Once upon a time, you could assume you were pretty safe on the internet, so long as you were careful. But that’s changed. Through no fault of your own, your data can leak, your passwords can become compromised, and you can more easily fall prey to malware.
In 2025, you should assume online attacks are commonplace. The continued rise in use of AI is only accelerating their speed and sophistication, and that shift won’t slow.
To help, we previously outlined 10 simple security tweaks that keep you from getting hacked. But if it’s not clear what software or gear to arm yourself with overall, not to worry, the list below tells you the basics I recommend for broad protection.
Antivirus
Jim Martin / Foundry
As mentioned above, even if you’re careful, the potential of being exposed to phishing sites, malware, ransomware, and other threats is higher than ever. So having good antivirus software at your back is vital.
At the most basic level, you should have Microsoft’s built-in Windows Security antivirus suite active. (Which it should be, so long as you haven’t messed with its settings.) These days, Microsoft’s antivirus protection can be trusted and it runs unobtrusively in the background.
Paid antivirus software like Norton 360 Deluxe (our current favorite pick for antivirus) offers an extra helping hand. It simplifies the wider branches of security defense by providing additional features like dark web monitoring, VPN service, and a password manager, then integrating them into a single interface.
Password manager
Martyn Casserly / Enpass
Whether part of an antivirus suite or an independent service, a password manager is necessary to track strong, unique logins across the web. But equally important, they can help minimize how much of your personal data is saved across the web.
For example, instead of allowing individual shopping sites to keep your credit card info or physical address on file, you can maintain privacy (and security) by storing those details in your password manager. You’ll be less at risk for basic fraud if someone gets unauthorized access to your account (no ability to use your credit card to buy things), or personalized scams based on leaked data through breaches.
The simplest choice is the password managers offered by Google or Apple, though Google has the edge due to being available on more platforms. While on the basic side, they’ve come a long way, and work well to combat the temptation of using weak passwords (or worse, reusing them).
Upgrading to an independent service like Bitwarden or Dashlane opens up more features, like unrestricted password sharing, shared vaults for families, emergency access, and monitoring for compromised passwords. The two services named here are our top picks for best free password manager and best password manager, respectively, but you can check out our full recommendations for more options.
Two-factor authentication app
PCWorld
These days, you want more than just a lone password standing between you and a bad actor. Two-factor authentication (aka multi-factor authentication) adds a second checkpoint to clear before you can access an account—meaning that even if a hacker steals or deduces your password, they won’t have all the info needed to log in successfully.
If you have the option, the simple way to use 2FA is through app-generated one-time codes. They’re more secure than codes sent over text message (SMS), which have a risk of being intercepted. Authy is popular among our staff, as you can use it across multiple platforms, limit access to new devices, and restrict app access with a PIN or biometric authentication.
Google Authenticator is also another alternative, though it’s not quite so full-featured and requires a Google account to back up your codes to the cloud. For the more cautious, Aegis and Raivo allow you to store your codes locally on your device (though you’ll need to back these up, in case your phone bites the dust).
While you can store 2FA tokens in a password manager, I recommend two separate apps—just on the off chance your vault is compromised, the attacker won’t get full access to all your accounts.
Your phone (or PC)
Mark Hachman / IDG
Yep, what you have in your pocket (or on your desk) can be a powerful security tool. If you hate passwords and 2FA, you can use your phone or PC to log into your accounts in a different way—via passkeys.
Passkeys are fast, easy, and arguably simpler than passwords. You don’t have to memorize them—you just save the passkey to your device. Plus, they’re tied to the device you’ve stored them on, so they can’t be stolen and used by hackers the way passwords can. And all you need is biometric authentication or PIN to authorize a passkey’s use.
Mobile devices and computers alike support passkeys—you can save them to your phone, PC, or both. They’re uniquely generated per device, but you can generate as many as the website will allow.
Sadly, not every every site or service supports passkeys yet. Many major ones do, like Google, Apple, Microsoft, Facebook, Best Buy, Target, etc, but integration is still rolling out across the web. So for those other sites—you’ll still want to use the combo of good password + 2FA.
Email masks
PCWorld
You know to use unique (and strong) passwords for your accounts. But random unique user names are now a good idea, too.
With all the data breaches, credential stuffing is barely work for an attacker. They just plug your usual username (or email address) into login forms, along with the stolen password, and see what takes.
A good password manager can generate unique usernames for you. For sites that use email addresses as your userID, an email masking service will create disposable email addresses that forward to your main account.
Email masks differ from email aliases offered by Gmail and ProtonMail, which let you add additional text after your username (e.g., username+randomaddition@gmail.com). Those address variations, while helpful for filtering incoming messages, don’t give you true privacy. It’s easy to deduce what the real email address is.
Free email masking sites exist—DuckDuckGo lets you create as many as you like while Firefox Relay offers five free masks. For paid options, Apple iCloud+ subscribers get access to the company’s Hide My Email feature while SimpleLogin offers a wider array of features (including integration with password managers like Bitwarden and ProtonPass). Select email providers like Fastmail also offer masked email as an integrated feature.
If you’re on a budget, at least consider email masks for your most sensitive accounts (financial, medical, etc).
Optional bonus: Google Voice number
Jared Newman / IDG
Not every website supports software-based codes for two-factor authentication. Some only support SMS codes, which aren’t as secure. (Banks are the worst offenders.) Hackers know this, which means they sometimes resort to SIM jacking to steal codes.
To lower this risk, some people only share their real phone number with valuable or sensitive services like financial and medical institutions. For everything else, they give out their Google Voice number—a service available to anyone with a personal Google account. You get a US-based phone number that you can use for calls and texts through Google’s desktop website or mobile apps. You can also forward any calls to your real number. No one knows it’s not the number issued by your cell phone carrier.
Why not do the reverse? Many banks won’t send 2FA one-time codes to a VOIP number, so Google Voice numbers don’t qualify. It’s a pity, too, since Google Voice numbers can’t be SIM jacked.
