Frequently Asked Questions

Yes. Cyber attacks affect everyone, not just large corporations or high-profile individuals. Most attacks are automated and indiscriminate—criminals cast wide nets hoping to catch anyone with weak security. Your email account, social media, and financial information are all valuable to attackers. Even if you think you have "nothing to hide," compromised accounts can be used to attack your contacts, steal your identity, or access accounts linked to the same credentials.

Use a password manager and enable two-factor authentication on all important accounts. These two practices alone protect against the majority of common attacks. Here's why they matter:

Password Manager: Stores strong, unique passwords for every account without you memorizing them. This prevents password reuse—the #1 reason accounts get compromised. Popular options include Bitwarden (free), 1Password (paid), or KeePass (self-hosted).

Two-Factor Authentication (2FA): Adds a second verification step. Even if attackers steal your password, they can't access your account without the second factor. Use authenticator apps (Google Authenticator, Authy) instead of SMS when possible—they're much more secure against SIM swapping attacks.

For Windows users, yes—but the built-in Windows Defender is generally sufficient for most people as of 2026. Modern operating systems have significantly improved their built-in protections. Third-party antivirus can provide additional features but isn't strictly necessary if you practice good habits.

Why Windows Defender is enough:

• Modern malware detection uses cloud intelligence and AI
• Real-time monitoring catches threats before they execute
• Integration with Windows security updates is smooth
• Performance overhead is minimal on modern hardware

More important than antivirus:

• Keep Windows Update, browsers, and applications patched (most infections exploit unpatched software)
• Don't download files from untrusted sources or suspicious links
• Use browser security extensions (uBlock Origin blocks malware, HTTPS Everywhere prevents interception)
• Be cautious with email attachments from unknown senders
• Maintain backups in case of ransomware attacks (this matters more than antivirus if an infection happens)

Watch out for these red flags that indicate compromise:

• Unexpected password reset emails from accounts you didn't touch
• Login notifications from unfamiliar cities or device types
• Friends reporting strange messages or friend requests from your accounts
• Unfamiliar charges or transactions on credit cards or bank accounts
• Device running unusually slow or heating up constantly
• New apps or programs you didn't install appearing on your device

Check Have I Been Pwned to see if your email appears in known data breaches. If you suspect compromise, immediately change passwords from a clean device (borrowed phone/computer) and enable 2FA everywhere. Consider running a full antivirus scan, but don't trust the results completely—fresh OS installation is the nuclear option.

OPSEC (Operational Security) is the practice of protecting sensitive information by thinking about how adversaries might gather intelligence about you. It involves minimizing your digital footprint, compartmentalizing identities, and being mindful of what information you reveal. Good OPSEC means considering: who might want information about you, what information could harm you if exposed, and how that information might be obtained. See our OPSEC Basics guide for more.

Phishing is still one of the most effective attack vectors in 2026. Most data breaches involve some element of social engineering. Here's what to watch for:

Red flags:

• Urgent language ("Verify your account NOW!" or "Suspicious activity detected")
• Requests for passwords, 2FA codes, or personal information
• Links that don't match the sender's domain (check before clicking)
• Grammar/spelling errors in official-looking emails
• Generic greetings instead of your actual name
• Attachment files with unusual extensions (.exe, .scr, .zip)

What to do: Hover over links to see the actual URL before clicking. Go directly to websites by typing the address or using bookmarks. Never enter credentials after clicking an email link—banks and legit services never ask for passwords via email. When in doubt, contact the organization using a number from their official website, not from the email.

No. A VPN hides your IP address and encrypts your traffic from your ISP, but it doesn't make you anonymous. The VPN provider can see your traffic (though reputable ones claim not to log it). You can still be identified through:

• Browser fingerprinting (unique hardware/software combinations)
• Account logins (Gmail, Facebook, Twitter accounts identify you)
• Cookies and tracking pixels
• DNS requests (use DNS over HTTPS or Tor to hide these)
• WebRTC leaks that expose your real IP

VPNs are good for privacy from your ISP. For true anonymity, combine Tor with careful operational security—avoid logging into personal accounts while using Tor.

Generally, no. Running VPN infrastructure is expensive, and free VPNs need to make money somehow. The risks include:

• Logging your activity and selling data to advertisers
• Injecting ads into your browsing (and tracking you to show targeted ads)
• Embedding malware or tracking code in their apps
• Selling bandwidth by using your connection as an exit node for others
• Using outdated encryption protocols

If budget is tight, ProtonVPN offers a generous free tier with unlimited bandwidth. For serious privacy needs, Tor Browser is completely free and highly secure. Never compromise security for cost—a bad VPN is worse than no VPN.

