The security industry wants you to think you need 17 tools, a VPN running at all times, a hardware key on a lanyard, and a PhD in threat intelligence.
You don't.
You need three tools. The first is a password manager. They're all free. You can set all three up in under 20 minutes. And when you're done, you'll be better protected than the majority of people who use the internet every day.
This is the privacy and tools article I wish had existed when I started working in cybersecurity — because I spent years watching technically sophisticated people get compromised by the exact three gaps these tools close.
81% of hacks use stolen or reused passwords
3 tools is all you actually need
20 min to set up the whole stack
Why Most People Have Zero Tools Right Now
The security advice problem isn't a lack of information. It's too much of it, most of it bad.
Search for "how to stay safe online" and you get 47 products to buy, a list of threats designed to scare you, and no clear answer about what to actually do first. Most people read it, feel overwhelmed, and do nothing. That's worse than having one tool set up properly.
Here's the honest version: most real-world compromises — the kind that happen to regular people, not corporations — come down to three things. Stolen or reused passwords. Malware that's already on the device. And accounts where a stolen password is all an attacker needs to get in, because nothing else stands in the way.
Three problems. Three tools. Let's go.
Tool 1: Bitwarden — Password Manager
The problem it solves: You're using the same password in multiple places. You know you are. Everyone does. It takes one breach anywhere — a shopping site, a forum, a food delivery app — for that password to become a master key to your entire digital life.
A password manager fixes this permanently. It generates a different, random, unguessable password for every single site you use. You remember one password — the one that opens Bitwarden — and it handles everything else.
Why Bitwarden specifically: It's free, open source, and independently audited. The code is publicly available for anyone to inspect. It works on every device, every browser, every operating system. And unlike some alternatives that have had high-profile security incidents in recent years, Bitwarden's track record is clean. The free tier genuinely covers everything you need. There is no feature wall pushing you toward a subscription.
🔑 Creates strong passwords
Generates a unique, unguessable password for every site — so a breach at one place can't unlock everything else.
🔒 Fills them in automatically
No typing, no copy-pasting. It fills your login on any device the moment you arrive at a site.
🆓 Completely free
The free tier covers everything you need. There is no catch.
Setup — exactly what to do:
Go to bitwarden.com and create an account with a strong master password — the only one you'll need to remember
Install the browser extension (Chrome, Firefox, Edge, Safari — all supported)
The next time you log in anywhere, Bitwarden will offer to save the password. Say yes.
Over the next week, let it capture your existing passwords. Don't rush.
Turn on the ONE setting: Settings → Security → Two-step login → Authenticator app (do this after setting up Tool 3)
It's free. Download Bitwarden and spend 10 minutes on it today. It's the highest-return action on this list.
Tool 2: Malwarebytes — Security Scanner
The problem it solves: Most people's devices have something on them. Not necessarily ransomware or anything dramatic — often it's adware, tracking software, browser extensions that got bundled with something else, or background processes that arrived via a sketchy download six months ago. None of it announces itself.
If you suspect your device is already compromised before running this, read How to Tell If Your Phone Has Been Hacked first — it'll help you interpret what Malwarebytes finds.
Malwarebytes scans your device, identifies what shouldn't be there, and removes it. That's the full pitch.
Why Malwarebytes specifically: It has the most reliable detection rates in independent tests for consumer malware. It's been around long enough to have a proper track record. And the free version is sufficient for what most people need — a manual scan to clean up the past, and the browser extension to block the obvious future. You don't need it running constantly in the background. Run it, clean what it finds, move on.
🦠 Finds what's already there
Scans your device for malware, spyware, and anything that snuck in before you started taking this seriously.
🏃 Runs a scan, then leaves
You don't need it running in the background 24/7. Run a scan. Clean what it finds. Done.
🪟 Windows and Mac
Works on both. Free version is enough for a manual scan. No subscription required.
Setup — exactly what to do:
Download the free version from malwarebytes.com — the free version is exactly what you need
Run a full scan on your device right now — this is the catch-up scan
Clean anything it finds. Note what it found.
Run a scan once a month from now on. Put a reminder in your calendar.
Turn on the ONE setting: enable the browser extension for real-time link protection (free)
Download Malwarebytes free — the free version is enough for this.
