Take Control of the Privacy and Security

In a world where personal data is gold, protecting your digital identity is a must! This guide offers key steps to reclaim your privacy with tools like password managers and multi-factor authentication. Take control of your digital life now—don’t wait!

Privacy & Security(updated on: )
Take Control of the Privacy and Security
Table of contents

We believe privacy is a basic human right, full stop. In today’s digital world, protecting your personal information isn’t optional anymore. This post digs into the first and most important layer of that: strong, unique passwords and solid authentication. That’s just the starting point. As this series goes on, we’ll get into securing your browsing habits, managing your data footprint across platforms, and more. The goal is simple: give you practical, effective ways to take your privacy back. Before any of that, remember the following.

The more private and secure you are the less convenient things get!

~ Someone from the community

Introduction

Privacy gets harder to hold onto every year. Social media, online advertising, and government surveillance have made every internet user a target in some form. Personal data is one of the most valuable commodities on the web now, and it’s collected whether you notice or not.

My own dive into digital privacy started with a personal experience I’ll share in a future post. For now, let’s focus on how you can take control of your own online life.

Here’s the good news: you’re not figuring this out alone. The digital privacy community is active, generous, and genuinely helpful, whether you’re just getting started or heading toward the more “paranoid” end of the spectrum. There are guides, tools, and people willing to walk you through it.

We’re not security experts. But we’ve put real time into researching and testing the tools that actually work, and we’ll be sharing them throughout this series. Privacy and security are serious enough that you shouldn’t take any single source, including this one, as gospel. Do your own research and figure out what fits your actual threat model.

This post is an overview of the tools and strategies that have worked for us. Our hope is that it gets you started, and curious enough to dig further on your own.

Passwords

Passwords are supposed to be our little secrets, information only we know. Security generally comes down to three factors of authentication:

  1. Something you know (like a password or passphrase)
  2. Something you have (like a 2FA code or a security key)
  3. Something you are (like your fingerprint or Face ID)

You can layer more than one of these together, and we’ll get into that shortly. For now, passwords are still the default on nearly every platform. Sometimes they’re the only option, which makes getting them right non-negotiable.

Golden rule: never reuse a password across accounts. This is still one of the most common mistakes out there, and yes, we’ve been guilty of it too. Reuse a password and one compromised account effectively hands over the keys to every other account using it. So every account gets its own password. No exceptions.

Guessability matters too. A password built from insecure words, phrases, or meaningful dates is basically a red flag with extra steps for anyone who knows you even a little.

Short passwords are another trap. Plenty of sites technically enforce a capital letter, two digits, a symbol, and eight characters minimum, and people still land on something like “John@1990.” It checks every box the platform asks for. It’s still weak.

And let’s be honest, human memory isn’t built for this. Hundreds of accounts, each needing something unique and long? Nobody’s keeping that in their head. So what actually solves it?

A password manager. Let’s get into what that means.

What is a Password Manager?

If there’s one tool worth adopting immediately, it’s a password manager. It stores your passwords securely, generates strong new ones on demand, and auto-fills your login when you land on a site you already have an account with. The only password you need to actually remember is the one that unlocks the manager itself, which frees you up to use long, random, genuinely unguessable passwords everywhere else.

Two stand out for us: Bitwarden and KeePassXC.

BitWarden

Bitwarden logo

BitWarden is a cloud-based password manager that provides strong security. Cloud-based managers allow you to sync your passwords across all your devices, but some people might have privacy concerns about this method.

KeePassXC

KeyPassXC logo

KeePassXC, on the other hand, is a local password manager, which means your passwords are stored directly on your computer. You will need to manage backups if you want to access your passwords on multiple devices, but this method is highly secure.

A more recent addition worth knowing about: Proton Pass. Proton has built one of the strongest reputations in the privacy-respecting service space, and Proton Pass carries that reputation into password management. It’s cloud-based like Bitwarden, and it comes with a built-in email-aliasing feature that’s genuinely useful for keeping your real address out of forms you don’t fully trust.

Proton Pass

Proton Pass logo

Proton Pass is also a cloud-based password manager that provides strong security. It has a built-in aliasing option that comes in handy for generating email addresses on the fly. Proton Pass is developed by the Proton team, who are widely considered a privacy-respecting company within the community.

Passkeys: The Password Killer

This is worth adding since I first wrote this guide, because the landscape has genuinely shifted: passkeys have gone from niche to mainstream. A passkey replaces the password entirely for a given account. Instead of a secret you type in, your device holds a cryptographic key pair, and logging in is just a biometric check or a device unlock. There’s no secret being transmitted for an attacker to phish, guess, or leak in a breach. That’s the whole point.

