You don’t have to outrun the bear. You only have to outrun the other campers.

That’s the most important idea in personal digital security, and the one every “how to stay safe online” post buries. The bar for “not worth attacking” isn’t perfection; it’s being measurably harder to fool, break into, or hijack than 90% of the internet. Most attacks are automated, and automation hunts the cheapest targets.

The catch: that bar is about to rise, fast. Anthropic recently released Claude Mythos 5, a model that can find brand-new flaws in software on its own, and within days the US government forced it offline. Nicholas Carlini, one of the world’s top AI security researchers, said that with it he’d “found more bugs in the last couple of weeks than in the rest of my life combined.” Its general-release sibling, Fable 5, ships with those abilities deliberately walled off behind safeguards โ€” but the capable model is built, the bar has already moved, and the walls won’t hold everywhere. Project Glasswing is Anthropic’s effort with a fast-growing coalition of security partners to patch critical infrastructure before that kind of capability spreads to AI tools anyone can use. It will spread; other labs are months behind.

The headline-grabbing part of this (an AI finding brand-new flaws in software itself) is a problem for the companies that write that software, not for you, and no amount of personal hygiene stops it. What the same wave does to you is cheaper and more certain. Picture the call you’d actually fall for: your son’s voice, panicked, saying he’s been in an accident and needs money sent now, the cloned timbre lifted from thirty seconds of a podcast he was on. Or an email in your boss’s exact cadence, naming the project you’re really working on, asking you to approve a single payment. Both used to need a skilled human and a lucky guess. Now they’re generated fluent, personalised, and at infinite scale. That’s the part of the curve this guide is built for, and it’s already moving.

So lock down now, while it’s cheap. Not in a paranoid build-a-bunker way: a few hours of setup over a couple of weekends, thirty minutes a year to maintain, and the biggest wins land by the first Sunday night.

New here, or want the short version? Start with the 30-minute version โ€” the six steps that matter most โ€” then come back here for the depth. Either way, one thing has a lead time: if you’re going to use hardware keys (Tier 2), order them now. They’re the one item in this guide that arrives by post, so ordering early means the shipping wait never stalls you; passkeys cover you in the meantime.


Who this guide is for

You, if you’re a competent adult who uses a laptop, a phone, and the internet. No technical background required.

This guide protects you against:

  • Credential stuffing. Attackers take leaked username/password pairs from one site’s data breach and try them automatically against every other site you’ve signed up for. Works because people reuse passwords.
  • Phishing. Fake login pages that look real, designed to steal your password and your MFA code at the same time.
  • Lost or stolen devices. Someone finds your laptop on the train and tries to read everything on it.
  • Opportunistic malware. Drive-by downloads, malicious browser extensions, unpatched software being exploited by automated scanners.
  • SIM-swap attacks. An attacker convinces your phone carrier to port your number to a SIM they control, and starts intercepting your SMS codes.

This guide does not protect you against: a determined, well-resourced attacker who is specifically targeting you. If you’re a journalist, activist, politically exposed person, or you hold life-changing amounts of cryptocurrency, treat this as a starting point and see Beyond the baseline.

Format note. This guide is ordered by security-gained-per-minute-spent. If you stop halfway, you still get the biggest wins. Do Tier 1 this weekend, Tier 2 next weekend, come back for 3 and 4 when you can.

A note on terminology. I use MFA (multi-factor authentication) as the generic term throughout. You’ll also see 2FA (two-factor authentication) and 2SV (2-Step Verification, Google’s marketing name). They all mean the same thing: proving who you are in more than one way (something you know, something you have, something you are). I use MFA because it’s the most general and doesn’t hard-code an assumption about how many factors there are.


The stack at a glance

Everything in this guide, in four categories. If you remember only these four and come back for the details later, you have the mental model.

Several specific picks below are borrowed from Andrej Karpathy’s Digital Hygiene. See Further reading for the inventory. The four-bucket grouping is my own.


Tier 1: The 30-minute baseline

Time: ~30 minutes. Cost: ~AU$10/month. Security gained: the biggest single jump in this entire guide.

If you only ever do Tier 1, you’ve killed the most common ways ordinary people get compromised: reused passwords and no MFA. Do Tier 1.

1.1 Install 1Password

Get 1Password. The Family plan is US$5.99/month (โ‰ˆ AU$10) for up to five people across every device. Use it.

Yes, there are free alternatives. Bitwarden is open-source and free. Proton Pass is free with a Proton account. Both are fine. If you’re already on one of them, stay there and don’t churn; you already have 95% of the benefit of this section.

I recommend 1Password because it has the best-polished UX in the category, excellent family sharing, a cleanly-aligned business model (you pay for the product, so you’re not the product), and the best passkey support in consumer software. When a non-technical family member asks me what to install, the answer is 1Password, every time, because the chance they actually use it day-to-day is higher than the alternatives. A password manager you don’t use is worthless.

Setup:

  1. Sign up for a Family plan at 1password.com.
  2. Install the desktop app, phone app, and browser extension.
  3. Print your Emergency Kit. When you sign up, 1Password generates a PDF called the Emergency Kit. It contains your sign-in email, your Secret Key (a 34-character code unique to your account), a setup QR code that lets another device sign in without retyping the Secret Key, and a blank field for your master passphrase. Print this PDF and store the printed copy in your Home Kit (which you’ll build in Tier 3). Do not write your master passphrase on the Emergency Kit. Your passphrase lives in your head, and separately in a Break-Glass envelope stored off-site. Keeping them apart is the whole point of Tier 3’s architecture. Treat the Emergency Kit as sensitive: the setup QR is as valuable as the Secret Key itself, and anyone holding both the Emergency Kit and your passphrase can sign into your vault. Shred any extra printed copies.
  4. Set a strong master passphrase. Use five random words from the EFF diceware list, not thematically chosen, actually random. The reliable way to get “actually random” without trusting your own brain or a website: grab one ordinary six-sided die, roll it five times to get a five-digit number, look that number up on the EFF list to get one word, and repeat five times. The linked page walks you through it. Something like tremor salsa outpour rental vertical. At five words you’re at ~64 bits of entropy, enough to resist every realistic attacker. This is the one password you have to memorise. In week one, write it on a single sheet of paper, fold it, and hide it somewhere inconvenient (inside a book on a high shelf is a classic). Say it out loud twice a day, every day. By the end of the week you’ll be typing it without looking. At that point, take the paper and fold it into your Break-Glass Envelope (Tier 3). Don’t keep it anywhere else.

Everything else goes in the vault.

Critical: set up a second signed-in device now. This is the keystone of recovery, not optional polish. Here’s the trap most guides miss: signing into 1Password on a brand-new device asks you to approve it from a device you’re already signed in on. If your only signed-in device is the phone you just lost, you’re stuck unless you’ve printed your recovery code (Tier 3), because the Emergency Kit and your passphrase alone won’t get you back in (the full explanation is in FAQ 19 and the fire drill). The fix is to always have a second device signed in: a laptop, an old phone, a tablet. On a Families plan a trusted family organiser can also recover you. If you live alone on a Solo plan, this is the only thing standing between “lost phone” and “locked out of everything,” so don’t skip it, and keep that second device somewhere other than your home, which doubles as house-fire insurance. If you’re going to stop after Tier 1, this step and printed email recovery codes (1.3) are the two that keep a lost phone from becoming a lockout.

1.2 Stop reusing passwords

Go to haveibeenpwned.com. Type your email. This is Troy Hunt’s free service that catalogues many billions of leaked credentials across hundreds of known data breaches. If your email appears (it almost certainly will), every password you’ve ever reused on those sites is public knowledge.

