28 bad internet behaviors and how to fix them

Checking your bank balance while using free public Wi-Fi, downloading files from sketchy websites, and, of course, creating easy-to-guess passwords because “no one cares about hacking my accounts” are some bad habits you may practice. It’s time you stopped justifying these risky behaviors. Here’s a helpful list of the top 28 bad online habits you should work on this year.

Do lousy passwords used all over the internet and written down on a sticky note ring a bell? You may need better account security habits.

1. Using the same password for everything

Reusing the same password on multiple accounts is one of the worst things you can do to your online security. It’s like using the same key to lock your home, car, and deposit box – even after someone stole the key and could have made a copy.

With millions of records exposed in data breaches every quarter, it’s easier than ever for hackers to get passwords. If you use a single password for every login, cybercriminals can use the password leaked in one data breach to access all your other online accounts.

So if you quit one bad internet habit this year, make it this one.

What to do instead:

Create a unique password for every account, and use a password manager to store (and remember) these passwords for you.

Further reading:

• What is a password manager?
• What is a data breach, and how do they happen?

2. Setting “123456” as your password

If you use “123456” as your password, you’re one of the 1.5M people who used and lost this password in 2022. The only password worse than “123456” is the password “password.” And hackers can crack both in under a second.

Obvious number or character combinations and dictionary words are not good password material. Secure passwords should be impossible to guess for humans and take ages to brute force for computers.

What to do instead:

Never use “123456,” “password,” or “qwerty” as your password. Create a unique password that’s 12 or more characters in length, containing uppercase and lowercase letters as well as special symbols. You can use a password generator to make such passwords instantly.

Further reading:

• What is a dictionary attack, and how can you prevent it?
• Which type of password would be considered secure?

3. Keeping passwords on sticky notes

Having a unique and robust password but keeping it on a sticky note or in another easily accessible plain-text form is not much better than using simple passwords like “123456” or reusing the same password for everything.

You may trust your family with your passwords, but other people visit your home too. Friends, their significant others and their kids, or home maintenance workers – you can’t always predict who will be at your home and take a look at your openly shared password.

If you take the same practice to your workplace, it’s even worse – a bigger stream of people pass by your desk and computer. Sticky notes are no good for remembering private information.

What to do instead:

Invest in a password manager. You won’t need sticky notes or other forms of insecure password-keeping. The password manager will secure your passwords with next-generation encryption and even autofill them, so you don’t need to type them each time.

Further reading:

• Secure your passwords with the NordPass password manager
• What is the safest way to store your passwords?

4. Not using two-factor authentication

If passwords are the first line of defense for your online accounts, then two-factor authentication (2FA) is the second.

How does it work? After you enter your password, your account requires a one-time passcode or other confirmation (e.g., clicking on a notification) that you, not someone else, are accessing the account.

What’s the point? If your password is exposed in a data breach, 2FA prevents hackers from accessing your accounts using the leaked password.

Two-factor authentication is available on most online services, including Google, Apple’s iCloud, Facebook, Instagram, Twitter, and NordVPN. But too many people don’t take advantage of this excellent security feature. Don’t be one of them.

What to do instead:

Enable 2FA on your accounts whenever it’s available. Usually, you can do so by visiting security settings on any particular website or using a third-party app, such as Google Authenticator.

Further reading:

• How to enable two-factor authentication
• What is Google Authenticator?

Some bad internet habits are conscious choices. You know “password” is a terrible password, but you keep using it because it’s easy. Some behaviors, however, may not be that obvious and lead to accidental exposure of your most private information.

5. Clicking on links in strange emails

Many cyberattacks are successful because people open ransom emails they receive from strangers. And most strangers that send such emails are scammers and hackers.

Scammers use phishing and social engineering techniques to urge you to click on their links. These links take you to fake websites created to steal your passwords, credit card details, and other sensitive information.

What to do instead:

Don’t know or trust the source? Don’t click the link. When you do know the sender, double-check whether the link looks natural and whether receiving it makes sense because email addresses often get spoofed.

Further reading:

• How to protect yourself from email phishing
• What is email spoofing and how to avoid it

6. Visiting HTTP sites

The “HTTP” prefix you see on the website address usually indicates that your connection is not secure. What does it mean? Snoopers could see the data you share with that website.

HTTP websites are dangerous for online payments and cases when you need to provide personal information. That’s why most browsers warn you when you visit such websites.

