability to enable 2FA or MFA on your account.

Virtual Private Networks (VPNs)

Do you use public WiFi?  Do you sometimes connect to WiFi hotspots that do not require a password to join?  If so, you are leaving yourself vulnerable.

13 Tips for Public Wi-Fi Hotspot Security
Public Wi-Fi hotspots can be a hacker’s paradise. Following these basic security tips can mean the difference between safe surfing and an ID theft or data-loss nightmare.

You have no way of knowing if someone is eavesdropping on you and the traffic coming to and from your device.  It is not enough to say to yourself that you have connected to this network before and nothing bad has happened.  

It is very easy to create a malicious wireless access point with the same name as a legitimate one.  Your device does not care which one is legitimate and which one is malicious.  It will connect to whichever one is the closest, or has the strongest signal.

If your device is set up to connect automatically to known networks, you may not even realise that you are connected to this malicious hotspot.

When you connect to public WiFI, you have no control over who else is connected and what they are up to.  Traffic coming to and from your device, if you are browsing to websites that are unencrypted, will be sent in plain text, open for anyone you are sharing the network with, to read.  

In the worst-case, this can result in someone not only being able to see what you are looking at, but allow them to impersonate you and access the same websites as you, logged in as you, without even needing to know your login details.

One way to avoid this eventuality is to ensure that you are using a VPN when connected to any untrusted WiFi networks.

The best VPN service 2022
Everything you need to know about VPNs - and which one to get

By connecting to a VPN, you are ensuring that all the traffic coming and going from your device is encrypted and therefore cannot be seen or understood by anyone eavesdropping on the network.

I recommend connecting to a VPN before you join any network that does not belong to you.  You can download software for mobile and desktop devices that make it easy to connect to the VPN of your choice.

If you are a little more tech savy, you can even create your own VPN in the cloud, and then you do not have to trust a third-party with your browsing data.

How to Make Your Own VPN For Free (Updated 2022)
In this guide, you can find out how to make your own VPN and protect your data and devices when you’re online. Find out more on how to make your own VPN!

Software Updates

The easiest way to compromise someone's machine is through exploiting known vulnerabilities in software that is known to be running on it.  When a security vulnerability is found in a piece of software, an update is usually published to patch this vulnerability.  If you do not update your machine regularly though, you are still vulnerable.

It can be annoying when it seems that every application is offering you the chance to update all day every day, but it is vital that you do these updates as often as you can.

In late 2021 and early 2022 there have already been 2 very high profile, critical vulnerabilities found in software that is run on about 90% of the world's computers.  

Cyber security: Log4j vulnerability issue explained
The Log4j vulnerability allows malicious attackers to execute code remotely on any targeted computer
The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation

If you do not update your devices, they are vulnerable.  An attacker could quite easily exploit the vulnerability found in the first exploit, Log4Shell, to get your device to run malicious code, granting them access to it.  They can then exploit the second vulnerability, DirtyPipe, to escalate their privileges to an administrator level.  With this level of access, your device is now essentially owned by the attacker and they can use it to steal your contacts, read your email and switch on your microphone or camera.  All of this without your knowledge.

Always make sure you regularly update all your devices as often as you can.

Digital Segregation

10 Best FREE Email Account | Mail Service Providers (2022 List)
Best FREE Email Account and Mail Service Providers: ✔️ ProtonMail ✔️ Outlook ✔️ Gmail ✔️ Yahoo! Mail ✔️ Zoho Mail ✔️ and more.

In order to make you as unattractive a target as possible to would-be attackers, it is advisable to keep as many things separate as you can.

Wherever possible, use separate email addresses for important, high-risk things.

Have a separate email address that you use solely for your digital banking for example.  Do not share this with anyone and do not use it for anything other than banking.

This way, if your personal email is compromised, your bank account is still secure.


If you do receive a phishing email, strange phone call or are asked to install some software on your machine, do not panic.  It is highly unlikely that the attacker is targeting you as an individual.  More often than not, you are part of a larger campaign where thousands or millions of people are being targetted.

By following the advice above you are doing your best to ensure that an attacker would rather give up and move on to an easier target, than spend more time than necessary trying to compromise you specifically.

I hope this post has given you some pause for thought and has inspired you to up your game a bit when it comes to your digital hygiene.

For a very enlightening peek into the methods used by attackers, I recommend listening to the episode Dirty Coms, from the fantastic Darknet Diaries podcast.