Credential-stuffing attacks test those leaked passwords against every other site you’ve ever signed up for, automatically, millions of attempts per second. The only defence is a unique, random password for every site, generated and stored by 1Password. You’ll never type these passwords; 1Password fills them for you. You won’t memorise them, and you won’t need to.

Start with your four most valuable accounts:

  1. Your primary email (Gmail / iCloud / Outlook). This one matters most. Every other account’s password reset goes through it.
  2. Your bank.
  3. Your phone carrier account. This one matters for SIM-swap defence (see 1.3 for the carrier-specific twist).
  4. Your main social account (Facebook / Instagram / etc). They hold a surprising amount of personal information and are the path of least resistance for account recovery flows.

Change each to a 1Password-generated password this weekend. Migrate everything else over the following week.

Security questions are passwords in disguise. Some older services still force you to set up “security questions” like “What is your mother’s maiden name?” or “What street did you grow up on?”, answers which are usually findable with five seconds of public search. Treat them as additional passwords: generate a random string as the answer, store the question and the answer in the 1Password entry for that site, and ignore the premise of the question. Never give a truthful answer.

1.3 Turn on MFA

For your primary email and social account, enable MFA right now using an authenticator app, not SMS. Avoid SMS if you have any other option; it’s vulnerable to SIM swap. (TOTP = time-based one-time password, the six-digit code that rolls over every 30 seconds.) For your social account, 1Password’s built-in TOTP (add it while editing the same vault entry) is the convenient choice. For your primary email, use a separate authenticator app instead; the reason is the simple rule below.

This is a deliberate temporary step. In Tier 2 we’ll replace the authenticator code with a hardware key for your primary email (and for 1Password itself). Once the key is working, delete the TOTP from those two accounts. For everything else, TOTP-in-1Password is your permanent MFA.

The simple rule: every account’s TOTP can live in 1Password except the two that 1Password’s own recovery depends on: your 1Password account and your primary email. Those two go in a separate authenticator app (Aegis on Android, Raivo OTP or Ente Auth on iPhone) so a lost-vault or lost-phone moment can’t lock you out of the very thing you’d recover with. Tier 2 mostly makes this moot by replacing both with a hardware key โ€” though on a solo/Individual plan, keep the 1Password TOTP in that separate app as a both-keys-lost fallback (FAQ 19); until then, keep them separate. (Full reasoning in FAQ 19.)

If you intend to stop before Tier 2, also print your primary email’s one-time recovery codes (account security settings) and keep them somewhere safe at home. Combined with the separate-app email TOTP and a second signed-in device (1.1), that’s the minimum that keeps a lost phone from becoming a permanent lockout.

Your bank and phone carrier are special cases in Australia and are covered in the Australia-specific section. Short version: Australian banks use their own in-app MFA or SMS fallbacks (not TOTP, not hardware keys), and Australian phone carriers rely on SMS plus carrier-specific identity checks (biometrics, account PIN, or security word, depending on the carrier). You’ll set both up there, not here.

1.4 Turn on autoupdates everywhere

Unpatched software is how most real-world compromise actually happens. The “hack” stories you read in the news are really “someone didn’t install a security update” stories.

  • iPhone: Settings โ†’ General โ†’ Software Update โ†’ Automatic Updates โ†’ both toggles on.
  • Mac: System Settings โ†’ General โ†’ Software Update โ†’ (i) โ†’ turn everything on.
  • Windows: Settings โ†’ Windows Update โ†’ Advanced options โ†’ turn everything on, including “Receive updates for other Microsoft products”.
  • Android: Settings โ†’ System โ†’ System update โ†’ Auto-download.
  • Browsers: Chrome, Firefox, Safari, Edge autoupdate by default. Don’t turn it off.
  • Apps: an outdated PDF reader or chat app is just as exploitable as an outdated OS. On phones, turn on automatic app updates (App Store / Play Store settings). On desktop, prefer apps that self-update, and install from the OS app store where you can so updates are handled for you.

1.5 Agree a family safe word

The scams in the opening โ€” a cloned voice begging for money, an email in your boss’s exact cadence approving a payment โ€” don’t touch your passwords, so nothing above stops them. The defence is a verification habit, and it’s free:

  • A family safe word. Agree a word or question with the people who’d plausibly be impersonated to you โ€” kids, parents, partner. Anyone calling in a money-or-emergency panic has to give it. A cloned voice won’t know it.
  • Call back on a number you already have. Never act on an urgent request โ€” money, gift cards, a password, a code โ€” straight off an inbound call or message. Hang up and call the person back on the number already saved in your phone. The manufactured urgency is the attack.
  • At work, confirm payments on a second channel. Any request to approve, redirect, or change a payment gets verified through a different channel than the one it arrived on (a known phone number, in person), no matter how exactly it matches your boss’s voice or a supplier’s email.

Tier 2: Hardware keys and passkeys

Time: ~60 minutes. Cost: ~AU$100 (two YubiKey Security Key C NFCs). Security gained: phishing resistance on the accounts that matter.

Why hardware keys?

App-based MFA stops password reuse. It does not stop phishing. If an attacker sends a convincing email linking to a fake Gmail login page, you’ll type your password, type the six-digit code from your authenticator app, and hand both to the attacker in real time. Smart people fall for this every day.

There are two behavioural layers worth adopting regardless.

Never click login links in emails, SMS, or chat. Email sender addresses are trivially spoofable, and even a careful reader can be fooled by a well-made fake. When you get a message that wants you to sign into a service, open a new browser tab and type the service’s address yourself (or use a bookmark, or a URL you’ve deliberately chosen from a guide like this one; the rule is about links pushed at you, not links you type by hand). That habit alone defeats most phishing.

Never install remote-access software at the request of a caller or email. “Install AnyDesk/TeamViewer so I can help you” is the opening line of almost every tech-support and “Hi Mum” scam that empties Australian bank accounts. Real banks, real Microsoft, real Apple will never ask you to install remote-access software. If someone on the phone insists, hang up and call the official number yourself.

The hardware key is the next layer, because eventually even perfect behaviour slips.

Hardware keys are the fix, and here’s why, in one sentence:

The key won’t work on a site it’s not registered for.

Your YubiKey uses a protocol called FIDO2/WebAuthn. When you register it with Gmail, it records that this key is for accounts.google.com, and only for accounts.google.com. When you try to sign in on a phishing page at accounts-google.com-secure.ru, the key refuses. The attacker gets nothing. You don’t have to spot the bad URL yourself; the key does it for you.

This is the single biggest leverage point in consumer security. Everything else teaches humans to be less gullible. Hardware keys remove the human from the loop.

What to buy

Get two YubiKey Security Key C NFCs. About AU$100 total (US$29 each direct from Yubico, or ~AU$50 each at Australian resellers).

Order only from Yubico directly or an authorised reseller. Skip Amazon third-party listings, eBay, and unknown marketplaces. A hardware security key is the one purchase where supply-chain tampering really matters, and a tampered unit defeats its own point. Yubico’s own product page names authorised resellers for your region.

Not the fancy YubiKey 5 Series (around AU$95โ€“120 each). The Security Key line is the FIDO-only, roughly-half-price version, purpose-built for logging into websites and unlocking 1Password. 99% of the 5 Series’s extra features (TOTP storage, PGP, SSH, PIV smart-card auth) are for corporate IT you’ll never touch.

