Home security without the bunker cosplay.

Do this

• Find the router model and firmware version. If the vendor or ISP no longer supports it, plan replacement instead of heroic tinkering.
• Turn on automatic firmware updates if the device supports them. If it does not, set a reminder and check quarterly.
• Change the admin password, disable WPS, disable internet-facing remote administration, and remove old port forwards or UPnP rules.
• Use WPA2-AES or WPA3 with a long passphrase. Put guests, TVs, cameras and unknown gadgets on guest Wi‑Fi where practical.
• For UniFi, OpenWrt, pfSense or OPNsense households, write down who owns the firewall rules. Clever segmentation that nobody maintains becomes decorative complexity.

Check

• Can you name the router model?
• Can you log into it?
• Is firmware current?
• Are there any exposed services or port forwards?
• Is there a guest/IoT network?

Avoid

• Do not keep a router only because the lights still blink nicely.
• Do not expose admin panels, NAS, cameras or game servers to the internet unless you understand exactly what is open.
• Do not buy mystery imported network gear for a work-from-home household because it was cheap and had aggressive antennas.

More detail

• Low-maintenance household: eero, Nest Wifi, a current ISP router or similar can be perfectly reasonable if it updates itself and the owner knows how to manage it.
• Moderate household: recent ASUS, Synology, Netgear or simple UniFi can work if someone is willing to read update notices and keep settings tidy.
• Technical household: UniFi stacks, Firewalla, OpenWrt, pfSense and OPNsense can be excellent. They can also become a shrine to one person's free time. If nobody maintains them, choose the simpler option.

Do this

• Start with personal email, Apple/Google/Microsoft accounts, banking, telco, password manager, social media and cloud storage.
• Use one reputable password manager and generate unique passwords. Family sharing beats texting passwords around like it is 2009.
• Enable passkeys where supported, especially on email, cloud identity, password manager and admin/developer accounts.
• Use a hardware security key for the highest value accounts or for anyone with admin access, public profile risk or sensitive work access.
• Store backup codes and account recovery details somewhere safe, boring and reachable when the main phone is missing.

Check

• Is personal email protected by MFA/passkey?
• Are passwords unique?
• Is password manager recovery documented?
• Are backup codes printed or stored safely?
• Is SMS the only factor anywhere important?

Avoid

• Do not reuse one clever password with tiny changes. Attackers also understand exclamation marks and seasons.
• Do not store passwords in screenshots, notes apps, chat threads or browser autofill chaos.
• Do not make one phone the only way back into the household's accounts.

More detail

• For normal families, 1Password, Bitwarden, Keeper and Apple/Google/Microsoft ecosystem vaults can all be reasonable. The deciding factor is adoption: will people actually use it?
• For work-adjacent or admin users, security keys are worth the small friction. Keep at least two keys enrolled and store one separately.
• For children and shared accounts, set up family recovery properly. Shared streaming, school and utilities accounts still need sane handling.

Do this

• Use a reputable paid VPN only when there is a real reason: travel, untrusted Wi‑Fi, privacy from the local network, or a specific access need.
• Read whether a VPN, proxy or unblocker shares bandwidth or turns the home IP into part of a residential proxy network.
• Review browser extensions and remove anything unknown, unused, coupon-ish, downloader-ish or weirdly broad in permissions.
• Install apps from official stores or the vendor's own site. Keep work-adjacent machines free of keygens, cheats, cracks, sketchy drivers and random APKs.
• Use a separate low-risk device or VM for experiments if someone insists on tinkering.

Check

• Which extensions can read all websites?
• Any free VPN/proxy/unblocker installed?
• Any sideloaded APKs?
• Any cracked software on sensitive devices?
• Are work and personal browser profiles separated?

Avoid

• Do not install random VPNs to bypass school, game, streaming or DNS controls.
• Do not grant 'read and change all data on all websites' because a popup asked nicely.
• Do not run cracked creative tools, game cheats or keygens on the same computer used for work, tax, banking or passwords.

More detail

• Browser permissions matter more than the extension's cute icon. If it can read and change every site, it sits beside webmail, banking, password forms and work portals.
• Free VPNs and proxies can shift trust to a provider with weak incentives. Some services monetise users through tracking, ad injection or bandwidth sharing.
• The household rule should be behavioural, not moralising: if a site is blocked or an app is unavailable, ask. If the rule is wrong, fix the rule. Do not reward bypasses.

