Internet security: A power user’s guide to staying safe online

There are lots of straightforward steps you can take to protect your privacy online. Spend a couple of minutes now to get yourself set up, and you’ll never worry about it again.

You’ll have heard countless times how important it is to protect your online privacy and security. You wouldn’t leave your PIN lying around, so why would you play fast and loose with your online passwords when they can provide access to exactly the same bank accounts?

Thankfully, being that little bit more safe online isn’t nearly as much of a hassle as it might at first seem. Most of the steps we’ve outlined below take a matter of minutes to complete, after which you can get on with your life as usual.

After compiling our list of recommended steps, we sat down with cybersecurity expert Ed Williams, who heads up SpiderLabs at Trustwave EMEA. Ed has spent the best part of a decade doing penetration testing and consulting for various government and private sector organisations.

Without further ado, here are the most effective steps you can take to staying safe online.

1) Use a Password Manager

Ed Williams’ effectiveness ranking − 5/5

Of all the steps you can take in our list, a password manager is the single most effective. When testing for vulnerabilities, weak passwords are the first thing that Williams and his team attack, because so many people use either easy-to-guess passwords or ones reused across multiple online accounts.

“I, for example, use 20 to 30 passwords a day and I’m sure most people are the same, so having something that manages all of that and then ensures these passwords are non-shared is a really important thing,” he says.

A password manager is important because using the same password for every single website is incredibly insecure. The chances of Amazon getting hacked and your account password getting stolen are fairly low. But if you use the same password for a much smaller, less secure site, a hacker could easily gain access to your Amazon account that way.

A password manager solves this issue by making it easy to generate a secure, unique password for every site. It then remembers these for you, and lets you access them from any device you’d need them on.

You’ve got a couple of options if you want to start using a password manager. LastPass is the manager we’ve got the most experience with, but check out our full guide below for all of our top picks.


Once you’ve set your password manager up, you’ll need to import all your passwords, go through your list, and generate unique passwords for any accounts that might be using the exact same login details.

This takes a little bit of time, but once everything’s set up your password manager of choice will make it really easy to create a brand new password you haven’t used elsewhere.

The final point is to make sure your ‘Master Password’ − which you use to unlock your password manager − is as secure as it can be. We’d recommend the Diceware method to generate a password that’s both strong and reasonably easy to remember.
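To make the Diceware recommendation concrete, here is an added worked example (not from the article or from any password manager vendor): it maps a five-dice roll to a wordlist position the way the Diceware method does, draws words with a cryptographically secure generator when you'd rather not roll physical dice, and computes how much entropy a passphrase of a given length has. The eight-word list is a constructed stand-in; a real Diceware list has 6^5 = 7776 words, and the entropy figures use that real size.

```python
import math
import secrets

# Constructed stand-in wordlist. A real Diceware list has 6**5 = 7776 entries,
# one for every five-dice roll from "11111" to "66666".
SAMPLE_WORDS = ["anvil", "brook", "cipher", "dune", "ember", "fjord", "gust", "harbor"]
REAL_LIST_SIZE = 6 ** 5  # 7776


def dice_to_index(rolls):
    """Convert a five-dice roll such as '43146' to a wordlist index 0..7775.

    Diceware lists are keyed by the roll itself; treating the digits as a
    base-6 number gives the equivalent zero-based list position.
    """
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("need exactly five dice, each showing 1-6")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def roll_dice(n=5):
    """Simulate n fair dice with the OS CSPRNG (secrets), never random.random()."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def diceware_passphrase(wordlist, n_words=6, separator=" "):
    """Pick n_words uniformly at random from wordlist; the separator adds no entropy."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(list_size, n_words):
    """Entropy of n_words independent uniform picks from a list of list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    # Hypothetical roll, constructed for illustration.
    print("roll 43146 -> index", dice_to_index("43146"))
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDS))
    for n in (4, 5, 6, 7):
        bits = passphrase_entropy_bits(REAL_LIST_SIZE, n)
        print(f"{n} words from a 7776-word list: {bits:.1f} bits")
```

A six-word passphrase from the full list carries about 77.5 bits of entropy, which is why a master password built this way can be both memorable and far stronger than a typical human-chosen password; the strength comes from the number of words and the list size, not from the separator or from any cleverness in the words themselves.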

For the love of god, please don’t reuse your everything password.

2) Enable two-factor authentication

Ed Williams’ effectiveness ranking − 5/5

Along with a strong, unique password, two-factor authentication (aka 2FA) is a must if you want to keep yourself secure online.

“If your passwords are compromised for whatever reason, whether it’s a website being compromised or you’ve just slipped up, having that second factor of authentication makes it a lot harder for someone to get into your account,” Williams explains.

You know when you try to sign into a service and it sends you a text message with a code that you need to enter? That’s two-factor authentication, and it prevents anyone from getting into your account even if they’ve figured out your password.

That said, if you’re still using SMS text messages to get your codes, then you’re exposing yourself to a pretty serious vulnerability.

Google Authenticator is a great free app for all your two-factor authentication needs

As Williams explains, “You shouldn’t be using two-factor authentication with SMS because SMS isn’t a secure protocol.” This potentially makes your code vulnerable to snoopers.

Instead, it’s much better to use a dedicated authentication app, and there are plenty of options out there. Williams recommends Google Authenticator for its simplicity, but we also like Duo because certain sites will support push notifications, which drastically reduces the amount of time it takes to log in.

Getting set up with these apps is a simple matter of using the app to scan a QR code on the website you want to enable 2FA on. Searching Google for the website’s two-factor authentication details will usually get you to the relevant help page.

Once you’ve logged in using 2FA once, most sites will allow you to save your browser for a certain amount of time, meaning you won’t have to constantly reach for your phone just to get on Twitter.

3) Get your browser set up for security

Ed Williams’ effectiveness ranking − 3-5/5

The browser is your gateway to the internet, so it makes sense to make it as secure as possible.

There are dedicated secure browsers out there like Tor or Avast Secure Browser, but when we asked Williams about these he thought most users would be far better served by kitting out their existing mainstream browser of choice with carefully selected privacy-focused extensions.

There are four or five different tasks that these extensions need to accomplish, and depending on which extensions you choose, you might be able to get one extension that does everything, or pick a separate extension for each task. A couple of these settings can be handled by the browser itself, without the need for any third-party software.

The most important of these is to block third-party software like Flash and JavaScript from automatically running (a move that Williams ranks 5/5 for effectiveness). New security vulnerabilities are constantly being discovered in software like this, and although they’re frequently patched you can still find yourself exposed.

Williams even warns that these plugins can be compromised to the extent that they’d allow someone to take control of your laptop.


This is a setting you can change from within Chrome or Firefox, and you should always have your browser set to block plugins by default. Certain useful web applications do rely on them, but in these cases it’s always better to enable them on an individual basis once you know they’re using the plugin for a useful purpose.

Next is an adblocker (which Williams gives a 4.5/5 rating) for much the same reason. Ads are frequently the source of malicious code on websites, which makes an adblocker a useful tool for staying safe online.

That said, a large portion of the web relies solely on advertising to generate revenue, and blocking every single advert would destroy the internet as we know it. Thankfully, extensions like Adblock allow you to let through adverts which are deemed to be non-intrusive. We’d recommend turning this option on.

The third most important browser tweak to make is to force it to use HTTPS rather than HTTP wherever possible (rated 4/5). HTTPS is a much more secure protocol for browsing the web, but many sites don’t use it by default. Although it’s impossible to force every site to use HTTPS, with the right extension you can make sure that it’s always used when there’s a possibility of doing so.

The final two steps you can take are more optional than necessary, but since they’re free you might still find them helpful.

The first is to obscure location data (rated 3/5 by Ed). As you move across the internet there are relatively few legitimate reasons for a website to know where you’re accessing it from (Google Maps, which needs to know where you are in order to provide directions, is one of the exceptions), so it’s best to leave that off by default.

Finally, certain extensions will allow you to mask further information about yourself, for example hiding the type and version of the browser that you’re using. Yes, this allows you to further anonymise yourself online, but the benefit is fairly minimal at this point.

That’s a long list of things to accomplish, but depending on which you opt for, you might be able to cover them all off with just one or two extensions.

We initially liked the DuckDuckGo extension because it includes much of what we’ve discussed above, plus a couple of additional features like blocking advertising trackers (“You can just enable it and not have to think about it too much,” says Williams). It works well, but we grew frustrated by the way it forced us to use DuckDuckGo’s own search engine by default.

As a result, for the majority of the options above we’d actually advise just tweaking your Chrome or Firefox settings, while using a third-party adblocker like Adblock on the latter browser. The extension HTTPS Everywhere is a good option on Chrome if you want to force sites to support the encrypted protocol where possible.

4) Use a secure DNS

Ed Williams’ effectiveness ranking − 4/5

You may never have heard of DNS before. It’s one of those incredibly unsexy parts of how the web works, and it’s basically responsible for turning the words www.trustedreviews.com into the specific IP address that will allow your browser to show the contents of our site.

By default, you’re almost certainly using your ISP’s default DNS service, and in terms of your online security this is a pretty bad idea.

“There have been a number of issues and a number of vulnerabilities around DNS across the last 25 years,” Williams explains. “The primary reason for that is that everything is just clear text, so ISPs and large organisations are very quickly able to work out what you’re looking at and what you’re doing online.”
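The clear-text point is easy to demonstrate. The following added example (not code from the article or from any resolver operator) builds the exact UDP packet a classic DNS lookup sends for www.trustedreviews.com, following the RFC 1035 message layout, and then parses the name straight back out of the raw bytes the way anyone sitting on the path could. No network access is needed; the packet is constructed in memory.

```python
import secrets
import struct


def encode_qname(name):
    """Encode a hostname as DNS labels: each label is length-prefixed, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_query(name, qtype=1, txid=None):
    """Build a standard recursion-desired DNS query (qtype 1 = A record).

    Header: id, flags (0x0100 = RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0.
    A random 16-bit transaction id is the only unpredictability in the packet.
    """
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_qname(name) + struct.pack(">HH", qtype, 1)  # class 1 = IN
    return header + question


def decode_qname(packet, offset=12):
    """Read the label sequence starting at offset; returns (name, offset after it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def observed_lookup(packet):
    """What a passive observer on the wire learns from one unencrypted DNS query."""
    txid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, end = decode_qname(packet)
    qtype, qclass = struct.unpack(">HH", packet[end:end + 4])
    return {"txid": txid, "recursion_desired": bool(flags & 0x0100),
            "name": name, "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    pkt = build_dns_query("www.trustedreviews.com")
    print("wire bytes:", pkt.hex())
    print("observer sees:", observed_lookup(pkt))
```

The hostname sits in the packet as readable ASCII, which is what Williams means by clear text. Encrypted DNS (DNS over HTTPS or DNS over TLS, which Cloudflare’s 1.1.1.1 supports) carries this same message inside a TLS session, so an observer sees only that you spoke to a resolver, not which name you asked for.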

Thankfully, your DNS is the easiest thing to solve about your internet setup, and you’ll even get a nice little speed boost in the process.

Cloudflare’s 1.1.1.1 DNS service is a small but effective step you can take to protect your online privacy

The DNS service that’s been making waves recently with its commitment to security and privacy is Cloudflare’s. The primary DNS address that you want to be using here is 1.1.1.1, while the secondary one is 1.0.0.1. Google’s own DNS service (8.8.8.8 / 8.8.4.4) will also encrypt your traffic, but Cloudflare has also committed to purging its logs every day to limit the amount of your data it holds over time.

The most effective way to change your DNS settings is to do it in your router’s settings. You can log into your router by typing in the IP address that’s usually printed on a sticker on the router, and navigating to the advanced options. After this point, any device you connect to your home network will access the internet via this secure DNS.

You can also change your DNS settings on a device-by-device basis, which is helpful if you have a phone or a laptop that connects to different Wi-Fi hotspots throughout the day. Changing these DNS settings varies based on your operating system, so you’re best off seeking that information out yourself.

Of all the options on this list, changing your DNS settings takes the least amount of time and gives the biggest privacy benefit.

5) Turn on your antivirus

Ed Williams’ effectiveness ranking − 4/5

Using some form of antivirus software is essential the moment you connect your computer to the internet, but Williams is less convinced that you need to install third-party software in addition to what already comes built into your operating system.

“There’s been a lot of issues and a lot of vulnerabilities associated with antivirus software because it creates an additional interface. Antivirus software will need to run with big privileges on your machine, because it needs to see everything,” Williams warns. “Personally I would just stick with what’s inbuilt.”

However, just because your operating system has antivirus built in, that doesn’t mean you can just turn it on and forget about it.

He recommends making sure it’s set to scan everything your computer downloads from the internet, to avoid any malicious code finding its way onto your device. Also, be sure to actually act on the notifications your system sends you.

As Williams puts it, “Antivirus isn’t a silver bullet by any stretch, but it’s better than nothing in this day and age.”

6) Use a VPN if you’re serious

Ed Williams’ effectiveness ranking − 2-3/5

VPNs have exploded in popularity in recent years, and with good reason. The technology essentially acts as an encrypted tunnel, taking your traffic in and delivering it to anywhere in the world you’ve specified.

If someone’s snooping on your traffic, they’ll be able to see that you’re connecting to a VPN, but they won’t be able to see where your traffic is going.

However, while Williams agrees that VPNs are very good at what they do, he believes they’re less useful for your average consumer.


“I know that VPNs are really good, but are they reasonable for most users? I’d probably say they’re not,” Williams cautions. “If you put everything else in place such as a password manager and two-factor authentication, then I’d say that a VPN is less important.”

As a result, unless you’re using a VPN to access content from another country, you probably don’t need to worry about paying for one to protect your privacy and security online.

Final thoughts: Encrypted messaging

So far we’ve mainly been discussing steps you can take to browse the internet securely, but of course a large part of what we use the internet for is messaging, which isn’t necessarily encrypted by default.

The good news though, is that an increasing number of messaging apps are encrypting your conversations.

The most prominent of these is WhatsApp, which has offered end-to-end encryption for its messages since 2016. That means that no one, not even WhatsApp itself, can see what you’re sending to your friends. Apple’s iMessage is also similarly encrypted.

If you want an even more secure messaging app, you might want to consider using Signal, which not only encrypts your messages but also discards your metadata whenever it can, offering an additional layer of privacy.

In an ideal world everyone would be using Signal, but in reality you’re likely going to need to make compromises in order to be on the same platform as your contacts. In these instances we think WhatsApp is an acceptable compromise.

Try to avoid using SMS to send sensitive information, as it’s entirely unencrypted. You have been warned.

Have you got any tips for staying safe online? Get in touch with us on Twitter or Facebook @TrustedReviews.