Image: Lia Kantrowitz/Jason Koebler

The Motherboard Guide to Not Getting Hacked

Do you want to stop criminals from getting into your Gmail or Facebook account? Are you worried about the cops spying on you? We have all the answers on how to protect yourself.

Nov 12 2018, 3:00pm

Editors' note: This is Motherboard's comprehensive guide to digital security, which will be regularly updated and replaces some of our old guides. There is a version history at the bottom of this post.

Last update: November 12, 2018. This is also available as a plaintext file.

One of the questions we are asked most often at Motherboard is “how can I prevent myself from getting hacked?”

Because living in modern society necessitates putting an uncomfortably large amount of trust in third parties, the answer is often “not a whole lot.” We said that last year when we published this guide, and, since then, that reality has become even more obvious. Take, for example, the recent Facebook hack that affected nearly 30 million users worldwide, exposing the location and search history of 14 million of them. The hackers behind the breach took advantage of a useful privacy feature and leveraged it to steal digital “tokens” that gave the hackers full access to victims’ accounts. There was nothing those users did wrong, nor was there anything they could’ve done to prevent getting hacked aside from not having a Facebook account at all.

We live in a world where hackers steal hundreds of millions of passwords from companies in one swoop and occasionally cause large-scale blackouts. The future is probably not going to get better, with real-life disasters caused by internet-connected knick-knacks, smart home robots that could kill you, and your telecom providers who routinely lose customer data and unwittingly help hackers steal your phone number (and sometimes your money). Meanwhile, an ever-growing and increasingly passive surveillance apparatus that has trickled down to state and local police is an ever-present threat to our digital privacy and increasingly uses technology that is developed by Silicon Valley giants who are supposedly consumer-focused.

That doesn’t mean it’s hopeless out there. There are lots of things you can do to make it much more difficult for hackers or would-be surveillers to access your devices and accounts, and the aim of this guide is to give you clear, easy-to-follow steps to improve your digital security. There are, broadly speaking, two types of hacks: Those that are unpreventable by users because of the trust we must place in third parties in order to live a normal life, and those you can generally prevent. We want to help you mitigate the damage of the first and prevent the second from happening.

You, as an individual user, can’t do anything to prevent your email provider, your cell phone provider, or the company that holds your financial details from getting hacked. But you can avoid phishing attacks that will let a hacker get into your individual email account, and you can also prevent a password obtained in a larger hack from being reused on another, separate account you have.

This guide isn’t comprehensive and it’s not personalized; there is no such thing as “perfect security” and there are no one-size-fits-all solutions. Instead, we hope this will be a jumping-off point for people looking to batten down the hatches on their digital lives.

That’s why we’ve tried to keep this guide as accessible as possible, but if you run into any lingo you don’t know, there’s a glossary to help out.

The guide is the work of many people at Motherboard, both past and present. It has been vetted by several security experts, who we owe a great debt to. The tips and advice within it have grown out of years of writing and research on digital security by dozens of reporters and infosec professionals. Consider it a work-in-progress that will receive at least one big annual refresh, as well as smaller updates when major new vulnerabilities are exposed. Even if you read the guide last year, we think it’s worth it to read our new version, as lots of our advice has changed or become outdated as new threats have emerged and new tactics to keep yourself safe have become more accessible.

And so, we present you the Motherboard Guide To Not Getting Hacked 3.0, with updates throughout the whole guide, and entire new sections. In the next few days, we will also publish several subject-specific guides about how to use the iPod as a secure communications device, how to securely wipe your computers and smartphones, and how to tell whether your accounts have been hacked.

Stay safe, and stay vigilant.



Everything in this guide starts with “threat modeling,” which is hacker lingo for assessing how likely you are to get hacked or surveilled. When thinking about how to protect your digital communications, it is imperative that you first think about what you’re protecting and who you’re protecting it from. “Depends on your threat model” is a thing infosec pros say when asked questions about whether, say, Signal is the best messaging app or Tor is the best browser to use. The answer to any question about the “best” security decision is almost always “it depends.”

No security plan is identical to any other. What sort of protections you take all depend on who may try to get into your accounts or read your messages. The bad news is that there are no silver bullets (sorry!), but the good news is that most people have threat models in which they probably don’t have to live like a paranoid recluse to be reasonably safe online.

