In Defense of Boring Security Habits

Most of the security advice aimed at individuals is either too basic to be useful or too technical to be actionable. The too-basic version — use strong passwords, don’t click suspicious links — has been repeated so many times that people have stopped hearing it. The too-technical version — run your own mail server, use Qubes OS, route all traffic through Tor — describes a threat model and a time investment that most people don’t have.

The useful version is somewhere in the middle, and it’s also the boring version. A password manager used consistently. Two-factor authentication on accounts that matter, using an authenticator app rather than SMS. A separate email address, not your primary inbox, for account registrations. Keeping software updated. A full-disk encryption passphrase on your laptop that you’d actually use under pressure. These things are not exciting and they don’t protect against nation-state adversaries, but they protect against the adversaries that most people actually face: credential stuffing from data breaches, phishing, physical device theft, and the casual account takeover that happens when someone uses the same password everywhere.

What makes these habits hard to maintain isn’t the technical complexity — a password manager is not technically demanding — it’s the friction at adoption time. The first week of using a password manager is annoying. After that it becomes invisible. The same is true of most of the useful boring habits. They have an upfront cost and then they run in the background.

I’ve written before about more technical approaches to privacy and security, and I think those are worth understanding. But the baseline boring habits are more valuable in aggregate than any number of more sophisticated measures that don’t get consistently applied. Consistency is the mechanism. The specific tools matter less than the decision to actually use them every time.