Digital Life Guide · Part 1 of 8

Online Safety Basics

The internet is part of everyday life — but so are the risks that come with it. This guide covers the essential online safety tips every person should know, from creating strong passwords to spotting phishing attacks, staying safe on public WiFi, and setting up two-factor authentication. Think of it as your internet security basics toolkit.

[Figure: Online Threat Landscape - Common Attacks and Their Defenses. Five common online threats (Phishing, Weak Passwords, Public WiFi, Malware, Social Engineering) are connected through a central shield icon to five corresponding defenses (Strong Passwords, 2FA, VPN, HTTPS, Security Software).]

Why Online Safety Matters

We spend a significant portion of our lives online — banking, shopping, communicating with friends and family, managing work, and entertaining ourselves. Every one of those activities involves personal information: your name, address, credit card number, private messages, and more. If that information falls into the wrong hands, the consequences can range from annoying spam emails to full-scale identity theft.

The numbers paint a clear picture. In 2024, the average cost of a data breach reached $4.88 million worldwide, and billions of credentials have been exposed in breaches over the past decade. Identity theft affects millions of people each year, and phishing attacks remain the number-one entry point for cybercriminals. These are not problems that only affect large corporations — everyday internet users are the primary targets.

The good news is that most online attacks rely on human error rather than sophisticated hacking. A stolen password here, a clicked link there — small mistakes that add up. Learning a few core habits dramatically reduces your risk. You do not need to become a cybersecurity expert to stay safe online. You just need to understand the basics and apply them consistently.

How to Create Strong Passwords

Your password is the first line of defense for every online account. A weak password is like a cheap lock on your front door — it might look fine, but anyone determined enough can get past it. The single most important thing you can do for your online safety is use a different, strong password for every account.

Use a password manager. Trying to remember dozens of unique passwords is unrealistic. A password manager generates random, complex passwords for each of your accounts and stores them in an encrypted vault. You only need to remember one master password. Popular options include Bitwarden (free and open source), 1Password, and KeePass (fully offline). If you want to generate a strong password right now, try KnowKit's Password Generator.

Length beats complexity. A passphrase like "summer-cloud-velvet-piano" is far harder to crack than "P@ssw0rd1!" even though it is easier to type and remember. Aim for at least 16 characters. The NIST guidelines (the US government's cybersecurity standards) explicitly state that length matters more than forcing a mix of uppercase, numbers, and symbols.
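Why the two passwords above behave so differently, as an added example (not part of the original guide): the "complex" one collapses to a common word once its decorations are undone, while a passphrase gets its strength from random word choice. The word lists and function names here are constructed for illustration.

```python
import math
import re
import secrets

# Constructed sample of well-known weak base words; real checkers use
# large lists derived from breached passwords.
COMMON = {"password", "letmein", "welcome", "qwerty", "dragon"}
# Character swaps that composition rules encourage and guessing tools undo.
UNLEET = str.maketrans(
    {"@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i"}
)
# Constructed mini word list; a real passphrase list has thousands of words.
SAMPLE_WORDS = ["summer", "cloud", "velvet", "piano",
                "harbor", "lantern", "copper", "meadow"]


def reduces_to_common(password, common=COMMON):
    """True if the password is a common word once decorations are undone."""
    # Drop the trailing digits and symbols people append to satisfy rules.
    core = re.sub(r"[\d\W_]+$", "", password.lower())
    return core in common or core.translate(UNLEET) in common


def random_passphrase(wordlist, words=4, sep="-"):
    """Pick each word uniformly at random using the OS secure random source."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(wordlist_size, words=4):
    """Entropy in bits of a uniformly chosen passphrase: words * log2(list size)."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    print(reduces_to_common("P@ssw0rd1!"))                 # decorated common word
    print(reduces_to_common("summer-cloud-velvet-piano"))  # not on the list
    print(random_passphrase(SAMPLE_WORDS))
    print(round(passphrase_bits(len(SAMPLE_WORDS)), 1))
```

With a 7,776-word list, four random words give about 51.7 bits, and each extra word adds about 12.9. The figure only holds when the words are picked at random rather than chosen by the user.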

Never reuse passwords. When a company suffers a data breach, attackers take the stolen username-password pairs and try them on other services — a technique called credential stuffing. If you use the same password for your email and a random shopping site, a breach at that shopping site puts your email at risk. And your email is the master key to all your other accounts because password resets go there.

Recognizing Phishing Attacks

Phishing is when someone pretends to be a trusted entity (your bank, a social media platform, a package delivery service) to trick you into revealing personal information. Phishing emails arrive in inboxes every day, and they are getting harder to spot. Attackers now use AI to write convincing messages with perfect grammar and professional formatting.

Here are the most common red flags to watch for:

  • Suspicious sender address. The email might look like it is from Netflix, but the actual address is something like "support@netflix-secure-login.com." Always check the full email address, not just the display name.
  • Urgency and fear. Phishing messages create a false sense of urgency: "Your account will be suspended in 24 hours" or "Unusual activity detected — verify immediately." Legitimate services rarely demand instant action.
  • Generic greetings. "Dear Customer" or "Dear User" instead of your actual name is a common sign. Real companies usually address you by name.
  • Mismatched links. Hover your mouse over any link before clicking it. The URL in the tooltip should match the company's real website. A link that displays "paypal.com" but actually goes to "paypa1-secure.xyz" is a scam.
  • Unexpected attachments. Never open an attachment you were not expecting, especially if it is a .zip, .exe, or .docm file.

Phishing is not limited to email. SMS phishing (sometimes called "smishing") uses text messages to create urgency — fake delivery notifications, package tracking updates, or bank alerts. The same rules apply: do not click links, do not call phone numbers in the message, and verify through the official app or website instead.

When in doubt, go directly to the service by typing the URL into your browser or opening the official app. Never log in through a link you received in an email or text message.

Public WiFi Safety Tips

Free WiFi at coffee shops, airports, hotels, and libraries is convenient, but it comes with real risks. On a public network, your data travels through the same connection as everyone else in the building. A motivated attacker on the same network can potentially see unencrypted traffic — the websites you visit, the forms you fill out, and in some cases, the credentials you type.

Check for HTTPS. Before entering any sensitive information, look at the address bar. A padlock icon and "https://" at the start of the URL mean the connection between your browser and the website is encrypted. Modern browsers warn you when you try to load a site without HTTPS, and most legitimate sites use it by default. However, HTTPS only protects the connection to the site; it does not hide which site you are visiting from anyone monitoring the network.

Use a VPN on public networks. A Virtual Private Network (VPN) encrypts all of your internet traffic and routes it through a secure server. Even on an unsecured public WiFi network, anyone snooping will only see encrypted data. You do not need an expensive VPN — free options like ProtonVPN and Cloudflare WARP provide solid protection for everyday use. If you regularly work from cafes or travel frequently, a VPN is one of the best investments you can make in your online safety.

Avoid sensitive activities on public WiFi when possible. Save online banking, large purchases, and password changes for your home network or mobile data connection. If you must use public WiFi for something sensitive, at minimum ensure the site uses HTTPS and, ideally, connect through a VPN.

What Is Two-Factor Authentication and Why Do You Need It

Two-factor authentication (2FA) adds a second layer of verification on top of your password. After entering your password, you must also provide a second factor — usually a six-digit code from your phone. Even if an attacker steals your password, they cannot log in without that second code. It is one of the single most effective things you can do to protect your accounts.

Authenticator apps vs. SMS codes. There are several ways to receive 2FA codes. SMS-based 2FA sends a text message with a code. It is better than nothing but vulnerable to SIM swapping, where an attacker tricks your carrier into transferring your phone number to their SIM card. Authenticator apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based codes on your phone without needing a cellular connection. They are significantly more secure than SMS. The gold standard is a hardware security key (like a YubiKey), which is practically immune to phishing, but it costs money and is overkill for most casual users.

Which accounts to protect first. Enable 2FA on your most critical accounts as soon as possible. Start with your primary email account — it is the master key because password reset emails for every other service go there. Then add 2FA to your banking and financial accounts, your password manager, social media accounts, and any cloud storage services. Most major services support 2FA and provide step-by-step setup instructions in their security settings.

Save your backup codes. When you set up 2FA, most services give you a set of one-time backup codes. Store these somewhere safe — a printed copy in a drawer, not in a file on your computer. If you lose your phone and cannot access your authenticator app, these codes are your only way back into your account.

Online Safety Checklist

Put these into practice today. Each item takes only a few minutes but makes a real difference in your online security.

  • Use a password manager and generate a unique password for every account
  • Enable two-factor authentication on your email, banking, and social media
  • Check haveibeenpwned.com to see if your credentials appeared in data breaches
  • Hover over links before clicking — verify the actual URL matches the sender
  • Look for HTTPS and the padlock icon before entering any sensitive information
  • Install a VPN and use it whenever you connect to public WiFi
  • Update your software, browser, and operating system regularly
  • Never reuse passwords across different websites or services
  • Save 2FA backup codes in a safe, offline location
  • Review your account login activity periodically for unrecognized devices

Online safety is not about living in fear of the internet. It is about building a few good habits so you can browse, shop, and connect with confidence. The five areas covered in this guide — strong passwords, phishing awareness, public WiFi safety, two-factor authentication, and secure browsing habits — form a solid foundation. As you continue through the Digital Life Guide series, we will build on these basics with deeper dives into privacy, data management, and more.

Nelson

Developer and creator of KnowKit. Building browser-based tools since 2024.