10 Behaviors That Will Reduce Your Risk Online

I wrote an article recently on how to secure your home network in three different tiers of protection. In that piece I wanted to link to some safe internet practices—which some used to call Safe Hex—but I couldn’t find anything newer than nine years old.

These are the diet and exercise of the computer safety world.

So, I decided to update the advice myself. What follows is a set of basic security hygiene steps that will significantly reduce your risk online.

1. Use unique, strong passwords, and store them in a password manager

Automatic Logins Using Lastpass

Many people get hacked from having guessable or previously compromised passwords. Good passwords are long, random, and unique to each account, which means it’s impossible for a human to manage them on their own. A password manager is a piece of software that creates all these for you, keeps them stored safely, and then fills them in for you automatically when you need to log in.

Don’t overthink the choice between the two: they’re both solid options.

Using any of the top password managers is far better than using passwords alone.

Pick either 1Password or LastPass, go through all your accounts, and for each one…reset the password to something created by (and stored in) your password manager.

2. Keep your firmware and software updated

Keep all of your software and hardware religiously updated. Turn on automatic updates, install updates from the operating system when you’re asked to, and make a regular habit of updating everything in your technology ecosystem.

That means your computers, laptops, phones, gaming systems, smart home appliances, etc. Everything.

3. Enable two-factor authentication on all critical accounts

Setting up Google 2FA

Your email and phone accounts are critical because they’re used to reset passwords on most of your other accounts.

For your most important accounts—such as those controlling your email account, your bank, and your mobile phone account—you should enable two-factor authentication. This means even if you have the password, an attacker would still need an additional thing to be able to get into your account, such as your phone.

Text-based two-factor is not ideal, but it’s far better than having nothing.

Go to each of those high-priority accounts and ensure two-factor authentication (often called strong authentication) is turned on. If you have the option between using a 2-factor authentication application or using SMS (text messaging) for the second factor, the app option is more secure—but not enough to worry about. Text-based two-factor is still far better than having a password by itself.

4. Don’t click links or attachments in emails, text messages, or any other media—especially from untrusted sources

It’s hard to say what’s worse—re-using weak passwords across multiple important accounts, or being too click-happy when it comes to incoming content.

For example, instead of sending a link to a picture, ask them to send the picture itself.

Even if you are using good passwords and have all the updates installed, it’s still possible to get compromised by clicking on links.

Your best possible bet is to get in the habit of not clicking on things.

Read emails, don’t click links in them. Read text messages, don’t click links in them. Try to get in the habit of telling people not to send you links, because you won’t click them.

This one behavior will massively reduce your chance of being infected!

5. Use your operating system’s antimalware capabilities, keep them updated, and (optionally) use MalwareBytes in addition

Built-in security in Windows 10

It’s a little-known fact that Windows and Mac anti-malware systems are catching up to the dedicated offerings by third-parties. They are, and you should be taking advantage of that functionality.

Some say these tools are already redundant, but there’s no harm in having both.

In addition to turning on the native anti-malware and firewall features in your operating system, also consider installing MalwareBytes as an extra layer of protection.

6. Stay on reputable websites. The more fringe the site, the higher the risk of bad things happening while you’re there

website trust

Live footage of someone visiting a random website

When you visit a website, you are agreeing to have your computer execute thousands of lines of code from that site. They are dropping cookies on your computer, they’re serving you ads, and yes—you’re executing computer code written by them as well. It’s like being blindfolded and forced to eat random things put in your mouth.

Browsing random websites is like having someone blindfold you, put something in your hand, and say, “Eat this.”

You unfortunately have little choice about the blindfold when navigating the web, because it’s not possible for most people to inspect the thousands of lines of code on every page you visit. But you can choose to walk in friendly places as much as possible.

Try to stay on reputable sites, and be more cautious as you venture into bad web neighborhoods. Landing on a webpage is agreeing to eat whatever they feed you. Be careful who you do that with.

7. Don’t use filesharing sites to gain access to free content

A typical view when browsing filesharing sites

Filesharing sites are notorious for malware, and the reputation is deserved.

It’s remarkably easy to take a movie—or any type of media—wrap it up with ransomware, and share it to one of these sites. Then all the attackers have to do is wait for victims to show up, and collect their money.

Don’t be one of their victims. Don’t use filesharing sites.

8. Don’t install things like plugins, toolbars, extensions, or download managers when prompted online

don’t install software from random places on the internet

Don’t randomly install software, and definitely not while browsing some website. If something seems worthwhile, stop, open a different browser window, and investigate it by going to the official source.

If browsing a website is taking food from a stranger, then installing software is like taking medicine from one.

Try to only install software using your operating system’s official mechanism, such as its app store.

9. Don’t trust incoming offers; disconnect and go through the official channel instead

Now we’re getting into the more powerful and overarching advice.

Being able to sense what’s out of the ordinary comes with time.

We’ve learned to avoid clicking and installing things, and even browsing to sites that seem shady. We’re basically training ourselves to be extremely cautious in everything we do, and that’s a good thing.

But sometimes you are actually sent something interesting, and you’re really curious. Well, here’s what you do.

  1. Stop.
  2. If it’s a link, don’t click it.
  3. If it’s a phone offer, don’t say yes.
  4. Disconnect from that email/text/phone call.
  5. Open a separate window and investigate from the orginal source.

Example 1: Someone calls you and says they work for AT&T and they can give you 30% off your bill if you give your credit card right now. No. Ask them the name of the promotion and where you can find it online. If they tell you it’s only a phone offer, they’re lying. That’s not how legitimate businesses work. Get off the phone and investigate yourself by going to the AT&T site directly.

Example 2: Someone emails or texts you a link for a buy-1-get-one-free promotion for your favorite spa. Do not click it. Close and/or delete that message, and go to the spa website directly. If there’s a coupon code in the email/text, and you think it might be legitimate, write it down. And if you find it’s a real promotion when you look at the site directly, you can type the code in manually.

In both cases here, we STOPPED the flow that was happening. If you feel pressured to click, or pressure to say yes on the phone, you should sense danger. Break contact and do your own research!

When a trained security professional accidentally clicks a phishing link, they often tell me afterwards that they knew the whole time they were doing it that they had a bad feeling.

10. If you get a bad feeling, or something seems out of the ordinary, don’t give into curiosity

Respect your spider sense, and work to improve it using the behaviors above

And finally, as a general rule to number 9 above—never give in to curiosity, don’t let yourself supress warning signs, and never allow yourself to feel rushed.

If something feels strange, or smells bad, or you find yourself getting overly excited about how great a deal something seems to be—STOP! That’s dangerous.

Don’t click. Don’t accept. Don’t proceed.

Trust your Spidey-sense.


If you follow these 10 rules, and turn them into habits, you will quickly become one of the safest people on the internet. and here’s an infographic to help you remember them.

Stay safe out there!

An infographic of the 10 Safe Hex rules


  1. I didn’t include WiFi security in the list because it’s not an internet-based threat. Someone has to be near your house to take advantage, which is a completely different threat model. But all the same, you should have a long, strong, and unique password for your WiFi, which you store in a password manager. And for extra security, consider hiding your SSID so that people don’t even try to connect to you in the first place.
  2. The most important two things to take away from this article are: 1) the better you are at the basics, the safer you will be against 99.99% of threats you’ll face online, and 2) if you are truly targeted by someone with skill, these measures will only serve as an annoying speedbump.

If you get value from this content, you can support it directly by becoming a member. Being a member gets you access to the newsletter every week instead of just twice a month, access to the UL Slack Channel, the UL Book Club, the UL Archives, and access to future member-only content.