The Calm Guide to Personal Digital Security (Without Becoming Paranoid)
You don't need a threat model that assumes the CIA. You need the handful of habits that actually keep normal people safe. Here they are.
[Illustration: an account-health card reading "Strong, 3 loose ends, reviewed today", with rows for Password manager (312 items, 0 reused), Two-factor on critical accounts (email, bank, registrar), Recovery email verified (backup at partner inbox) and Trusted device list (3 devices, 1 unknown).]
Most personal security advice falls into two camps. One camp is casual: "use a long password, you'll be fine". The other is wildly over-scoped: Tor, hardware keys in every pocket, burner phones, threat models that assume a state-level adversary. Neither matches what most people actually need.
The honest version is quieter. For an ordinary adult — founders, freelancers, families, anyone who's not being personally targeted — a small set of habits covers something like 95% of real-world risk. The remaining 5% is specialized, and you'll know if you're in it. This guide is the 95%, without the fear-mongering and without pretending everyone needs a YubiKey in three drawers.
If you've already read the digital inheritance piece, some of this will feel familiar. That article was about access when you're not here; this one is about access when you are.
What you're actually defending against
A useful security mindset starts with being honest about what can go wrong. For most people it's a short list:
- Credential stuffing. A site you signed up to a decade ago got breached. The attacker takes the leaked email + password combo and tries it, automatically and at scale, on your bank, your email, your everything. Because most people reuse passwords, this is the overwhelming majority of real account compromise.
- SIM swapping. An attacker convinces your carrier to port your phone number to a SIM they control, then resets accounts that use SMS for recovery. Rare but expensive when it happens.
- Phishing. A well-crafted email or text gets you to type credentials into a fake page. The good ones are genuinely hard to spot in a rushed moment.
- Device theft or loss. A stolen laptop or phone with bad defaults can compromise dozens of accounts in an afternoon.
- Yourself, losing access. Forgotten password, lost 2FA device, phone died abroad. The second-most-common way people lose accounts is locking themselves out.
Notice what's not on this list: sophisticated malware, nation-state actors, zero-days. Those exist. They're not what ordinary adults are up against on a Tuesday.
The five habits that cover 95% of risk
If you only do five things, do these. In roughly decreasing order of impact:
- Use a password manager for everything. One strong master password; a unique, long, random password per site, generated by the manager. This single change removes the password reuse that credential stuffing depends on: a breach at one site no longer opens any other.
- Turn on two-factor on accounts that matter. Email first, then banking, then anything else where the cost of compromise is real. Prefer an authenticator app over SMS.
- Protect your recovery email. Your recovery email is the master key to everything else: whoever controls it can reset the rest. Its password should be long and unique, and its 2FA should be the strongest you have, a hardware key or passkey if you own one.
- Lock your devices and keep them patched. Screen lock, full-disk encryption (FileVault on macOS, BitLocker on Windows; modern phones encrypt themselves once a passcode is set), auto-updates on. A stolen but locked and encrypted device is merely a stolen device; an unlocked one is a compromised identity.
- Have a written recovery plan for yourself. Where backup codes live, who your legacy contact is, what happens if your phone dies in a foreign airport. You'll use this more than you think — and without it, step 2 above becomes risky.
That's the whole list. Every additional habit is diminishing returns — still positive, often worth it, but not at the level of these five. Get these right first.
The password manager question
The single most common objection to password managers is "but what if the password manager itself gets hacked?" It's a reasonable question and has a calm answer: it still makes you vastly safer than not using one.
The math is easy. Without a manager, most people reuse a handful of passwords across 20+ sites, so any single site breach can compromise them all. With a manager, even a catastrophic breach of the vendor gives attackers an encrypted vault rather than plaintext passwords, because the established managers encrypt on your device with a key derived from your master password, which the vendor never holds. The caveat: a stolen vault can be attacked offline by guessing master passwords, so the vault is only as strong as that one secret. That is the reason for the master-password rule below.
Which one? Any of the established choices is fine. 1Password, Bitwarden, Proton Pass, Apple iCloud Keychain if you're all-in on Apple. The specific pick matters less than actually using one for everything. Half-using a password manager is barely better than not using one.
One rule that matters regardless of tool: the master password has to be strong and unique. A long passphrase you can remember, not a reused pattern from somewhere else. The rest of the system rests on that one secret.
Two-factor, done in a way you'll keep using
Two-factor authentication (2FA) is the single most over-explained piece of personal security. The short version:
- Authenticator app beats SMS. SMS 2FA is better than nothing, but a SIM swap hands the attacker your codes. An app (Aegis, 1Password's built-in TOTP, Authy with caveats, Google Authenticator) computes codes from a secret seed stored on your device, so there is no phone number to hijack.
- Hardware keys beat apps for your most critical accounts. A FIDO2/WebAuthn key checks the site's real origin before it answers, so a phishing page on a lookalike domain gets nothing useful; an app-generated code can't promise that. If you're going to own one hardware key, put it on your primary email. Two hardware keys (one backup) is the sweet spot; three is cosplay.
- Back up your 2FA. What an authenticator app actually holds is a set of seeds, and the seeds are what you need on the next phone. Almost every app has an export or backup option: use it. Losing the authenticator, usually along with the phone, is one of the most common ways people lock themselves out.
- Save recovery codes somewhere you'll actually find them. Most services hand you a short list of one-time codes when you enrol in 2FA (the format varies by service). They're the emergency exit. Put them in your password manager, not in a screenshot on your phone.
The recovery paths people forget
This is where most real headaches happen. You didn't get hacked — you locked yourself out of your own account. A few things worth auditing:
- Recovery email addresses. Many people have a recovery email pointed at an old address they no longer use. Fix it. Point it at your current primary.
- Recovery phone numbers. Same issue. Numbers change, carrier accounts close, phones get lost abroad. Verify and update.
- Authenticator app migration. When you replace your phone, every account's seed has to move with it. If your app backs up or transfers its seeds, check that the transfer actually completed before wiping the old phone; if it doesn't, you have to re-enrol each account by hand. Most people do ten of them and forget the rest. Keep a list of which accounts have 2FA so you know what to check or re-enrol.
- Trusted contacts / legacy contacts. Apple, Google, Facebook, and most password managers let you designate someone. Takes two minutes. See the inheritance guide.
Phishing and social engineering, calmly
Phishing is the attack you're most likely to see. Modern phishing is good — AI has made the text convincing, brand-mimicry is near-perfect, and a well-timed message will catch even careful people. Two practical rules do most of the work:
- Never enter credentials from a link. If an email says your bank wants you to log in, close the email and go to the bank the way you normally do. Type the URL, use your bookmark, open the app. The link is the risk, not the fact that the bank emailed you.
- Slow down when rushed. Phishing works on urgency. "Your account will be closed in 24 hours" is the tell. If something demands immediate action, pause and verify through a separate channel.
A password manager quietly helps here too. It offers to fill a login based on the domain the entry was saved for, not on what the page looks like, so when it stays silent on a page that claims to be your bank, that silence is often the first clear signal that you're on a fake.
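The matching rule behind that silence is simple enough to show. The following is an added illustration, not code from the article or from any real password manager: it decides whether a saved login may be filled on a given page by comparing hostnames, refusing plain http and punycode hostnames outright. The saved login and every URL are constructed for the example, and the "registrable domain" helper takes the last two labels of the host, which is a simplification (real managers consult the Public Suffix List so that, for example, a `.co.uk` site is handled correctly).

```python
from typing import Tuple
from urllib.parse import urlsplit

# Constructed sample entry, as a manager would store it after the first login.
SAVED_LOGIN = {"origin": "https://www.examplebank.com", "user": "alice"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host (a stand-in for eTLD+1; real managers use
    the Public Suffix List so multi-label suffixes like co.uk are handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def autofill_decision(saved_origin: str, page_url: str) -> Tuple[bool, str]:
    """Return (fill?, reason). Filling is allowed only on the same registrable
    domain as the saved entry, over https, on a non-punycode hostname."""
    saved_host = urlsplit(saved_origin).hostname or ""
    page = urlsplit(page_url)
    host = page.hostname or ""
    if page.scheme != "https":
        return False, "page is not https, refusing to fill"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised hostname (possible look-alike), fill by hand"
    if host == saved_host:
        return True, "exact host match"
    if registrable_domain(host) == registrable_domain(saved_host):
        return True, "same registrable domain as the saved entry"
    return False, f"{host} is not {registrable_domain(saved_host)}, refusing to fill"


def phishing_signals(saved_origin: str, page_urls) -> list:
    """Every page where the manager would stay silent: the user's cue to stop."""
    return [u for u in page_urls if not autofill_decision(saved_origin, u)[0]]


if __name__ == "__main__":
    # Constructed pages a user might land on from email links.
    pages = [
        "https://www.examplebank.com/login",
        "https://secure.examplebank.com/",
        "https://www.examplebank.com.account-verify.example/login",
        "https://www.examp1ebank.com/login",
        "http://www.examplebank.com/login",
    ]
    for url in pages:
        fill, why = autofill_decision(SAVED_LOGIN["origin"], url)
        print(("FILL   " if fill else "SILENT ") + url + "  (" + why + ")")
```

The fourth and fifth pages are the ones to notice: the hostname ends in `.account-verify.example`, so `examplebank.com` is merely a decoration in the middle of it, and the digit 1 in `examp1ebank` is not a letter l. Both look right at a glance and both leave the manager silent.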
How Livdock fits this
Livdock is not a security tool. It's not a password manager, it doesn't store your vault, and it doesn't generate 2FA codes. What it does is give you an honest inventory of the accounts, subscriptions, domains, and devices you have — which is a surprisingly important prerequisite for good security hygiene.
You can't secure accounts you forgot you own. You can't rotate credentials for domains you haven't thought about in three years. You can't protect the recovery paths if you don't know which services are pointed at which backup email. The inventory problem comes before the security problem. If you've been working through the hub idea, you already have the foundation for a security pass.
Knowing when to stop
The final habit — the one almost nobody talks about — is knowing when you're done. Personal security has diminishing returns. Once you've done the five things above, most additional effort is either specialized (you're a journalist, a public figure, a custodian of crypto) or theater. Hardware keys on your Pinterest account are theater.
The goal isn't to achieve a perfect posture; it's to raise the floor enough that you're no longer low-hanging fruit, then get on with your life. Spending an hour on the five habits beats spending a weekend on an elaborate setup you'll abandon in two months.
If you want a starting point for the inventory half of this, create a free Livdock account, list your accounts and subscriptions, and use that as the checklist for a security pass this weekend. An hour on security, once or twice a year, is almost always enough.