What to do instead:

To stay on the safe side, only browse sites that use an SSL – an encrypted connection, indicated by HTTPS. If you have no choice but to visit unprotected websites, enable the NordVPN extension first to secure your traffic.

Further reading:

• HTTP vs. VPN: Why you need both
• TLS vs. SSL: All you need to know

7. Checking your bank account on public Wi-Fi

Like HTTP sites, public wireless networks usually lack proper protection. They leave you open to man-in-the-middle attacks and other nefarious ways for hackers and snoopers to get your information. Anyone could intercept your banking credentials or other sensitive data if you visit insecure sites on such a network.

What to do instead:

When on public Wi-Fi, don’t check sensitive information, especially if it’s work or money related. Or better still — get a virtual private network (VPN) and keep your communications safe even on public Wi-Fi.

Further reading:

• How to stay safe on public Wi-Fi
• Is hotel Wi-Fi safe? No, and here’s why

8. Not making backups

No one thinks about backups much until the device gets stolen, infected by malware, or malfunctions. It’s easy to replace the old machine with a new one, but what about all the important files and photos you kept on it?

Unless you have them safely backed up, they are gone or extremely difficult (and costly) to retrieve. The damage is much less detrimental if you have copies of that data safely residing on another device, hard drive, or cloud.

What to do instead:

Make regular backups. When possible, have at least two copies and keep them in different storage (e.g., one on the hard drive and another in the cloud). You can keep them encrypted for extra protection.

Further reading:

• Can you recover deleted files?
• How does cloud backup work?

9. Uploading files to the cloud as they are

The cloud saves precious storage, and most devices automatically sync your files to the cloud. But is your data safe while sitting comfy in the cloud? Often, it’s not.

Remember Britney Spears’ iCloud incident? If someone steals your cloud credentials, they can access everything you keep in the cloud.

Moreover, most cloud companies can access your files if they want. A nosy employee with enough access privileges may snoop around in your private files. Or they may have questionable privacy practices enabling third parties to access your data.

Finally, cloud companies are vulnerable to cyberattacks and data breaches which may put your sensitive data in the wrong hands.

What to do instead:

Encrypt your files before uploading them to the cloud or use services that guarantee end-to-end encryption, such as NordLocker. NordLocker allows you to access encrypted data via cloud, or sync files across all devices.

Further reading:

• File encryption: more important than you think
• Google Drive alternatives: Best picks

10. Agreeing to all terms and conditions on software install

Reading the terms and conditions every time you want to install a new app is a real pain. No one’s surprised you hit “agree” without looking at what’s written there. However, reading at least a part of those terms and conditions should be your new habit.

By agreeing to the terms without reading them, you may be allowing the software to:

• collect and sell information about you.
• listen to your conversations.
• install additional software you don’t need.

Agreeing to all terms impacts your privacy, security, and device performance in the long run.

What to do instead:

Read the terms and conditions before clicking “agree,” focusing on the parts related to data collection and privacy.

Further reading:

• Terms of service: pitfalls, loopholes, and legal traps
• App tracking: how to protect your data privacy

11. Over-relying on your antivirus

Not having any security software is a bad habit, but thinking an antivirus solution is all you need to be secure is not quite right either.

Antivirus solutions cannot prevent all the threats. If you get a vishing call and tell the scammer login information for your bank account, no piece of software can stop you.

Awareness of threats and how to recognize them can be much better at protecting you than the most advanced security software.

What to do instead:

Continue using your antivirus, but remember – it cannot protect you from everything.

Be mindful when opening emails, clicking on links, or picking up phone calls from unknown numbers. Social engineering is as dangerous as malware, and antivirus cannot always bail you out.

Further reading:

• 12 types of social engineering attacks
• What is vishing?

Scammers target everyone, but not everyone is an easy target. You may scoff at the Nigerian prince, but the scam still works on more vulnerable groups, for example, the elderly.

The same logic applies to hackers and devices. Why hack someone prepared for a potential attack when there are so many careless individuals with little-to-none defenses?

12. Ignoring software updates

The majority of people find software updates annoying. No wonder – updates tend to pop up exactly when you don’t have time to deal with them. So what you normally do is hit the “postpone” button, thinking you will get back to the updates later.

But you never do.

Keeping programs up to date is crucial to staying protected from malicious threats. Hackers love to exploit vulnerabilities in software and apps, especially those with many users, like browsers.

Companies usually fix the issues immediately by releasing a patch in the form of a software update. But if you don’t install the update, the vulnerability is still accessible on your device, and you’re left exposed.