So before doing anything else, you should consider your threat model. Basically, what are you trying to protect, and who are you trying to protect it from?

The Electronic Frontier Foundation recommends asking yourself these five questions when threat modeling:

  • What do you want to protect?
  • Who do you want to protect it from?
  • How likely is it that you will need to protect it?
  • How bad are the consequences if you fail?
  • How much trouble are you willing to go through in order to try to prevent those?

Is your threat an ex who might want to go through your Facebook account? Then making sure they don't know your password is a good place to start. (Don't share critical passwords with people, no matter who they are; if we're talking Netflix or an account you create with the intention of sharing, make sure you never reuse that password elsewhere.) Are you trying to keep opportunistic people from pulling together your personal information—such as your birthday and the name of your high school—which in turn can be used to find other details? Well, keeping an eye on what sort of stuff you publish on social media would be a good idea. And two-factor authentication (more on that below) would go a long way to thwarting more serious criminals. If you are an activist, a journalist, or otherwise have reason to fear government, state, or law enforcement actors want to hack or surveil you, the steps you must take to protect yourself are significantly different than if you’re trying to keep plans for a surprise party secret from your best friend.

Overestimating your threat can be a problem too: if you start using obscure custom operating systems, virtual machines, or anything else technical when it's really not necessary (or you don't know how to use it), you’re probably wasting your time and might be putting yourself at risk. At best, even the most simple tasks might take a while longer; in a worst-case scenario, you might be lulling yourself into a false sense of security with services and hardware that you don’t need, while overlooking what actually matters to you and the actual threats you might be facing.

In certain places, this guide will offer specific steps to take if you have a threat model that includes sophisticated actors. But, in general, it’s designed for people who want to know the basics of how to strengthen their digital security. If your threat model includes NSA hackers or other state-sponsored groups like Fancy Bear, we recommend that you speak to a trained professional about your specific situation.


Probably the most important and basic thing you can do to protect yourself is to update the software you use to its newest version. That means using an updated version of whatever operating system you're using, and updating all your apps. It also means updating the firmware on your router, connected devices, and any other gadgets you use that can connect to the internet.

On your computer, you don't necessarily have to use the latest iteration of an operating system. In some cases, even slightly older versions of operating systems get security updates. (Unfortunately, this is no longer the case with Windows XP—stop using it!) What's most important is that your OS is still receiving security updates, and that you're applying them.

If you come away with one lesson from this guide, it should be update, update, update, or patch, patch, patch.

Many common cyberattacks take advantage of flaws in outdated software such as old web browsers, PDF readers, or spreadsheet and word-processing tools. By keeping everything up to date, you have a much lower chance of becoming a victim of malware because responsible manufacturers and software developers quickly patch their products after new hacks are seen in the wild.

Hacking is often a path of least resistance: you go after the easy, soft targets first. For example, the hackers behind the destructive ransomware outbreak known as WannaCry hit victims who had not applied a security update that had been available for weeks. In other words, they knew they were going to get in because the victims had not changed the lock on their door even though their keys had already been made available to everyone.


We all have too many passwords to remember, which is why some people just reuse the same ones over and over. Reusing passwords is bad because if, for example, a hacker gets control of your Netflix or Spotify password, they can then use it to get into your ridesharing or online banking service to drain your bank account. Even though our brains aren't actually that bad at remembering passwords, it's almost impossible to remember dozens of unique, strong passwords.

The good news is that the solution to these problems is already out there: password managers. These are apps or browser extensions that keep track of passwords for you, automatically help you create good passwords, and simplify your online life. If you use a manager, all you have to remember is one password, the one that unlocks the vault of your other passwords.

That one password better be good though. Forget about capital letters, symbols, and numbers. The easiest way to make a secure master password is to make a passphrase: several random but pronounceable—and thus easier to memorize—words. For example: letdown birdie carbine mandrake alga gag (don’t use this one though, we just burned it.)

Once you have that you can use unique passwords made of a lot of characters for everything else, as long as you create them with a password manager and never reuse them. The master password is better as a passphrase because it's easier to memorize, and the other passwords don't need to be memorized because the manager will remember them.