Why two? The real failure mode isn’t “my key got hacked.” It’s “I lost my key and I’m now locked out of everything.” One key lives on your keyring. One lives in your Home Kit (Tier 3). Lose one, the backup gets you in, and you buy a replacement the same day. Apple also requires two security keys to set up Apple ID hardware-key protection: their documentation explicitly says “you must add and maintain at least two security keys”, so if you’re an iPhone user, one key literally isn’t enough to complete enrolment.

Why NFC specifically? So you can tap the key against your iPhone or Android. Even if you never use the NFC flow, it costs next to nothing extra. Get NFC.

What to enrol

Enrol both keys on, at minimum:

  • Primary email (Gmail / iCloud / Outlook)
  • 1Password (Security โ†’ Two-Factor Authentication โ†’ Security Key)
  • Any Google / Apple / Microsoft accounts you have
  • GitHub if you have one

Official enrolment guides beat anything I can write here:

After enrolling both keys on an account, remove TOTP and SMS as MFA options on that account. The key is stronger than SMS; leaving SMS enabled means your weakest link is still SMS, and that defeats the whole point. (Keep the printed backup / recovery codes for these accounts, which go in your Home Kit.)

One exception: 1Password itself on a solo/Individual plan. If your only second factor is two YubiKeys and you lose both, a recovery code can’t get you back in on its own โ€” so keep a separate-app TOTP on your 1Password account as the both-keys-lost fallback (why). On a Families plan you don’t need it: a family organiser’s recovery resets your 2FA.

Passkeys, in one paragraph

Passkeys are FIDO2 credentials (the same phishing-proof technology YubiKeys use), stored in your password manager or phone secure enclave rather than on a physical key. Apple, Google, Microsoft, and 1Password are pushing them hard, and they’re gradually replacing passwords on major sites. Use them wherever offered. The mental model: 1Password is where your passkeys live day-to-day; your YubiKey guards the door to 1Password itself. If 1Password’s servers are ever breached, what saves you is that your vault is encrypted with your master passphrase and Secret Key โ€” neither of which ever leaves your devices (FAQ 5). The YubiKey adds the other half: phishing-proof sign-in, so even someone who tricked you out of your passphrase can’t complete a new login without the physical key. One clean hierarchy.


Tier 3: The Recovery Kit and Fire Drill

Time: 60 minutes to build, 30 minutes a year to rehearse. Security gained: you can lose your phone without losing your life.

This is the section every other consumer security guide skips, and it’s the reason most people never bother with the rest of the list. “What if I lose my phone in an Uber overseas?” “What if I forget my master passphrase?” “What if my laptop is stolen on day two of a three-week holiday?”

The answer isn’t “be more careful.” The answer is: build a Recovery Kit, and rehearse using it once a year.

If the full kit feels like a lot, do the 80/20 version first. The minimum that turns a lost phone from a catastrophe into an annoyance is two things, ten minutes total: a second device signed into 1Password (your everyday laptop counts; an old phone, tablet, or spare laptop kept somewhere other than your main living space is better still, doubling as house-fire insurance) and your printed recovery codes for 1Password and primary email in a drawer at home. That’s the floor โ€” do it today. Everything below โ€” the tamper-evident off-site envelope, the labelled Home Kit, the birthday fire drill โ€” is the completionist build that makes recovery robust rather than merely possible. Come back for it when you have an afternoon; don’t let its size stop you banking the floor now.

The architecture

1Password’s security model is deliberately two-factor-at-rest. Even an attacker who steals an encrypted vault needs both your master passphrase (something you know) and your Secret Key (something you have, stored as the printed Emergency Kit). Our Recovery Kit has to preserve that separation. Otherwise a single burgled envelope hands the attacker everything.

Design principle: silent failure is unacceptable, loud failure is recoverable. You want this system to break visibly, not invisibly. That’s why the Break-Glass Envelope uses a tamper-evident seal (so you notice if it’s been opened), why the Home Kit lives in a labelled envelope in a known location (so you notice if it’s missing), and why the Fire Drill is rehearsed annually (so you notice if a recovery step is broken). A silent failure is one you discover on the day you desperately need the system to work. Design against them at every step.

The Kit has two pieces in two different physical locations:

Piece 1: The Home Kit

A labelled envelope in a specific drawer at home. Contains:

  1. Your printed 1Password Emergency Kit (the PDF from 1.1), with the master passphrase field left blank on the form. The official PDF 1Password generates has a field literally labelled “Master Password”; you are going to fight the form design and leave that box empty. The passphrase lives in your head, not on paper in the same envelope as the Secret Key.
  2. Your spare YubiKey, the second Security Key you bought in Tier 2. The one rule that resolves every “which key goes where” question: one key is always within reach, the other is always somewhere you’d still have it if the first were lost or stolen. At home that means one on your keyring, one in this Home Kit. Travelling, it means one on your person and the spare in a separate bag, and for trips longer than a few weeks, you buy a third key so the Home Kit slot is never left empty while you’re away (the overseas recovery scenario in the next section assumes you can physically tap a key; you can’t photograph a YubiKey to yourself from Tokyo).
  3. Printed backup / recovery codes for the accounts that offer them โ€” and note they come in two flavours. Your primary email (Gmail / iCloud / Outlook) gives a numbered list of one-time backup codes: each is single-use, so regenerate the set once you’ve spent one. 1Password gives a single reusable recovery code instead โ€” one code, stays valid after use, so you print it once and don’t regenerate annually. Generate and print each when you set the account up, and store them here. (Note: a 1Password recovery code doesn’t switch off your 2FA, which is why a solo-plan user also keeps a separate-app TOTP โ€” see FAQ 19.)
  4. A reference sheet listing, for your four most-valuable accounts, the recovery email and phone number currently on file. If you’re locked out, you need to know what the recovery flow expects. Include international (+61-format) support phone numbers for your bank, phone carrier, and Services Australia; 1300/1800 numbers often fail when dialled from overseas.

What is NOT in the Home Kit: your master passphrase. That lives in your head. Your passphrase is what makes the Secret Key secret. Putting them in the same envelope collapses the two-factor architecture and gives a burglar full access.

Piece 2: The Break-Glass Envelope

A tamper-evident bag (Officeworks sells them for a few dollars), sealed, signed and dated across the seal. Contains only your master passphrase, printed on a single sheet.

That’s it. No Secret Key, no backup of the Home Kit, just the passphrase.

Why so minimal? The Break-Glass Envelope is the single most exposed piece of your recovery plan, by design: it’s off-site, you rarely visit it, and it’s much harder to notice tampering than with a drawer at home. Keeping only one factor in it means that compromise of the envelope alone is not enough to unlock your vault. An attacker who steals the Break-Glass Envelope gets the passphrase, but not the Secret Key, not the backup YubiKey, not the recovery codes. They can’t log in.

Stored at, in descending order of preference:

  • A bank safe deposit box (โ‰ˆAU$150/year, genuinely secure, survives house fires, requires ID to access)
  • A fireproof home safe bolted to the floor (one-off cost, defeats opportunistic burglary)
  • A trusted family member’s house, sealed in a tamper-evident bag (free, less secure, but vastly better than nothing)

The principle: an attacker needs to invest meaningful effort to reach this envelope. A drawer next to your laptop doesn’t count. The tamper-evident seal means you’ll notice if it’s been opened.

You only open the Break-Glass Envelope if you’ve genuinely forgotten your passphrase. Once opened, change your passphrase to a new one, reseal a fresh envelope, and put it back.

What if my house burns down with the Home Kit inside?

