Hoop’s Hygiene
Every now and then I get reminded about the vast fraud apparatus of the internet, reinvigorating my pursuit of basic digital hygiene around privacy and security in day-to-day computing.
The sketchiness starts with major tech companies, who are incentivized to build comprehensive profiles of you to monetize for advertising or to sell off to professional data broker companies who further enrich, de-anonymize, cross-reference, and resell it. Inevitable and regular data breaches eventually funnel your information into dark web archives, feeding a whole underground spammer/scammer industry of hacks, phishing, ransomware, credit card fraud, and identity theft.
This is a collection of basic digital hygiene tips, starting with the most fundamental and getting a bit more niche from there.
Password manager
Your passwords are your “first factor” — something you know. Do not be a noob and reuse passwords. Mint new, unique, hard passwords for every website or service you sign up with, and combine this with a browser extension to create and autofill them quickly. I use and like 1Password.
This prevents your passwords from being easy to guess or crack, and from leaking once and opening doors to many other services. In return, you now have a central location for all your first factors, so you must secure it thoroughly — which brings us to the next item.
Hardware security key
The most critical services in your life (e.g. Google or 1Password) must be additionally secured with a “second factor” — something you have. An attacker would have to be in possession of both factors to gain access.
The most common second factor is a phone number: you get a text message with a PIN code in addition to your password. This is much better than nothing, but using a phone number is known to be extremely insecure due to the SIM swap attack. It is surprisingly easy for an attacker to call your phone company, pretend to be you, and get your number switched to a phone they control. I know this sounds totally crazy but it is true, and I have many friends who are victims of this attack.
Instead, purchase and set up hardware security keys — the industrial-strength protection standard. I like and use YubiKey. These devices generate and store a private key on the device’s secure element itself, so the private key is never materialized on a suspiciously general-purpose computing device like your laptop. Once set up, an attacker needs your password and physical possession of the key to log in. Risk of getting pwned drops by roughly 1000×.
Buy 2–3 keys and store them in different physical locations to prevent lockout if you lose one. In the second-factor settings of a service, look for “U2F” (or WebAuthn / passkey) as the strongest protection — Google and 1Password support it. Fall back to TOTP if you must, and note that YubiKeys can store TOTP secrets; the Yubico Authenticator app pulls the codes via NFC when you touch the key to your phone. This is significantly better than storing TOTP secrets in a software authenticator app, because again, do not trust general-purpose computing devices.
Biometrics
Biometrics are the third common authentication factor — something you are. On iOS I recommend setting up Face ID basically everywhere, e.g. to access the 1Password app.
Security questions
Dinosaur businesses are obsessed with the idea of security questions like “what is your mother’s maiden name?” and force you to set them up from time to time. Clearly these are in the category of something you know, so they are basically passwords — but conveniently for scammers, they are easy to research on the open internet, and you should refuse to participate in this ridiculous “security” exercise as written.
Instead, treat security questions like passwords: generate random answers to random questions, and store them in 1Password alongside your passwords.
Disk encryption
Always ensure your computers use disk encryption. On Macs this total no-brainer feature is called FileVault. On Windows it is BitLocker. This ensures that if your computer gets stolen, an attacker can’t pull the hard disk and go to town on all your data.
Internet of Things
More like @internetofshit. Whenever possible, avoid “smart” devices, which are essentially incredibly insecure internet-connected computers that gather tons of data, get hacked all the time, and that people willingly place into their homes. They have microphones, and they routinely send data back to the mothership for analytics and to “improve customer experience” lol ok.
In my younger and more naive years I once purchased a CO2 monitor from China that demanded to know everything about me and my precise physical location before it would tell me the amount of CO2 in my room. These devices are a huge and very common attack surface on your privacy and security and should be avoided.
Messaging
I recommend Signal instead of text messages because it end-to-end encrypts all communications. It also does not store the metadata that many other apps do (e.g. iMessage, WhatsApp). Turn on disappearing messages — the 90-day default is good. In my experience old messages are an information vulnerability with no significant upside.
Browser
I recommend Brave, a privacy-first browser based on Chromium. Basically all Chrome extensions work out of the box and the browser feels like Chrome, but without Google having front-row seats to your entire digital life.
Search engine
I recommend Brave Search, which you can set as the default in the browser. It’s a privacy-first engine with its own index, unlike DuckDuckGo, which is basically a nice skin for Bing and is forced into weird partnerships with Microsoft that compromise user privacy. As with all the services on this list, I pay $3/month for Brave Premium because I prefer to be the customer, not the product.
Empirically, about 95% of my queries are simple website lookups, with the search engine basically acting as a tiny DNS. If I’m not finding what I want, I fall back to Google by prepending !g to the query.
Credit cards
Mint new, unique credit cards per merchant. There’s no need to use one credit card across many services — that lets them “link up” your purchasing across accounts and exposes you to fraud if any one merchant leaks the number.
I like and use privacy.com to mint new cards for every transaction or merchant. You get a clean interface for all your spending and notifications for every swipe. You can also set per-card limits (e.g. $50/month), which dramatically decreases the risk of being charged more than expected. With a privacy.com card, you also get to enter totally random information for the name and address fields when filling out billing info. This is huge, because there is simply no need for random internet merchants to know your physical address — which brings me to the next item.
Address
There’s no need to give out your physical address to the majority of random services and merchants. Use a virtual mail service. I currently use Earth Class Mail but I’m a bit embarrassed by that and looking to switch to Virtual Post Mail due to its much stronger commitments to privacy, security, and its ownership structure and reputation.
Either way, you get an address you can give out, they receive your mail, scan and digitize it, and you decide what to do with each piece (shred, forward, etc.) through their app. You gain security and privacy and quite a bit of convenience.
I still use Gmail just for sheer convenience, but I’ve started to partially use Proton Mail as well. While we’re on the topic, a few more thoughts.
Never click any link inside any email you receive. Email addresses are extremely easy to spoof, and you can never be sure the email isn’t a phishing attempt. Instead, manually navigate to the service of interest and log in from there.
Disable image loading by default in your email settings. If you get an email that needs images, you can click “show images” to load them — not a big deal. This matters because many services use embedded images to track you: they hide identifiers in the image URL, so when your client loads the image, they know you opened the email. There’s no need for that. Confusing images are also a common way scammers smuggle information past spam filters.
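The two email habits above (spoofed links, tracking images) can be checked mechanically. The following is an added example, not code from the original post: it parses a constructed HTML email and flags links whose visible text names one domain while the href points at another, plus remote images that are 1×1 or carry an opaque per-recipient token in their URL. Domain names in the sample are invented.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: a look-alike login link and a tracking pixel.
SAMPLE_EMAIL_HTML = """
<p>Your account needs attention. Sign in at
<a href="https://accounts-verify.example.net/login?u=8f3a">https://accounts.example.com</a></p>
<img src="https://t.example.net/open.gif?uid=8f3a9c2e5b1d&amp;cid=42" width="1" height="1">
<img src="https://cdn.example.com/logo.png" width="120" height="40">
"""

# Visible link text that reads like a URL or bare domain.
DOMAINISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

class _Collector(HTMLParser):
    """Collects (href, visible text) for <a> and attribute dicts for <img>."""
    def __init__(self):
        super().__init__()
        self.links, self.images, self._href, self._text = [], [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []
        elif tag == "img" and a.get("src"):
            self.images.append(a)
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    return (urlparse(url).hostname or "").lower()

def find_link_mismatches(html):
    """Return (shown_domain, real_domain) pairs where the text lies about the target."""
    c = _Collector(); c.feed(html)
    out = []
    for href, text in c.links:
        if DOMAINISH.fullmatch(text):
            shown = host(text if "://" in text else "https://" + text)
            if shown != host(href):
                out.append((shown, host(href)))
    return out

def find_tracking_pixels(html):
    """Return hosts of remote images that are tiny or carry a long hex token."""
    c = _Collector(); c.feed(html)
    out = []
    for img in c.images:
        tiny = img.get("width") == "1" or img.get("height") == "1"
        params = parse_qs(urlparse(img["src"]).query)
        tokened = any(re.fullmatch(r"[0-9a-f]{12,}", v[0]) for v in params.values())
        if tiny or tokened:
            out.append(host(img["src"]))
    return out
```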
VPN
If you want to hide your IP/location from services, you can do so via VPN indirection. I recommend Mullvad. I keep VPN off by default and enable it selectively when dealing with services I trust less.
DNS-based blocker
You can block ads and trackers by blocking entire domains at the DNS level. I like and use NextDNS, which blocks all kinds of ads and trackers. For more advanced users who like to tinker, pi-hole is the physical alternative.
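To make the DNS-level mechanism concrete, here is an added example (not NextDNS or pi-hole code) of the matching policy such a resolver applies: a blocklist entry covers every subdomain beneath it, and a more specific allowlist entry carves a subtree back out. List contents are constructed; the "block" outcome is where a real resolver would answer 0.0.0.0 or NXDOMAIN instead of forwarding the query upstream.

```python
# Constructed sample lists in the one-domain-per-line style blocklists use.
BLOCKLIST = """
# ad and tracker domains (constructed sample)
ads.example.net
tracking.example.org
metrics.example.com
"""
ALLOWLIST = """
safe.metrics.example.com
"""

def parse_list(text):
    """Return a set of lowercase domains, ignoring blanks and '#' comments."""
    return {line.strip().lower().rstrip(".") for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")}

def labels_to_root(name):
    """Yield the name and each parent: a.b.c -> a.b.c, b.c, c."""
    parts = name.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])

def resolve_policy(qname, blocked, allowed):
    """Decide what a blocking resolver does with one query name.

    Walk from the most specific label outward; the first list that matches
    wins, so an allowlist entry beneath a blocked parent un-blocks that
    subtree while any blocked ancestor blocks everything under it.
    Returns "block" (sinkhole the answer) or "forward" (ask upstream)."""
    for candidate in labels_to_root(qname):
        if candidate in allowed:
            return "forward"
        if candidate in blocked:
            return "block"
    return "forward"

BLOCKED = parse_list(BLOCKLIST)
ALLOWED = parse_list(ALLOWLIST)

if __name__ == "__main__":
    for q in ("cdn.ads.example.net", "www.example.com",
              "safe.metrics.example.com", "api.metrics.example.com"):
        print(f"{q:28} -> {resolve_policy(q, BLOCKED, ALLOWED)}")
```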
Network monitor
I like and use Little Snitch on my MacBook. It lets you see which apps are communicating, how much, and when, so you can keep track of what apps on your computer “call home” and how often. Any app that communicates too much is sus and should potentially be uninstalled if you don’t expect the traffic. The Windows alternative is GlassWire.
Work–life separation
Ideally, do not log into or access any of your personal services on work computers. Most have company-operated monitoring software installed to protect intellectual property. This makes sense, but you should know that activity on the computer is quite likely extensively logged (networking, keyloggers, screenshots) and possibly actively monitored by the security department.
Generative AI
The same model that helps you write emails helps scammers write better ones. Generative AI — ChatGPT, Claude, Gemini, image and video generators — creates content from your prompts, and it has quietly become a meaningful new attack surface on both sides of the screen.
Treat prompts like a postcard. Whatever you paste into a hosted LLM may be retained, used for training, or eventually leaked in a breach. Don’t paste passwords, customer data, internal documents, medical records, or anything you wouldn’t email to a stranger. Most major providers offer a “don’t train on my data” toggle — turn it on, but don’t treat it as a guarantee. If you genuinely need to work with sensitive content, run a local model with Ollama or LM Studio and skip the cloud entirely.
Phishing got an upgrade. AI-generated phishing is cheaper, grammatically perfect, and increasingly tailored from public information about you. Voice cloning needs about 30 seconds of audio — enough to fake a frantic call from a family member. Treat any unexpected message or call that creates urgency as untrusted, even if it sounds exactly like your boss, spouse, or kid. Verify out-of-band on a known channel before doing anything financial or sharing anything sensitive. Pre-agree on a family code word now, before you need it.
Don’t blindly run AI-generated code or commands. LLMs hallucinate package names with confidence (e.g. “just pip install requests-helper-pro”), and attackers register the hallucinated names on npm and PyPI to ship malware — sometimes called slopsquatting. Verify a package exists, has a real maintainer, and a reasonable history before installing. Read AI-suggested shell commands the same way you’d read one from a stranger on the internet, because functionally that is what they are.
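The "verify a package exists, has a real maintainer, and a reasonable history" step can be scripted. This is an added example, not code from the post: it runs those checks over constructed metadata shaped like PyPI's JSON API response (author/maintainer, project_urls, releases with upload times), with the page's hallucinated name as the first case and an imagined after-the-fact registration of a near-identical name as the second. The package names, dates and the frozen clock are all constructed.

```python
from datetime import datetime, timezone

NOW = datetime(2026, 4, 28, tzinfo=timezone.utc)  # frozen clock for the sample

# Constructed sample in the shape of PyPI's JSON API (GET /pypi/<name>/json).
# None stands for an HTTP 404: the name is not on the index at all.
SAMPLE_INDEX = {
    "requests-helper-pro": None,                      # the hallucinated name
    "requests-helper-pr0": {                          # constructed: registered yesterday
        "info": {"author": "", "maintainer": "", "project_urls": None},
        "releases": {"0.0.1": [{"upload_time_iso_8601": "2026-04-26T10:00:00Z"}]},
    },
    "example-http-utils": {                           # constructed: mature project
        "info": {"author": "Example Maintainers", "maintainer": "",
                 "project_urls": {"Source": "https://example.org/src"}},
        "releases": {
            "1.0.0": [{"upload_time_iso_8601": "2021-03-01T00:00:00Z"}],
            "1.1.0": [{"upload_time_iso_8601": "2023-06-15T00:00:00Z"}],
            "1.2.0": [{"upload_time_iso_8601": "2025-11-02T00:00:00Z"}],
        },
    },
}

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def package_warnings(name, index=SAMPLE_INDEX, now=NOW, min_age_days=90, min_releases=3):
    """Return reasons not to install `name` blindly; an empty list means it passed."""
    meta = index.get(name)
    if meta is None:
        return ["not on the index: likely a hallucinated name"]
    warnings = []
    info = meta.get("info", {})
    releases = meta.get("releases", {})
    if not (info.get("author") or info.get("maintainer")):
        warnings.append("no author or maintainer listed")
    if not info.get("project_urls"):
        warnings.append("no source or homepage URL")
    uploads = [_parse(f["upload_time_iso_8601"]) for files in releases.values() for f in files]
    if not uploads:
        warnings.append("no uploaded files")
    else:
        age = (now - min(uploads)).days
        if age < min_age_days:
            warnings.append(f"first upload only {age} day(s) ago")
    if len(releases) < min_releases:
        warnings.append(f"only {len(releases)} release(s)")
    return warnings
```

Against the live index the same checks would run on the JSON fetched from the URL above; thresholds are judgment calls, not PyPI rules.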
Verify, don’t trust. LLM output is plausible-sounding but not necessarily true. They confidently invent statistics, court cases, citations, and API methods that don’t exist. Cite-check anything that matters before forwarding it, and never let an AI’s confidence substitute for your own judgment.
Closing thoughts
I just want to live a secure digital life and establish harmonious relationships with products and services that leak only the necessary information. I want to pay for the software I use so that incentives are aligned, and so I am the customer. This is not trivial, but it is possible to approach with some determination and discipline.
Last updated 2026-04-28