Intuitively, you might think it's unwise to store your passwords on your computer or with a third-party password manager. What if a hacker gets in? Surely it's better that I'm keeping them all in my head? Well, not really: The risk of a crook reusing a shared password that has been stolen from somewhere else is far greater than some sophisticated hacker independently targeting your database of passwords. For example, if you used the same password across different websites, and that password was stolen in the massive Yahoo! hacks (which included 3 billion people), it could easily be reused on your Gmail, Uber, Facebook, and other accounts. Some password managers store your passwords encrypted in the cloud, so even if the company gets hacked, your passwords will be safe. For example, the password manager LastPass has been hacked at least twice, but no actual passwords were stolen because the company stored them securely. LastPass remains a recommended password manager despite those incidents. Again, it's all about understanding your own threat model.

So, please, use one of the many password managers out there, such as 1Password, LastPass, or KeePass. You can also probably use the password-storage feature included in modern browsers such as Chrome and Safari (but be careful if you share your computer!). That’s better than not using a password manager at all, but a dedicated app is ideal. There's no reason not to do it. It will make you—and the rest of us—safer, and it'll even make your life easier because you won’t need to remember any passwords except your master password.

If your employer asks you to change passwords periodically in the name of security, please tell them that's a terrible idea. Research shows people are more likely to use weak, near-identical passwords when forced to switch often. If you use a password manager, two-factor authentication (see the next section), and have unique strong passwords for every account, there's no need to change them all the time—unless there’s a breach on the backend or your password is stolen somehow.


Having unique, strong passwords is a great first step, but even those can be stolen. So you should add an extra layer of protection known as two-factor authentication (also known as two-step or 2FA) to your accounts. You should do this for any account that offers two-factor authentication, but you should especially make sure you do it on your most important ones (your email, your Facebook, Twitter accounts, your banking and financial accounts.) Again, a lot of services these days offer two-factor, so it doesn’t hurt to turn it on in as many places as you can. See all the services that offer 2FA at .

By enabling two-factor you'll need something more than just your password to log into those accounts. Traditionally, this has been a numerical code sent to your cellphone via text message. But increasingly, the “second factor” is a code created by a specialized app, or a small, physical token like a USB key. Before talking about those options, however, we want to warn you that the specifics of using two-factor security have changed quite a bit since last year.

Though you may be most familiar with using text messages (SMS) as a second factor, this is no longer considered safe. Thousands of people have had their online accounts hacked by relatively low-skilled criminals who were able to bypass two-factor authentication by stealing their phone number and intercepting their text message-based security codes. And the National Institute of Standards and Technology (NIST), a part of the US government that writes guidelines on rules and measurements, including security, has discouraged the use of SMS-based 2FA.

The recent attacks on thousands of people were made possible by “social engineering.” In the increasingly common attack known as “SIM swapping,” a customer service rep at a telecom company is tricked by a criminal into making a victim vulnerable. The attack involves getting phone companies to issue a new SIM card to the attackers, allowing them to take over the targeted phone number. That means when hackers use someone’s first factor (the password) to log in to the target’s account, the second-factor code is sent directly to the hacker, rather than the victim who owns the account. What’s worse, in some cases hackers don’t even need the password, because the service they’re targeting allows passwords to be reset using the phone number provided as the second factor. This is an increasingly common hack.

It's hard to defend against an attack like that, and it’s a sad truth that there is no form of perfect security. But there are steps you can take to make these attacks harder.

What this means for two-factor authentication is that you should, if the website allows it, use another 2FA option that isn't SMS-based, such as an authentication app on your smartphone. Users familiar with SMS-based two-factor shouldn’t have much trouble making the switch. When you try to log in to an account with two-factor enabled, you’ll still need to enter a six-digit code, but the code will be generated by the app on your phone, rather than being sent as a text message. Authentication apps are easy to use, with straightforward setup processes once you install them. Some good options are Google Authenticator, DUO Mobile, and Authy. Besides offering better security than text message-based two-factor, using these has the added advantage that they work offline, which means they work if your cellphone doesn't have coverage at the time you're logging in on another computer. This is especially great if you’re traveling internationally and logging into an account at, say, an internet cafe. Lots more sites now offer app-based 2FA, including Instagram and Twitter.