Fair question. The Secret Key isn’t in the Break-Glass Envelope, so you can’t retrieve it that way. Your recovery paths are:

  1. Another signed-in device. If you have an existing 1Password session anywhere else (a phone, a tablet, a work laptop, a spare device at a family member’s), you can retrieve your Emergency Kit from Settings โ†’ Account. Reprint, rebuild the Home Kit.
  2. 1Password Families recovery. If you’re on a Family plan with other members, any organiser can initiate an account recovery for you, which restores access without the Emergency Kit.

This is another argument for 1Password Families over Solo: you effectively get an “account-level” recovery mechanism via your family members. If you live alone, add a second device to 1Password now (an old phone, a spare laptop, a tablet), and keep it somewhere other than your main living space. That’s your house-fire insurance.

Travelling: the recovery pack that leaves home with you

Your Home Kit is the centre of this whole design, and it’s at home, which is exactly where you aren’t when you lose a phone in an Uber in another country. So a trip longer than a couple of weeks needs its own miniature, carried recovery kit. This is not optional polish; without it, the verify-this-new-device step (next section) can leave you genuinely locked out abroad with the Home Kit a fifteen-hour flight away. The non-negotiable items:

  1. A spare phone with 1Password already signed in before you leave. This is the single most load-bearing item. It’s the already-linked device that approves a sign-in on anything else, so it collapses the lockout scenario into “recover to a known-good device in my hotel room.” A previous-gen phone from a drawer is fine.
  2. A YubiKey on your person, in a different pocket or bag from your phone, so losing one isn’t losing both.
  3. Printed recovery / backup codes for 1Password (its reusable recovery code) and your primary email (its one-time backup codes) โ€” copies from the Home Kit, not the originals.
  4. A wallet card with your bank’s and carrier’s international support numbers, and (treated like cash, unlabelled) your 1Password Secret Key.

The full pre-trip checklist is FAQ 1; these four are the ones that, missing, turn an inconvenience into a lockout.

The annual fire drill

Pick a day you’ll remember (your birthday works well). Once a year, on that day, run this drill:

Before the drill. Use a computer you’ve never signed in on before, so the drill genuinely tests a cold device โ€” but choose it carefully, because you’re about to type your Secret Key and master passphrase into it. Best is a spare personal device that’s been factory-reset; a friend’s personal laptop is an acceptable fallback. Don’t use a managed work computer โ€” the same endpoint software that surfaces your activity to IT (the reason Tier 4 says keep personal accounts off work machines) can capture both secrets, and unlike a password those are painful to rotate. Whatever the machine, use a Chrome Guest Profile (File โ†’ New Guest Window) or a fresh Firefox profile, not plain Incognito: a guest profile disables browser extensions entirely, so a hostile extension in the host’s normal profile can’t keylog everything you type into 1Password. (That stops extension-level snooping, not OS-level malware โ€” another reason a reset personal device beats a borrowed one.) You’ll sign into 1Password via its web interface at my.1password.com, not the desktop app. Have your Home Kit physically with you. Leave the Break-Glass envelope sealed (unless you’ve actually forgotten your passphrase, in which case this drill just became real).

The script:

  1. 1Password recovery (target: vault open within 10 minutes)

    • Go to my.1password.com on the new device.
    • Enter your email, your Secret Key (from the printed Emergency Kit in your Home Kit), and your memorised master passphrase.
    • Expect a “verify this new device” step, and rehearse it the hard way. 1Password’s sign-in on a brand-new browser asks you to approve the device from an already-linked device. The instinct is to grab your everyday phone and tap approve, but that phone is exactly the thing a real emergency takes away, so approving from it teaches you nothing. Do the drill as if that phone is gone: approve from your second signed-in device instead: the spare laptop, tablet, or pre-signed-in travel phone you set up in 1.1. If that device gets you in, you’ve proven the path that actually saves you. If it doesn’t, you’ve found your single biggest gap on a calm afternoon instead of at 2am abroad. (The branch with no linked device at all โ€” phone lost, no second device โ€” is what your printed recovery code is for: enter it at my.1password.com, verify through your account email, and 1Password generates a fresh Secret Key and lets you set a new passphrase, all locally, with no already-linked device required. Two catches keep it a fallback rather than the main path: it runs through your email, so you have to recover email access first, and it only exists if you generated and printed it ahead of time (Piece 1). If you have neither a linked device nor a recovery code, you’re down to the slow 1Password account recovery flow, which on a Families plan means another family organiser initiates recovery for you, and on a Solo plan means a support process measured in hours. That is why the second signed-in device in 1.1, the recovery code in your Home Kit, and the pre-signed-in travel phone in FAQ 1 are load-bearing, not optional.)
    • Complete MFA with your backup YubiKey.
    • Confirm you can see and decrypt your vault. Everything below depends on this working, so do it first.
  2. Primary email recovery (target: inbox within 5 minutes)

    • Go to accounts.google.com/signin (or the iCloud / Outlook equivalent).
    • Use the email password from 1Password (which you just unlocked in Step 1).
    • For MFA, use your backup YubiKey from the Home Kit, or a printed recovery code as a fallback.
  3. Bank access (target: 5 minutes)

    • Log into your banking app or website on the new device.
    • Expect this to fail. Australian banks don’t support hardware keys or standard authenticator apps. Their in-app MFA is device-bound, so recovering to a new device requires an SMS OTP, a phone call to support, or a branch visit with ID. That’s useful to know now, not on the day you lose your phone. Note exactly what the flow demanded and write the international customer support number on your Home Kit reference sheet.
  4. Phone carrier (target: 5 minutes)

    • Log into your carrier account. Same story as the bank: Australian carriers don’t support authenticator apps on consumer accounts, so you’re either logging in with SMS or calling customer support. This is why you set a port protection PIN (see the Australia section). If you set one, rehearse quoting it.

After the drill. Note what didn’t work. Fix it before you close the laptop. The first year you run this you’ll find two or three things that would have locked you out in a real emergency: a recovery code you never printed, a phone number your bank still has on file from two moves ago, a step-up flow that wants to SMS the phone you just pretended to lose. That’s the entire point of the drill. Fix them now, not at 2am in a hotel in a country whose language you don’t speak.

Also re-test whenever the recovery chain materially changes. New phone, new laptop, new email provider, moved house, new bank, new password manager. The calendar catches drift; material-change re-tests catch whatever you just reconfigured. Both NIST’s contingency planning guide and the ACSC Essential Eight treat “post-change” as an independent trigger for this reason.

By year three, the drill takes ten minutes and you genuinely feel confident losing your phone. That confidence is the whole game. It’s also the reason the rest of this guide is worth doing: security you’re too afraid to commit to is security you don’t actually have.


Tier 4: Devices and communications

Time: ~30 minutes. Security gained: the tail risks.

Full-disk encryption

Turn it on everywhere. If someone steals your laptop, full-disk encryption is the difference between “I need a new laptop” and “I need a new identity.”