Do this

• Put TVs, speakers, cameras, printers and unknown gadgets on guest Wi‑Fi where practical.
• Keep cameras, microphones and smart speakers away from sensitive work calls, screens and private family spaces.
• Use work devices for work. Keep work files out of personal Dropbox, iCloud, Google Drive, family printers and personal AI tools unless explicitly approved.
• Use AI for drafting, summarising and comparing. Require human approval before it sends, submits, deletes, buys, changes access or handles money.
• If work and personal data get mixed by accident, fix it early. Quietly compounding it helps nobody.

Check

• Which devices have microphones or cameras?
• Are printers/NAS/cameras on guest or IoT Wi‑Fi?
• Any work files in personal cloud?
• Any AI tools connected to browser/account actions?
• Who approves agent actions?

Avoid

• Do not keep internet-connected cameras with default credentials.
• Do not paste sensitive work material, medical details, legal material or family information into random AI tools.
• Do not let a browser agent roam through banking, tax, school, legal, medical or work accounts unattended.

More detail

• Physical privacy is part of cyber hygiene. A smart speaker in the wrong room or a cheap camera pointed at a work desk is not just a gadget choice.
• For work-from-home staff, the safest home setup is not a lab. It is clean boundaries: managed work device, approved apps, approved remote access, approved storage and a clear reporting path.
• AI agents change the risk because they can act with your identity. The control is not 'never use AI'. The control is action gating and data discipline.

Do this

• Use a VM, dev container, separate OS user, spare machine or at least a separate browser/profile for untrusted projects.
• Check package.json scripts, especially preinstall/install/postinstall, before installing unfamiliar Node dependencies.
• Avoid random one-line curl/bash, npx, bunx, pip, composer or installer commands from blogs and READMEs on sensitive daily-use machines.
• For serious projects, use lockfiles, frozen installs, registry controls and deliberate review of dependency changes.
• Keep SSH keys, cloud tokens, browser sessions and password-manager unlocks out of throwaway experiments.

Check

• Did this package add lifecycle scripts?
• Could this command execute code immediately?
• Are tokens or SSH keys available in this shell?
• Is the project isolated from email/banking/work?
• Would this be acceptable on a work build runner?

Avoid

• Do not assume npm install, pnpm install or bun install only downloads files.
• Do not run random npx/bunx tools on the laptop that holds real accounts unless you trust the package and source.
• Do not test abandoned, typo-squatted, cracked or suspicious repos in your normal profile.

More detail

• Install-time hooks exist for legitimate reasons. Native modules compile, assets build, tools prepare themselves. That same feature is useful to attackers because it runs at the exact moment trust is lowest and curiosity is highest.
• Home development risk is often worse than people admit because the machine is not clean. It has saved browser sessions, cloud sync folders, password vault access, school accounts, tax records and sometimes work credentials nearby.
• The practical balance is not 'never code at home'. It is isolate first, review scripts, pin dependencies, avoid package runners for random tools, and keep sensitive tokens out of experiments.

Do this

• Protect telco accounts with a strong password, MFA where available, and any port-out or SIM-swap protections the provider offers.
• Know how to reset important passwords from a clean trusted device.
• Keep backup codes and recovery contacts somewhere safe. Print is boring. Boring is fine.
• Test restoring one ordinary file from cloud or external backup before a real incident forces the issue.
• If money, work or identity may be involved, keep screenshots, messages, timestamps and device details before wiping everything in a panic.

Check

• Can you recover email without the main phone?
• Are telco controls enabled?
• Can you restore one file?
• Are backup codes reachable?
• Does the household know what to do after strange MFA prompts?

Avoid

• Do not make recovery depend on one device, one person or one memory.
• Do not approve strange MFA prompts just to make them go away.
• Do not destroy evidence if fraud, account takeover, device theft or work data may be involved.

More detail

• Incident first actions should fit on one page: disconnect obviously suspicious devices if safe, change passwords from a clean device, revoke sessions, contact bank/telco/work where relevant, and preserve evidence.
• For families, name the recovery owner for shared accounts. Utilities, school portals, streaming accounts, smart-home apps and cloud photos all become painful when nobody knows who owns them.
• For important local files, cloud sync is not the same as backup. Ransomware and deletion can sync too. Keep a second copy for the files that matter.