
Personal Cybersecurity

A practical checklist to lock down your digital life — password manager, phishing-resistant MFA & passkeys, email/phone lockdown, device encryption, phishing & SIM-swap defense, credit freeze, and breach response. Ranked by impact, with progress saved on this device.

How to use this page. Tick each item as you do it — progress saves in your browser (localStorage). You don't need everything; the list is ordered by impact, so the top few items block the overwhelming majority of real-world attacks (credential reuse, phishing, and account-takeover). Start there.
Threat-model first. "Secure enough" depends on what you're protecting and from whom. A journalist, a crypto holder, and a retiree have different risks. Answer the five questions in Step 0 before spending money or effort — most people are defending against opportunistic, automated attacks, not a targeted nation-state.

Quick Reference — biggest wins, in order

| # | Action | Why it matters |
|---|--------|----------------|
| 1 | Password manager (Bitwarden) + unique password per site | Kills credential stuffing — the #1 way accounts fall. One breach can't cascade. |
| 2 | Hardware security key (YubiKey) or passkey on critical accounts | Phishing-resistant MFA — even with your password an attacker can't log in. |
| 3 | Lock down email + phone (your recovery roots) | Whoever owns your email/number can reset everything else. |
| 4 | Turn on automatic updates everywhere | Most breaches exploit known, already-patched bugs. |
| 5 | Full-disk encryption + screen lock on every device | A lost/stolen laptop or phone becomes a non-event. |
| 6 | Backups: 3-2-1, and test a restore | The only real defense against ransomware and deletion. |
| 7 | Freeze your credit + use Privacy.com virtual cards | Blocks new-account fraud; virtual cards neutralize merchant breaches. |
| 8 | Learn the phishing tells & the callback rule | The human is the most-attacked layer; verify out-of-band. |

Step 0
Build your threat model

The five questions
  1. What do I want to protect? (Assets: money, email, photos, identity, reputation, location, business data.)
  2. Who do I want to protect it from? (Adversaries: scammers, an ex, a data broker, an employer, a stalker, organized crime, a government.)
  3. How likely is it I'll need to? (Realistic risk, not movie scenarios.)
  4. How bad are the consequences if I fail? (Recoverable annoyance vs. life-altering.)
  5. How much trouble am I willing to go through? (Security you won't sustain isn't security.)
Most people's real adversary is automation: bots replaying leaked passwords, mass phishing, and SIM-swap fraud. Defending against that is cheap and high-leverage. Targeted attacks (a determined human after you specifically) need a different, heavier playbook — know which one you're in. Framework adapted from the EFF's Surveillance Self-Defense.

Step 1
Passwords & a password manager

Adopt a password manager — recommended: Bitwarden

This is the single highest-leverage move. It generates and remembers a unique, random password for every site, so one site's breach can't unlock the others. You only memorize one strong master password.

Recommended: Bitwarden — open-source, independently audited, free for unlimited devices/passwords, and optionally self-hostable. The Premium plan (~$10/yr) adds hardware-key (YubiKey) 2FA, Bitwarden Authenticator TOTP, and Vault Health Reports. Use the built-in Reports tab to find reused/weak/breached passwords and fix them.
| Manager | Cost (as of mid-2026) | Notes |
|---------|-----------------------|-------|
| Bitwarden ★ | Free (unlimited, multi-device); Premium ~$10/yr | Open-source, audited, self-host option. Top pick. Premium required to use YubiKey as 2FA. |
| 1Password | ~$3/mo individual ($35.88/yr); Family ~$4.99/mo | Most polished UX; Watchtower alerts, Travel Mode. |
| Proton Pass | Free tier; paid bundles with Proton | Privacy-focused; built-in email aliases. |
| KeePassXC | Free, open-source | Local-only file; you control sync. Maximum control, more manual. |
| Apple Passwords / Google Password Manager | Free, built-in | Fine if you live in one ecosystem; both now do passkeys. |
Make the master password strong & unique — it's the one key to everything. Use a long passphrase (4–6 random words), never reuse it, and protect the manager account itself with MFA (Step 2). Don't store the master password in the manager.
Make every password unique (kill reuse)

Reused passwords are how one leak becomes ten hacked accounts ("credential stuffing"). Let the manager generate 16+ random characters per site. Prioritize changing reused passwords on your email, bank, and any account tied to money first.

Use your manager's built-in audit (Bitwarden "Reports," 1Password "Watchtower") to find reused, weak, and breached passwords, then fix them in priority order.
Follow modern password rules (length > complexity)

The current standard is NIST SP 800-63B Revision 4 (finalized July 2025). It overturns the old "change it every 90 days, add symbols" advice:

  • Length beats complexity. A long passphrase (e.g. correct-horse-battery-staple-46) is stronger and more memorable than P@ss1!. NIST recommends ≥15 characters where a password is the only factor; aim long.
  • No forced periodic rotation. Change passwords only when there's evidence of compromise — scheduled rotation just produces weaker, patterned passwords.
  • No arbitrary composition rules. NIST now says systems "shall not" force special-character/upper-lower mixes.
  • Screen against breached lists. Avoid any password that's appeared in a leak — your manager and many sites check this automatically.
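As an added illustration (not part of the original checklist), here is a small Python policy checker that applies the rules above: a length minimum instead of composition rules, plus a breach screen done the way Have I Been Pwned's Pwned Passwords range API works (only the first five hex characters of the password's SHA-1 hash are sent, never the password). The breach corpus is a constructed sample and the range lookup is simulated locally so the code runs offline; the entropy helper assumes a Diceware-style list of 7776 words.

```python
import hashlib
import math
import secrets

# Constructed sample "breached password" corpus for offline demonstration.
# The real Pwned Passwords service holds hundreds of millions of hashes.
BREACHED_CORPUS = ["password", "P@ss1!", "123456789012345", "letmein"]


def _sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix: str) -> list[str]:
    """Simulated k-anonymity range endpoint: given a 5-hex-char prefix, return
    the suffixes of all breached hashes sharing it. The client compares the
    suffix locally, so the full password (and full hash) never leaves it."""
    return [h[5:] for h in map(_sha1_hex, BREACHED_CORPUS) if h.startswith(prefix)]


def is_breached(password: str) -> bool:
    h = _sha1_hex(password)
    return h[5:] in range_lookup(h[:5])


def check_password(password: str, single_factor: bool = True) -> list[str]:
    """Return a list of problems; an empty list means the password passes.
    Simplified NIST SP 800-63B-style policy: 15+ characters when the password
    is the only factor, 8+ otherwise, no composition rules, breach screening."""
    problems = []
    minimum = 15 if single_factor else 8
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    # Deliberately no "must contain a symbol/uppercase" rule: NIST says
    # verifiers shall not impose composition requirements.
    if is_breached(password):
        problems.append("appears in a breach corpus")
    return problems


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words drawn uniformly from `wordlist_size`
    words (7776 for a Diceware list): 5 words is about 64.6 bits."""
    return word_count * math.log2(wordlist_size)


def make_passphrase(words: list[str], count: int = 5) -> str:
    # secrets.choice draws from the OS CSPRNG; never use random.choice here.
    return "-".join(secrets.choice(words) for _ in range(count))
```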

Step 2
MFA & passkeys — not all factors are equal

The MFA tier list (use the strongest each site offers)
| Method | Strength | Weakness |
|--------|----------|----------|
| Passkey (FIDO2/WebAuthn) | Best. Phishing-resistant — cryptographically bound to the real site; no shared secret to steal. | Recovery/sync model varies; still rolling out everywhere. |
| Hardware security key (e.g. YubiKey) | Phishing-resistant; ideal for high-value accounts. | Costs money; buy two (a backup) or you can lock yourself out. |
| Authenticator app (TOTP) | Good. 6-digit codes from Aegis/Ente/Google Authenticator. No phone-number dependency. | Phishable in real time (you can be tricked into typing the code into a fake site). Back up the seeds. |
| Push approval | Convenient; "approve on phone." | "MFA fatigue" — attackers spam prompts hoping you tap approve. Prefer number-matching. |
| Email code | Better than nothing. | Only as strong as your email account. |
| SMS text code | Weakest MFA — but still better than none. | SIM-swap & SS7 interception. FBI IC3 logged 982 SIM-swap complaints and >$26M losses in 2024 alone. |

Rule of thumb: turn on the strongest option each account supports, and keep a second factor as backup. Any MFA beats none.

Get a YubiKey — the strongest MFA you can buy
Recommended: YubiKey 5 Series by Yubico. A physical hardware key that provides phishing-resistant FIDO2/WebAuthn authentication — even if an attacker has your password, they can't log in without the key in hand.

Which key to buy:

  • YubiKey 5C NFC — most versatile: USB-C + NFC (tap to phone). Best for most people.
  • YubiKey 5 NFC — USB-A + NFC, if your laptop has USB-A.
  • YubiKey 5Ci — USB-C + Lightning, for iPhone users without NFC.
Buy two YubiKeys, register both everywhere. If you only have one and lose it, you can be locked out of critical accounts. Keep the backup somewhere safe (home safe, etc.).

Register your YubiKey on these accounts first:

  • Bitwarden (Premium required → Account Settings → Security → Two-step Login → YubiKey OTP)
  • Google / Gmail (Security → 2-Step Verification → Security Key)
  • Apple ID (Settings → Password & Security → Security Keys)
  • GitHub, Microsoft, Twitter/X, Dropbox, Coinbase — all support FIDO2 hardware keys
  • Your bank (if supported — check Security settings; many now accept FIDO2)
Set up passkeys / an authenticator app on critical accounts

Enable the best available factor on your email, password manager, bank, primary cloud (Apple/Google/Microsoft), and any account holding money. Passkeys are now broadly supported (Google, Apple, Microsoft, Amazon, and hundreds more); consumer awareness hit ~90% in 2026.

  • Passkeys can sync via your platform or password manager (convenient) or be device-bound (more locked-down).
  • If passkeys aren't offered, use a TOTP authenticator app, not SMS. Pick one that lets you export/back up the seeds (Aegis, Ente Auth, 2FAS) so a lost phone isn't a lockout.
Save backup/recovery codes offline

When you turn on MFA, each service shows one-time recovery codes. Save them somewhere offline you'll actually find later — printed in a drawer, in a fireproof safe, or in an encrypted note separate from the account they unlock. This is the difference between "lost my phone" and "lost the account forever."

Step 3
Email & phone — the keys to the kingdom

Harden your primary email like a vault

Almost every "forgot password" flow sends to your email — so your inbox is the master key. Give it your strongest unique password + phishing-resistant MFA, and review which apps/devices have access.

Consider a separate, secret recovery email that you never use publicly and that isn't your day-to-day address — so a compromise of one doesn't cascade. Periodically check account "security activity"/sign-in history.
Add a carrier PIN / port-out lock (anti-SIM-swap)

SIM swapping lets a fraudster move your number to their SIM and intercept SMS codes. Call your carrier (or use the app) to set a port-out PIN / Number Lock / SIM-protection so your number can't be transferred without it.

Then stop using SMS as your main 2FA wherever a better option exists, and don't tie critical recovery to your phone number. Major US carriers all offer some form of port-freeze — turn it on today.

Step 4
Devices — updates, encryption, locks

Turn on automatic updates everywhere

OS, browser, apps, and your router/firmware. The vast majority of real-world compromises exploit known vulnerabilities that were already patched — auto-update closes that window without willpower. Replace devices that no longer get security updates (out-of-support phones, ancient routers).

Enable full-disk encryption + a strong screen lock

Encryption makes a lost or stolen device unreadable. Turn it on and set a real lock (6+ digit PIN or biometric), with a short auto-lock timeout.

| Platform | Encryption | Find/wipe |
|----------|------------|-----------|
| macOS | FileVault (on by default on Apple Silicon) | Find My |
| Windows | BitLocker / Device Encryption | Find My Device |
| Linux | LUKS (at install) | |
| iOS / Android | On by default with a passcode set | Find My / Find My Device — enable remote wipe |
Prune apps, extensions & permissions

Install software only from official stores/sources. Periodically review app permissions (location, mic, camera, contacts) and revoke what's unneeded. Browser extensions are a common malware/data-theft vector — keep only ones you trust and use; a sold/hijacked extension can read everything you do.

Step 5
Network, browser & VPN

Secure your home router & Wi-Fi
  • Change the default admin password; update firmware (enable auto-update if available).
  • Use WPA3 (or WPA2 at minimum) with a strong Wi-Fi passphrase.
  • Put IoT/smart-home gadgets and guests on a separate guest/VLAN network so a hacked smart bulb can't reach your laptop.
  • Disable WPS and remote admin from the internet.
Use Brave browser + let your password manager autofill
Recommended: Brave Browser — Chromium-based (compatible with Chrome extensions), blocks ads and trackers by default at the network level, built-in fingerprinting protection, no setup required. Combine with the Bitwarden extension for autofill — a password manager that won't autofill a fake domain is phishing protection you get for free.

If you prefer Chrome or Firefox, add uBlock Origin — malvertising is a real infection route and a good blocker stops most of it.

Keep the browser updated; periodically prune extensions — a sold or hijacked extension can read everything on every page.

Use a reputable VPN on untrusted networks — Surfshark
Recommended: Surfshark — no-logs policy (independently audited), unlimited simultaneous devices (use it on everything), WireGuard protocol for speed, ~$2–3/mo on a 2-year plan. Enable the CleanWeb feature to block malware/ad domains at the VPN level.
VPN reality check: a VPN hides your traffic from the local network/ISP and shifts your IP — useful on hotel/café/airport Wi-Fi, or when you don't want your ISP seeing your browsing. It does not make you anonymous, stop phishing, or replace MFA. HTTPS already encrypts site content. A free VPN almost certainly monetizes your traffic — don't use one. Surfshark (paid) is trustworthy; free VPNs are not.

Step 6
Phishing & social engineering — the human layer

Learn the tells & the callback rule

Most successful attacks start with a message, not malware. The common levers are urgency, fear, authority, and a too-good offer. Train these reflexes:

  • Urgency = slow down. "Act now or your account is locked" is the oldest trick.
  • Never click links in unexpected messages. Navigate to the site yourself or use a saved bookmark.
  • Verify out-of-band (the callback rule). "Your bank/CEO/family" calling or texting? Hang up and call the number you have, not the one they gave.
  • Never read an MFA code to anyone. No legitimate company asks for your one-time code; that's an account-takeover in progress.
  • Deny unexpected MFA push prompts — a prompt you didn't trigger means someone has your password. Deny, then change it.
2026 escalation: AI voice-cloning powers "family emergency" and fake-boss scams — a familiar voice is no longer proof. Agree on a family code word for emergencies, and verify money/gift-card/crypto requests through a second channel, always.

Step 7
Backups — your ransomware insurance

Follow 3-2-1 and test a restore
3-2-1 rule: 3 copies of important data, on 2 different media, with 1 off-site (or offline/immutable). Ransomware and deletion are what backups defend against — and the only thing that truly does.

Automate it (Time Machine, File History, Backblaze, or an encrypted cloud), and keep at least one copy the malware can't reach — an unplugged drive or an immutable/object-lock cloud. A backup you've never restored is a hypothesis: do a test restore of a few files now. (More in Linux Server Hardening for servers.)

Step 8
Identity & money

Freeze your credit (free, high-impact)

A credit freeze blocks new lenders from pulling your credit, which stops most new-account identity fraud. In the US it's free and you must freeze at all three bureaus (Equifax, Experian, TransUnion); thaw temporarily (with a PIN) when you apply for credit.

Also turn on transaction alerts at your bank/cards, and consider a freeze for your kids (a common, long-undetected fraud target). Outside the US, check your local credit-reference agencies for the equivalent.
Check for past breaches & set alerts

Search your emails at Have I Been Pwned (haveibeenpwned.com) and subscribe to its alerts. For any hit, change that account's password (and anywhere you reused it) and confirm MFA is on. Your password manager likely flags breached logins too.

Use virtual cards for online purchases — Privacy.com
Recommended: Privacy.com — free for US residents. Generates single-use or merchant-locked virtual card numbers that charge your real debit/credit card. If a merchant is breached or charges you fraudulently, the virtual card number is worthless — your real card stays untouched.

How to use it well:

  • Single-use cards — create one per subscription trial or one-time purchase; close it after.
  • Merchant-locked cards — lock a card to one merchant (e.g. Netflix). If that card number leaks, it can only charge Netflix.
  • Spending limits — set a maximum per transaction or per month to prevent overbilling.
  • The browser extension auto-fills virtual card numbers at checkout — the real card number never leaves your browser.
Shrink your exposed data footprint

Less public data = fewer answers for "security questions" and social engineering. Lock down social-media privacy, avoid posting answers to common security questions (pet, school, mother's maiden name), and remove yourself from data brokers — see the dedicated Data Broker Opt-Out guide. Use email aliases for signups so one leak doesn't expose your real address.

If you've been breached — triage

Work in order; speed limits the damage.

Incident checklist (copy & work top-down)
1. From a CLEAN device, change the password on the affected account + your EMAIL first.
2. Revoke active sessions / "sign out everywhere," and remove unknown devices & app passwords.
3. Turn on (or re-issue) MFA; regenerate recovery codes.
4. Change the password anywhere you reused the old one.
5. Money involved? Call the bank/card, freeze cards, freeze credit at all 3 bureaus.
6. Check email forwarding rules & filters (attackers add hidden auto-forwards).
7. Scan the device for malware; if unsure it's clean, back up data and reinstall the OS.
8. Document dates/times; report (IC3.gov in the US, your bank, the platform).
9. Watch statements & credit for 6-12 months; consider an identity-theft report/affidavit.
Why email first: if the attacker controls your inbox, they can reset every other reset you attempt. Secure the recovery root before chasing individual accounts.

Common mistakes & anti-patterns

Reusing one password everywhere. One breach unlocks everything. Unique + manager.
SMS as your only 2FA on critical accounts. SIM-swappable. Use passkeys/keys/TOTP.
Reading an MFA code to a "support agent." That's the attack. Never share one-time codes.
Approving MFA prompts you didn't start. Deny + change password — someone has it.
No backup, or never testing one. Ransomware/deletion is unrecoverable without it. 3-2-1 + restore test.
Forced 90-day password changes. Outdated; produces weaker patterns. Change on compromise only.
Treating a VPN as total security. It's not anonymity or anti-malware. Buy it for a reason.
Clicking links in "urgent" messages. Navigate yourself; verify out-of-band.
Ignoring updates. Known, patched bugs are most attackers' entire toolkit.
No recovery codes saved. A lost phone becomes a permanent lockout. Store them offline.