  • macOS: System Settings โ†’ Privacy & Security โ†’ FileVault โ†’ Turn On. Store the recovery key in 1Password, not in iCloud.
  • Windows 11 Pro: BitLocker. Control Panel โ†’ System โ†’ BitLocker Drive Encryption. Copy the recovery key into 1Password.
  • Windows 11 Home: Device Encryption, same control panel. Requires a Microsoft account sign-in and a TPM; older Home installs may not qualify, and if it’s greyed out that’s why. Two silent traps here, so verify both now rather than assume: (1) on a local account (no Microsoft account), Device Encryption is often simply off and your disk is unencrypted, so sign in with a Microsoft account and turn it on; (2) when it is on, Windows escrows the recovery key to your Microsoft account automatically, and people get locked out after a Windows update reboots into recovery and asks for a key they never knew existed. Go to aka.ms/myrecoverykey today, confirm a key is actually listed there, and copy it into 1Password. Don’t rely on Microsoft as your only copy.
  • iPhone / Android: on by default once you set a passcode. Use six digits minimum (a longer alphanumeric passcode is better still on a high-value phone). On a modern phone the main reason isn’t online brute force; Apple’s Secure Enclave and Google’s Titan M2 hardware-rate-limit guess attempts, which already makes blind guessing impractical (though the exact protection varies by device and OS). The reason to go past four digits is the shoulder-surfing case: six digits are meaningfully harder to catch watching you unlock than four.
  • Lock your screen every time you walk away from your laptop. FDE only protects you when the device is off or locked. An attacker with a few minutes of unattended physical access to your unlocked laptop can plant a keylogger, exfiltrate your 1Password vault, or install persistent malware. Set your screen to auto-lock after one minute of inactivity, and get in the habit of Ctrl+L (Linux) / Cmd+Ctrl+Q (macOS) / Win+L (Windows) whenever you stand up.

Signal for sensitive messaging

WhatsApp’s end-to-end encryption uses the Signal Protocol and is genuinely fine for message contents. The problem isn’t the cryptography. The problem is Meta:

  1. Metadata. Who you talk to, when, how often, for how long, your full contact graph, your IP, your device, all go to Meta. Arguably more valuable than message contents.
  2. Backups. WhatsApp’s default cloud backup (iCloud / Google Drive) is plaintext unless you’ve specifically enabled end-to-end encrypted backups with a separate passphrase. Most people haven’t.
  3. Closed source. You can’t audit WhatsApp’s client. You can audit Signal’s.
  4. Incentives. Signal is a non-profit funded by donations. WhatsApp is owned by the largest surveillance-advertising company on Earth, with a 15-year pattern of walking back privacy promises once users are locked in.

Recommendation: use Signal for anything sensitive (finances, health, anything you’d regret Meta mining). Keep WhatsApp for family logistics if migrating your extended family is hopeless. Don’t fight a crusade; just move the stuff that matters. Set disappearing messages to 90 days as your default (Signal โ†’ Settings โ†’ Privacy โ†’ Default disappearing messages).

Backups

Back up data you’d cry over losing: photos, documents, creative work, tax records, notes. Follow 3-2-1: three copies, on two different kinds of storage, with one off-site. Easiest path for most readers is laptop drive + external USB drive + Backblaze Computer Backup (US$9/month unlimited, you install the consumer app and forget about it). If you’re comfortable in a terminal and want a more technical setup (cheaper, more flexible, more work) using Restic and Backblaze B2, see my automated backups guide.

It isn’t a backup until you’ve restored from it. Run your first restore test a week after setup, while the config is still fresh in your head. Pick a file you care about and actually retrieve it from your cloud backup onto a different computer than the one it normally lives on. The first time you try this, something will be broken: credentials forgotten, cloud app uninstalled, drive unmounted, permissions wrong. Fix it then, not on the day your laptop is stolen. After the first test, repeat every six months as ongoing maintenance, and also re-test whenever anything material changes (new computer, new backup tool, new cloud provider).

Retire old devices

If a phone or laptop no longer receives manufacturer security updates, it’s a liability. Stop using it for anything sensitive. Rough current guidance: iPhones get 5โ€“7 years of updates (Apple’s formal commitment is 5), Pixel 8 and later and Galaxy S24 and later promise 7, older Android models get 3โ€“5, Macs get ~7, Windows laptops are supported as long as Windows supports them. Check your specific model’s support window and plan replacement around it.

Don’t log into personal accounts on work computers

Corporate-managed laptops run endpoint management software that logs network traffic, takes periodic screenshots, records keystrokes, or surfaces browser activity to IT. All of this is legitimate for protecting company IP; it’s also deadly for your personal security posture. If you sign into your personal Gmail, 1Password, or banking from a corporate laptop, assume IT can see it, assume incident response can retrieve it months later, and assume it may show up in an audit log you’ll never know about.

Keep personal and work accounts on different devices. Use your own phone or laptop for personal business. This applies specifically to managed devices (ones where an employer’s IT department holds admin rights); a personal laptop you also use for freelance work is fine.


Honest limits: what this guide doesn’t cover

Defence in depth has a ceiling. I want you to finish this guide with your head around where the workflow ends and where genuine tradeoffs begin, not thinking you’re bulletproof. Six scenarios this guide does not cover:

1. Full compromise via parallel channels. If an attacker physically steals your Home Kit AND obtains your master passphrase through a separate channel (keylogging, phishing, or coercion), they have everything. FAQ 9’s rotation procedure is reactive: it shrinks the window of exposure after you notice, but it doesn’t prevent the period between compromise and detection. This is the inherent upper bound of the architecture you’ve chosen.

2. Determined targeted attackers. Nation-state adversaries, well-funded organised crime, a custom-tailored advanced persistent threat. These operators bring novel exploits, custom malware, surveillance budgets, and patience. The baseline here raises your bar enormously above opportunistic attackers, but it is not a defence against someone who specifically wants you. If that’s your threat model, EFF Surveillance Self-Defence (linked in Further Reading) is the right next step.

3. Supply-chain compromise of your tools. A malicious 1Password update, a backdoored Chrome extension, a compromised operating system image. Rare but real. Autoupdating from official sources is the best defence available this side of full manual auditing, which isn’t realistic for anyone.

4. Insider threat in your household. The Recovery Kit assumes the people you share your home with are trustworthy. If they aren’t, that’s a relationship problem this guide cannot solve.

5. Physical coercion and compelled disclosure. Someone holding a weapon, a border guard with a subpoena. If you’re compelled to unlock a device, you unlock it. The only real defence is not carrying the data in the first place, which is a separate craft (travel devices, compartmentalisation, wiping and restoring from backup) and out of scope here.

6. Total-loss disasters beyond double failures. Your house burns down, AND your off-site Break-Glass location is destroyed, AND every device you’re signed in on elsewhere is also gone. Tier 1’s “secondary signed-in device in a different physical location” requirement is the cheapest mitigation. Past that point, extreme tail risks are best handled by insurance, not security engineering.

You now have your head around the landscape. What you do with it is up to you.


Beyond the baseline

If you have a realistic targeted-attacker threat model (public-facing clinician, journalist, activist, politically exposed person), the baseline above is your starting point, not your ceiling. Consider:

  • Google Advanced Protection. Enforces a security-key-or-passkey on every login, restricts third-party app access, and adds extra download scanning plus a hardened account-recovery hold. Enrolment is much lower-friction now (a passkey works, where it once took two physical keys), but the ongoing restrictions still break some older apps and make recovery slower and stricter. Tier 2 already gave you the headline win (phishing-resistant Google login); APP’s extra is the app-access lockdown and recovery hardening. Real gain, still real friction. For a narrow population.
  • Compartmentalised email identities. Use an email aliasing service to mint a unique address for every account you sign up for. When a service is breached or starts spamming you, you kill the alias without affecting anything else. SimpleLogin (open source, Proton-owned) or Apple Hide My Email (Apple-only, bundled with iCloud+).
  • Virtual physical mail forwarding. A service receives your physical post, scans it, digitises it, and lets you decide per-item what to do (shred, forward, ignore). Your home address stops being given out to every merchant, subscription, or dinosaur institution. HotSnail is the Australian option; Earth Class Mail and Virtual Post Mail serve the US.
  • Virtual card numbers. Mint a unique credit card number per merchant so no single merchant breach compromises your actual card. privacy.com is the US gold standard (banks get very close in AU with Up, Wise, and Revolut).
  • Tor Browser for specific anonymous sessions.