The best solution, however, is a physical token or security key such as a YubiKey or a Titan Security Key, which connect to a computer via USB or wirelessly. You can set up these keys as the second factor for many services (here’s a Google help page on it). Then when you log in you will have to provide your password, insert the token into your computer, and press a small button on the key itself to log in.

Security experts suggest using these keys because it’s virtually impossible for hackers to hack you using phishing attacks if you use them. Some hackers have been able to phish second-factor codes by creating fake login pages. That doesn’t work if you use security keys. It’s important to remember, however, that you should be prepared in case you lose your security key. Buy and set up a backup key, set up the authenticator app, or store recovery codes in a safe place.


Don't use Flash: Flash is historically one of the most insecure pieces of software that's ever been on your computer. Hackers love Flash because it's had more holes than Swiss cheese. The good news is that a lot of the web has moved away from Flash so you don't really need it anymore to still enjoy a fully-featured and rich browsing experience. So consider purging it from your computer, or at least change the settings on your browser so you have to click to run Flash each time.

Do use antivirus: Yes, you've heard this before. And it’s still true. While antiviruses are, in some ways, old technology, using one is still a good idea. If you run Windows 10 on your computer, you already have one, since Windows implemented its own antivirus engine, called Defender, in its latest operating system. Still, according to experts, there are some advantages to running a third-party one. Macs generally see less malware—though they do see it—so it’s not as necessary to have an antivirus on MacOS, but, again, it probably won’t hurt. There are no antivirus programs for iPhones, and on Android, if you have a Pixel phone that gets regular updates, you probably don’t need it. If you have an older device, then you should use a mobile AV. Be aware that antivirus software, by definition, can be invasive: it needs to reach deep into your computer to be able to scan and stop malware. This reach can be abused. For example, the US government accused Kaspersky Lab, which makes one of the best-known antiviruses in the world, of having passed sensitive documents from one of its customers to the Russian government. This, however, is a rare case and there’s almost no precedent in terms of cybercriminals targeting AVs to hack consumers.

Do use an adblocker...: Sometimes, all a hacker needs to pwn you is to get you to the right website—one laden with malware. That's why it's worth using a simple, install-and-forget-about-it adblocker, which should protect you from malware embedded in advertising presented by the shadier sites you may wander across on the web, and sometimes even legitimate sites. (We'd naturally prefer if you whitelisted Motherboard since web ads help keep our lights on.) The most popular desktop adblockers, such as uBlock Origin and AdBlock Plus, have corresponding mobile apps; we recommend you use an adblocker on your phone too.

...but don’t use dodgy plugins: Some plugins are great for privacy or security, but these little pieces of software sit in a very privileged place on your computer: right within your web browser. Depending on what the plugin is designed to do, it may need all sorts of access to your data, such as being able to see what websites you’re visiting, or perhaps even change how that data is displayed to you. That can be fine, but extensions can also pose a security risk. In September, someone planted malicious code in the plugin of popular file sharing service MEGA. This code could have stolen users’ cryptocurrency keys, as well as login details for Google, Github, and Amazon. That is just one of many examples of extensions that have been compromised, have security vulnerabilities, or are outright malicious. With that in mind, it’s worth only installing extensions that you know you really need, rather than unnecessarily increasing your attack surface with an assortment of them.

Do use a VPN: Virtual Private Networks are a secure channel between your computer and the internet. If you use a VPN, you first connect to the VPN, and then to the whole internet, adding a layer of security and privacy. If you're using the internet in a public space, be it a Starbucks, an airport, or even an Airbnb apartment, you are sharing it with people you don't know. And if some hacker is on your same network, they can mess with your connection and potentially your computer. In the past, connecting to public Wi-Fi was riskier than it is today, due to increased use of HTTPS web encryption, which makes it harder for hackers on the same network to monitor and intercept data. Using a VPN doesn’t hurt though, it’s just not as essential as it used to be. Also, it’s worth doing some research on VPNs before getting one, because some are much better than others (most of the free ones don’t do a great job of protecting your privacy). We recommend F-Secure’s Freedome, Private Internet Access, or, if you’re a technical user, Algo. Particularly paranoid users might want to use a VPN at home as well, because Congress killed proposed rules that would have made it illegal for internet service providers to sell your browsing history.