Another issue comes into play when you don’t update your security software. Your antivirus needs to be aware of the new threats to identify them, which requires regular software updates. If you run an outdated version of the antivirus, it may not be able to recognize and quarantine the malware you accidentally download.

What to do instead:

If you don’t feel like checking for updates, enable automatic updates on your applications. And think twice next time you want to click “postpone.”

Further reading:

• Why postponing software updates puts you at risk
• How to update NordVPN apps

13. Not having security software installed (and active)

While ignoring antivirus updates is a bad digital habit, not having any software that protects you from malicious threats is even worse.

Hackers, scammers, and snoopers are always improving their tactics and tools. Knowing about the current threats may not always be enough – you never know what the bad actors will come up with next. So it’s good to have tools of your own for extra reassurance.

Good news if you use NordVPN — NordVPN protects your data with strong encryption and has a bunch of extra security features to keep you safe from hackers. You can also get it bundled with encrypted cloud storage and a password manager to elevate your security and digital confidence to another level.

What to do instead:

Use NordVPN’s Threat Protection to prevent malware downloads and accidental phishing website visits. It also blocks intrusive ads and online trackers.

If you suspect your device may have already been infected, use antivirus to scan for threats. Windows Defender is a good start if you have a Windows operating system.

Further reading:

• Malware removal with Threat Protection
• Stay safe online with these cybersecurity tools

14. Leaving your screen unlocked

Every device has built-in screen locking – a pattern, PIN code, biometric authentication (face or fingerprint recognition), or a password. Not using any of those is a terrible mistake.

If you don’t lock your screen, anyone can read your private messages or install malware on your phone when you’re not looking. And in case your phone is stolen, the thief gets access to your pictures, emails, and social media accounts, and they can use Google or Apple Pay to make contactless payments.

What to do instead:

Lock your devices. Patterns are easiest to guess, so it’s better to avoid them. But biometrics and passwords (as long as they’re strong) are a good starting point.

You should also enable remote location and wiping to erase all your private information remotely if someone nabs your phone.

Further reading:

• What’s the best way to lock your phone?
• 8 steps to improve Android security on your phone

15. Not using a computer password

Computers store private and sensitive information, yet their protection is often overlooked. Not using a password on your computer can lead to someone installing spyware or stealing your private information.

Don’t like the classic passwords? Many laptops now offer biometric authentication, and there are other options, such as Windows’ picture passwords. Any method is better than leaving your computer unlocked.

What to do instead:

Put a password or other lock on your computer and use it whenever you leave your device unattended — even for a few minutes.

Further reading:

• Which type of password would be considered secure?
• What is biometric data, and is it safe?

16. Thinking your device is inherently secure

It’s a common misconception that some devices or operating systems are inherently secure. Linux and Apple fans, we’re looking at you.

Windows and Android are much bigger targets for hackers. But every device and every operating system can be infected by malware. And even the most secure computers can’t prevent human error or safeguard your data when you don’t even employ the very basics, such as locking your screen.

What to do instead:

Start with security settings, such as adding lock-screen protection, and quit the bad habits listed in this article.

Continue learning about cyber threats and safe behavior online. And look into security software, such as NordVPN, to be more confident about your digital defenses.

Further reading:

• Can Macs get viruses?
• 8 steps to improve Android security on your phone
• Protect your phone with these iPhone security tips

Brilliant security habits won’t suffice if you continue downloading malware to your devices. Before you click “download” again, read this.

17. Downloading free software

When searching for software, you can always find free applications to download. Many companies have a transparent business model behind their apps being free. For example, freemium software will try to get you to upgrade, while other apps will show ads to compensate for the costs.

But what about software that doesn’t have such a clear business model, like most free VPNs? They need a lot of resources to support the software, from an extensive network of servers to human resources. If it’s not your money they gain, it may be something even more valuable to them.

Free software may collect a lot of data about you to sell to the highest bidders (advertisers, hackers, scammers, you name it), bombard you with ads, or work as malware in disguise.

When it comes to software subscriptions, there’s another option too – the free or cheaper accounts may be stolen, and using them is, therefore, illegal. Not only do you fund scammers by using them, but you can also get in legal trouble yourself.

What to do instead:

Think twice before you download free or too-cheap-to-be-true software. Read reviews, make sure the website is legitimate, and have Threat Protection ready to block malicious downloads just in case.

Further reading:

• Your free VPN app could be a trojan: how to spot fake VPNs
• Free VPN vs. paid VPN — which is right for you?