It depends on your threat model and what you're trying to protect against:

Use a VPN when:

• On public WiFi networks (airport, coffee shop, hotel)
• You don't trust your ISP or network admin
• You're in a country that heavily monitors internet usage
• You want to hide your browsing from your ISP
• Accessing services that are geo-blocked in your location

VPN drawbacks:

• Slows your connection (20-30% speed reduction typical)
• Some sites and services block VPN IP addresses (Netflix, banks)
• You're trusting a VPN company instead of your ISP
• Can introduce latency for gaming or video calls

Practical approach: Most people use VPN on untrusted networks and when traveling, then browse normally on their home networks. If you're always using a VPN, make sure you trust the provider—run their audit reports and privacy policy yourself.

They serve different purposes. VPNs are faster and hide your traffic from your ISP, but you trust the VPN provider. Tor is slower but distributes trust across multiple relays—no single entity sees both who you are and what you're accessing. Use VPN for everyday privacy (streaming, general browsing). Use Tor when you need true anonymity and are willing to accept slower speeds. Using both together (VPN then Tor, or Tor then VPN) has trade-offs covered in our guides.

Your ISP can see that you're connected to a VPN server and how much data you're transferring, but they cannot see the content of your traffic or which websites you visit. The traffic appears as an encrypted tunnel to the VPN server. However, some ISPs throttle VPN connections, and in some countries, VPN usage itself may attract attention.

In most countries, yes. Tor is legal and is used by journalists, activists, whistleblowers, and ordinary people who value privacy. However, some authoritarian regimes restrict or monitor Tor usage. While using Tor itself is legal, any illegal activities conducted over Tor remain illegal. The tool doesn't change the law—it just provides privacy.

Tor is slower than regular browsing because your traffic bounces through at least three volunteer-operated relays around the world. Each hop adds latency, and the encryption/decryption at each stage takes time. Speed reduction typically ranges from 50-90% depending on relay load and your connection quality.

What's usable:

• Text-based browsing and reading (fine)
• Checking email and instant messaging (fine)
• Loading web pages with images (slow but workable)
• Downloading files (very slow, takes much longer)

What's not practical:

• Streaming video (will constantly buffer)
• Video conferencing (expect freezing and lag)
• Gaming (high latency makes it unplayable)

You're trading speed for anonymity. It's a fair deal if you actually need anonymity.

Tor provides strong anonymity against most adversaries, but it's not perfect. A sufficiently powerful adversary (like a nation-state with global surveillance capability) might correlate traffic timing at entry and exit points. More commonly, users deanonymize themselves through poor OPSEC: logging into personal accounts, enabling JavaScript that fingerprints them, or revealing identifying information. Tor protects the network layer; you must protect the human layer.

.onion sites are services hosted within the Tor network. Unlike regular websites, both the user and the server are anonymous—traffic never leaves the Tor network. This provides strong privacy for both parties.

Legitimate examples of .onion sites:

• ProPublica (news outlet) investigates corruption and abuse
• Whistleblowing platforms (SecureDrop) for journalists
• Privacy-focused email and messaging services
• Libraries and knowledge archives for censored countries
• Support resources for activists and dissidents

To access .onion sites, download Tor Browser from torproject.org (official source only). Be cautious: .onion sites can host illegal content, just like the regular internet. The anonymity provided by Tor is neutral—it protects journalists and activists, but also those doing harmful things.

As of 2026, data breaches are extremely common—expect your information to appear in a breach at some point. Once your data is out there, you can't get it back. Here's what you should do:

Immediate steps:

• Check Have I Been Pwned to see which sites have leaked your data
• Change passwords for affected sites to unique, strong passwords
• Enable 2FA on important accounts immediately
• Monitor your credit report for 90 days (free at Equifax, Experian, TransUnion)

Long-term:

• Consider a credit freeze if you're worried about identity theft
• Use unique passwords for every account (password managers make this easy)
• Monitor your email for spam/phishing attempts (leaked emails get targeted)
• Consider paying for identity theft protection if the breach involved SSN or full address

PGP (Pretty Good Privacy) is a encryption standard for securing emails and files. It uses public-key cryptography: you share your public key for others to encrypt messages to you, while your private key decrypts them. You need PGP if you exchange sensitive information via email or need to verify someone's identity through signed messages. For casual use, encrypted messaging apps like Signal are simpler. See our PGP guide to get started.

When properly implemented, yes. End-to-end encryption (E2EE) means only the communicating parties can read messages—not the service provider, not governments, not hackers who breach the server. However, E2EE doesn't protect against: compromised devices (keyloggers, malware), screenshots, or someone looking over your shoulder. The encryption is strong; the endpoints are usually the weak points.