Do disable macros: Hackers can use Microsoft Office macros inside documents to spread malware to your computer. It's an old trick, but it's back in vogue to spread ransomware. Disable them!

Do back up files: We're not breaking any news here, but if you're worried about hackers destroying or locking your files (such as with ransomware), then you need to back them up. Ideally, do it while you're disconnected from the network to an external hard drive that should be stored unplugged from the computer so that even if you get ransomware, the backup won't get infected.

Don't overexpose yourself for no reason: Lots of people love to share way too much about their lives on social media. But please, we beg you, don't tweet a picture of your credit card or your flight’s boarding pass, for example. A post on social media can often end up being a post to anyone on the internet, especially if your profile is public. But even if it’s not public, if you are Facebook friends with distant connections or people you don’t trust, or allow people you’ve lost touch with to continue following you on Instagram, it’s possible the things you post on social media could be screenshotted and shared more widely.

You should also consider the information you may unwittingly share on other apps. People could be able to guess your home address or your general whereabouts if you share your running or cycling routes on an app like Strava or RunKeeper (you should also turn geotagging off on sites like Twitter if you don’t want people to know where you are.) And if you keep your Venmo transactions public, anyone can learn who you’re hanging out with.

Remember, personal information such as your home address or high school (and the school’s mascot, which is only a Google away) can then be used to find more information via social engineering schemes. The more personal information an attacker has, the more likely they are to gain access to one of your accounts. With that in mind, maybe consider increasing the privacy settings on some of your accounts.

Another potential risk is having particular stickers on your laptop. Maybe you’re going into another country and that hacking sticker catches a border official’s attention. Or perhaps you’re working in a cafe, and the logo of your media organization plastered across your laptop lid makes the computer a juicy target to steal. It depends on your own particular threat model, but maybe think twice about announcing your affiliations in such a public manner.

Don't open attachments without precautions: For decades, cybercriminals have hidden malware inside attachments such as Word docs and PDFs. Antiviruses sometimes stop those threats, but it's better to just use common sense: don't open attachments (or click on links) from people you don't know, or that you weren't expecting. And if you really want to do that, use precautions, like opening the attachments within Chrome (without downloading the files). Even better, save the file to Google Drive, and then open it within Drive, which is even safer because then the file is being opened by Google and not your computer.

Do opt out of data broker websites: Your personal data may be collected and shared by so-called data brokers, opaque companies that scoop up information about consumers. These are not companies you willingly share information with, but companies that get it from other sites and services generally without your knowledge. This sounds and is a bit shady, but the good news is that you can opt-out of most of these.

Do sext if you want, but do it safely: Sexting is now just as commonplace as sex itself. But there are precautions you can take to sext securely. You can read our comprehensive guide on sexting safely, but it boils down to figuring out your threat model, getting consent, being wary of photo apps that automatically backup pictures, and choosing the right app for you.


We now live in a world where smartphones have become our primary computing devices. Not only do we use cellphones more than desktop computers, but we keep them with us pretty much all the time. It goes without saying then, that hackers are targeting mobile phones more often than ever.

The good news is there are some basic steps and some precautions you can take to minimize the risks of using your smartphone.


Most people use passcodes, passwords, or patterns to “lock” their phones. If you don’t do this, you absolutely should! If you’re feeling particularly paranoid, you should be vigilant about where you’re typing in your passcodes: “Shoulder surfing,” where someone learns your passcode because they’re looking over your shoulder, watching you type it in, can be a risk if you leave your device lying around a bar or near a snooping acquaintance. (Patterns are far easier to guess or shoulder surf than PINs or passcodes, according to a recent study.)

One of the biggest mobile threats is someone who has physical access to your phone and can unlock it. This means your security is only as good as your passcode: If at all possible, avoid giving out your code or password, and avoid using easily guessed passcodes such as your birthday or address. Even simple passcodes and passwords are great to stop pickpockets or street thieves, but not so great if what you’re worried about is an abusive partner who knows your PIN, for example. Devices designed to brute-force or guess your cellphone passwords are becoming cheaper and more accessible, so we recommend using alphanumeric passwords of at least 7 characters to unlock your phone. Of course, inputting 7 or more digits every time you need to read a text may sound a bit annoying, but modern smartphones come equipped with fingerprint or facial recognition technologies that make your life significantly easier. Unless you’re worried authorities may legally coerce you to unlock your phone with something like TouchID or FaceID, we recommend using those.

