You don’t have to outrun the bear. You only have to outrun the other campers.

That’s the single most important idea in personal digital security, and it’s the one every “how to stay safe online” post seems to bury. The bar for “not worth attacking” isn’t perfection. It’s being measurably harder to phish, credential-stuff, or SIM-swap than 90% of the internet. Most attacks are automated, and automation hunts the cheapest targets.

The catch: that bar is about to rise, fast. Anthropic just released Claude Mythos, a model powerful enough at finding novel software vulnerabilities that Anthropic decided not to make it publicly available at all. Nicholas Carlini, one of the world’s top AI security researchers, said that with Mythos he’d “found more bugs in the last couple of weeks than in the rest of my life combined,” pointing to a 27-year-old flaw in OpenBSD and privilege-escalation bugs in Linux as examples. Anthropic’s Project Glasswing is a coordinated effort with 40+ security partners to patch critical infrastructure before capabilities like this diffuse into the general model ecosystem. Because, barring some kind of coordinated moratorium nobody is seriously expecting, they will diffuse. Other frontier labs are months behind. The moment Mythos-class capability lands in the general model ecosystem, every opportunistic attacker on the internet gets an on-tap exploit factory, and the “easy target” threshold moves sharply higher.

Now is the time to lock down. Not in a paranoid build-a-bunker way. In a “raise your personal bar above the easy-target threshold before the bar rises for everyone” way. Two hours of setup, thirty minutes a year to maintain, results by Sunday night.


Who this guide is for

You, if you’re a competent adult who uses a laptop, a phone, and the internet. No technical background required.

This guide protects you against:

  • Credential stuffing. Attackers take leaked username/password pairs from one site’s data breach and try them automatically against every other site you’ve signed up for. Works because people reuse passwords.
  • Phishing. Fake login pages that look real, designed to steal your password and your MFA code at the same time.
  • Lost or stolen devices. Someone finds your laptop on the train and tries to read everything on it.
  • Opportunistic malware. Drive-by downloads, malicious browser extensions, unpatched software being exploited by automated scanners.
  • SIM-swap attacks. An attacker convinces your phone carrier to port your number to a SIM they control, and starts intercepting your SMS codes.

This guide does not protect you against: a determined, well-resourced attacker who is specifically targeting you. If you’re a journalist, activist, politically exposed person, or you hold life-changing amounts of cryptocurrency, treat this as a starting point and see Beyond the baseline.

Format note. This guide is ordered by security-gained-per-minute-spent. If you stop halfway, you still get the biggest wins. Do Tier 1 this weekend, Tier 2 next weekend, come back for 3 and 4 when you can.

A note on terminology. I use MFA (multi-factor authentication) as the generic term throughout. You’ll also see 2FA (two-factor authentication) and 2SV (2-Step Verification, Google’s marketing name). They all mean the same thing: proving who you are in more than one way (something you know, something you have, something you are). I use MFA because it’s the most general and doesn’t hard-code an assumption about how many factors there are.


The stack at a glance

Everything in this guide, in one 2×2. If you remember only the four quadrants and come back for the details later, you have the mental model.

Four-quadrant format borrowed from Andrej Karpathy’s Digital Hygiene, which also seeded several specific sections of the guide below; see Further reading for the inventory.


Tier 1: The 30-minute baseline

Time: ~30 minutes. Cost: ~AU$10/month. Security gained: 80% of the total benefit of this entire guide.

If you only ever do Tier 1, you’re already in the top 10% of internet users for security. Do Tier 1.

1.1 Install 1Password

Get 1Password. The Family plan is US$5.99/month (≈ AU$10) for up to five people across every device. Use it.

Yes, there are free alternatives. Bitwarden is open-source and free. Proton Pass is free with a Proton account. Both are fine. If you’re already on one of them, stay there and don’t churn; you already have 95% of the benefit of this section.

I recommend 1Password because it has the best-polished UX in the category, excellent family sharing, a cleanly-aligned business model (you pay for the product, so you’re not the product), and the best passkey support in consumer software. When a non-technical family member asks me what to install, the answer is 1Password, every time, because the chance they actually use it day-to-day is higher than the alternatives. A password manager you don’t use is worthless.

Setup:

  1. Sign up for a Family plan at 1password.com.
  2. Install the desktop app, phone app, and browser extension.
  3. Print your Emergency Kit. When you sign up, 1Password generates a PDF called the Emergency Kit. It contains your sign-in email, your Secret Key (a 34-character code unique to your account), a setup QR code that lets another device sign in without retyping the Secret Key, and a blank field for your master passphrase. Print this PDF and store the printed copy in your Home Kit (which you’ll build in Tier 3). Do not write your master passphrase on the Emergency Kit. Your passphrase lives in your head, and separately in a Break-Glass envelope stored off-site. Keeping them apart is the whole point of Tier 3’s architecture. Treat the Emergency Kit as sensitive: the setup QR is as valuable as the Secret Key itself, and anyone holding both the Emergency Kit and your passphrase can sign into your vault. Shred any extra printed copies.
  4. Set a strong master passphrase. Use five random words from the EFF diceware list, not thematically chosen, actually random. Something like tremor salsa outpour rental vertical. At five words you’re at ~64 bits of entropy, enough to resist every realistic attacker. This is the one password you have to memorise. In week one, write it on a single sheet of paper, fold it, and hide it somewhere inconvenient (inside a book on a high shelf is a classic). Say it out loud twice a day, every day. By the end of the week you’ll be typing it without looking. At that point, take the paper and fold it into your Break-Glass Envelope (Tier 3). Don’t keep it anywhere else.
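
Here is how a passphrase like the one above is generated and why five words are worth about 64 bits. This is an added Python example, not code from the guide or from 1Password or the EFF; the word list embedded in it is a constructed stand-in for the EFF long list (the real one has 7776 entries), and `load_eff_list` assumes the EFF file’s tab-separated “dice roll, word” layout. It also covers the case the text doesn’t show: mapping a physical five-dice roll onto the list.

```python
import math
import secrets

# Constructed stand-in for the EFF long wordlist, for this example only.
# The real list has 7776 words, one per five-dice roll from 11111 to 66666.
SAMPLE_WORDS = [
    "tremor", "salsa", "outpour", "rental", "vertical", "abacus", "bagel",
    "cactus", "dagger", "eagle", "fabric", "garlic", "hammock", "iguana",
    "jacket", "kayak", "lantern", "magnet", "nectar", "oyster", "pebble",
]
EFF_LONG_LIST_SIZE = 6 ** 5  # 7776


def load_eff_list(path):
    """Parse the EFF long wordlist: one '<five dice digits>\\t<word>' per line.
    Returns {roll: word}. Assumes the published file layout."""
    table = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            if line.strip():
                roll, word = line.strip().split("\t")
                table[roll] = word
    return table


def roll_index(roll):
    """Map a five-dice roll such as '31415' onto a 0-based list index.
    Each die is a base-6 digit, so 11111 -> 0 and 66666 -> 7775."""
    if len(roll) != 5 or any(d not in "123456" for d in roll):
        raise ValueError("a roll is five digits in 1..6")
    index = 0
    for d in roll:
        index = index * 6 + (int(d) - 1)
    return index


def roll_dice():
    """Five dice from the OS CSPRNG. secrets, not random: the random module
    is seeded from predictable state and is not safe for secrets."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def passphrase(words, n=5):
    """n words chosen independently and uniformly, which is what makes the
    entropy calculation below honest. No theme, no editing afterwards."""
    return " ".join(secrets.choice(words) for _ in range(n))


def entropy_bits(list_size, n):
    """Entropy of n independent uniform picks: n * log2(list_size).
    Five words from the 7776-word EFF list give about 64.6 bits."""
    return n * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS), round(entropy_bits(len(SAMPLE_WORDS), 5), 1), "bits")
```

The entropy figure only holds for the real list size; the 21-word sample above gives a 5-word phrase only about 22 bits, which is why you load the actual EFF list rather than inventing words.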

Everything else goes in the vault.

Critical for solo users: set up a second signed-in device now. Your Tier 3 Recovery Kit will protect you against almost any single disaster, but there’s one scenario it can’t fully cover on its own: your house burns down with both your primary device AND your Home Kit inside. In that case the only ways to recover your Secret Key are (a) from another device you’re already signed in on, or (b) via 1Password Families recovery through a trusted family member. If you live alone and you’re on a Solo plan with no trusted person to add to a Families plan, add at least one secondary signed-in device to your 1Password account that lives somewhere other than your home: a work laptop, an old phone at a family member’s house, a tablet in your travel kit, a cheap spare phone tucked into a friend’s drawer. This is your house-fire insurance, and it’s load-bearing. Don’t skip it.

1.2 Stop reusing passwords

Go to haveibeenpwned.com. Type your email. This is Troy Hunt’s free service that catalogues billions of leaked credentials from past data breaches (over 17 billion at last count, across nearly a thousand known breaches). If your email appears (it almost certainly will), every password you’ve ever reused on those sites is public knowledge.

Credential-stuffing attacks test those leaked passwords against every other site you’ve ever signed up for, automatically and at scale, with tooling built to dodge each site’s rate limits. The only defence is a unique, random password for every site, generated and stored by 1Password. You’ll never type these passwords; 1Password fills them for you. You won’t memorise them, and you won’t need to.
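
The email lookup above tells you which breaches you were in. Have I Been Pwned also lets you check whether a specific password has appeared in a breach without ever sending it the password: you hash the password locally with SHA-1, send only the first five hex characters of the hash, and get back every hash suffix in that bucket with a count (the k-anonymity range API). This is an added Python example of both halves, not the guide’s or Troy Hunt’s code; the range response embedded in it is constructed, with a made-up count, so the check runs offline, and `fetch_range` (not called here) shows the live request.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called in this example


def sha1_hex_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix, suffix). Only the 5-character prefix ever leaves the machine;
    one prefix covers roughly a thousand real-world hashes, which is the anonymity set."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """The API answers with 'SUFFIX:COUNT' lines (padding lines have count 0)."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """How many times this exact password appeared in known breaches, or 0."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix, timeout=10):
    """Live lookup. Add-Padding asks the service to pad the response so its size
    does not leak which bucket was asked for."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a range response for prefix 5BAA6 (the bucket that holds
# SHA-1("password")). The real response has several hundred lines and the count
# for this suffix is in the millions; the number here is made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00011BD5D0B68D8B1B94D3B0D6B3A7A0B44:2
00013C3D7A5D5F9C0A1E3E7D9B2B6C9B3C1:0
"""


def check_against_sample(password):
    """Offline demo of the full flow using the constructed bucket above."""
    prefix, _ = split_for_range_query(password)
    if prefix != "5BAA6":
        return 0  # a real client would fetch_range(prefix) here
    return breach_count(password, SAMPLE_RANGE_5BAA6)
```

Password managers run exactly this check in their breach-report features; the point of the design is that a breached password is a per-site event, so a hit on one site tells you to rotate that one password, not to retire the rest.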

Start with your four most valuable accounts:

  1. Your primary email (Gmail / iCloud / Outlook). This one matters most. Every other account’s password reset goes through it.
  2. Your bank.
  3. Your phone carrier account. This one matters for SIM-swap defence (see 1.3 for the carrier-specific twist).
  4. Your main social account (Facebook / Instagram / etc). They hold a surprising amount of personal information and are the path of least resistance for account recovery flows.

Change each to a 1Password-generated password this weekend. Migrate everything else over the following week.

Security questions are passwords in disguise. Some older services still force you to set up “security questions” like “What is your mother’s maiden name?” or “What street did you grow up on?”. The answers are usually findable with five seconds of public search. Treat them as additional passwords: generate a random string as the answer, store the question and the answer in the 1Password entry for that site, and ignore the premise of the question. Never give a truthful answer.

1.3 Turn on MFA

For your primary email and social account, enable MFA right now. Use an authenticator app, either 1Password’s built-in TOTP (add it while editing the same vault entry) or Google Authenticator. Avoid SMS if you have any other option: SMS is vulnerable to SIM swap. (TOTP, time-based one-time password, is the six-digit code that rolls over every 30 seconds. It is computed on your device from a shared secret and the clock, so it needs no signal and nothing is sent to your phone.)

This is a deliberate temporary step. In Tier 2 we’ll replace the authenticator code with a hardware key for your primary email (and for 1Password itself). Once the key is working, delete the TOTP from those two accounts. For everything else, TOTP-in-1Password is your permanent MFA.

If you intend to stop before Tier 2, move the TOTP for your primary email out of 1Password and into a separate authenticator app (Aegis on Android, Raivo OTP or Ente Auth on iPhone). See FAQ 19 for why. The halfway configuration otherwise lands you in exactly the state FAQ 19 warns against.

Your bank and phone carrier are special cases in Australia and are covered in the Australia-specific section. Short version: Australian banks use their own in-app MFA or SMS fallbacks (not TOTP, not hardware keys), and Australian phone carriers rely on SMS plus carrier-specific identity checks (biometrics, account PIN, or security word, depending on the carrier). You’ll set both up there, not here.

1.4 Turn on autoupdates everywhere

Unpatched software is one of the main ways real-world compromise actually happens. A large share of the “hack” stories you read in the news are really “someone didn’t install a security update” stories.

  • iPhone: Settings → General → Software Update → Automatic Updates → both toggles on.
  • Mac: System Settings → General → Software Update → (i) → turn everything on.
  • Windows: Settings → Windows Update → Advanced options → turn everything on, including “Receive updates for other Microsoft products”.
  • Android: Settings → System → System update → Auto-download.
  • Browsers: Chrome, Firefox, Safari, Edge autoupdate by default. Don’t turn it off.

Tier 2: Hardware keys and passkeys

Time: ~60 minutes. Cost: ~AU$100 (two YubiKey Security Key C NFCs). Security gained: phishing resistance on the accounts that matter.

Why hardware keys?

App-based MFA blunts credential stuffing: a leaked password on its own no longer gets an attacker in. It does not stop phishing. If an attacker sends a convincing email linking to a fake Gmail login page, you’ll type your password, type the six-digit code from your authenticator app, and hand both to the attacker in real time; the attacker’s server relays them to the real site within the code’s 30-second window. Smart people fall for this every day.

There are two behavioural layers worth adopting regardless.

Never click login links in emails, SMS, or chat. Email sender addresses are trivially spoofable, and even a careful reader can be fooled by a well-made fake. When you get a message that wants you to sign into a service, open a new browser tab and type the service’s address yourself (or use a bookmark, or a URL you’ve deliberately chosen from a guide like this one; the rule is about links pushed at you, not links you type by hand). That habit alone defeats most phishing.

Never install remote-access software at the request of a caller or email. “Install AnyDesk/TeamViewer so I can help you” is the opening line of almost every tech-support and “Hi Mum” scam that empties Australian bank accounts. Real banks, real Microsoft, real Apple will never ask you to install remote-access software. If someone on the phone insists, hang up and call the official number yourself.

The hardware key is the next layer, because eventually even perfect behaviour slips.

Hardware keys are the fix, and here’s why, in one sentence:

The key won’t work on a site it’s not registered for.

Your YubiKey uses a protocol called FIDO2/WebAuthn. When you register it with Gmail, the credential it creates is bound to the site’s domain (the relying party ID), and your browser will only ever offer that credential to a page that is genuinely on that domain. A phishing page at accounts-google.com-secure.ru is a different domain, so the browser never presents the credential and the key never signs anything. Even if an attacker relays a real challenge, the key signs it together with the origin the browser saw, and the real site rejects a signature made for the wrong origin. The attacker gets nothing. You don’t have to spot the bad URL yourself; the browser and the key do it for you.

This is the single biggest leverage point in consumer security. Everything else teaches humans to be less gullible. Hardware keys remove the human from the loop.
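
The origin check above is the whole trick, so here it is as a small simulation of the three parties: the authenticator, the browser, and the site. This is an added Python example, not the guide’s code, Yubico’s, or any browser’s; it uses HMAC with a per-credential secret as a stand-in for the ECDSA key pair a real key holds, the RP ID check is simplified (real browsers also reject public suffixes like “com”), and the domains are the ones from the text. The same credential model is what passkeys use, so this also illustrates the passkeys paragraph further down.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit


class Authenticator:
    """Toy FIDO2 authenticator. A credential is stored under the RP ID it was
    created for, and the secret never leaves this object (stand-in for the
    private key that never leaves the hardware)."""

    def __init__(self):
        self._creds = {}  # (rp_id, credential_id) -> per-credential secret

    def make_credential(self, rp_id):
        cred_id = secrets.token_hex(16)
        key = secrets.token_bytes(32)
        self._creds[(rp_id, cred_id)] = key
        # A real key hands the server a public key; with HMAC the server holds the same secret.
        return cred_id, key

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        key = self._creds.get((rp_id, cred_id))
        if key is None:
            raise LookupError("no credential registered for this RP ID")
        # The signature covers the RP ID hash and the browser-built client data hash:
        # that is what ties it to one site and one challenge.
        return hmac.new(key, hashlib.sha256(rp_id.encode()).digest() + client_data_hash,
                        hashlib.sha256).digest()


def origin_matches_rp_id(origin, rp_id):
    """Browser rule: HTTPS only, and rp_id must equal the host or be a parent
    domain of it on a label boundary. 'accounts-google.com-secure.ru' and
    'google.com.evil.example' both fail this test for rp_id 'google.com'."""
    parts = urlsplit(origin)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return False
    return host == rp_id or host.endswith("." + rp_id)


def client_sign_in(authenticator, origin, rp_id, cred_id, challenge):
    """What the browser does on navigator.credentials.get(). The page cannot
    choose the origin field; the browser fills it from the real location bar."""
    if not origin_matches_rp_id(origin, rp_id):
        raise PermissionError(f"{origin} is not within RP ID {rp_id}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
    client_data_hash = hashlib.sha256(client_data.encode()).digest()
    signature = authenticator.get_assertion(rp_id, cred_id, client_data_hash)
    return {"clientData": client_data, "signature": signature}


def server_verify(assertion, key, rp_id, expected_origin, expected_challenge):
    """Relying-party check: its own origin, the challenge it issued, valid signature."""
    data = json.loads(assertion["clientData"])
    if (data.get("type") != "webauthn.get" or data.get("origin") != expected_origin
            or data.get("challenge") != expected_challenge):
        return False
    client_data_hash = hashlib.sha256(assertion["clientData"].encode()).digest()
    expected = hmac.new(key, hashlib.sha256(rp_id.encode()).digest() + client_data_hash,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def attempt_login(authenticator, page_origin, rp_id, cred_id, key, challenge,
                  real_origin="https://accounts.google.com"):
    """True only when the page the user is on is genuinely within the RP ID and
    the site accepts the assertion. A phishing page fails at the browser step."""
    try:
        assertion = client_sign_in(authenticator, page_origin, rp_id, cred_id, challenge)
    except (PermissionError, LookupError):
        return False
    return server_verify(assertion, key, rp_id, real_origin, challenge)
```

Compare this with the TOTP code earlier in the guide: there, the six digits are valid wherever they are typed; here, the signed response carries the origin, and a credential that was never created for the attacker’s domain is not even offered to it.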

What to buy

Get two YubiKey Security Key C NFCs. About AU$100 total (US$31.90 each direct from Yubico, or ~AU$50 each at Australian resellers).

Not the fancy YubiKey 5 Series (around AU$95 to AU$120 each). The Security Key line is the FIDO-only, roughly-half-price version, purpose-built for logging into websites and unlocking 1Password. 99% of the 5 Series’s extra features (TOTP storage, PGP, SSH, PIV smart-card auth) are for corporate IT you’ll never touch.

Why two? The real failure mode isn’t “my key got hacked.” It’s “I lost my key and I’m now locked out of everything.” One key lives on your keyring. One lives in your Home Kit (Tier 3). Lose one, the backup gets you in, and you buy a replacement the same day. Apple also requires two security keys to set up Apple ID hardware-key protection โ€” their documentation explicitly says “you must add and maintain at least two security keys” โ€” so if you’re an iPhone user, one key literally isn’t enough to complete enrolment.

Why NFC specifically? So you can tap the key against your iPhone or Android. Even if you never use the NFC flow, it costs essentially nothing extra. Get NFC.

What to enrol

Enrol both keys on, at minimum:

  • Primary email (Gmail / iCloud / Outlook)
  • 1Password (Security → Two-Factor Authentication → Security Key)
  • Any Google / Apple / Microsoft accounts you have
  • GitHub if you have one

Official enrolment guides beat anything I can write here.

After enrolling both keys on an account, remove TOTP and SMS as MFA options on that account. The key is stronger than SMS; leaving SMS enabled means your weakest link is still SMS, and that defeats the whole point. Print the one-time recovery codes before you remove anything, because a phone number you delete as a second factor may also disappear as a recovery option; the printed codes go in your Home Kit. On Google specifically, the Advanced Protection Program is the setting that locks the account to security keys and tightens recovery; it requires two keys, which you now have.

Passkeys, in one paragraph

Passkeys are FIDO2 credentials (the same phishing-resistant technology YubiKeys use), with the private key stored in your password manager or your phone’s secure hardware rather than on a physical key. Apple, Google, Microsoft, and 1Password are pushing them hard, and they’re gradually replacing passwords on major sites. Use them wherever offered. The mental model: 1Password is where your passkeys live day-to-day; your YubiKey is the second factor that gates signing 1Password into a new device. One caveat on that hierarchy: the YubiKey is not part of the vault’s encryption (that is still your passphrase plus Secret Key), so it stops an attacker who has your credentials from enrolling a new device, not one who already has an unlocked 1Password session on your laptop. With that limit understood, it is one clean hierarchy.


Tier 3: The Recovery Kit and Fire Drill

Time: 60 minutes to build, 30 minutes a year to rehearse. Security gained: you can lose your phone without losing your life.

This is the section every other consumer security guide skips, and it’s the reason most people never bother with the rest of the list. “What if I lose my phone in an Uber overseas?” “What if I forget my master passphrase?” “What if my laptop is stolen on day two of a three-week holiday?”

The answer isn’t “be more careful.” The answer is: build a Recovery Kit, and rehearse using it once a year.

The architecture

1Password’s security model is deliberately two-factor-at-rest. Even an attacker who steals an encrypted vault needs both your master passphrase (something you know) and your Secret Key (something you have, stored as the printed Emergency Kit). Our Recovery Kit has to preserve that separation. Otherwise a single burgled envelope hands the attacker everything.
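
The property this architecture depends on is easy to see in code: the key that unlocks the vault is derived from both secrets together, so an attacker holding one of them cannot test guesses of the other. This is an added Python example modelled on 1Password’s published two-secret key derivation, not 1Password’s own code; the PBKDF2 round count is kept small so it runs quickly, the salt is constructed, the keyed tag stands in for the encrypted vault, and the Secret Key generator does not reproduce 1Password’s exact formatting.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 20_000  # kept small for the example; real deployments use far more


def new_secret_key():
    """128 bits from the OS CSPRNG. Same size as 1Password's Secret Key; the
    'A3-XXXXXX-XXXXXX-...' grouping is not reproduced here."""
    return "A3-" + secrets.token_hex(16).upper()


def derive_unlock_key(passphrase, secret_key, salt):
    """Two-secret derivation: a slow, salted hash of the passphrase XORed with a
    keyed hash of the Secret Key. Either input alone yields a useless key, so a
    stolen vault plus the passphrase (or plus the Secret Key) is still not enough."""
    from_passphrase = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, 32)
    from_secret_key = hmac.new(secret_key.encode(), salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(from_passphrase, from_secret_key))


def make_verifier(unlock_key):
    """Stands in for the encrypted vault: a keyed tag only the right unlock key
    reproduces. (The real design wraps the vault keys with authenticated
    encryption under the derived key; same effect for this demonstration.)"""
    return hmac.new(unlock_key, b"vault-check", hashlib.sha256).digest()


def unlock(verifier, passphrase, secret_key, salt):
    candidate = make_verifier(derive_unlock_key(passphrase, secret_key, salt))
    return hmac.compare_digest(candidate, verifier)


def dictionary_attack(verifier, salt, candidate_passphrases, secret_key_guess):
    """Attacker holding the vault and its salt. With the real Secret Key this is
    an ordinary passphrase-guessing attack; with a wrong or unknown one, no guess
    can succeed even when the true passphrase is on the list."""
    for guess in candidate_passphrases:
        if unlock(verifier, guess, secret_key_guess, salt):
            return guess
    return None


if __name__ == "__main__":
    salt = b"constructed-account-salt"
    sk = new_secret_key()
    v = make_verifier(derive_unlock_key("tremor salsa outpour rental vertical", sk, salt))
    print(dictionary_attack(v, salt, ["password", "tremor salsa outpour rental vertical"], sk))
    print(dictionary_attack(v, salt, ["password", "tremor salsa outpour rental vertical"], "A3-WRONG"))
```

This is why the Emergency Kit (Secret Key) and the Break-Glass Envelope (passphrase) live in different places: each envelope on its own is a single input to an XOR, and the output is indistinguishable from random until the other input is present.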

Design principle: silent failure is unacceptable, loud failure is recoverable. You want this system to break visibly, not invisibly. That’s why the Break-Glass Envelope uses a tamper-evident seal (so you notice if it’s been opened), why the Home Kit lives in a labelled envelope in a known location (so you notice if it’s missing), and why the Fire Drill is rehearsed annually (so you notice if a recovery step is broken). A silent failure is one you discover on the day you desperately need the system to work. Design against them at every step.

The Kit has two pieces in two different physical locations:

Piece 1: The Home Kit

A labelled envelope in a specific drawer at home. Contains:

  1. Your printed 1Password Emergency Kit (the PDF from 1.1), with the master passphrase field left blank on the form. The official PDF 1Password generates has a field literally labelled “Master Password”; you are going to fight the form design and leave that box empty. The passphrase lives in your head, not on paper in the same envelope as the Secret Key.
  2. Your spare YubiKey, the second Security Key you bought in Tier 2. Travel carve-out: if you’re on the road for more than a few weeks at a time, the key that’s in your day bag is the spare, and this slot in the Home Kit holds a third key (or stays empty until the trip ends and the travel key returns). The overseas recovery scenario in the next section assumes you can physically tap this key; you can’t photograph a YubiKey to yourself from Tokyo.
  3. Printed one-time recovery codes for your primary email, 1Password, and any other account that offers them. Each service generates a set in account settings; print them when you set the account up, and regenerate them once a year.
  4. A reference sheet listing, for your four most-valuable accounts, the recovery email and phone number currently on file. If you’re locked out, you need to know what the recovery flow expects. Include international (+61-format) support phone numbers for your bank, phone carrier, and Services Australia, since 1300/1800 numbers often fail when dialled from overseas.

What is NOT in the Home Kit: your master passphrase. That lives in your head. Your passphrase is what makes the Secret Key secret. Putting them in the same envelope collapses the two-factor architecture and gives a burglar full access.

Piece 2: The Break-Glass Envelope

A tamper-evident bag (Officeworks sells them for a few dollars), sealed, signed and dated across the seal. Contains only your master passphrase, printed on a single sheet.

That’s it. No Secret Key, no backup of the Home Kit, just the passphrase.

Why so minimal? The Break-Glass Envelope is the single most exposed piece of your recovery plan, by design: it’s off-site, you rarely visit it, and it’s much harder to notice tampering than with a drawer at home. Keeping only one factor in it means that compromise of the envelope alone is not enough to unlock your vault. An attacker who steals the Break-Glass Envelope gets the passphrase, but not the Secret Key, not the backup YubiKey, not the recovery codes. They can’t log in.

Stored at, in descending order of preference:

  • A bank safe deposit box (≈AU$150/year, genuinely secure, survives house fires, requires ID to access)
  • A fireproof home safe bolted to the floor (one-off cost, defeats opportunistic burglary)
  • A trusted family member’s house, sealed in a tamper-evident bag (free, less secure, but vastly better than nothing)

The principle: an attacker needs to invest meaningful effort to reach this envelope. A drawer next to your laptop doesn’t count. The tamper-evident seal means you’ll notice if it’s been opened.

You only open the Break-Glass Envelope if you’ve genuinely forgotten your passphrase. Once opened, change your passphrase to a new one, reseal a fresh envelope, and put it back.

What if my house burns down with the Home Kit inside?

Fair question. The Secret Key isn’t in the Break-Glass Envelope, so you can’t retrieve it that way. Your recovery paths are:

  1. Another signed-in device. If you have an existing 1Password session anywhere else (a phone, a tablet, a work laptop, a spare device at a family member’s), you can retrieve your Emergency Kit from Settings → Account. Reprint, rebuild the Home Kit.
  2. 1Password Families recovery. If you’re on a Family plan with other members, any organiser can initiate an account recovery for you, which restores access without the Emergency Kit.

This is another argument for 1Password Families over Solo: you effectively get an “account-level” recovery mechanism via your family members. If you live alone, add a second device to 1Password now (an old phone, a spare laptop, a tablet), and keep it somewhere other than your main living space. That’s your house-fire insurance.

The annual fire drill

Pick a day you’ll remember (your birthday works well). Once a year, on that day, run this drill:

Before the drill. Find a computer you’ve never signed in on before: a friend’s laptop, a work machine you’ve never used for personal accounts, or a spare device that’s been factory-reset. Use a Chrome Guest profile (from the profile icon, or File → New Guest Window), not Incognito. The reason is that a Guest profile disables browser extensions entirely, which is exactly what you want on a machine you don’t control, because a hostile extension in the host’s normal profile could keylog everything you type into 1Password. (Guest mode does nothing against malware installed on the machine itself, so don’t borrow a device you have reason to distrust.) You’ll sign into 1Password via its web interface at my.1password.com, not the desktop app. Have your Home Kit physically with you. Leave the Break-Glass envelope sealed (unless you’ve actually forgotten your passphrase, in which case this drill just became real).

The script:

  1. 1Password recovery (target: vault open within 10 minutes)

    • Go to my.1password.com on the new device.
    • Enter your email, your Secret Key (from the printed Emergency Kit in your Home Kit), and your memorised master passphrase.
    • Expect a “verify this new device” step. 1Password’s sign-in on a brand-new browser will ask you to retrieve a short verification code from an already-linked device (typically your phone). This is the step most people discover for the first time in a real emergency; the drill is to discover it now. For the drill, use your phone to provide the code. (Real-emergency branch: if you don’t have any existing linked device, for example because you’ve genuinely lost your phone and your home laptop is unreachable, cold sign-in is not possible. You need to go through 1Password account recovery, which on a Families plan means asking another family organiser to initiate recovery for you. This is exactly why pre-trip item 10 below, “pack a spare phone with 1Password already signed in”, is load-bearing, not optional, for long trips.)
    • Complete MFA with your backup YubiKey.
    • Confirm you can see and decrypt your vault. Everything below depends on this working, so do it first.
  2. Primary email recovery (target: inbox within 5 minutes)

    • Go to accounts.google.com/signin (or the iCloud / Outlook equivalent).
    • Use the email password from 1Password (which you just unlocked in Step 1).
    • For MFA, use your backup YubiKey from the Home Kit, or a printed recovery code as a fallback.
  3. Bank access (target: 5 minutes)

    • Log into your banking app or website on the new device.
    • Expect this to fail. Australian banks don’t support hardware keys or standard authenticator apps. Their in-app MFA is device-bound, so recovering to a new device requires an SMS OTP, a phone call to support, or a branch visit with ID. That’s useful to know now, not on the day you lose your phone. Note exactly what the flow demanded and write the international customer support number on your Home Kit reference sheet.
  4. Phone carrier (target: 5 minutes)

    • Log into your carrier account. Same story as the bank: Australian carriers don’t support authenticator apps on consumer accounts, so you’re either logging in with SMS or calling customer support. This is why you set a port protection PIN (see the Australia section). If you set one, rehearse quoting it.

After the drill. Note what didn’t work. Fix it before you close the laptop. The first year you run this you’ll find two or three things that would have locked you out in a real emergency: a recovery code you never printed, a phone number your bank still has on file from two moves ago, a step-up flow that wants to SMS the phone you just pretended to lose. That’s the entire point of the drill. Fix them now, not at 2am in a hotel in a country whose language you don’t speak.

Also re-test whenever the recovery chain materially changes. New phone, new laptop, new email provider, moved house, new bank, new password manager. The calendar catches drift; material-change re-tests catch whatever you just reconfigured. Both NIST’s contingency planning guide and the ACSC Essential Eight treat “post-change” as an independent trigger for this reason.

By year three, the drill takes ten minutes and you genuinely feel confident losing your phone. That confidence is the whole game. It’s also the reason the rest of this guide is worth doing: security you’re too afraid to commit to is security you don’t actually have.


Tier 4: Devices and communications

Time: ~30 minutes. Security gained: the tail risks.

Full-disk encryption

Turn it on everywhere. If someone steals your laptop, full-disk encryption is the difference between “I need a new laptop” and “I need a new identity.”

  • macOS: System Settings → Privacy & Security → FileVault → Turn On. When asked how to unlock if you forget your password, choose to create a recovery key rather than using your iCloud account, and store that key in 1Password.
  • Windows 11 Pro: BitLocker. Control Panel → System and Security → BitLocker Drive Encryption (or search Start for “Manage BitLocker”). Copy the recovery key into 1Password.
  • Windows 11 Home: Device Encryption. Settings → Privacy & security → Device encryption. It needs a TPM and a Microsoft account sign-in; if the option isn’t there, the hardware doesn’t meet Microsoft’s requirements, which is common on older Home installs. Getting the recovery key: Windows uploads it to your Microsoft account automatically. Retrieve it from aka.ms/myrecoverykey and copy it into 1Password. Don’t rely on Microsoft as your only copy.
  • iPhone / Android: on by default once you set a passcode. Use six digits minimum, or an alphanumeric passcode if you can live with typing it. Modern phones rate-limit passcode attempts in hardware (Apple’s Secure Enclave and Google’s Titan security chips enforce escalating delays), which makes guessing slow, but those limits have been bypassed by forensic tooling before, and a four-digit PIN is easy to catch over someone’s shoulder. A longer passcode is your margin on both counts.
  • Lock your screen every time you walk away from your laptop. Full-disk encryption protects data on a powered-off device; a locked screen relies on the operating system’s lock, and an unlocked one has no protection at all. An attacker with a few minutes of unattended physical access to your unlocked laptop can plant a keylogger, copy out your unlocked 1Password vault, or install persistent malware. Set your screen to auto-lock after one minute of inactivity, and get in the habit of Super+L or Ctrl+Alt+L (most Linux desktops) / Cmd+Ctrl+Q (macOS) / Win+L (Windows) whenever you stand up.

Signal for sensitive messaging

WhatsApp’s end-to-end encryption uses the Signal Protocol and is genuinely fine for message contents. The problem isn’t the cryptography. The problem is Meta:

  1. Metadata. Who you talk to, when, how often, for how long, your full contact graph, your IP, your device, all go to Meta. Arguably more valuable than message contents.
  2. Backups. WhatsApp’s cloud backup (iCloud / Google Drive) is not end-to-end encrypted by default: Apple or Google, and anyone who can compel them, can read it, unless you’ve specifically enabled end-to-end encrypted backups with a separate passphrase or 64-digit key. Most people haven’t.
  3. Closed source. You can’t audit WhatsApp’s client. You can audit Signal’s.
  4. Incentives. Signal is a non-profit funded by donations. WhatsApp is owned by the largest surveillance-advertising company on Earth, with a 15-year pattern of walking back privacy promises once users are locked in.

Recommendation: use Signal for anything sensitive (finances, health, anything you’d regret Meta mining). Keep WhatsApp for family logistics if migrating your extended family is hopeless. Don’t fight a crusade; just move the stuff that matters. Set disappearing messages to 90 days as your default (Signal → Settings → Privacy → Default disappearing messages).

Backups

Back up data you’d cry over losing: photos, documents, creative work, tax records, notes. Follow 3-2-1: three copies, on two different kinds of storage, with one off-site. Easiest path for most readers is laptop drive + external USB drive + Backblaze Computer Backup (US$9/month unlimited, you install the consumer app and forget about it). If you’re comfortable in a terminal and want a more technical setup (cheaper, more flexible, more work) using Restic and Backblaze B2, see my automated backups guide.

It isn’t a backup until you’ve restored from it. Run your first restore test a week after setup, while the config is still fresh in your head. Pick a file you care about and actually retrieve it from your cloud backup onto a different computer than the one it normally lives on. The first time you try this, something will be broken: credentials forgotten, cloud app uninstalled, drive unmounted, permissions wrong. Fix it then, not on the day your laptop is stolen. After the first test, repeat every six months as ongoing maintenance, and also re-test whenever anything material changes (new computer, new backup tool, new cloud provider).
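
A restore test is only as good as what you compare the restored files against, and “it opened” misses silent truncation or a file that never made it into the backup set. This added Python example (not the guide’s code, nor Backblaze’s or Restic’s) builds a hash manifest at backup time and checks a restored tree against it; the scenario in `demo` is constructed in a temporary directory, with one file left out of the “restore” and one truncated, so it runs offline and shows what the check catches.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_sha256(path, chunk=1 << 20):
    """Streaming hash so large photos and videos don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> sha256 for every regular file under root. Create this at
    backup time and keep a copy with the backup and another elsewhere."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest.
    Returns (missing, corrupt, extra): files absent from the restore, files whose
    content differs, and files the backup contains that the manifest never listed."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    extra = sorted(set(restored) - set(manifest))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return missing, corrupt, extra


def demo():
    """Constructed scenario: back up a small tree, 'restore' it imperfectly
    (one file missing, one silently truncated), and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        dst = Path(tmp) / "restored"
        (src / "photos").mkdir(parents=True)
        (src / "photos" / "a.jpg").write_bytes(os.urandom(4096))
        (src / "tax-2024.pdf").write_bytes(b"%PDF-1.4 constructed sample\n" * 50)
        (src / "notes.txt").write_text("remember the drill\n")
        manifest = build_manifest(src)

        (dst / "photos").mkdir(parents=True)
        (dst / "photos" / "a.jpg").write_bytes((src / "photos" / "a.jpg").read_bytes())
        (dst / "tax-2024.pdf").write_bytes((src / "tax-2024.pdf").read_bytes()[:100])  # truncated
        # notes.txt deliberately never restored
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    missing, corrupt, extra = demo()
    print("missing:", missing, "corrupt:", corrupt, "extra:", extra)
```

Run `build_manifest` against the folders you back up and store the result beside the backup; on the six-monthly test, restore to a different machine and run `verify_restore`. An empty `missing` and `corrupt` is the only result that counts as a pass.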

Retire old devices

If a phone or laptop no longer receives manufacturer security updates, it’s a liability. Stop using it for anything sensitive. Rough current guidance: iPhones get 5 to 7 years of updates (Apple’s formal commitment is 5), Pixel 8 and later and Galaxy S24 and later promise 7, older Android models get 3 to 5, Macs get ~7, Windows laptops are supported as long as Windows supports them. Check your specific model’s support window and plan replacement around it.

Don’t log into personal accounts on work computers

Corporate-managed laptops run endpoint management and monitoring software. Depending on the deployment, it can log network traffic, inventory browser activity, and in some cases record screenshots or keystrokes for IT. All of this is legitimate for protecting company IP; it’s also deadly for your personal security posture. If you sign into your personal Gmail, 1Password, or banking from a corporate laptop, assume IT can see it, assume incident response can retrieve it months later, and assume it may show up in an audit log you’ll never know about.

Keep personal and work accounts on different devices. Use your own phone or laptop for personal business. This applies specifically to managed devices (ones where an employer’s IT department holds admin rights); a personal laptop you also use for freelance work is fine.


Honest limits: what this guide doesn’t cover

Defence in depth has a ceiling. I want you to finish this guide with your head around where the workflow ends and where genuine tradeoffs begin, not thinking you’re bulletproof. Six scenarios this guide does not cover:

1. Full compromise via parallel channels. If an attacker physically steals your Home Kit AND obtains your master passphrase through a separate channel (keylogging, phishing, or coercion), they have everything. FAQ 9’s rotation procedure is reactive: it shrinks the window of exposure after you notice, but it doesn’t prevent the period between compromise and detection. This is the inherent upper bound of the architecture you’ve chosen.

2. Determined targeted attackers. Nation-state adversaries, well-funded organised crime, a custom-tailored advanced persistent threat. These operators bring novel exploits, custom malware, surveillance budgets, and patience. The baseline here raises your bar enormously above opportunistic attackers, but it is not a defence against someone who specifically wants you. If that’s your threat model, EFF Surveillance Self-Defence (linked in Further Reading) is the right next step.

3. Supply-chain compromise of your tools. A malicious 1Password update, a backdoored Chrome extension, a compromised operating system image. Rare but real. Auto-updating from official sources is the best defence available this side of full manual auditing, which isn’t realistic for anyone.

4. Insider threat in your household. The Recovery Kit assumes the people you share your home with are trustworthy. If they aren’t, that’s a relationship problem this guide cannot solve.

5. Physical coercion and compelled disclosure. Someone holding a weapon, a border guard with a subpoena. If you’re compelled to unlock a device, you unlock it. The only real defence is not carrying the data in the first place, which is a separate craft (travel devices, compartmentalisation, wiping and restoring from backup) and out of scope here.

6. Total-loss disasters beyond double failures. Your house burns down, AND your off-site Break-Glass location is destroyed, AND every device you’re signed in on elsewhere is also gone. Tier 1’s “secondary signed-in device in a different physical location” requirement is the cheapest mitigation. Past that point, extreme tail risks are best handled by insurance, not security engineering.

You now have your head around the landscape. What you do with it is up to you.


Beyond the baseline

If you have a realistic targeted-attacker threat model (public-facing clinician, journalist, activist, politically exposed person), the baseline above is your starting point, not your ceiling. Consider:

  • Google Advanced Protection. Enforces security-key-on-every-login, restricts third-party app access, adds extra download scanning. Real gain, real friction (Apple Mail and some third-party apps break, recovery is harder). For a narrow population.
  • Compartmentalised email identities. Use an email aliasing service to mint a unique address for every account you sign up for. When a service is breached or starts spamming you, you kill the alias without affecting anything else. SimpleLogin (open source, Proton-owned) or Apple Hide My Email (Apple-only, bundled with iCloud+).
  • Virtual physical mail forwarding. A service receives your physical post, scans it, digitises it, and lets you decide per-item what to do (shred, forward, ignore). Your home address stops being given out to every merchant, subscription, or dinosaur institution. HotSnail is the Australian option; Earth Class Mail and Virtual Post Mail serve the US.
  • Virtual card numbers. Mint a unique credit card number per merchant so no single merchant breach compromises your actual card. privacy.com is the US gold standard (banks get very close in AU with Up, Wise, and Revolut).
  • Tor Browser for specific anonymous sessions.

Cryptocurrency custody, hot-wallet key management, hardware wallet hygiene, and seed-phrase backup strategy are all their own thing and out of scope for this post.


Australia-specific

myGov is the gateway to the ATO, Medicare, Centrelink, and your My Health Record. Protect it like a primary email:

  1. Unique 1Password-generated password.
  2. In myGov sign-in settings, choose “Use an authenticator app” and set up TOTP. You can store this TOTP in 1Password for convenience; myGov isn’t critical enough to need the separate-app treatment that 1Password itself gets (FAQ 19).
  3. Add a passkey as a sign-in method if myGov offers you one (rollout is in progress through 2026). Passkeys avoid the TOTP chicken-and-egg entirely.
  4. Link your myGov to a primary email you fully control and have MFA on.

Don’t install or use the old “myGov Code Generator” standalone app. Services Australia is retiring it in favour of standard authenticator apps and passkeys. If you already have it installed, switch to a standard TOTP authenticator before the Code Generator is removed from the stores.

Fallback if you lose your phone overseas: if your myGov TOTP is in 1Password and you’ve recovered your vault using your Home Kit + backup YubiKey, you already have it. If for some reason you don’t, your only fallback is calling Services Australia’s international line to verify identity manually, which can take hours. Write the Services Australia international support number on your Home Kit reference sheet.

Australian banking

The big four (CBA, ANZ, NAB, Westpac) use their own in-app MFA delivered through their own banking apps. They do NOT support hardware keys, standard authenticator apps, or passkeys as of early 2026. Their MFA is device-bound: once you’ve registered your phone with the app, logging in on that phone is painless. But recovering to a new phone is where the friction lives. The standard new-device flow requires, in some combination:

  • An SMS OTP to the mobile number on file.
  • A phone call to customer support from the number on file.
  • Your physical debit/credit card number plus in-branch ID verification.

What to actually do:

  1. Set a unique password in 1Password.
  2. Enable the in-app MFA that your bank offers (it’s usually on by default when you install their app).
  3. Keep the international customer-support phone number for your bank on your Home Kit reference sheet. You’ll need it if you lose your phone overseas.
  4. Keep a spare phone number on your bank profile if possible, one that you control from a different SIM (an eSIM on a backup travel phone, or a Google Voice / international line).
  5. Tell your bank when you travel, via their app or website, so they don’t block legitimate logins.

Australian phone carriers (Telstra, Optus, Vodafone, etc.)

Consumer carrier accounts in Australia don’t support authenticator apps or hardware keys. Your carrier login itself is still largely SMS-based. That sounds bad, and it is. But the real risk at the carrier layer isn’t “someone logs into my carrier dashboard.” It’s SIM swap, where an attacker calls your carrier impersonating you and convinces the support agent to port your number to a SIM they control. From there, every SMS-based MFA flow (including your bank’s) falls over.

The good news: since the ACMA Telecommunications Service Provider (Customer Identity Authentication) Determination 2022, every Australian carrier is required to apply multi-factor identity checks before any SIM port, replacement SIM, or high-risk account change. This is no longer an opt-in customer feature, it’s a regulated baseline. Each carrier implements it differently:

  • Telstra: biometric verification via the MyTelstra app, plus an account PIN.
  • Optus: an account PIN you set in your My Account.
  • Vodafone: an account password / security word.

What to actually do:

  1. Log into your carrier’s app or website, set whatever PIN / security word / biometric option they require, and enable it.
  2. Call customer support from the number on your account, confirm what’s on file, and ask explicitly that no SIM port or replacement-SIM request be authorised without that check.
  3. While you’re on the phone, ask what the override flow is if you lose your phone overseas (so you know what to expect).

Different carriers call this different things. The regulation requires it; the configuration is on you.

Card-not-present fraud

Your card details get leaked by merchants, not by you. The fix is virtual card numbers. Up, Wise, and Revolut all offer one-tap generation. Traditional banks are catching up slowly.

Troy Hunt is your Australian voice

Troy Hunt, who runs Have I Been Pwned, is Gold Coast-based and has been the definitive writer on passwords and breaches for over a decade. Subscribe to HIBP notifications with your primary email, it’s free, and it pings you the moment your address shows up in a new breach dump so you know to change that site’s password immediately.


FAQ

1. I’m about to travel for three weeks. What’s the pre-flight checklist?

  1. Rehearse the Tier 3 fire drill once this week, using your target travel device.
  2. Tell your bank, credit card companies, and travel card providers your dates via their app or website. Prevents false-positive fraud locks when you start using your card overseas. Australian banks usually let you do this in-app; some still require a phone call. Some expire after 30 days and need re-notification if the trip is longer.
  3. Test your backup restore path before you go. Pull a file down from your cloud backup onto a different computer. If you can’t do that today, you don’t have a working backup today.
  4. Carry your backup YubiKey on your person, in a different bag or pocket from your phone, ideally attached to something you always have (wallet, keys). Losing your phone and losing your key should be independent events.
  5. Memorise your master passphrase and at least two key phone numbers (your own, and a trusted contact’s).
  6. Brief a trusted person at home on where your Home Kit is and how to reach you if the worst happens. Important: if your phone is the thing you’ve lost, Signal and WhatsApp will both be unreachable, because linking either on a borrowed computer requires the mobile app you no longer have. The fallback channel is a voice call. Expect to dictate the 34-character Secret Key character by character over the phone while it’s written onto a scrap of paper at the other end. That’s also why item 11 below exists: if you’re travelling, the paper-in-wallet copy sidesteps this entire problem.
  7. Make sure your primary email recovery phone isn’t the one you’re about to lose. Add your trusted contact’s number, or an eSIM number you’ll keep working.
  8. Install your banking, messaging, and 1Password apps on a backup device if you have one: a spare phone, a travel tablet. Verify they work before you fly.
  9. Write your bank’s and your carrier’s international customer support numbers on the reference sheet in your wallet.
  10. (Load-bearing for trips longer than a couple of weeks; not optional) Pack a spare phone with 1Password installed and already signed in before you leave. A previous-gen phone in a drawer, a cheap second-hand Android, anything that boots. Test it before you go. This isn’t a nice-to-have: 1Password’s sign-in flow on a new device requires a verification code from an existing linked device, so if you lose your only signed-in device overseas, cold-recovery on a borrowed computer is impossible; your only recourse is the slower 1Password account recovery flow. A pre-signed-in spare phone collapses that entire problem: you’re now recovering to a known-good device in a hotel room instead of trying to cold-start in a panic.
  11. (Optional, supplementary to item 10) Carry an unlabelled paper copy of your 1Password Secret Key in your wallet. Treat the paper like cash: not in your phone case, not in your bag, in your wallet. This does NOT by itself let you sign in from scratch โ€” see item 10 for why. What it does do is save you from having to call home and have someone dictate a 34-character Secret Key to you over the phone when you’re recovering to your pre-linked spare phone after a factory reset. It’s a convenience during recovery, not a substitute for the spare device.

While travelling: any time you’re about to hand a device to a border officer or security checkpoint, restart it first. A restart forces the phone to require its passcode (not face/fingerprint) on the next unlock, which makes compelled biometric unlock much harder. This is a five-second action and should become a reflex.

2. I think I’m locked out right now. What do I do first?

Triage in this order:

  1. Get to a trusted computer. A friend’s laptop in a Chrome Guest Profile is ideal. Avoid hotel business centres, airport kiosks, and internet cafés. Shared computers may be keylogged or running hostile extensions. If you absolutely must use one as a last resort, change every password you typed on it, immediately afterwards.
  2. Recover your primary email first. Every other recovery flow goes through email. Use your backup YubiKey and a printed recovery code if you have them. If not, most providers have a “verify my identity” flow that asks increasingly personal questions; be patient.
  3. Recover 1Password second. The cleanest path is recovering to your pre-signed-in spare phone (travel prep item 10). Factory-reset it if you have to, reinstall 1Password, and sign in using the Secret Key. If the Secret Key is in your wallet already (item 11), type it directly; otherwise call your trusted person on a voice line (not a messaging app: if your phone is gone, Signal and WhatsApp are also gone, because both require the mobile app to activate a desktop session) and have them read the 34-character Secret Key to you out loud. If you have no pre-signed-in device at all (you weren’t prepared, or the spare is also lost), the only remaining path is 1Password account recovery: on a Families plan, another family organiser can initiate recovery for you; on an Individual plan, 1Password support will walk you through it but it takes longer. Budget hours, not minutes, for this branch.
  4. Bank and carrier third. Carrier is often the longest; plan for a phone call, not a web form. Many require a branch visit with ID, or an international call to their support line.
  5. Only after those are back, start worrying about everything else.

3. What if I forget my 1Password master passphrase?

You don’t recover the passphrase, 1Password can’t reset it for you. You recover access, by retrieving the Break-Glass Envelope from its off-site location, which contains the passphrase on paper. Then you immediately change to a new passphrase, generate a fresh envelope, and reseal it.

4. What if I lose both YubiKeys?

Use the printed recovery codes from your Home Kit to get into the accounts that matter, then order replacement keys and re-enrol them. You’re exposed until the new keys arrive, so prioritise ordering.

5. What if 1Password itself gets breached?

This is the real reason most people don’t use a password manager. Troy Hunt’s framing is the best one: “password managers don’t have to be perfect, they just have to be better than not having one.”

1Password’s architecture is designed so that even if their servers are fully compromised, attackers get an encrypted blob they can’t decrypt without your master passphrase and your Secret Key (neither of which ever leaves your devices). 1Password has been independently audited multiple times and has never had a breach that exposed plaintext vaults. Contrast this with the reality without a password manager: you reuse passwords, one of the hundreds of sites breached each year leaks yours, and your credentials are in a public dump within days. The password manager isn’t the single point of failure. Your brain is.
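Why a stolen server-side blob is useless without both secrets, shown as an added example rather than 1Password’s own code. This is a deliberately simplified model of the two-secret key derivation described in 1Password’s security design white paper: the account salt, the Secret Key, the wordlist and the PBKDF2 iteration count are all constructed for the demo (the real iteration count is far higher, and the real HKDF salts and info strings are not reproduced), and an HMAC “verifier” stands in for trying to decrypt the vault. The dictionary attack makes the point concrete: a weak passphrase on its own falls to a wordlist, the same passphrase XORed with a 128-bit Secret Key the server never holds does not, and an attacker who has burgled your Home Kit (FAQ 9) is back to having to crack the passphrase.

```python
import hashlib
import hmac

# Assumption: illustrative iteration count only; 1Password's real setting is much higher.
PBKDF2_ITERATIONS = 50_000

# Constructed demo values. The Secret Key merely imitates the A3-XXXXXX-... shape.
DEMO_ACCOUNT_SALT = b"demo-account-salt-0123456789"
DEMO_SECRET_KEY = "A3-DEMO12-DEMO34-DEMO5-DEMO6-DEMO7-DEMO8"
DEMO_PASSPHRASE = "correct horse battery staple"
DEMO_WORDLIST = ["password", "letmein", "qwerty123", DEMO_PASSPHRASE, "hunter2"]


def password_key(passphrase: str, account_salt: bytes) -> bytes:
    """Slow, salted stretch of the master passphrase (PBKDF2-HMAC-SHA256, 32 bytes)."""
    return hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), account_salt, PBKDF2_ITERATIONS, dklen=32
    )


def secret_key_stretch(secret_key: str, account_salt: bytes) -> bytes:
    """HKDF-extract-style step: one HMAC-SHA256 over the dash-stripped Secret Key.
    No slow stretching is needed; the Secret Key is already 128 bits of randomness."""
    raw = secret_key.replace("-", "").encode("ascii")
    return hmac.new(account_salt, raw, "sha256").digest()


def account_unlock_key(passphrase: str, secret_key: str, account_salt: bytes) -> bytes:
    """2SKD: XOR the two independently derived 32-byte keys. Losing either secret
    leaves the attacker with a uniformly random-looking 256-bit unknown."""
    p = password_key(passphrase, account_salt)
    s = secret_key_stretch(secret_key, account_salt)
    return bytes(a ^ b for a, b in zip(p, s))


def verifier(key: bytes) -> bytes:
    """Stand-in for 'does this key decrypt the vault': a MAC an attacker holding the
    server-side blob could test candidate keys against offline."""
    return hmac.new(key, b"vault-verifier", "sha256").digest()


def dictionary_attack(target: bytes, account_salt: bytes, wordlist, secret_key=None):
    """Offline guessing. With secret_key=None the attacker has only the server data;
    with a Secret Key in hand (e.g. from a stolen Home Kit) they can derive 2SKD keys."""
    for candidate in wordlist:
        if secret_key is None:
            key = password_key(candidate, account_salt)
        else:
            key = account_unlock_key(candidate, secret_key, account_salt)
        if hmac.compare_digest(verifier(key), target):
            return candidate
    return None


def demo() -> dict:
    salt = DEMO_ACCOUNT_SALT
    password_only = verifier(password_key(DEMO_PASSPHRASE, salt))
    two_secret = verifier(account_unlock_key(DEMO_PASSPHRASE, DEMO_SECRET_KEY, salt))
    return {
        # a passphrase-only scheme: the wordlist wins
        "password_only_cracked": dictionary_attack(password_only, salt, DEMO_WORDLIST),
        # 2SKD, attacker has the server blob but no Secret Key: every guess misses,
        # and brute-forcing the missing 128 bits is out of reach
        "2skd_server_breach": dictionary_attack(two_secret, salt, DEMO_WORDLIST),
        # 2SKD, attacker also stole the Secret Key (FAQ 9): back to cracking the passphrase
        "2skd_with_stolen_key": dictionary_attack(
            two_secret, salt, DEMO_WORDLIST, DEMO_SECRET_KEY
        ),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {'cracked ' + repr(result) if result else 'not cracked'}")
```

The third scenario is the reason FAQ 9 tells you to rotate everything after a burglary, and why the passphrase is never written into the Home Kit: the Secret Key protects you against a server breach, the passphrase protects you against a stolen Home Kit, and neither alone is enough for either.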

6. What if 1Password goes out of business, or gets acquired by someone I don’t trust?

1Password supports exporting your entire vault to standard formats (1PUX and CSV). Migrating to Bitwarden, Proton Pass, or another manager is an afternoon’s work, and every serious password manager supports importing from 1Password. You are not locked in. The lock-in risk is real in principle but low in practice, because the export ecosystem is mature.

7. If I store passkeys in 1Password, isn’t 1Password the single point of failure? And are passkeys really replacing passwords?

Passkeys are replacing passwords, slowly. Use them wherever offered. 1Password stores them alongside passwords with zero extra friction, and sites that support passkeys tend to have above-average security posture generally.

On the SPOF question: your YubiKey is the root of trust that unlocks 1Password. The hierarchy is YubiKey → 1Password → everything else. To sign in on a new device an attacker needs the YubiKey (physical theft), your Secret Key (from a signed-in device or your Home Kit) and your master passphrase (phishing, keylogging, coercion). That’s a vastly harder attack than guessing a password you reused on LinkedIn in 2012.

8. My whole digital life is in 1Password. Doesn’t that terrify you?

A little, yes. But my digital life is also in my memory, my Home Kit, my backup YubiKey, my Break-Glass envelope, and my email recovery flow. 1Password is the most convenient layer. It isn’t the only layer. Single-layer security is what should terrify you. Defence in depth is what lets you sleep.

9. My Home Kit got stolen in a burglary. Now what?

Treat this as a full compromise. Regenerate your 1Password Secret Key (Settings → Account → Regenerate), change your master passphrase, regenerate all printed recovery codes, reseal your Break-Glass Envelope with the new passphrase, and rebuild the Home Kit with fresh printed copies. Until you’ve done this, assume the burglar has the Secret Key and the backup YubiKey (they can’t actually get in without the passphrase, but you don’t want to keep the exposure open any longer than necessary). Buy a replacement backup YubiKey. This is the reason the passphrase is not stored in the Home Kit.

10. What if I die? How does my family access my accounts?

Three things. First, write a short letter explaining your Recovery Kit’s location and how to use it, store it with your will, and tell a trusted person it exists. Second, keep your printed 1Password Emergency Kit (the sign-in sheet 1Password generates for every account, carrying your sign-in address and Secret Key) with the Recovery Kit, and on a Families plan make sure another family organiser exists who can recover your account. Third, configure Apple’s Digital Legacy Contact and Google’s Inactive Account Manager. This is cheap, important, and the kind of thing survivors quietly thank you for.

11. Do I really need two YubiKeys? Isn’t that paranoid? What if one breaks?

The second key costs about AU$50. It’s the cheapest insurance you’ll ever buy. YubiKeys are passively powered (no battery) and rated for tens of thousands of uses. Breakage is rare, loss isn’t. Either way, the backup gets you in.

12. Can I just use my phone as a YubiKey via Face ID?

Partly. Apple and Google support a flow called hybrid transport (cross-device passkeys). Your phone uses Bluetooth proximity to authorise a sign-in on a nearby laptop, with Face ID as the user check. It’s genuinely useful as a convenience. But it isn’t a substitute for a dedicated hardware key. Your phone is also the single most likely thing you’ll drop, lose, or have stolen. Use phone-as-key on top of your YubiKeys, not instead of them.

13. My partner shares my 1Password vault. If their phone is compromised, am I compromised?

Partially, yes, which is why 1Password Families has personal vaults and shared vaults, separately. Shared vaults hold joint things (household utilities, streaming, insurance). Personal vaults hold your own accounts. A compromise of your partner’s device exposes shared vaults but not personal ones. Keep your banking, email, and high-value accounts in your personal vault. Make sure both of you have Tier 2 (hardware keys) set up so “compromise of phone” doesn’t cascade to “compromise of vault.”

14. What happens to my Recovery Kit when I move house?

The Home Kit moves with you: pack it in a labelled, sealed envelope and carry it in your hand luggage on moving day, not in a moving truck. The Break-Glass Envelope stays put if it’s at a safe deposit box; update the trusted person on your new address if it’s at a family member’s. Treat Kit location as a datum you maintain. Add it to your pre-travel checklist.

15. Why do I need a password manager if Chrome already saves my passwords?

Chrome’s built-in manager is better than nothing. It’s worse than a dedicated one because (a) it’s tied to one browser and ecosystem, so passwords don’t follow you to native apps or other browsers, (b) its generated passwords are shorter and less configurable, (c) passkey support is shallower, (d) it has no lock of its own: the whole thing is gated by your Google account sign-in, so it is exactly as strong as that account and no stronger. If you use Chrome PWM and nothing else, the advice is: move to 1Password.

16. Why 1Password instead of free Bitwarden or Apple’s iCloud Keychain?

Bitwarden is excellent. If you’re technical enough to weigh the decision on the merits, pick it with my blessing. iCloud Keychain is genuinely good (especially for passkeys) but Apple-only. If you’ll ever touch a Windows laptop, Chromebook, Android, or any cross-platform service, it fails. I recommend 1Password to non-technical family members because its UX polish drives higher day-to-day usage, which is the only metric that matters for a password manager.

17. Is SMS MFA really that bad? My bank only supports it.

SMS MFA is better than no MFA, and worse than an authenticator app, which is worse than a hardware key. The risk is SIM swap: an attacker convinces your carrier to port your number and receives all your codes. For any account that supports a better option, switch. For SMS-only accounts like Australian banks: (1) use SMS anyway, (2) enable a port protection PIN with your carrier (see the Australia section), (3) keep an international customer support number for your bank in your Home Kit, (4) switch banks if it matters.

18. My bank demands an SMS to my (lost) phone to let me log in. What now?

You’re calling customer support. Have your photo ID, your physical card, your account number, and your most recent transactions ready. Expect a verification process measured in tens of minutes, not seconds. If you’re overseas, the call is international and the agent will ask questions designed to catch impostors.

This is why the pre-flight checklist says “keep a spare phone number on your bank profile”: a secondary number on a backup SIM, a Google Voice line, or a family member’s phone you’ve explicitly pre-authorised with the bank. If you’ve done this, the SMS goes to the spare number and you’re back in. If you haven’t, budget at least an hour for the phone call and have a backup plan for paying for things in the meantime (cash, a travel-specific card on a different bank, a family member who can front you money).

19. Is it OK to store MFA codes in 1Password alongside my passwords?

For most accounts, yes. 1Password stores TOTP codes in the same entry as the password. Slightly less secure than a separate authenticator app (an attacker who fully compromises your vault gets both factors) but vastly more convenient, which means you actually turn on MFA everywhere instead of only on three accounts. The convenience wins.

The one exception: never store 1Password’s own TOTP inside 1Password itself. That would create a chicken-and-egg: signing into 1Password on a new device would need a TOTP code you could only generate by signing into 1Password. If your only active 1Password session is on the phone you’ve just lost, you’re stuck.

If you’ve done Tier 2 (two YubiKeys enrolled on 1Password) the chicken-and-egg simply doesn’t happen, because 1Password’s MFA second factor is your hardware key, not a TOTP. Sign-in on a new device is: email, Secret Key, master passphrase, tap the backup YubiKey from your Home Kit. No TOTP in the flow at all. This is the clean path and the one I recommend.

If you haven’t done Tier 2 and are using TOTP-based MFA on 1Password, that TOTP must live in a separate authenticator app: Aegis on Android, Raivo OTP or Ente Auth on iPhone, Google Authenticator cross-platform. Never inside 1Password itself.

Belt-and-suspenders readers (myself included) keep a YubiKey as primary MFA on 1Password and the same TOTP in a separate app as a fallback in case both hardware keys are unreachable. Harmless, slightly more resilient, strictly optional.

The same logic applies to your primary email (Gmail / iCloud / Outlook). Hardware key first; if you also keep a TOTP fallback, keep it in a separate app, not in 1Password. Every other TOTP can live in the vault.
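FAQ 19 (and the myGov TOTP advice in the Australia section) turns on one fact: a TOTP code is a pure function of a shared seed and the clock, so whichever app holds the seed (1Password, Aegis, Ente Auth) produces the same six digits, and “storing the TOTP in 1Password” means storing that seed. The RFC 6238 computation, as an added example that is not code from the original post, from 1Password, or from any authenticator app: it parses the otpauth:// URI behind an enrolment QR code (the myGov issuer label and address are a constructed stand-in; the seed is the RFC 6238 test seed), generates codes, and checks a submitted code with the one-step clock-drift window most servers allow.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, then mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(b32: str) -> bytes:
    """Seeds are shown base32 without padding and often with spaces; normalise first."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(b32_secret: str, at=None, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period). `at` defaults to now."""
    at = int(time.time()) if at is None else int(at)
    return hotp(decode_secret(b32_secret), at // period, digits, algorithm)


def verify_totp(b32_secret: str, code: str, at=None, window: int = 1,
                period: int = 30, digits: int = 6, algorithm: str = "sha1") -> bool:
    """Server-side check: accept the current step plus `window` steps either side,
    so a phone clock a few seconds adrift still works. Constant-time compare."""
    at = int(time.time()) if at is None else int(at)
    secret = decode_secret(b32_secret)
    step = at // period
    return any(
        hmac.compare_digest(hotp(secret, step + k, digits, algorithm), code)
        for k in range(-window, window + 1)
    )


def parse_otpauth(uri: str) -> dict:
    """Decode the otpauth://totp/... URI an enrolment QR code encodes."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth TOTP URI")
    q = parse_qs(u.query)
    label = unquote(u.path.lstrip("/"))
    default_issuer = label.split(":", 1)[0] if ":" in label else ""
    return {
        "label": label,
        "issuer": q.get("issuer", [default_issuer])[0],
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


# Constructed enrolment URI: RFC 6238 test seed ("12345678901234567890" in base32)
# with a made-up myGov label. Not a real account.
DEMO_URI = ("otpauth://totp/myGov:alice%40example.com"
            "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=myGov&digits=6&period=30")


def code_from_enrolment(uri: str, at=None) -> str:
    """What any authenticator app does with the scanned QR code."""
    e = parse_otpauth(uri)
    return totp(e["secret"], at, e["period"], e["digits"], e["algorithm"])


if __name__ == "__main__":
    e = parse_otpauth(DEMO_URI)
    # Two apps holding the same seed are interchangeable: both emit this code.
    print(e["issuer"], e["label"], "->", code_from_enrolment(DEMO_URI))
```

The seed is the secret; the six digits are disposable. That is why a seed copied into a second authenticator app (the belt-and-suspenders setup above) is a genuine fallback, and also why a seed sitting in a compromised vault is as good as the code itself.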

20. My partner and family won’t do any of this. How do I handle shared accounts?

You can’t force anyone; you can make it easy. 1Password Families lets you share a vault with your partner: set them up with the app, add a passkey, they never have to think about passwords again. For older parents who won’t install anything, the best you can do is give them a unique password for their email and their banking, turn on MFA (SMS if that’s all they’ll tolerate), and walk them through it in person. Anything is better than nothing.

21. What about my kids’ accounts?

Same basic rules, plus: set their accounts up on your 1Password Families plan so you as parent can help recover them. Teach them early that no legitimate service will ever ask them to hand over a password by phone, message or email. Phish-training conversations are this generation’s stranger-danger talk.

22. I already have decent passwords and SMS MFA. Isn’t that good enough?

It’s better than ~60% of the population today. The rising threat environment (see Claude Mythos) means good enough today is marginal tomorrow. The delta from where you are to Tier 2 of this guide is maybe two hours and AU$100. That’s the cheapest security upgrade you’ll ever make. Do it this weekend.


Further reading

If you’ve done Tiers 1–3, you’re above the easy-target line. You can stop reading and be genuinely safe.

If you want to go deeper:

  • EFF Surveillance Self-Defence: the canonical non-profit guide, no product shilling.
  • Andrej Karpathy, Digital Hygiene: a technical person’s personal setup. Several sections of this guide are drawn directly from Karpathy: the “security questions are passwords in disguise” advice in Tier 1.2, the “never click email links” behavioural rule in Tier 2, the work-computer warning in Tier 4, and the four-quadrant format of the stack-at-a-glance table at the top of the post. Read it in full for the privacy-maximalist extensions (NextDNS, Little Snitch, Brave, privacy.com, virtual mail forwarding) I deliberately left out of the baseline.
  • Troy Hunt’s blog: long-running, definitive voice on passwords and breaches.
  • Project Glasswing: Anthropic’s effort to harden critical software before Mythos-class capabilities diffuse.

Good luck. The bar is about to rise.