How paranoid should the average user be?

It seems many people on here travel a lot and/or are in business and/or metropolitan areas. Understandably, then, there are lots of questions and suggestions about VPNs, browser extensions, email security, etc. I find myself intrigued by all of it and periodically jump into exploring options. Then, once I get mired in all those options and concerns, I remind myself that I am none of the above – do not travel a lot, am no longer in business, and live in a quiet very rural community of 10,000 at least 100 miles from anything resembling metropolis.

SO … what are the practical measures a user such as me should take? I do shop online a lot out of necessity (even Home Depot is 2 hours away), and I bank online as well. I use 1Password, lengthy unique passwords, often but not always 2FA, and have weaned myself almost entirely away from gmail accounts (switched to Fastmail a few years ago). I turn off wi-fi connection on my Macs when I do not need to connect. I use Safari and Apple Mail. Have used Ghostery for years and added 1Blocker more recently. Search with StartPage or DuckDuck. Use Facebook only as a connection to internet Scrabble, with strictest privacy options enabled there. And use Cloudflare on all devices. Our Fastmail accounts get virtually no spam.

Is all that enough? Do I need a VPN and/or other controls? I have never enabled any firewalls.

Perhaps more important (and probably more typical), my (extremely) less tech oriented partner, with iPad and iPhone but no Mac, has trouble remembering even simple passwords and thus reuses them frequently, and never 2FA. (This is a guy who refuses to learn how to use cruise control in his car.) I have his devices on Cloudflare, and I periodically make sure location services are turned off for virtually all apps except Tile and a few other important ones. He spends large portions of his day on YouTube. What is really scary is that he is light-years ahead of other friends of ours who do not even passcode their phones.

Anyway, should I do more to protect myself? And what steps can I take to protect non-techy partner without burdening him or his limited patience?

One question in particular about online banking – is there a security difference between using a bank’s website or its standalone app?


I’m replying because no one else has. I have no special knowledge.

While at home, I do not use VPN. I do set up 2FA when it is available. I am gratified to learn that you turn off wi-fi when you are not using the internet (as do I), although I suspect that we are in the minority. I also use StartPage or DuckDuckGo, except when I want to use Google’s Advanced Search. I have enabled the built-in Firewall. In summary, my behavior is much like yours, and I do not believe you need to do more (except maybe turn on Firewall, since it’s so simple).

I have no advice for how to protect your partner.

I do not use banking apps, only web sites, so no advice there.

Sorry I couldn’t help more, and I will read other responses (if any) with interest.

This is a tough question because paranoia isn’t a positive state of being. You can take sensible precautions without worrying that some ill-defined evil is out to get you. Frankly, from what you describe, I think you’re already on the high end of taking more precautions than most. As long as you don’t feel that they’re significantly impinging on your usage patterns, that’s fine.

The question of what the average user should do is a different one (since you’re clearly not an average user). I’d say that the average user should use strong, unique passwords with a password manager, whether that’s 1Password or just iCloud Keychain these days. The average user should still change default passwords on things like routers. The average user absolutely should have a passcode on every iOS device and should have a login password on every Mac (but it doesn’t need to be super strong). It would be nice if average users would use 2FA, but apart from a very few super important systems (like Apple and Google), I doubt most would see the utility.

I wouldn’t trouble an average user who doesn’t see a cause of concern with custom DNS settings, VPNs, or things like alternative search engines. I also wouldn’t stress about turning off location services everywhere. It’s not that there’s anything wrong with these approaches, just that they’re probably going to cause more frustration than they’re worth to an average user.

It might be helpful to distinguish between security and privacy. For the average user who doesn’t understand any of this and doesn’t much care, such that you’re imposing behavior on them, security (as represented by things like having strong passwords in a password manager) is more important than privacy (doing things like turning off location services or using an ad blocker).

There’s no way of saying in general—it would be a case-by-case basis. In all likelihood, both are pretty good since banks are aware that they can’t get away with lax security.

I’m a big fan of DuckDuckGo. It’s just as comfortable as Google, but without dealing with all kinds of Google nasty. And if you’re concerned Google’s search results are better, then the DDG bangs are exactly what you need: !g will get you Google results without the usual Google baloney. In fact, considering all the great DDG bangs available, I’d have trouble going back to Google search. These days I search all the time using !i, !w, !imdb, !wes. I wouldn’t want to miss that level of convenience anymore.

The average user absolutely should have a passcode on every iOS device and should have a login password on every Mac (but it doesn’t need to be super strong).

Could you please explain “it doesn’t need to be super strong” a little?

Thank you,


The average user absolutely should have a passcode on every iOS device and should have a login password on every Mac (but it doesn’t need to be super strong).

Could you please explain “it doesn’t need to be super strong” a little?

I usually tell my clients that the password to their Mac can be weaker as it’s a physical device that has to be manually poked at, versus a web site that can be attacked from anywhere or a phone that can be lost / stolen as you wander through your day.

If I can get physical access to your computer I can probably change the password to your account… it just depends on how much time there is and what levels of security you have enabled.

Enabling FileVault, for example, makes it that much harder to access your information on your Mac if I don’t already know the password… but it increases the risk that if you lose the password you cannot get into it either. It does not matter how complex the password is.

A client of mine had a stroke and could no longer remember the password for his machine… and had the drive encrypted with FileVault. Fortunately I had his password noted in my password manager… and was able to help his son get into the Mac, which allowed him to access online banking and so forth.

It’s all about your level of acceptable risk.

Hope that helps!



As Adam said, that would be a case-by-case matter, but in general browser use reveals a huge amount of information about your computer while clients can be less apt to do so, depending on whether or not they use a browser rendering engine. Most such clients are developed by a few common developers and adapted to specific banking institutions. They likely only collect sufficient information needed to positively identify you as an authorized user.

VPNs can be an even bigger threat to privacy than non-use. The only perfectly safe ones are those where you can personally trust both ends of the connection, which generally means the VPN server is either in your home or at your place of work. If anywhere else, all your traffic is subject to harvesting by the VPN provider or anybody between that provider and the ultimate destination of said traffic.

I realize there are some folks that need to shield their actual IP address for certain site access or for political reasons. Those users should conduct thorough due diligence on both the provider’s business history and privacy policy, then keep their fingers crossed that they won’t betray you. Avoid all free VPN services. If it’s free, then you are their product and they make money by selling information about their users.

I’m shocked by that, considering all the other less dangerous features you are resorting to (e.g. turning WiFi off when not needing to connect).

In addition to turning the macOS firewall on, I have been a long-time user of Little Snitch. Have been using Pi-Hole to protect my entire network from ads and malicious sites for about a year now, with great results.


I am not. I tried using it for about a year, but continually disappointed that it failed to quickly find what I knew was out there somewhere (and what a Google search quickly found) as well as some of the features it lacks when trying to home in on shopping, images, videos, etc.

So I recently started using StartPage which is much more Google like with the same promise of privacy. I may have even received that recommendation here on TidBITS Talk.

The passwords for Macs and iPhones need physical access. No one is going to download a hash table of passwords and crack them. If you use passwords that are too long and complex, you might simply decide to set up your device so you only have to log in once and not every time you leave the system alone.

A short password works better simply because you’re more likely to use it when your Mac or iPhone is idle after a few minutes.

Of course, if you’re a top executive, a top political operative, or someone a government may be interested in, you might need a more secure password for your Macs and iPhones.

My iPhone has a six digit passcode and that’s it. My Mac’s password is very short and easy to type. Maybe if I had Face ID or my Apple Watch could more dependably unlock my Mac, I could use a longer and more convoluted password. But, my Mac needs a password if left idle for just a minute or two, so I may have to type it in a lot.

Along with what @theconsultant said, security is an onion, with multiple layers. When it comes to physical access, there should be other layers (locked doors, etc) that prevent an attacker from getting to the computer and being able to try passwords. It’s just overkill for an average user to have every layer of security be super strong, given that security strength always carries expense or hassle with it.

Obviously, if we’re talking about a laptop that you carry with you regularly (and could thus lose control of easily), the password should be stronger.

I’m also not suggesting the password be stupid easy, like 1234, but for an average user, the password should be easy to remember and type so that they aren’t tempted to turn it off entirely.
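The posts above make a threat-model argument: a password that only an attacker with the device in hand can try (a Mac login, an iPhone passcode) faces a very low guess rate, while a website password can end up in a leaked hash dump and be attacked offline at billions of guesses per second, so it needs to be long and random and live in a password manager. The added example below is not from the thread or from any of the posters; it generates both kinds of secret with Python's `secrets` module and computes how long each scheme would take to exhaust at two assumed guess rates (10 guesses per second for a rate-limited or hands-on attack, 1e10 per second for offline cracking; both figures are illustrative assumptions, not measurements). One caveat for the "offline" row: if an attacker can image the disk of a Mac whose FileVault key is protected only by the login password (no Secure Enclave enforcing rate limits), that password is effectively in the offline column too.

```python
import math
import secrets
import string

# Assumed guess rates, not taken from the thread. The online figure stands in
# for someone typing at a locked Mac or iPhone, or hitting a login page that
# throttles attempts; the offline figure stands in for GPU hash cracking.
ONLINE_GUESSES_PER_SEC = 10.0     # assumption
OFFLINE_GUESSES_PER_SEC = 1e10    # assumption

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_sec):
    """Worst-case time to try every value of a `bits`-bit secret, in years."""
    seconds = (2 ** bits) / guesses_per_sec
    return seconds / (365.25 * 24 * 3600)


def random_password(length=20, alphabet=PRINTABLE):
    """Website password: long and random, meant to be stored in a password manager."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def six_digit_passcode():
    """iPhone-style passcode: only viable because guess rate is tiny and hardware-limited."""
    return "".join(secrets.choice(string.digits) for _ in range(6))


def scheme_report(name, alphabet_size, length):
    """Summarise one password scheme under both attacker models."""
    bits = entropy_bits(alphabet_size, length)
    return {
        "scheme": name,
        "bits": round(bits, 1),
        "online_years": years_to_exhaust(bits, ONLINE_GUESSES_PER_SEC),
        "offline_years": years_to_exhaust(bits, OFFLINE_GUESSES_PER_SEC),
    }


def compare_schemes():
    """Schemes discussed in the thread, plus a diceware-style passphrase.
    The 7776-word list size is the EFF long word list; the list itself is not
    embedded here."""
    return [
        scheme_report("6-digit phone passcode", 10, 6),
        scheme_report("8 lowercase letters (Mac login)", 26, 8),
        scheme_report("4 words from a 7776-word list", 7776, 4),
        scheme_report("20 random printable chars (website)", len(PRINTABLE), 20),
    ]


if __name__ == "__main__":
    print("example website password:", random_password())
    print("example passcode:", six_digit_passcode())
    for r in compare_schemes():
        print(f"{r['scheme']:<40} {r['bits']:>6} bits  "
              f"online: {r['online_years']:.3g} y  offline: {r['offline_years']:.3g} y")
```

Reading the table: the 6-digit passcode and the short Mac login are exhausted in hours to centuries at 10 guesses per second, which is the whole point made in the thread, but both fall in seconds against offline cracking, which is why the same password must never be reused on a website. The 20-character random string is comfortable in both columns, and nobody is expected to remember it.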

It depends on who you are, what you do, what you need to protect and why, and your comfort levels with different kinds of risks/creepiness. This is often called a threat model.

EFF has a good and comprehensive guide explaining different threat/security models, and how to deal with them.

Security Planner is a much quicker “select what you care about and this is what you might want to do about it”:

For people with extra risks, such as journalists, there’s “Security for the High-Risk User: Separate and Unequal”:


I used to work for a company that handled extremely confidential material - trade secrets, SEC filings. They were EXTREMELY security conscious. I don’t remember what VPN they used, but they did require that it be used on company devices, and it was not a free one. For personal usage, the top security guy recommended using a VPN in Starbucks, McDonalds, hotels, esp. if you are going to do some online ordering there. He also recommended a VPN 100% of the time for personal travel outside the US. But for everyday usage, very strong passwords and a password manager should be sufficient. It should be fine to order from Starbucks, etc. away from the store, but it is a little risky to order online inside without the VPN.

Thanks for all the good input. I figured I’m fairly secure and private. There is so much talk, not just here, about VPNs, I was curious about the need for one. Doesn’t seem necessary in my situation. Will keep encouraging non-tech buddy to let keychain create (and remember) better passwords, but am not hopeful — old dog, new tricks :woozy_face: Thanks again!

A family friend just lost $8000 out of her bank account because she hadn’t been checking her statement every month as soon as it arrived – and the bank only covers losses for the previous month or two.

Apparently six months or more ago someone cracked her bank account and set up several autopays, starting small and increasingly large when she didn’t notice them.

All the money’s gone.
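The fraud pattern in the post above (an unfamiliar recurring payee whose amount climbs each month while nobody is looking) is easy for a person to miss on a long statement but easy to spot mechanically. The added example below is not from the thread or the bank involved; it runs two simple checks over a constructed, fictitious statement in CSV form: any recurring payee the account holder does not recognise, and any recurring payee whose amount grows by a large factor month over month. The payee names, amounts and the 1.5x growth threshold are illustrative assumptions. Real bank statements come in many export formats, and the bank's own transaction alerts remain the first line of defence; this only shows what a monthly review should be looking for.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample statement (fictitious account, fictitious payees).
# One row per debit; the escalating "ACME Svc Ltd" line mirrors the pattern
# described in the thread.
SAMPLE_STATEMENT = """\
date,payee,amount
2023-01-03,Electric Co-op,112.40
2023-01-05,Fastmail,5.00
2023-01-09,ACME Svc Ltd,4.99
2023-02-03,Electric Co-op,118.10
2023-02-05,Fastmail,5.00
2023-02-09,ACME Svc Ltd,19.99
2023-03-03,Electric Co-op,109.75
2023-03-05,Fastmail,5.00
2023-03-09,ACME Svc Ltd,89.00
2023-04-03,Electric Co-op,101.20
2023-04-05,Fastmail,5.00
2023-04-09,ACME Svc Ltd,450.00
"""

# Payees the account holder knows they set up (constructed list).
KNOWN_PAYEES = {"Electric Co-op", "Fastmail"}


def parse_statement(text):
    """Parse CSV rows into (date, payee, amount) tuples."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append((date.fromisoformat(r["date"]), r["payee"], float(r["amount"])))
    return rows


def recurring_payees(rows, min_months=2):
    """Group debits by payee and keep those seen in at least `min_months` distinct months."""
    by_payee = defaultdict(list)
    for d, payee, amt in sorted(rows):
        by_payee[payee].append((d, amt))
    return {p: hist for p, hist in by_payee.items()
            if len({(d.year, d.month) for d, _ in hist}) >= min_months}


def is_escalating(history, growth=1.5):
    """True if every successive debit is at least `growth` times the previous one."""
    amounts = [a for _, a in history]
    return len(amounts) >= 3 and all(b >= a * growth for a, b in zip(amounts, amounts[1:]))


def flag_suspicious(rows, known=KNOWN_PAYEES):
    """Return findings for recurring payees that are unrecognised or escalating."""
    findings = []
    for payee, hist in recurring_payees(rows).items():
        reasons = []
        if payee not in known:
            reasons.append("unrecognised recurring payee")
        if is_escalating(hist):
            reasons.append(f"amount escalated {hist[0][1]:.2f} -> {hist[-1][1]:.2f}")
        if reasons:
            findings.append({
                "payee": payee,
                "total": round(sum(a for _, a in hist), 2),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(parse_statement(SAMPLE_STATEMENT)):
        print(f"{f['payee']}: {f['total']:.2f} total; " + "; ".join(f["reasons"]))
```

On the sample data only the unrecognised, escalating payee is reported; the known utility bill, which also varies month to month, is not, because ordinary fluctuation does not meet the growth threshold. Run monthly on a fresh export, the "unrecognised recurring payee" check alone would have surfaced the first small charge, well inside the one-to-two-month window the bank in the story honours.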

Here’s another reason not to use VPN until this is fixed: Tricky VPN-busting bug lurks in iOS, Android, Linux distros, macOS, FreeBSD, OpenBSD, say university eggheads.