So why does this matter now rather than later? Because by 2026, passkeys aren’t experimental anymore. Consumer awareness has climbed sharply, and a large majority of people who’ve tried them have enabled a passkey on at least one account. All three password managers above, Bitwarden, KeePassXC, and Proton Pass, now support storing and syncing passkeys, not just passwords. That’s a meaningful shift from where things stood when this guide was first written.

Here’s how we’d suggest approaching it: keep your password manager, but start creating passkeys wherever a high-value account offers them, email and banking first. You don’t need to migrate everything at once, and most of the web still runs on passwords, so your manager isn’t going anywhere. One more thing worth knowing: passkey portability used to be a real concern, since a passkey created in one manager could get you locked into it. That’s improving too, with a cross-platform standard (the Credential Exchange Protocol) now letting you move passkeys between supporting managers instead of recreating them by hand.

Adding Another Layer of Security

With a password manager in place and strong, unique passwords everywhere, it’s time to layer on the second authentication factor: something you have, on top of something you know. Two main options here: 2FA codes, or a hardware security key.

2FA Codes

2FA codes come in three flavors: SMS, email, and app-generated codes. SMS is the weakest of the three; attackers can intercept messages more easily than most people assume. Email is a modest improvement, but not by much. The strongest option is a Time-based One-Time Password (TOTP) generated by a dedicated app. The app and the website share a “seed code,” and both sides calculate a new code every 30 seconds independently. Your device’s clock needs to be synced for this to actually work.

For TOTP, we recommend Aegis on Android and Ente Auth on iPhone. Password managers can generate TOTP codes too, but it’s generally better practice to keep your 2FA app separate from your password vault. If someone compromises one, they don’t automatically get the other.

Aegis

Aegis logo

Aegis Authenticator is a free and open-source app for Android to manage your 2-step verification tokens for your online services. Aegis Authenticator operates completely offline/locally, but includes the option to export your tokens for backup unlike many alternatives.

Ente Auth

Ente Auth logo

Ente Auth is a free and open-source app which stores and generates TOTP tokens. It can be used with an online account to backup and sync your tokens across your devices (and access them via a web interface) in a secure, end-to-end encrypted fashion. It can also be used offline on a single device with no account necessary.

Hardware keys

The second option is a physical hardware security key. These devices hold an encrypted private key used purely for authentication, and they’re one of the strongest forms of 2FA precisely because logging in requires physically having the thing in hand.

Hardware keys earn their security from two properties: physical presence and phishing resistance. Yubico’s YubiKeys, for instance, use a standard that blocks phishing attempts outright, and they need no battery or charging to work.

We personally use a Yubico key. It’s widely trusted and supports multiple authentication standards. Hardware keys can feel like overkill for casual users, sure, but for anyone serious about locking down their accounts, they’re close to foolproof.

If hardware keys interest you, Yubico’s site (or an alternative like Nitrokey) has the details on setup. One practical note: keep a backup key stored somewhere safe. Losing your only hardware key can lock you out of your own accounts just as effectively as it locks out an attacker.

YubiKeys

Yubico logo

The Yubico Security Key series is the most cost-effective hardware security key with FIDO Level 2 certification. It supports FIDO2/WebAuthn and FIDO U2F, and works out of the box with most services that support a security key as a second factor, as well as many password managers.

Nitrokey

NitroKey logo

Nitrokey has a security key capable of FIDO2 and WebAuthn called the Nitrokey FIDO2. For PGP support, you need to purchase one of their other keys such as the Nitrokey Start, Nitrokey Pro 2 or the Nitrokey Storage 2.

Conclusion

Safeguarding your digital privacy isn’t optional anymore. It’s baseline maintenance. A password manager, unique passwords everywhere, passkeys where they’re offered, and multi-factor authentication (hardware keys included, if you’re serious about it) all stack together into real, meaningful defense. Every layer you add makes an attacker’s job measurably harder.

Here’s the thing worth remembering: digital privacy was never about having something to hide. It’s about keeping control of what’s yours. With what we’ve covered here, you’ve got a real starting point. It might feel like a lot at once, but even a few of these changes, done properly, add up fast.

Stay tuned for the next part of this series, where we’ll dig into the next layer of privacy and security. More is coming soon, and we’ll keep working through practical ways to protect yourself in a digital world that keeps shifting under our feet.