Operational Security for Normal People: A Practical Guide
You do not need a burner phone. You do not need to live in a cabin in the woods. Operational security, or OpSec, is simply about making it harder for people to steal your life. It is about removing the low-hanging fruit so attackers move on to an easier target.
The reality is simple. Attackers are lazy. They want the easy wins. If you put up just a few barriers, you are already ahead of 99% of the population. This guide is for normal people who want to be safe, not paranoid.
Summary
The Essentials
- Stop reusing passwords.
- Turn on Multi-Factor Authentication (MFA).
- Update your software.
- Stop oversharing online.
What is Actually OpSec
Before we dive into tactics, let’s clarify what operational security really means. OpSec is about protecting sensitive information from falling into the wrong hands. It’s not about hiding everything - it’s about not making yourself an easy target.
The core principle: Attackers look for low-hanging fruit. They want victims who make their job easy. Good OpSec raises the difficulty level so they move on to someone else.
OpSec is not paranoia. It’s practical risk management. You don’t need to encrypt every email or use anonymous browsers for grocery shopping. You just need to eliminate the obvious vulnerabilities that 99% of people have.
Important
The 80/20 Rule: 80% of security comes from the basics. The remaining 20% requires specialized knowledge. Focus on the fundamentals first.
The Keys to the Kingdom
The Only Password You Need to Remember
Stop trying to be clever with your passwords. You cannot remember a unique, complex password for every single account you own. It is impossible.
Use a password manager. Bitwarden is excellent and free. 1Password is great if you want a polished experience.
These tools generate long, random strings of garbage for your passwords. That is exactly what you want. You only need to remember one strong Master Password. The manager handles the rest.
Tip
Real Talk: If you reuse your password, you are one data breach away from losing everything. If a random forum gets hacked and you used the same password for your email, your email is gone. Fix this today.
MFA Is Not Optional
Multi-Factor Authentication adds a second step to logging in. It usually involves a code from an app on your phone.
Research from Microsoft shows that MFA can block 99.9% of automated account compromise attacks. Note the word “automated.” Most attacks are bots trying millions of passwords. MFA stops them dead.
Do not use SMS for this if you can avoid it. SMS messages can be intercepted, and SIM swapping is a real threat where attackers steal your phone number. Use an app like Signal, Google Authenticator, or generic TOTP apps. Better yet, get a hardware key like a YubiKey or use Passkeys.
Warning
The “I have nothing to hide” Fallacy: You might think you are not a target. You are wrong. Your computer can be part of a botnet. Your email can be used to scam your friends. Your identity can be sold. Everyone is a target.
Your Devices Are the Gateway
In 2024 alone, over 5.5 billion accounts were compromised in data breaches. That is an eightfold increase from the previous year. The scale of the problem is exploding.
Update or Die
Software updates are annoying. They restart your computer at the worst times. They change things you liked.
Do them anyway.
Updates patch security holes. When a vulnerability is found, the vendor fixes it. If you do not update, you are leaving the door open for an attack that is already known and easily automated.
Remember WannaCry? In 2017, it took down hospitals and banks globally. It spread through a vulnerability that Microsoft had already fixed months earlier. The victims just hadn’t updated. Don’t be that person.
Encryption Is Standard
If you lose your laptop or phone, your data should be unreadable. This is what Full Disk Encryption does.
- Windows: BitLocker
- Mac: FileVault
- iPhone/Android: On by default (usually)
Check your settings. Ensure this is on. If your device gets stolen, it should be a brick to the thief, not a goldmine of personal data.
Shut Up and Stop Sharing
Social engineering is when an attacker tricks you into giving them access. It is much easier to ask for your password than to crack it.
The more you share online, the easier you are to trick.
The profile you build
Every photo, every tag, every check-in builds a profile. Attackers use this.
- Vacation photos: Tells them you are not home.
- Birthday posts: Gives them your date of birth.
- Pet names: Gives them your potential password or security question answers.
Lock down your social media. Set it to private. Prune your friends list. If you haven’t spoken to someone in ten years, they do not need to see your kids.
Compartmentalization
Don’t let one breach ruin your life. Separate your identities.
Have a “junk” email for newsletters and shopping. Have a serious email for banking and government services. Never the two shall meet. If your junk email gets spammed or breached, your bank account remains safe.
When It Hits the Fan
You will get hacked. Or at least, one of your accounts will be part of a breach. It is a matter of “when,” not “if.”
Have a Plan
- Don’t Panic. Verify the threat.
- Change Passwords. Start with your email, then your financial accounts.
- Check Settings. Attackers often set up email forwarding rules to keep watching you even after you change the password. Check your forwarding rules.
- Disconnect. If your computer is acting weird, take it offline.
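One way to carry out the forwarding-rule check from the list above, as an added example that is not part of the original guide: a Python audit over an exported rule list. The JSON field names and the sample rules are constructed for illustration and do not match any real mail provider's export format.

```python
import json

# Constructed sample export; the field names are hypothetical, not a real provider's schema.
SAMPLE_RULES = json.loads("""
[
  {"name": "Newsletters", "enabled": true,
   "actions": {"move_to_folder": "Reading"}},
  {"name": "Family copy", "enabled": true,
   "actions": {"forward_to": ["partner@example.org"]}},
  {"name": "mail sync", "enabled": true,
   "actions": {"forward_to": ["inbox-copy@mail.example.net"], "delete": true}},
  {"name": "old work redirect", "enabled": false,
   "actions": {"redirect_to": ["me@oldjob.example.com"]}}
]
""")

FORWARDING_ACTIONS = ("forward_to", "redirect_to")

def audit_forwarding(rules, trusted_addresses):
    """Return (rule name, severity, targets) for each enabled rule that sends
    mail to an address the owner has not listed as trusted."""
    trusted = {a.lower() for a in trusted_addresses}
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # disabled rules move no mail right now
        actions = rule.get("actions", {})
        targets = [addr.lower()
                   for key in FORWARDING_ACTIONS
                   for addr in actions.get(key, [])]
        unknown = sorted(t for t in targets if t not in trusted)
        if not unknown:
            continue
        # Forwarding plus deleting the local copy means the owner never
        # sees those messages, so rank it above a plain forward.
        severity = "high" if actions.get("delete") else "review"
        findings.append((rule["name"], severity, ", ".join(unknown)))
    return findings

if __name__ == "__main__":
    for name, severity, targets in audit_forwarding(SAMPLE_RULES, ["partner@example.org"]):
        print(f"[{severity}] rule {name!r} forwards to {targets}")
```

Any rule the audit reports that you do not remember creating should be deleted after the password change, since a rule keeps running no matter what the password is.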
Warning
The Ultimate Backup: Ransomware locks your files and demands payment. The only defense is a backup they cannot touch. Keep an offline backup on an external hard drive that you disconnect when not in use. Cloud backups are great, but if your computer is infected, it might sync the encrypted files too.
Conclusion
This is not about being a spy. It is about being a responsible adult in a digital world. You lock your house when you leave, right? Start locking your digital life too.
Start today. Pick one thing. Set up a password manager. Turn on MFA. It takes ten minutes, and it might just save you a massive headache down the road.