2026 Security Guide
Inspired by: Andrej Karpathy’s “digital hygiene” write-up — reprioritized here into a simple “do this first” order, with a plain why for each step and realistic alternatives.
Original framing: ads, data brokers, breaches, and scammers make a basic privacy/security routine worth it. The priority below is adjusted: the top five are the first things to do — mostly software, high leverage, and only a little work to set up. Everything after is secondary (more depth, more niche, or more effort).
Each item below includes a plain why (what problem it solves) and alternatives where they matter.
Top five (do these first)
1. Brave (browser)
Why: The browser is the app that sees almost everything you do on the web. A privacy-minded browser cuts down on trackers and fingerprinting by default, so fewer companies get to stitch your clicks into a profile.
What to use: Brave is built on Chromium (same engine as Chrome), so it feels familiar and you can install extensions from the Chrome Web Store the same way — password managers, accessibility tools, etc. Brave’s Shields block a lot of ads/trackers without extra setup; you can tune per site with the lion icon.
Browser alternative — DuckDuckGo (DDG): The DuckDuckGo browser is simple and strong on privacy with built-in blocking, but it does not support Chrome extensions. Good if you want minimal setup and don’t rely on extensions; not a fit if your workflow depends on 1Password/LastPass in the browser, translators, etc. (DDG also offers privacy extensions for Chrome/Edge/Firefox — that’s add-on protection inside another browser, not the same as the standalone DDG app.)
Practical combo: Many people run Brave as the main browser and pick a private search engine separately (next section) — browser privacy and search privacy are two different knobs.
2. Default search: Brave Search (+ alternatives)
Why: Whatever you type into the search box tells the provider what you’re curious about, worried about, or shopping for — that’s valuable signal. Using a search engine that minimizes tracking and profiling reduces how much of that becomes a durable ad profile.
Primary: Brave Search — set it as the default under browser Settings → Search engine. Own index (not just a skin on another engine), privacy-oriented; optional paid tier if you want to support the product directly. Use !g in the query to send a search to Google when Brave’s results aren’t enough.
Secondary: DuckDuckGo — strong privacy reputation and a simple default for “don’t track me.” Know the tradeoff: results are often syndicated/partnered (historically Bing-heavy), so result quality and the politics of that partnership differ from Brave’s own index — still reasonable as a second-choice private default if you prefer DDG’s feel or results.
Fallback habit: When neither private engine nails it, !g (or opening Google in a tab) beats making Google your 24/7 default.
3. Password manager: 1Password (+ LastPass)
Why: Reusing one password everywhere means one leak unlocks many accounts — breaches are common, and attackers automate trying the same password on other sites. A manager lets you use long, unique passwords without memorizing them.
Primary: 1Password + browser extension in Brave (Chromium — same extension model as Chrome). Family plans cover about five people at roughly $50/year (confirm current price). Strong reputation: Secret Key plus master password, Watchtower-style breach awareness, no headline vault breach comparable to competitors’ worst cases.
Secondary: LastPass — similar core features (vault, autofill, families can include six seats on some plans, sometimes a bit cheaper; free tier exists but is limited, e.g. one device type). Trust caveat: a 2022 incident involved stolen vault data; many people migrated away. Still usable if you accept that history and harden with a very strong master password and 2FA — 1Password is the calmer default for “start fresh and sleep at night.”
Both support import/export if you switch later.
4. Biometrics (for sensitive apps)
Why: Your phone or laptop can be lost, stolen, or left unlocked for a minute. A PIN or password protects the device; Face ID / fingerprint / system biometrics add a fast gate so banking, password manager, and email aren’t one tap away for whoever picks up the hardware.
What to do: Enable biometrics for sensitive apps specifically — not only the lock screen — so opening 1Password or your bank isn’t automatic after unlock.
5. Signal (instead of SMS when you can)
Why: SMS travels through carriers, can be intercepted or SIM-swapped, and isn’t end-to-end encrypted the way modern messengers are. Signal encrypts message content end-to-end; group calls and media are protected in-app. Turn on disappearing messages (e.g. 90 days) if you want old chats to age off devices.
Caveat: Who you talk to has to use Signal too — you’re choosing a better channel, not fixing everyone else’s choices.
Secondary / extra measures
Defense in depth — helpful, not required before the top five.
Hardware security keys (e.g. YubiKey, U2F/WebAuthn)
Why: SMS 2FA is better than nothing, but attackers can SIM-swap your number and receive codes. A physical key is something you have, and it signs a challenge that is bound to the site’s real origin: a look-alike phishing site can capture your password, but it cannot obtain a signature that verifies for the genuine site.
When: High-value accounts — email, password manager, Google — after you’ve got software basics down.
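To make the origin-binding point concrete, here is an added example (not from Karpathy’s write-up or any WebAuthn library) of the checks a relying party runs on a WebAuthn assertion before it even verifies the signature; the RP ID, allowed origins and the constructed clientDataJSON/authenticatorData are assumptions for illustration, and real signature verification is left out.

```python
import base64
import hashlib
import json

RP_ID = "example.com"  # assumption: relying party ID of the site being protected
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Build clientDataJSON the way the browser does (constructed sample, not a capture).
    The browser, not the page, fills in 'origin', which is what defeats look-alike sites."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def make_auth_data(rp_id: str, counter: int = 1) -> bytes:
    """authenticatorData = SHA-256(rpId) || flags || signCount (constructed, no extensions)."""
    flags = 0x05  # UP (user present) + UV (user verified)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def check_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes) -> str:
    """Relying-party checks that precede signature verification.
    Returns "ok" or a short reason for rejection."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return "challenge mismatch (stale or replayed response)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return f"origin {cd.get('origin')!r} not allowed (look-alike site?)"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    return "ok"
```

Because the signature covers both clientDataJSON and authenticatorData, a response captured on a look-alike origin fails these checks and could not be re-signed for the real origin anyway.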
“Security questions”
Why: Real answers (“mother’s maiden name”) are often guessable or searchable. Treat answers as extra passwords: random strings stored in your password manager.
Full-disk encryption (e.g. FileVault on Mac, BitLocker on Windows)
Why: If someone steals your laptop, encryption stops them from reading the drive in another machine. Without it, your files, tokens, and cached email are plain to anyone with the disk.
IoT / “smart” home devices
Why: Cheap connected gadgets often have weak updates, broad permissions, and always-on mics or cameras. Fewer devices means fewer doors into your network and less data shipped to vendors you don’t control.
Per-merchant virtual cards (e.g. Privacy.com)
Why: One card number shared everywhere lets breaches and shady merchants charge you again or link purchases across sites. Virtual cards cap exposure and separate merchants.
Virtual mail / address hygiene
Why: Every form that stores your home address becomes another breach row. A virtual mailbox or a strict “only when shipping” habit limits how often your real address sits in databases.
Email discipline
Why: Email is the reset path for most accounts — if it’s owned, you’re owned. Combine good habits (no blind link clicks, images off by default) with provider choice; see Email discipline (expanded).
VPN (e.g. Mullvad)
Why: Hides your IP from sites and networks you don’t trust (coffee-shop Wi‑Fi, aggressive trackers). It’s not magic — the VPN provider sees traffic unless you layer other tools — use when the threat model fits.
DNS blocking (e.g. NextDNS, Pi-hole)
Why: Before your browser loads a tracker, DNS can refuse to resolve known bad domains — network-wide ad/tracker blocking without per-browser setup (Pi-hole is the classic home-lab version).
Outbound firewall (e.g. Little Snitch on Mac)
Why: Lets you see which apps talk to the internet and when — handy for spotting chatty software that shouldn’t phone home constantly.
Work laptop separation
Why: Employer machines often run MDM, logging, DLP, and remote monitoring — fine for work, bad for personal email, banking, or side projects. Keep personal accounts on your hardware.
Email discipline (expanded)
Should you move away from Gmail?
There isn’t one right answer — it depends on threat model and what you’re optimizing for.
What changed (important nuance): Google stopped using personal Gmail content to personalize ads in 2017. Consumer Gmail is not supposed to feed the ad machine from the literal text of your messages the way early critics feared. Workspace business mail was not used for ads in the same way either.
What Gmail still does: Google still processes mail for spam/phishing/malware, security, and “smart” features (categories, Smart Reply/Compose, nudges, etc.). Those require access to content or metadata on their servers. You also remain inside the Google account ecosystem, so Search, YouTube, Android, ads on other surfaces, and account activity can still fuel profiling and ads — just not “read this email to pick the ad” in the simple sense. Legal requests (warrants, etc.) can still reach provider-held mail; no consumer Gmail is “zero-knowledge” end-to-end for all correspondence.
Why people still choose Proton, Tuta, Mailbox.org, etc.:
- Business model — You pay; you’re closer to being the customer than the product (Karpathy’s framing).
- Jurisdiction & policy — Some providers emphasize Swiss/EU governance; verify current docs if that matters to you legally.
- Encryption — True end-to-end encryption usually only applies provider-to-provider (e.g. Proton → Proton). Mail to Gmail is ordinary email on the far end; Google can see it in the recipient’s inbox. So “privacy email” is not a magic shield for all threads — it’s strongest for internal mail and metadata posture on the provider side.
- Subject lines / metadata — Some providers encrypt more of the envelope than others; compare if you need it.
Practical strategies:
| Approach | Good for |
|---|---|
| Stay on Gmail, harden | Convenience, Google ecosystem, strong default filtering; acceptable if your main worry is phishing and account takeover, not Google’s business model. Use security key / best 2FA, review Google Account → Security & Data, limit OAuth to apps that need Gmail. |
| Hybrid | Proton (or similar) for banking, health, sensitive life admin; Gmail for long-tail signups and stuff you don’t care about. Gradually move high-sensitivity accounts first. Forwarding from Gmail to a new inbox can ease transition — then update senders over time. |
| Full migration | Strong privacy values, journalism/sources, highly sensitive work, or you want minimal ad-driven parent company — accept cost, migration effort, and some feature friction. |
Gmail limitation on aliases: you+label@gmail.com routes to the same account; senders can strip the +label or guess the pattern. Real alias products (SimpleLogin, Addy.io, provider-native aliases) give per-site burners and breach isolation better than plus-addressing alone.
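The following added example (mine, not from the write-up or any alias product) shows why plus-addressing gives no breach isolation: collapsing the +label, and for Gmail the dots Google ignores in the local part, links every variant back to one mailbox, while a true alias on a separate domain stays unlinked. The addresses and the alias domain are constructed placeholders.

```python
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(addr: str) -> str:
    """Reduce an address to the mailbox that actually receives it.

    Gmail ignores '+label' suffixes and dots in the local part, and treats
    googlemail.com as gmail.com, so all of those collapse to one identity.
    For other domains only the '+label' subaddress is dropped."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    return canonical_mailbox(a) == canonical_mailbox(b)


def linkable_groups(addresses):
    """Group signup addresses by the mailbox they resolve to."""
    groups = {}
    for a in addresses:
        groups.setdefault(canonical_mailbox(a), []).append(a)
    return groups


# Constructed sample signups: three plus/dot variants of one Gmail account
# plus one alias-service address (placeholder domain).
SIGNUPS = [
    "Jane.Doe+shop@gmail.com",
    "janedoe+bank@googlemail.com",
    "ja.ne.doe@gmail.com",
    "shop.k7x2@alias.example",
]

if __name__ == "__main__":
    for mailbox, variants in linkable_groups(SIGNUPS).items():
        print(mailbox, "<-", variants)
```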
Habits that matter on any provider
- Don’t use email links for “sign in and fix account” moments. Open the app or type the site URL; phishing lives on look-alike links and urgency. Karpathy’s rule still holds.
- Load remote images only when needed — default off (or “ask”). Tracking pixels (tiny remote images) report opens, often with IP/device signals. Newsletters and marketing love this; so do some bad actors.
- 2FA everywhere important — Prefer authenticator app or security key over SMS for high-value accounts (SIM swap).
- Unique passwords — 1Password already on the list above; same for email — it’s the reset key to everything else.
- Aliases for new signups — Reduces one email = universal ID across breaches and spam.
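For the “load remote images” habit above, this added example (mine, not part of the original guide) scans an HTML message for remote images and flags the ones that look like tracking pixels: 1x1 or hidden, or carrying a long opaque token in the URL. The sample message and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class RemoteImageFinder(HTMLParser):
    """Collect every <img> whose src would trigger a remote fetch when images load."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return  # data: URIs and cid: attachments load nothing remotely
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in (a.get("style") or "").replace(" ", "")
        token = any(len(part) >= 20 for part in url.path.split("/"))
        self.images.append({
            "src": src,
            "host": url.hostname,
            "tracker_like": tiny or hidden or token,
        })


def remote_images(html: str):
    """Return the remote images in a message with a per-image tracker heuristic."""
    p = RemoteImageFinder()
    p.feed(html)
    return p.images


# Constructed sample message, not a real newsletter.
SAMPLE = """<html><body>
<p>Hi Jane, your order shipped.</p>
<img src="https://cdn.shop.example/logo.png" width="120" height="40" alt="logo">
<img src="https://track.mailer.example/o/u8Qx93kLp2Zr7Vt1Bn4Ym6.gif" width="1" height="1" style="display:none">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for img in remote_images(SAMPLE):
        print("TRACKER?" if img["tracker_like"] else "image   ", img["host"], img["src"])
```

With images off by default, neither remote fetch happens; the point of the scan is to see which senders would learn about an open if you turned them on.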
Karpathy’s closing stance: Pay for software when you can so incentives align. Perfection isn’t the goal.
Maintenance: Confirm 1Password, Brave, search, and email vendor pricing and policies on official sites before quoting numbers — they change.