Tool 3: A 2FA App — Aegis (Android) or Raivo OTP (iPhone)
The problem it solves: A password, on its own, is the only thing someone needs to get into your account. If it gets stolen — through a phishing attack (which is how most account takeovers actually start), a data breach, or malware — that's game over. Two-factor authentication (2FA) adds a second requirement: a time-sensitive code that changes every 30 seconds, generated on your phone. Even if someone has your password, they can't get in without that code. It doesn't matter how they got the password.
This is why 99.9% of automated attacks — the bots that try stolen password lists against millions of accounts — are stopped cold by 2FA. They have the password. They don't have your phone.
99.9% of automated attacks blocked by 2FA
30 sec to approve a login
0 cost — free on Android and iOS
Why Aegis and Raivo specifically: There are lots of 2FA apps. Google Authenticator works. Microsoft Authenticator works. But Aegis (Android) and Raivo OTP (iPhone) are both open source, store codes locally on your device rather than in someone else's cloud, and have no accounts required. They're the cleanest, simplest option for someone who wants this to just work without dependencies.
🤖 Android: Aegis Authenticator
Free, open source, stores codes locally on your device. No account required. Highly recommended by security researchers.
🍎 iPhone: Raivo OTP
Free, open source, optional iCloud backup. Clean interface, zero ads. The iOS equivalent of Aegis.
Setup — exactly what to do:
Install Aegis (Android) or Raivo OTP (iPhone) from your app store
Go to your Google account → Security → 2-Step Verification → Authenticator app
Scan the QR code with your new app. Your account is now 2FA-protected.
Repeat for your email, WhatsApp, Facebook, and your bank if it supports it
Turn on the ONE setting: in the 2FA app, enable biometric lock (fingerprint or Face ID) — so opening the app requires your face or finger
This is also what protects you if someone manages to take over your social accounts — a growing problem covered in detail in the article on social media account takeover.
What This Stack Protects Against
Here's an honest map of what you've just protected yourself from:
✅ Password reuse attacks
If one site leaks your password, Bitwarden ensures it doesn't work anywhere else. The breach stops there.
✅ Phishing attacks that steal passwords
Even if you're tricked into entering your password on a fake site, the attacker still needs your 2FA code, which expires in 30 seconds.
✅ Malware and spyware
Malwarebytes catches what's already on your device and the browser extension blocks the obvious incoming threats.
✅ Weak password habits
You'll never type "password123" or your dog's name into a login box again. Bitwarden does the generating. You just click fill.
What This Stack Doesn't Cover (Honest)
This isn't everything. It's the minimum — which is what the title promised.
For real-time scanning on a shared or high-risk device, Malwarebytes Premium adds a continuous background scanner. But for a personal device used normally, the free tier with monthly manual scans is sufficient.
What it does cover is the three reasons the majority of regular people get compromised. That's the point of a minimum stack — maximum protection for the most common threats, with the minimum friction.
Your Checklist — Are You Done?
Go through this before you close the tab:
Your Security Stack — Done Checklist
Bitwarden installed and browser extension active
At least 5 passwords saved in Bitwarden (email password first)
Malwarebytes downloaded and first full scan completed
Monthly scan reminder set in calendar
2FA app installed (Aegis or Raivo OTP)
Google account 2FA enabled
Email account 2FA enabled
Biometric lock enabled on 2FA app
Frequently Asked Questions
Do I really need all three, or can I just do one?
Do all three, but if you have to choose one: start with Bitwarden. Password reuse is the single highest-probability risk for most people. The 2FA app is second — because it closes the gap that remains even after Bitwarden. Malwarebytes is third — useful, but less urgent unless you've clicked something suspicious recently.
Is the free version of Bitwarden actually safe?
Yes. The free tier uses the same encryption as the paid tier (AES-256 end-to-end). The only things the paid tier adds are 2FA code generation, emergency access, and priority support. The core product — secure password storage and autofill — is identical.
I already use Google's built-in password manager. Is that enough?
It's better than nothing, but it has two gaps: it only works inside Google's ecosystem (Chrome, Android), and it stores your passwords in Google's cloud tied to your Google account. If your Google account is compromised, so are all your saved passwords. Bitwarden keeps them in a separate vault with a separate master password — the two don't share a failure mode.