Cryptocurrency custody, hot-wallet key management, hardware wallet hygiene, and seed-phrase backup strategy are all their own thing and out of scope for this post.


Australia-specific

myGov is the gateway to the ATO, Medicare, Centrelink, and your My Health Record. Protect it like a primary email:

  1. Unique 1Password-generated password.
  2. Add a passkey. myGov already supports them (including physical security keys), and they sidestep the TOTP chicken-and-egg entirely. This is now the best option; set up two if you can (e.g. one on your phone, one on your YubiKey).
  3. If you’d rather use an authenticator app, choose “Use an authenticator app” and set up TOTP. You can store this TOTP in 1Password for convenience; myGov isn’t critical enough to need the separate-app treatment that 1Password itself gets (FAQ 19). One gotcha: myGov rejects some authenticators on a technical requirement, and Microsoft Authenticator notably isn’t accepted; 1Password, Google Authenticator, Aegis, and the Apple/Ente apps work.
  4. Link your myGov to a primary email you fully control and have MFA on.

Don’t install or use the old “myGov Code Generator” standalone app. Services Australia is retiring it in favour of standard authenticator apps and passkeys. If you already have it installed, switch to a standard TOTP authenticator before the Code Generator is removed from the stores.

Fallback if you lose your phone overseas: if your myGov TOTP is in 1Password and you’ve recovered your vault using your Home Kit + backup YubiKey, you already have it. If for some reason you don’t, your only fallback is calling Services Australia’s international line to verify identity manually, which can take hours. Write the Services Australia international support number on your Home Kit reference sheet.

Australian banking

The big four (CBA, ANZ, NAB, Westpac) lean on their own in-app MFA delivered through their own banking apps. None of them let you enrol a YubiKey or a standard authenticator app for consumer login as of mid-2026. That part hasn’t changed. Passkeys, though, are starting to arrive unevenly across the big banks and their app-based offshoots, so check your own bank’s current options. Either way, their MFA is device-bound: once you’ve registered your phone with the app, logging in on that phone is painless. But recovering to a new phone is where the friction lives. The standard new-device flow requires, in some combination:

  • An SMS OTP to the mobile number on file.
  • A phone call to customer support from the number on file.
  • Your physical debit/credit card number plus in-branch ID verification.

What to actually do:

  1. Set a unique password in 1Password.
  2. Enable the in-app MFA that your bank offers (it’s usually on by default when you install their app).
  3. Keep the international customer-support phone number for your bank on your Home Kit reference sheet. You’ll need it if you lose your phone overseas.
  4. Keep a spare phone number on your bank profile if possible, one that you control from a different SIM (an eSIM on a backup travel phone, or a Google Voice / international line).
  5. Tell your bank when you travel, via their app or website, so they don’t block legitimate logins.

Australian phone carriers (Telstra, Optus, Vodafone, etc.)

Overseas readers: the carrier names and the ACMA rule below are Australian, but the principle is universal. Every carrier worth using offers some account-level lock, a port-out PIN, a SIM lock, a security word, or a “no port without in-person ID” flag. Find yours and turn it on; that’s the SIM-swap defence wherever you are.

Consumer carrier accounts in Australia don’t support authenticator apps or hardware keys. Your carrier login itself is still largely SMS-based. That sounds bad, and it is. But the real risk at the carrier layer isn’t “someone logs into my carrier dashboard.” It’s SIM swap, where an attacker calls your carrier impersonating you and convinces the support agent to port your number to a SIM they control. From there, every SMS-based MFA flow (including your bank’s) falls over.

The good news: since the ACMA Telecommunications Service Provider (Customer Identity Authentication) Determination 2022, every Australian carrier is required to apply multi-factor identity checks before any SIM port, replacement SIM, or high-risk account change. This is no longer an opt-in customer feature, it’s a regulated baseline. Required isn’t the same as flawless. Carriers have been penalised for failing it (Telstra copped a A$1.5m fine in 2024 for breaches of exactly these rules), so treat it as raising the bar, not closing the door: still keep SMS off your critical accounts and set the carrier PIN below. Each carrier implements it differently:

  • Telstra: biometric verification via the MyTelstra app, plus an account PIN.
  • Optus: an account PIN you set in your My Account.
  • Vodafone: an account password / security word.

What to actually do:

  1. Log into your carrier’s app or website, set whatever PIN / security word / biometric option they require, and enable it.
  2. Call customer support from the number on your account, confirm what’s on file, and ask explicitly that no SIM port or replacement-SIM request be authorised without that check.
  3. While you’re on the phone, ask what the override flow is if you lose your phone overseas (so you know what to expect).

Different carriers call this different things. The regulation requires it; the configuration is on you.

Card-not-present fraud

Your card details get leaked by merchants, not by you. The fix is virtual card numbers. Up, Wise, and Revolut all offer one-tap generation. Traditional banks are catching up slowly.

If the worst happens: identity-theft recovery (Australia)

Account takeover often turns into identity-fraud cleanup, and Australia has specific machinery for it. Keep these on your Home Kit reference sheet so you’re not googling them mid-panic:

  • IDCARE (1800 595 160), the free national identity and cyber support service. They build you a tailored response plan and talk to the institutions on your behalf. This is the first call after a serious compromise.
  • Place a credit ban. You can request a free 21-day ban (extendable) with each of the three credit bureaus (Equifax, Experian, and illion), which stops fraudsters opening accounts or loans in your name. Do all three; they don’t talk to each other.
  • ReportCyber, the official channel to report cybercrime to police; generates a report reference banks and insurers will ask for.
  • Cancel and reissue any exposed cards through your banking app, and if your Medicare or driver-licence numbers were exposed, replace those documents (Services Australia and your state transport authority both have compromised-credential processes).

Troy Hunt is your Australian voice

Troy Hunt, who runs Have I Been Pwned, is Gold Coast-based and has been the definitive writer on passwords and breaches for over a decade. Subscribe to HIBP notifications with your primary email, it’s free, and it pings you the moment your address shows up in a new breach dump so you know to change that site’s password immediately.