With that in mind, here are a few basic things you can do to prevent other common threats to your cellphone.


Pretty much everyone in the world of cybersecurity—except perhaps the engineers working on Android—believes that iPhones are the most secure cellphone you can get. There are a few reasons why, but the main ones are that iOS, Apple’s mobile operating system, is extremely locked down. Apps go through extensive checks before getting on the App Store, and there are extensive security measures in place. These include “code-signing,” which only allows apps to run that come from a known source and have been approved by Apple, “sandboxing,” which prevents security vulnerabilities in an app from accessing other apps or critical data on the phone, and the fact that full disk encryption is enabled by default. These features make it really hard for hackers to attack the most sensitive parts of the operating system. Because Apple controls the iOS infrastructure, iPhones get immediate, regular security updates and patches from Apple; critical security updates for many Android devices can take weeks or months to be pushed to users. Even the iPhone 5s, which was launched in 2013, is still supported.

So if you are paranoid, the iPhone is the most secure cellphone out of the box. But unless you have a really good reason for it, do NOT jailbreak it. While the jailbreaking movement and the hackers behind it have contributed to making the iPhone more secure, jailbreaking an iPhone at this point doesn’t really provide you any feature that’s worth the increased risks. In the past, hackers have been able to target at scale only jailbroken iPhones.

Nothing is unhackable though. We know some governments are armed with million-dollar hacking tools to hack iPhones, and perhaps some sophisticated criminals might have those too. Still: Get an iPhone, install the updates, and you’ll probably be fine.

Of course, one of the main problems with iPhones is that they are expensive; others simply don’t like iOS or Apple products. Don’t fret, there are some alternatives.


Android has become the most popular operating system in the world thanks to its decentralized, open-source nature and the fact that many handsets are available at prices much lower than iPhones. In some ways, this open-source nature was Android’s original sin: Google traded control, and thus security, for market share. As a result, critical security updates depend on carriers and device manufacturers, who have historically been lackadaisical about pushing them out.

The good news is that in the last two years the update picture has improved a lot. Google has been pushing partners to give users monthly updates, and Google’s own flagship devices have almost the same kind of support that Apple provides to iPhones, as well as some of the same security features. Also, Google now wants to mandate two years of support to popular phone makers as part of their Android contracts.

So your best bet is to stick to Pixel phones, whose security doesn’t depend on anyone but Google. If you really don’t want a Google phone, these cellphones have a good track record of pushing security updates, according to Google itself.

Whatever Android phone you own, be careful about the apps you install. Hackers have traditionally been very successful at sneaking malicious apps onto the Play Store, so think twice before installing a little-known app, or double check that the app you’re installing really is the one you want. Last year, a fake version of WhatsApp was installed by more than a million Android users. Also, stick to the Play Store and avoid downloading and installing apps from third-party stores, which may very well be malicious. On most Android phones, installing third-party apps is not enabled by default; leave it that way.

To protect the data on your Android phone, make sure full disk encryption is enabled. Open your Settings app, go to “Security” and click on “Encrypt Phone” if it’s not enabled already (If this doesn’t work on your device, Google for instructions on your specific handset.)

Finally, while not mandatory, it might be a good idea to install a mobile antivirus. While these can be effective against criminals’ malware, they probably won’t stop government hackers.


Last year we revealed that hackers had been exploiting a nasty bug on a T-Mobile website to pull the personal data of customers in an attempt to gather data that they could then use to impersonate the victims and socially engineer T-Mobile support technicians into issuing new SIM cards. It’s not just T-Mobile, though. Every major wireless carrier has been subject to these attacks, where hackers convince the company to give them your phone number, which is likely the gateway to multiple other, perhaps more sensitive, parts of your digital life: your email, your bank account, your iCloud backups. These kinds of attacks are called “SIM swapping” or “SIM hijacking.” SIM hijacking is what makes two-factor authentication via SMS so dangerous. You should switch to an authentication app or physical key for your two-factor authentication, but there are some other steps you can take to prevent SIM hijacking in the first place.

As a consumer, you can’t control the bugs that your carrier leaves open for hackers. But you can make it a bit harder for