18. Downloading attachments without thinking

Malicious attachments may look innocent enough – a photo from an old friend or a spreadsheet from work. But even images and office documents can be malware in disguise.

Once downloaded and opened, malware can encrypt your data and ask for ransom (ransomware), log everything you type on your device, including your passwords (keylogger), spy on your activity and private conversations (spyware), or damage your device and steal your data in many other ways.

What to do instead:

Be on the lookout for suspicious attachments. If you don’t know the sender, don’t download or click on anything in the email you’ve received. Better yet, don’t even open the email.

Further reading:

• Which email attachments are generally safe to open?
• Scan your files for viruses with NordVPN

19. Downloading antivirus from virus warning pop-ups

Every now and then, a pop-up may appear, claiming to have found malware or viruses on your device.

Is it scary? Sure. Legit? Not really.

It’s not your antivirus that displays these pop-ups — it’s the website. And that website or its ads have no way of knowing if there’s malware on your device. Clicking on the pop-up promising a malware cure will initiate a malware download instead.

What to do instead:

Don’t click random pop-ups, because they may install malware or adware on your device. Many such pop-ups are part of malvertising campaigns, so it’s a good idea to use an ad blocker to avoid seeing them in the first place.

Further reading:

• How to remove fake virus warning pop-up
• What is malvertising?

20. Downloading files from sketchy sites

Downloading free pirated movies, games, and programs is not cool at all. Software piracy is actually considered a crime and it’s one of the easiest ways to infect your device with malware.

Anyone can upload a virus and name the file after a new popular movie or video game. It doesn’t mean the file is what it says it is.

What to do instead:

Be vigilant on sites that offer free downloads, or even better — don’t go there at all. Use reputable services, research them, and read the terms of service before downloading any files.

Further reading:

• Why no NordVPN is better than a fake NordVPN account crack
• How to spot a fake app

Security is not the only thing to worry about when it comes to bad internet habits. Privacy is another issue that often gets overlooked.

21. Not caring about your digital privacy

“I have nothing to hide” is a common excuse for someone to justify their ignorance of online privacy. It may seem valid until you learn about the social engineering attacks, data breaches, and all the ways third parties gather, share, and sell your most private information.

Data is now a commodity, and everyone wants it. ISPs may gather your browsing history to sell to the highest bidder, while Google and Facebook collect all the information they can get their hands on to show you personalized ads and track you across the internet.

Even some governments collect data to spy on their citizens. Not to mention hackers and scammers who use the data to get a better success rate for their nefarious activities.

Ignorance is only bliss until you or someone close to you gets hacked or scammed. And even if the worst doesn’t happen, you may be overpaying for goods and services just because you don’t protect your online privacy.

What to do instead:

Take responsibility for your privacy. Get to know the dangers and online scams, think twice before sharing private information online, get a VPN to hide your IP address and encrypt online traffic, and use Threat Protection to stop invasive ads, tracking, and malware.

Further reading:

• Privacy vs. security: What’s the difference?
• Why data privacy is important
• The ultimate guide to data privacy protection

22. Dismissing privacy concerns

Do you feel like someone is watching you through your webcam? Or does it appear like your smartphone is listening in on your conversations? It doesn’t always mean that you are paranoid.

Activities like snooping, webcam hacking, and location tracking happen every day. We are not used to taking all the warnings seriously, but we should.

What to do instead:

Don’t ignore your sixth sense if you suspect someone is accessing your webcam or microphone without your consent. Find out if your camera has been hacked or your phone is listening to you. Better safe than sorry.

Further reading:

• Is the CIA watching me?
• How to stop someone from spying on my cell phone

23. Choosing services that don’t care about your privacy

Have you checked how much Google knows about you? Spoiler alert: it knows a lot.

It’s not just Google that tracks everything it can get its hands on. Data brings a fortune to many companies — social networks, browsers, free online games, and probably most apps on your phone. Even Spotify is as much a data company as it is a music streaming service.

Most of these companies don’t even hide it. You can check their terms and conditions (if only you read them).

What to do instead:

Choose services that care about privacy. Most services and apps have alternatives that don’t track your every move online.

Adjust your settings if you don’t want or can’t quit some mainstream services or apps. For example, disable location tracking and personalized ads on Google and Facebook and remove the microphone, location, or camera access on apps that don’t need it to function.

Further reading:

• The brands we (shockingly) trust with our privacy
• Google alternatives: How to de-Google your life
• The best private search engines for secure browsing

24. Oversharing on social media

It may seem obvious that oversharing (like overdoing anything) is a bad internet habit, but sometimes the best advice is the simplest.

