You don’t have to outrun the bear. You only have to outrun the other campers. Most attacks are automated and hunt the cheapest targets, so you don’t need to be perfect – just harder work than 90% of people. This page is the fastest way to get there.
It’s the short version of my full Digital Security Baseline. If that guide felt like a lot, do these six things first – five you can finish in an afternoon, plus a pair of hardware keys to order now and set up when they arrive – and you’ve already killed the most common ways ordinary people get hacked. When you want the depth (recovery kits, travelling, Australian banks, the why behind each step), the full guide is waiting.
1. Get a password manager
Install 1Password – the Family plan (~AU$10/month for up to five people), or the Individual plan if it’s just you. It generates and remembers a different strong password for every site, so you never reuse one and never have to remember them. Set one strong master passphrase – five random words – and print the Emergency Kit it gives you. That master passphrase is the only password you’ll memorise; everything else lives in the vault.
Free alternatives (Bitwarden, Proton Pass) are also fine. If you’re already on one, stay there.
2. Stop reusing passwords
Go to haveibeenpwned.com and type your email – it shows which known breaches your address has turned up in. Assume any password you reused on those sites is now public. Then let 1Password set a fresh, unique password on your four most important accounts first: email, bank, phone carrier, main social account. Do the rest over the following week. Reused passwords are how one leaked website quietly becomes all of them.
3. Turn on passkeys wherever they’re offered
A passkey is a login that can’t be phished – there’s no code to type and no password to steal, and it simply refuses to work on a fake lookalike site. (That kills fake-website phishing; it won’t stop the phone-call scams in step 6 – that’s what the safe word is for.) Apple, Google, Microsoft and a growing list of others support them now. Switch them on wherever you see the option. When a site asks where to save the passkey, choose 1Password – not your phone or browser – so the same passkey works across all your devices. This is the single biggest upgrade on this list.
Where a site doesn’t offer passkeys yet, turn on its MFA instead – an authenticator app (1Password’s built-in codes are fine), not SMS.
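For the technically curious, here is why a passkey "refuses to work" on a lookalike site, as an added example that is not part of the original guide or any vendor's code: it models the browser's RP ID check and the origin, challenge and RP ID hash checks a site runs on a passkey sign-in. Signature verification is left out to keep it standard-library only. The domains, constants and function names are assumptions made up for the illustration.

```python
import base64, hashlib, json
from urllib.parse import urlsplit

RP_ID = "shop.example"            # assumed relying-party ID (reserved test domain)
ORIGIN = "https://shop.example"   # assumed genuine origin

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def browser_allows_rp_id(page_origin: str, rp_id: str) -> bool:
    """Client side (simplified): the RP ID must be the page's host or a parent
    domain of it, so a lookalike page cannot ask for the real site's passkey."""
    parts = urlsplit(page_origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))

def binding_problems(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Server side: reasons to reject an assertion; an empty list means it passes."""
    problems = []
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        problems.append("wrong type")
    if data.get("challenge") != b64url(challenge):
        problems.append("challenge mismatch")
    if data.get("origin") != ORIGIN:              # origin is filled in by the browser
        problems.append("origin mismatch")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    if len(auth_data) < 37 or not auth_data[32] & 0x01:   # UP flag, bit 0
        problems.append("user not present")
    return problems

def make_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of the two signed fields a client returns."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return cdj, auth_data

if __name__ == "__main__":
    ch = b"\x01" * 32   # constructed challenge; a real server uses fresh random bytes
    fake = "https://shop-example.test"
    print(binding_problems(*make_assertion(ORIGIN, RP_ID, ch), ch))
    print(browser_allows_rp_id(fake, RP_ID))
    print(binding_problems(*make_assertion(fake, "shop-example.test", ch), ch))
```

The lookalike fails twice: the browser will not let it ask for the real site's passkey, and anything signed on the fake page carries the fake origin, which the real site rejects.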
4. Add hardware keys for the door that matters
Passkeys protect your individual accounts. Two things still deserve a stronger lock: 1Password itself, and your primary email – because every other account recovers through those two. A YubiKey is a small physical key that guards them: once you’ve registered it on those two accounts, even someone who tricks you out of your master passphrase can’t get in without the key in your pocket.
Get two (~AU$30 each) – one you carry, one spare in a drawer. Here’s why two: if you lose your only key, a printed recovery code won’t fully get you back into 1Password on its own, so the spare is your way back in. (On a 1Password Families plan? One key is enough – whoever organises your plan can recover you.)
Order them now – they’re the one item here that arrives by post, so ordering early means they’re on your desk when you set them up. (Passkeys already cover you in the meantime.) The full guide walks through the setup.
5. Turn on auto-updates, and lock your screen
Most real-world hacks are just unpatched software – “someone didn’t install an update” stories. Turn on automatic updates on your phone, your computer, and your apps, and set your screen to lock after a minute of inactivity. Two minutes of toggles, outsized payoff.
6. Agree a family safe word
The scariest modern scam is a cloned voice – your child or your parent calling in a panic, asking for money to be sent right now. Agree a word or question with the people who’d be impersonated to you; anyone calling in an emergency has to say it first. A cloned voice won’t know it. It’s free, and nothing above protects you from this one.
Don’t get locked out
This is the part most guides skip, and the reason people are scared to start. The floor is three things, about ten minutes:
- A second device signed into 1Password (your everyday laptop counts). If you lose your phone, this is how you get back in.
- Print your recovery codes for 1Password and your email, and keep them in a drawer at home.
- Keep your spare YubiKey and printed Emergency Kit somewhere safe – not in the same spot as your laptop.
On your own? That second signed-in device and your spare key are your lifelines – don’t skip them, because there’s no one else who can let you back in. On a 1Password Families plan with someone you trust? They can recover your account for you too, so one key plus the second device is enough.
That’s the floor. The full guide’s Recovery Kit turns “I lost my phone” from a catastrophe into a mild annoyance – including what to carry so a lost phone overseas isn’t a lockout.
When you’re ready for more
You’ve done the part that matters. The full Digital Security Baseline goes deeper on:
- The complete Recovery Kit and a once-a-year “fire drill,” so you can lose your phone without losing your life
- Travelling safely – what to pack so a lost phone abroad isn’t a disaster
- Australian banks, phone carriers, and myGov
- Full-disk encryption, Signal, and backups that actually work
- A long FAQ for the specific “but what about…” questions
No rush. Do these six, and you’re already past the easy-target line.