Yes, especially for laptops and devices that could be lost or stolen. Full-disk encryption (FDE) ensures that if someone gains physical access to your device, they can't read your data without your password. Windows has BitLocker, macOS has FileVault, and Linux has LUKS. Enable it—the performance impact on modern hardware is negligible, and the protection is significant.

No, Bitcoin is pseudonymous, not anonymous. All transactions are recorded on a public blockchain that anyone can analyze. Blockchain analysis firms can now trace most Bitcoin movements—they match wallet addresses to identities through:

• Exchange records (when you buy/sell Bitcoin, your identity is recorded)
• Transaction patterns and clustering analysis
• IP address logging at network entry points
• Timing correlations between transactions

For financial privacy:

• Use privacy coins like Monero (XMR) instead—transactions are private by default
• CoinJoin services can mix Bitcoin, but they're not foolproof
• Remember: US tax law treats crypto transactions as taxable events regardless of privacy methods

If you lose access to your wallet and don't have your seed phrase (recovery phrase) backed up, your funds are lost forever. There's no "forgot password" option in cryptocurrency—that's the trade-off for being your own bank. This is why proper backup procedures are critical. Store your seed phrase securely offline, preferably in multiple locations, and never share it with anyone.

Monero (XMR) is a privacy-focused cryptocurrency where transactions are private by default. It was designed specifically to address Bitcoin's traceability problem. Here's how it works:

Privacy technologies:

• Ring signatures: Mix your transaction with others, so observers can't tell which output belongs to you
• Stealth addresses: One-time addresses for each transaction, preventing address reuse
• RingCT: Hides transaction amounts (Bitcoin amounts are public)
• Kovri: Anonymizes IP addresses (upcoming feature)

Result: Monero transactions cannot be traced or linked to you. The trade-off is larger transaction sizes and slower confirmation times. As of 2026, Monero remains the most private cryptocurrency available, though regulatory scrutiny is increasing.

Hardware wallets are significantly safer for storing significant amounts. They keep your private keys offline, immune to malware on your computer. Here's the comparison:

Hardware Wallets (Ledger, Trezor, Coldcard):

• Private keys stored on isolated device, never exposed to computer
• Physical button confirms transactions—malware can't authorize transfers
• Immune to computer viruses and malware
• Cost: $50-300 depending on model
• Best for: Holding significant amounts (thousands+)

Software Wallets (MetaMask, Exodus, Blue Wallet):

• Private keys stored on your computer or phone
• Convenient for frequent transactions
• Vulnerable to malware, keyloggers, and device theft
• Cost: Free to low-cost
• Best for: Small amounts for regular spending

Strategy: Use hardware wallet for cold storage (savings), software wallet for hot wallet (spending). Backup your seed phrase from the hardware wallet in a secure offline location—this is your only recovery option if the device breaks.

At least 16 characters for important accounts. Length matters more than complexity—"correct horse battery staple" is stronger than "P@ssw0rd!" because of the vastly larger search space. Here's why:

Password length explained:

• Each additional character exponentially increases the time to crack
• An 8-character password takes minutes to crack with modern hardware
• A 16-character password takes centuries with the same hardware
• A 20-character random password is virtually uncrackable

Best practices: With a password manager, use 20+ character random passwords for every account. For memorable master passwords, use 5-6 random words (not from song lyrics or famous quotes—make them up). Avoid patterns, personal information, dictionary words, or common substitutions like @ for A or 1 for I.

SMS 2FA is better than no 2FA, but it's the weakest form. SMS can be intercepted through SIM swapping (attackers convince your carrier to transfer your number), SS7 network vulnerabilities, or malware on your phone. For important accounts, use authenticator apps (TOTP) or hardware keys (FIDO2/WebAuthn). Reserve SMS 2FA for less critical accounts where it's the only option.

This is why backup codes exist. When you enable 2FA, most services provide one-time backup codes—store these securely offline. Some authenticator apps (like Authy) support cloud backup of your tokens. Hardware key users should have a backup key enrolled. Without backups, you'll need to go through each service's account recovery process, which may require identity verification and take days.

The security hierarchy for 2FA methods is clear:

Best: Hardware security keys (FIDO2/WebAuthn like Yubikey, Titan Key)
Why? They're resistant to phishing, account takeover, and don't rely on time synchronization

Good: TOTP apps (Google Authenticator, Authy, Microsoft Authenticator)
Why? Time-based codes that generate offline, immune to SIM swapping

Acceptable: SMS 2FA (text messages)
Why? Better than nothing, but vulnerable to SIM swapping and SS7 attacks

Don't use: Call-based 2FA (voice calls)
Why? Most vulnerable to attacks and social engineering

Start with TOTP if you can't afford hardware keys. Always store backup codes somewhere safe—a password manager is fine.