Unnecessary oversharing gives more information for hackers and scammers to target you. Their messages and phishing emails become more personalized and, thus, easier to believe and fall for.

Photos are another serious risk since any image or video can be manipulated and falsified. An innocent picture of fun times at the beach can become a nude deepfake sent to your employer or spouse.

Then there’s cyberstalking and cyberbullying, which may not be directly related to oversharing but become more dangerous because of it.

And let’s not forget about the risk of identity theft and giving advertisers more than the necessary data. Are those extra likes worth it?

What to do instead:

Limit the information you share online. Never give out your address or phone number unless it’s necessary. And before sharing hundreds of photos from your personal life, ask yourself whether you actually should. If the answer is “yes,” consider sharing them privately without making the posts public for all the world to see.

Further reading:

• What is a deepfake?
• What is catfishing, and how do you spot it?

You can install an antivirus on your smartphones, tablets, and computers. But what about your router, home network, and all the smart devices connected to it? They also need protection, and they rarely get enough of it.

25. Using a weak Wi-Fi password

You may be susceptible to easy hacking if you don’t have a strong password on your home Wi-Fi. Cybercriminals can hack your network and snoop or collect your private information.

Your neighbors can also take advantage of your weak Wi-Fi password by connecting to your Wi-Fi and using it for their own needs. It may not seem like that big of a deal until they start downloading or uploading something illegal to the internet, and you’re the one getting fined for it.

What to do instead:

One of the best ways to create (and, more importantly — remember) your Wi-Fi password is to use a passphrase. You can use the words of a song you like or come up with an original phrase and then shorten it using special symbols and numbers.

For instance, the phrase “I care about my privacy. My VPN provider is NordVPN” could be converted to a strong password “1camp.MVpiN.”

Further reading:

• How to change your Wi-Fi password
• How to protect your Wi-Fi from neighbors

26. Not securing your router

All your internet connections at home pass through your router, yet router security is often overlooked.

Not only do many people use lousy passwords for their Wi-Fi network, but they also keep the default passwords of their routers. Default passwords, usernames, and router IP addresses can be found online with a simple Google search.

What does it mean? Someone with enough knowledge could connect to your router and change its settings or monitor your connections to the internet.

What to do instead:

Change your router username and password when setting up your home network. Make the password strong enough to resist guessing and dictionary attacks.

Also, you can hide your network name (SSID), enable MAC filtering, and set up a VPN on the router for additional security.

Further reading:

• How to disable SSID broadcast to hide your Wi-Fi
• What is a MAC address, and how can you hide it?

27. Disregarding smart home security

If you don’t secure your router, chances are you think even less about your smart home devices. And you’re not alone – 1 in 4 people don’t take any measures to protect their smart devices. The usernames and passwords stay as the manufacturer left them, and security doesn’t get a second look.

If that wasn’t enough, manufacturers often don’t focus on the security of these devices either. They need to rush production and leave vulnerabilities that hackers love to exploit. It then leads to creeps talking to your kid via a hacked baby monitor or indoor security camera.

What to do instead:

First, take time to research the devices you want to buy. Make sure the company takes security into account and doesn’t have questionable practices regarding user privacy.

When you already have the device, change the username and password immediately. Also, change activation phrases from “Hey Alexa” or “OK Google” to something only your family would know.

Finally, set up a VPN on your router to encrypt the connections of all your smart home devices connected to the network.

Further reading:

• Smart home privacy concerns: how can you protect yourself?
• What is the Internet of Things (IoT)?

28. Forgetting firmware updates

It’s easy to update your software – you click on the update reminder and wait until your device restarts. Firmware updates are not always that easy, and you need to look for updates manually.

And that’s where the “Ain’t nobody got time for that” meme comes to mind.

Hackers do have time. They find time to exploit routers and other devices with outdated firmware. And recovering a hacked router takes much more time than installing updates.

What to do instead:

Set yourself a reminder to look up and install firmware updates. For the router, visit the manufacturer’s website and follow their instructions to download the latest firmware.

Further reading:

• Router malware: how to tell if your router is infected
• DD-WRT firmware setup with NordVPN

Final thoughts

Dealing with bad habits on the internet requires time and patience. But once you set your mind to it, it becomes second nature. Soon, you won’t be able to imagine a life without a VPN, a password manager, encrypted files, and the careful inspection of every email.