In this article, we will look at 10 things you should avoid doing if you want to stay safe online. The goal is to avoid common mistakes and develop simple, better habits. By doing so, you can strengthen your own cybersecurity and enjoy a safer, more relaxed browsing experience on the internet.
1️⃣ Using the Same Password for Everything
A “good” password for all accounts may seem practical in everyday life, but in reality it poses a significant security risk. If that single password is ever lost or stolen by hackers, all accounts become compromised. It becomes especially critical if credentials for email or online banking are affected, since these accounts often serve as central keys to many other services. How a single password can still work is explained in a separate blog article on passwords.
A frequently underestimated problem is data breaches at online services. Although they regularly make the news, in everyday life people rarely take them seriously. Again and again, entire databases containing personal data and passwords are stolen and sold on the dark web. Attackers then use these lists to automatically try the same credentials across other services. This approach is called credential stuffing, and it works even if a password appears complex at first glance.
This means that the strength of a single password is only of limited value if it has already appeared in a leak and is reused elsewhere. The key factor is therefore that each account has its own unique password.
However, different passwords alone are not enough if they are too simple. Variations such as the same word with numbers added at the end or slightly modified patterns are often easy for attackers to guess or crack automatically. A typical example would be the name of a pet or child combined with a birth date or year and a special character, such as “Kittycat2026!”. Such passwords may meet technical minimum requirements, but in practice they do not provide strong protection. Each password should therefore not only be unique, but also sufficiently complex and unpredictable.
Of course, this sounds like an impossible task. After all, no one can remember dozens of complex passwords. This is exactly where password managers help. They generate secure and individual passwords for each account and store them in encrypted form. You only need to remember a single strong master password. Combined with two-factor authentication, this creates a significantly higher level of security in everyday use.
There are now countless password managers available, so there is something for everyone. To make the choice easier for beginners, we present three of them:
- KeePassXC is a local application with a browser extension for Firefox or Chrome. Passwords are stored in an encrypted file that you manage yourself and can transfer or synchronize between devices as needed.
- Bitwarden is a cloud-based password manager with apps and browser extensions that allows easy access across multiple devices. For many users it is very convenient, but whether it is the right fit depends on your security and privacy requirements.
- For Apple users, there is also the built-in Passwords app, which is automatically available on all Apple devices and synchronizes via iCloud.
If you want to check whether accounts associated with your email address have already been affected by a data breach, you can use services such as “Have I Been Pwned”. There you can quickly see whether your credentials have appeared in known leaks. If that is the case, those passwords should be changed immediately.
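As an added illustration (not part of the original article), the following Python example audits a password list for the two problems described in this section: the same password reused across accounts, and the predictable word-plus-year-plus-symbol pattern such as “Kittycat2026!”. The account names and passwords are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample data (account -> password); not real credentials.
SAMPLE_VAULT = {
    "mail.example": "Kittycat2026!",
    "bank.example": "Kittycat2026!",
    "forum.example": "kittycat2019",
    "shop.example": "v9#Lq2!xTz0pWm4r",
}

# A word, then digits (year or birth date), then optional trailing symbols.
PREDICTABLE = re.compile(r"^([A-Za-z]{3,})(\d{2,8})([^A-Za-z0-9]*)$")


def base_word(password):
    """Return the lowercased word stem if the password is word+digits+symbols."""
    match = PREDICTABLE.match(password)
    return match.group(1).lower() if match else None


def audit(vault):
    """Report exact reuse, predictable patterns, and variants of one stem."""
    by_password = defaultdict(list)
    by_stem = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
        stem = base_word(password)
        if stem:
            by_stem[stem].append(account)

    # Same password on several accounts: one leak exposes all of them.
    reused = sorted(sorted(accts) for accts in by_password.values() if len(accts) > 1)
    # Passwords that only meet the formal minimum requirements.
    predictable = sorted(a for accts in by_stem.values() for a in accts)
    # Different passwords built on one stem are not really "different".
    variants = {
        stem: sorted(accts)
        for stem, accts in by_stem.items()
        if len({vault[a] for a in accts}) > 1
    }
    return {"reused": reused, "predictable": predictable, "variants": variants}


if __name__ == "__main__":
    findings = audit(SAMPLE_VAULT)
    for group in findings["reused"]:
        print("Same password on:", ", ".join(group))
    print("Predictable pattern on:", ", ".join(findings["predictable"]))
    for accounts in findings["variants"].values():
        print(f"Variants of one base word on: {', '.join(accounts)}")
```

The output lists account names only, so the passwords themselves never appear on screen or in a log.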
2️⃣ Falling for Phishing
Phishing is often so successful because it does not look like a traditional attack. At first glance, the messages appear normal, sometimes even familiar, and that is exactly what makes them dangerous. They end up among real emails, parcel notifications, or account updates and therefore often go unnoticed.
A typical tactic is to create a sense of urgency. Something is supposedly urgent, an account is said to be locked, or a payment needs to be confirmed. In such moments, people who do not pay close attention often click faster than they actually intend to.
The problem is not just the click itself, but what happens afterward.
Depending on the type of attack, either login credentials are stolen or malware is installed on the device. It becomes particularly critical when email or online banking accounts are involved, as these accounts are often centrally connected to many other services.
Such messages are rarely obviously suspicious at first glance. Small details such as a slightly altered web address, unusual wording, or behavior that does not match the normal process of the service are often the only clues.
The safest approach is therefore to generally avoid clicking links in such messages and instead open the service directly via the known website or app. In many cases, this immediately clarifies whether the message is genuine or not.
Over time, this develops into a kind of reflex. Anyone who learns to avoid opening such messages immediately and instead takes a moment to check significantly reduces their risk, without needing any technical expertise.
3️⃣ Not Creating Backups
Many people store their data in only one place: young people mostly on their smartphone, older users on a laptop or computer. As long as everything works, this seems completely unproblematic. It only becomes frustrating when that single device breaks or gets lost. That is when you quickly realize how valuable your data really is. In IT, there is a classic saying: “No backup, no pity!”
Backups ensure that a second copy of your data exists, which you can fall back on in case of emergency. Today, this is relatively easy to achieve through automatic cloud backups such as iCloud or OneDrive. These run in the background, and you hardly need to worry about them. If you want more control, you can create backups yourself, for example on an external hard drive. This requires a bit more effort, but keeps your data completely in your own hands.
The important thing is that backups are kept as up to date as possible and are also tested. An old backup is of little use if important new data is missing. From time to time, you should check whether your data can actually be restored. A backup that does not work is, of course, useless in an emergency.
4️⃣ Ignoring Updates
Software updates are often something people like to postpone. “Not now” or “Remind me later” sounds harmless, which is exactly why updates are frequently delayed longer than is actually safe. The problem is that known security vulnerabilities remain open during this time.
Many of these weaknesses are not just theoretical risks; they are actively exploited. Attackers rely on systems not being updated immediately. This is especially critical for smartphones, browsers, or frequently used software, as these provide direct access to a large amount of personal data.
Updates are not only about new features or visual changes. In many cases, they specifically fix security issues that are already known and sometimes publicly documented. An unpatched system therefore often remains vulnerable, even if the user has not misconfigured anything.
In everyday use, the problem usually arises from procrastination. An update gets postponed because there is no time at the moment or because the device is still in use. This is especially common with Windows updates, where many users are used to delaying them for as long as possible, since updates have occasionally caused issues in the past. However, this behavior leads to important security patches being installed much later or eventually being forgotten altogether.
The simplest solution: enable automatic updates. This ensures that important updates are installed in the background without requiring any manual action.
Otherwise, the rule is: install updates as soon as possible, especially for devices and applications with internet access.
In the end, the risk does not arise from a lack of knowledge, but from postponed decisions.
5️⃣ Allowing All App Permissions
Directly after opening a new app, you are often asked for access to the camera, microphone, contacts, or location. Most people quickly tap through these prompts just to get the app working.
The problem is not a single permission, but the combination of many access rights and the fact that not every app downloaded from an app store is 100% safe. If an application has security flaws or, in the worst case, is compromised, extensive permissions can significantly increase the potential damage.
Many apps also request permissions that are not actually necessary for their core function. A simple game usually does not need access to contacts, and a flashlight app rarely has a legitimate reason to request location data. In everyday use, such requests are often approved without much thought and then forgotten. That is why it is worth reviewing app permissions from time to time and revoking unnecessary access. This usually only takes a few minutes and can be done directly in the smartphone settings.
If certain features, such as location, are actually required, it is possible to allow permissions only while the app is in use. This ensures that apps can only access specific data when they are actively being used.
Taking a few minutes to clean this up not only reduces unnecessary data sharing but also helps ensure that potential vulnerabilities in individual apps have less severe consequences.
6️⃣ Using Public Wi-Fi Without Protection
Public Wi-Fi networks are of course convenient, but you never really know who else is lurking in the same network. In cafés, at train stations, or in hotels, it feels like you are simply online as usual, but in the background, your data traffic may under certain conditions be easier to intercept than in your own home network.
A VPN can help here.
It encrypts the connection between your device and the VPN server, making it significantly harder for others on the same network to eavesdrop on your data.
And that brings us to today’s sponsor of this article: Nord… just kidding. But in fact, VPN services are a useful extra layer of protection when you are online on the go. Providers like NordVPN or ExpressVPN tend to focus on ease of use and broad accessibility, while Mullvad (recommended 👍) is more geared toward privacy and minimal data collection. Depending on your needs, these solutions can differ quite noticeably, and there is now likely a suitable option for almost everyone.
Regardless of the provider, a VPN is not a free pass for careless behavior, but it is a very helpful tool if you want an extra layer of security while being online on the move.
7️⃣ Leaving Old Accounts Behind
Old accounts are quickly forgotten. For example, an old Hotmail or GMX address from the past, a long-unused social media profile (does anyone still remember Netlog?), or a forum you may have registered for decades ago.
Old email accounts in particular are a real problem. They are often unused for years, have weak passwords, or may already have been part of a data breach.
And it is not just about the email account itself. Email addresses are often the central key to other services. Password resets are usually still linked to those old email addresses that were used when the accounts were originally created. If an attacker gains access to them, they can try to take over other connected accounts.
In addition, old inboxes often contain a surprising amount of personal information. Old registrations, orders, addresses, or even documents may have been sitting there for years and can be misused, for example, for fraud or identity theft.
Social media accounts are not harmless either. Compromised profiles are often used to send spam, contact people, or make scams appear more credible because they come from a “real” account.
Old accounts therefore do not simply disappear. They remain and tend to become less secure over time.
That is why it is worth consciously reviewing such digital leftovers. Either secure them properly or delete them if they are no longer needed. Everything in between is, in essence, an open security risk.
8️⃣ Leaving Devices Unsecured
Anyone who quickly steps away from their desk in the office to go to the restroom without locking their screen might return to find a changed wallpaper. A small prank among colleagues, usually harmless and quickly fixed.
However, things are quite different when a laptop is left open in a café while you briefly go to get a drink. In that moment, the device is accessible to anyone sitting nearby.
At that point, it is no longer just about harmless jokes. Open emails can be read, and logged-in browser sessions can be used directly. On an unattended, unlocked smartphone, private messages or photos can be viewed. In the worst case, the device may even be taken outright, since an unlocked device is much easier to reset and resell.
A simple lock using a PIN, fingerprint, or automatic screen lock prevents exactly this and ensures that devices cannot be used when left unattended. Modern devices often require such security during setup. If this was skipped or not configured, it should definitely be set up afterward.
9️⃣ Clicking Without Thinking
On the internet, you often come across things that immediately tempt you to click or even put pressure on you. A pop-up might warn you about a supposed virus and urge you to “REMOVE VIRUS NOW”, or a banner claims “You have won an iPhone!” These are not coincidences, but deliberate attempts to get users to take action.
Behind such content there is usually a clear purpose: either to install software, steal data, or redirect you to websites that are not what they claim to be.
Even when using Google, caution is important. The first results are not always the best, but often simply the most heavily advertised.
Among these results, there can also be pages that imitate well-known services. Anyone who clicks the first link without thinking may end up on a fake website faster than expected.
Pop-up notifications should also be treated with caution. Real warnings usually come from your device itself or from installed antivirus software, not from random websites in the browser.
An ad blocker can work wonders. It automatically blocks many of these aggressive advertisements. While it does not replace careful behavior, it does make browsing significantly more pleasant and safer. One example of such an ad blocker is the reliable uBlock Origin, available for Firefox, Chrome, Edge, or Safari.
A brief moment of reflection before clicking is often the most effective protection on the internet.
🔟 Neglecting Security Culture
In almost every group of friends, there is someone who tends to say things like: “That won’t happen to me” or “I don’t have anything important on my device anyway.” It is exactly this mindset that often leads people to neglect their own security.
Most problems do not arise from a single major mistake, but from many small decisions that add up over time. A quick click here, a password reused across multiple accounts, an update postponed until later. It often happens in passing, without much thought, because there is no immediate consequence.
Over time, this creates a routine in which such small issues are no longer questioned, simply because nothing bad has happened so far.
Let’s look at a fictional example that combines several small and seemingly harmless issues:
Initial situation
- An old account from an online forum, long forgotten, was never deleted.
- An old email address, also unused for years, is linked to this account.
- Both accounts use the same password. After all, it was easier to remember.
- The old email address is also used as a recovery option for a current account.
Problem
The era of old online forums is long over. The administrators no longer maintain regular updates, and eventually an opportunistic hacker, following a YouTube tutorial, gains access to the forum’s user database with just a few clicks. Inside: the old email address and its corresponding password. Armed with this information, the attacker can now access the victim’s outdated email inbox. From the information stored in old emails, the hacker can learn a surprising amount about the person behind the account, such as name, address, date of birth, names of family members and friends, hobbies, and more. From there, it is often easy to identify the victim’s current accounts. And as it turns out, at least one of them still uses the old email address as a recovery option. After the attacker tries a few password resets, a recovery link lands in the old inbox, and a few clicks later, the current account is compromised. And if that does not work, the old inbox alone already contains enough information to craft a highly convincing phishing email.
Conclusion
No one starts out consistently and flawlessly following all recommendations to avoid the issues mentioned above, and that is not necessary either. For most people, cybersecurity is not an everyday concern. This makes small adjustments in personal habits all the more important, as they can have a significant long-term impact. Measures such as using secure passwords, installing regular updates, or being mindful when dealing with suspicious emails and pop-ups can greatly improve your personal security level. Even if individual steps may seem minor at first, they can make a big difference over time and help effectively reduce digital risks.
Cybersecurity is not a one-time setup, but an ongoing process.
Just a few small changes in habits are enough to significantly increase your level of safety online.