FAQ

1. I’m about to travel for three weeks. What’s the pre-flight checklist?

  1. Rehearse the Tier 3 fire drill once this week, using your target travel device.
  2. Tell your bank, credit card companies, and travel card providers your dates via their app or website. Prevents false-positive fraud locks when you start using your card overseas. Australian banks usually let you do this in-app; some still require a phone call. Some expire after 30 days and need re-notification if the trip is longer.
  3. Test your backup restore path before you go. Pull a file down from your cloud backup onto a different computer. If you can’t do that today, you don’t have a working backup today.
  4. Carry your backup YubiKey on your person, in a different bag or pocket from your phone, ideally attached to something you always have (wallet, keys). Losing your phone and losing your key should be independent events.
  5. Memorise your master passphrase and at least two key phone numbers (your own, and a trusted contact’s).
  6. Brief a trusted person at home on where your Home Kit is and how to reach you if the worst happens. Important: if your phone is the thing you’ve lost, Signal and WhatsApp will both be unreachable; linking either on a borrowed computer requires the mobile app you no longer have. The fallback channel is a voice call. Expect to dictate the 34-character Secret Key digit-by-digit over the phone while writing it onto a scrap of paper at the other end. That’s also why item 11 below exists: if you’re travelling, the paper-in-wallet copy sidesteps this entire problem.
  7. Make sure your primary email recovery phone isn’t the one you’re about to lose. Add your trusted contact’s number, or an eSIM number you’ll keep working.
  8. Install your banking, messaging, and 1Password apps on a backup device if you have one: a spare phone, a travel tablet. Verify they work before you fly.
  9. Write your bank’s and your carrier’s international customer support numbers on the reference sheet in your wallet.
  10. (Load-bearing for trips longer than a couple of weeks, not optional) Pack a spare phone with 1Password installed and already signed in before you leave. A previous-gen phone in a drawer, a cheap second-hand Android, anything that boots. Test it before you go. This isn’t a nice-to-have: 1Password’s sign-in flow on a new device normally needs a verification code from an existing linked device. Lose your only signed-in device overseas and you’re down to two cold paths, both with a catch: your printed recovery code (works from any browser via account-email verification and issues a fresh Secret Key, but means doing sensitive recovery on a borrowed, possibly-keylogged computer), or, failing that, the slower 1Password account recovery flow. A pre-signed-in spare phone collapses both: you’re now recovering to a known-good device in a hotel room instead of trying to cold-start in a panic.
  11. (Optional, supplementary to item 10) Carry an unlabelled paper copy of your 1Password Secret Key in your wallet. Treat the paper like cash: not in your phone case, not in your bag, in your wallet. This does NOT by itself let you sign in from scratch; see item 10 for why. What it does do is save you from having to call home and have someone dictate a 34-character Secret Key to you over the phone when you’re recovering to your pre-linked spare phone after a factory reset. It’s a convenience during recovery, not a substitute for the spare device.

While travelling: any time you’re about to hand a device to a border officer or security checkpoint, restart it first. A restart forces the phone to require its passcode (not face/fingerprint) on the next unlock, which makes compelled biometric unlock much harder. This is a five-second action and should become a reflex.

2. I think I’m locked out right now. What do I do first?

Triage in this order:

  1. Get to a trusted computer. A friend’s laptop in a Chrome Guest Profile is ideal. Avoid hotel business centres, airport kiosks, and internet cafรฉs. Shared computers may be keylogged or running hostile extensions. If you absolutely must use one as a last resort, change every password you typed on it, immediately afterwards.
  2. Recover your primary email first. Every other recovery flow goes through email. Use your backup YubiKey and a printed recovery code if you have them. If not, most providers have a “verify my identity” flow that asks increasingly personal questions; be patient.
  3. Recover 1Password second. The cleanest path is your pre-signed-in spare phone (travel prep item 10) โ€” and the whole point of it is that it’s already signed in, so don’t factory-reset it. Wiping it destroys the one property that makes it useful (it’s an approved device that can wave a new sign-in through), dropping you straight back into the cold-start lockout it was meant to prevent. Just open 1Password on it; you’re in. Only if the spare isn’t signed in โ€” you skipped that prep, or it got wiped โ€” do you cold-start: reinstall 1Password and sign in with your Secret Key (typed from your wallet copy, item 11) plus the YubiKey on your person. No wallet copy? Call your trusted person on a voice line (not a messaging app: if your phone is gone, Signal and WhatsApp are also gone, because both require the mobile app to activate a desktop session) and have them read the 34-character Secret Key to you out loud. If you have no pre-signed-in device at all (you weren’t prepared, or the spare is also lost), your next path is the printed recovery code from your Home Kit: enter it at my.1password.com, verify through your account email (so recover email first), and 1Password issues a fresh Secret Key and a new passphrase without any linked device. Only if you have no recovery code either are you down to 1Password account recovery: on a Families plan another family organiser can initiate recovery for you; on an Individual plan 1Password support will walk you through it but it takes longer. Budget hours, not minutes, for that last branch.
  4. Bank and carrier third. Carrier is often the longest; plan for a phone call, not a web form. Many require a branch visit with ID, or an international call to their support line.
  5. Only after those are back, start worrying about everything else.

3. What if I forget my 1Password master passphrase?

You don’t recover the passphrase, 1Password can’t reset it for you. You recover access, by retrieving the Break-Glass Envelope from its off-site location, which contains the passphrase on paper. Then you immediately change to a new passphrase, generate a fresh envelope, and reseal it.

4. What if I lose both YubiKeys?

Use the printed recovery codes from your Home Kit to get into the accounts that matter, then order replacement keys and re-enrol them. You’re exposed until the new keys arrive, so prioritise ordering.

The exception is 1Password itself. On a solo/Individual plan, with both keys gone, a recovery code can’t get you past the key prompt โ€” so keep a separate-app TOTP on 1Password as the fallback that gets you back in (FAQ 19 explains why). On a Families plan, a family organiser’s recovery resets your 2FA instead.

5. What if 1Password itself gets breached?

This is the real reason most people don’t use a password manager. Troy Hunt’s framing is the best one: “password managers don’t have to be perfect, they just have to be better than not having one.”

1Password’s architecture is designed so that even if their servers are fully compromised, attackers get an encrypted blob they can’t decrypt without your master passphrase and your Secret Key (neither of which ever leaves your devices). 1Password has been independently audited multiple times and has never had a breach that exposed plaintext vaults. Contrast this with the reality without a password manager: you reuse passwords, one of the hundreds of sites breached each year leaks yours, and your credentials are in a public dump within days. The password manager isn’t the single point of failure. Your brain is.

6. What if 1Password goes out of business, or gets acquired by someone I don’t trust?

1Password supports exporting your entire vault to standard formats (1PUX and CSV). Migrating to Bitwarden, Proton Pass, or another manager is an afternoon’s work, and every serious password manager supports importing from 1Password. You are not locked in. The lock-in risk is real in principle but low in practice, because the export ecosystem is mature.

7. If I store passkeys in 1Password, isn’t 1Password the single point of failure? And are passkeys really replacing passwords?

Passkeys are replacing passwords, slowly. Use them wherever offered. 1Password stores them alongside passwords with zero extra friction, and sites that support passkeys tend to have above-average security posture generally.

On the SPOF question: your YubiKey is the root of trust that unlocks 1Password. The hierarchy is YubiKey โ†’ 1Password โ†’ everything else. An attacker needs both the YubiKey (physical theft) and your master passphrase (phishing, keylogging, coercion) to get in. That’s a vastly harder attack than guessing a password you reused on LinkedIn in 2012.

8. My whole digital life is in 1Password. Doesn’t that terrify you?

A little, yes. But my digital life is also in my memory, my Home Kit, my backup YubiKey, my Break-Glass envelope, and my email recovery flow. 1Password is the most convenient layer. It isn’t the only layer. Single-layer security is what should terrify you. Defence in depth is what lets you sleep.

9. My Home Kit got stolen in a burglary. Now what?

Treat this as a full compromise. Regenerate your 1Password Secret Key (Settings โ†’ Account โ†’ Regenerate), change your master passphrase, regenerate all printed recovery codes, reseal your Break-Glass Envelope with the new passphrase, and rebuild the Home Kit with fresh printed copies. Until you’ve done this, assume the burglar has the Secret Key and the backup YubiKey (they can’t actually get in without the passphrase, but you don’t want to keep the exposure open any longer than necessary). Buy a replacement backup YubiKey. This is the reason the passphrase is not stored in the Home Kit.

10. What if I die? How does my family access my accounts?

Three things: write a short letter explaining your Recovery Kit’s location and how to use it, store it with your will, and tell a trusted person it exists. Configure 1Password Families’ built-in Emergency Kit feature. Configure Apple’s Digital Legacy Contact and Google’s Inactive Account Manager. This is cheap, important, and the kind of thing survivors quietly thank you for.

11. Do I really need two YubiKeys? Isn’t that paranoid? What if one breaks?

The second key costs about AU$50. It’s the cheapest insurance you’ll ever buy. YubiKeys are passively powered (no battery) and rated for tens of thousands of uses. Breakage is rare, loss isn’t. Either way, the backup gets you in.

12. Can I just use my phone as a YubiKey via Face ID?

Partly. Apple and Google support a flow called hybrid transport (cross-device passkeys). Your phone uses Bluetooth proximity to authorise a sign-in on a nearby laptop, with Face ID as the user check. It’s genuinely useful as a convenience. But it isn’t a substitute for a dedicated hardware key. Your phone is also the single most likely thing you’ll drop, lose, or have stolen. Use phone-as-key on top of your YubiKeys, not instead of them.

13. My partner shares my 1Password vault. If their phone is compromised, am I compromised?

Partially, yes, which is why 1Password Families has personal vaults and shared vaults, separately. Shared vaults hold joint things (household utilities, streaming, insurance). Personal vaults hold your own accounts. A compromise of your partner’s device exposes shared vaults but not personal ones. Keep your banking, email, and high-value accounts in your personal vault. Make sure both of you have Tier 2 (hardware keys) set up so “compromise of phone” doesn’t cascade to “compromise of vault.”

14. What happens to my Recovery Kit when I move house?

The Home Kit moves with you: pack it in a labelled, sealed envelope and carry it in your hand luggage on moving day, not in a moving truck. The Break-Glass Envelope stays put if it’s at a safe deposit box; update the trusted person on your new address if it’s at a family member’s. Treat Kit location as a datum you maintain. Add it to your pre-travel checklist.

15. Why do I need a password manager if Chrome already saves my passwords?

Chrome’s built-in manager is better than nothing. It’s worse than a dedicated one because (a) it’s tied to one browser and ecosystem, so passwords don’t follow you to native apps or other browsers, (b) its generated passwords are weaker, (c) passkey support is shallower, (d) it doesn’t support phishing-resistant MFA on the manager itself, (e) the whole thing is ultimately gated by your single Google password. If you use Chrome PWM and nothing else, the advice is: move to 1Password.

16. Why 1Password instead of free Bitwarden or Apple’s iCloud Keychain?

Bitwarden is excellent. If you’re technical enough to weigh the decision on the merits, pick it with my blessing. iCloud Keychain is genuinely good (especially for passkeys) but Apple-only. If you’ll ever touch a Windows laptop, Chromebook, Android, or any cross-platform service, it fails. I recommend 1Password to non-technical family members because its UX polish drives higher day-to-day usage, which is the only metric that matters for a password manager.

17. Is SMS MFA really that bad? My bank only supports it.

SMS MFA is better than no MFA, and worse than an authenticator app, which is worse than a hardware key. The risk is SIM swap: an attacker convinces your carrier to port your number and receives all your codes. For any account that supports a better option, switch. For SMS-only accounts like Australian banks: (1) use SMS anyway, (2) enable a port protection PIN with your carrier (see the Australia section), (3) keep an international customer support number for your bank in your Home Kit, (4) switch banks if it matters.

18. My bank demands an SMS to my (lost) phone to let me log in. What now?

You’re calling customer support. Have your photo ID, your physical card, your account number, and your most recent transactions ready. Expect a verification process measured in tens of minutes, not seconds. If you’re overseas, the call is international and the agent will ask questions designed to catch impostors.

This is why the pre-flight checklist says “keep a spare phone number on your bank profile”: a secondary number on a backup SIM, a Google Voice line, or a family member’s phone you’ve explicitly pre-authorised with the bank. If you’ve done this, the SMS goes to the spare number and you’re back in. If you haven’t, budget at least an hour for the phone call and have a backup plan for paying for things in the meantime (cash, a travel-specific card on a different bank, a family member who can front you money).

19. Is it OK to store MFA codes in 1Password alongside my passwords?

For most accounts, yes. 1Password stores TOTP codes in the same entry as the password. Slightly less secure than a separate authenticator app (an attacker who fully compromises your vault gets both factors) but vastly more convenient, which means you actually turn on MFA everywhere instead of only on three accounts. The convenience wins.

The one exception: never store 1Password’s own TOTP inside 1Password itself. That would create a chicken-and-egg: signing into 1Password on a new device would need a TOTP code you could only generate by signing into 1Password. If your only active 1Password session is on the phone you’ve just lost, you’re stuck.

If you’ve done Tier 2 (two YubiKeys enrolled on 1Password) the chicken-and-egg simply doesn’t happen, because 1Password’s MFA second factor is your hardware key, not a TOTP. Sign-in on a new device is: email, Secret Key, master passphrase, tap the backup YubiKey from your Home Kit. No TOTP in the flow at all. This is the clean path and the one I recommend.

If you haven’t done Tier 2 and are using TOTP-based MFA on 1Password, that TOTP must live in a separate authenticator app: Aegis on Android, Raivo OTP or Ente Auth on iPhone, Google Authenticator cross-platform. Never inside 1Password itself.

Belt-and-suspenders readers (myself included) keep a YubiKey as primary MFA on 1Password and the same TOTP in a separate app as a fallback in case both hardware keys are unreachable. On a Families plan that’s genuinely optional โ€” an organiser can recover you, which resets your 2FA. On a solo/Individual plan it’s load-bearing: a 1Password recovery code resets your passphrase and Secret Key but leaves account 2FA on, so without that separate-app TOTP, losing both keys locks you out of 1Password until support intervenes. If you’re solo, treat it as required, not optional.

The same logic applies to your primary email (Gmail / iCloud / Outlook). Hardware key first; if you also keep a TOTP fallback, keep it in a separate app, not in 1Password. Every other TOTP can live in the vault.

20. My partner and family won’t do any of this. How do I handle shared accounts?

You can’t force anyone; you can make it easy. 1Password Families lets you share a vault with your partner: set them up with the app, add a passkey, they never have to think about passwords again. For older parents who won’t install anything, the best you can do is give them a unique password for their email and their banking, turn on MFA (SMS if that’s all they’ll tolerate), and walk them through it in person. Anything is better than nothing.

21. What about my kids’ accounts?

Same basic rules, plus: set their accounts up on your 1Password Families plan so you as parent can help recover them. Teach them early that no legitimate service ever asks for a password. Phish-training conversations are this generation’s stranger-danger talk.

22. I already have decent passwords and SMS MFA. Isn’t that good enough?

It’s better than ~60% of the population today. The rising threat environment (see Claude Mythos 5) means good enough today is marginal tomorrow. The delta from where you are to Tier 2 of this guide is maybe two hours and AU$100. That’s the cheapest security upgrade you’ll ever make. Do it this weekend.


Further reading

If you’ve done Tiers 1โ€“3, you’re above the easy-target line. You can stop reading and be genuinely safe.

If you want to go deeper:

  • EFF Surveillance Self-Defence, the canonical non-profit guide, no product shilling.
  • Andrej Karpathy, Digital Hygiene, a technical person’s personal setup. Several sections of this guide are drawn directly from Karpathy: the “security questions are passwords in disguise” advice in Tier 1.2, the “never click email links” behavioural rule in Tier 2, and the work-computer warning in Tier 4. (His post is a flat list of topics; the four-bucket framing here is mine.) Read it in full for the privacy-maximalist extensions (NextDNS, Little Snitch, Brave, privacy.com, virtual mail forwarding) I deliberately left out of the baseline.
  • Troy Hunt’s blog, long-running, definitive voice on passwords and breaches.
  • Project Glasswing, Anthropic’s effort to harden critical software before that kind of capability spreads more widely.

Good luck. The bar is about to rise.