Beginner Setup
last updated 2026-06-12 · one afternoon · €0
Sane defaults for someone starting from zero. Who this is for:
your adversaries are data brokers, ad networks, and opportunistic criminals,
the ones targeting everyone. Nothing here requires abandoning a platform,
explaining yourself to family, or spending money.
the plan
Six changes, in order of impact. Do them top to bottom: the password manager
makes every later step easier. If the afternoon runs out, stop after any step
and you're still better off than this morning.
the setup
Bitwarden
password manager
The single highest-impact change available to anyone. Free tier is fully
usable, syncs everywhere, and it's open source and audited. Why it's
here: zero cost, zero excuses. (The
category page leads with 1Password
over recent company-level concerns at Bitwarden; at this tier, free wins, but
read the caveats and keep the export habit below.)
- Create an account with a long passphrase: four random words
you can actually remember. Write it on paper for now; recycle the paper in a month.
- Install the browser extension and the phone app, sign in to both.
- Save your recovery code (Settings → Emergency access) somewhere
that isn't the vault.
- Change three passwords today: email, banking, and your most-used social
account, to generated ones. Migrate the rest as you log into things naturally.
Ente Auth
two-factor codes
App codes instead of SMS, with encrypted sync so a lost phone isn't a
lost identity. Why it's here: a stolen password stops being
enough to take an account from you.
- Install Ente Auth (Android/iOS); Aegis is equally good if you're
Android-only.
- Enable 2FA on your email first, then banking, then the vault
you just made. Each service shows a QR code; scan it with the app.
- Each service hands you recovery codes: store them in Bitwarden.
- Where a service offers both app codes and SMS, remove SMS once the app works.
Brave
browser
A private daily driver that doesn't break the web: tracker blocking and
anti-fingerprinting are built in, so there's nothing to install on
top. Why it's here: the browser is where the bulk of everyday tracking
happens, and Brave ends most of it before you touch a setting.
- Install Brave, import bookmarks and passwords from your old browser
(then move passwords onward into Bitwarden).
- Settings → turn off Rewards, Wallet, and News: two
minutes of de-cluttering and you're done.
- Leave Shields on their defaults; they're already right.
- Keep the default search engine: Brave Search runs its own independent
index. Give it an honest week before judging.
Signal
messaging
End-to-end encryption that looks and feels like a normal messenger.
Why it's here: it's the one private tool you can realistically
move other people onto.
- Install on your phone, register, set a PIN you'll remember.
- Set a username (Settings → Profile) so you can share it instead of your number.
- Turn on disappearing messages by default: Settings → Privacy →
Default timer → 1 week.
- Move one group chat. The family one is usually easiest: start there,
not with your most stubborn friend.
AdGuard DNS
network
Encrypted DNS that blocks ads, trackers, and malware domains, with no account
and no dashboard. Why it's here: one settings change, every
device improves, nothing to maintain.
- On the phone: Android → Private DNS →
dns.adguard-dns.com;
iOS → install the profile from adguard-dns.io.
- On the computer: set the OS or browser DNS-over-HTTPS to
https://dns.adguard-dns.com/dns-query.
- If you're comfortable in your router's admin page, set
94.140.14.14 there too: that covers the TV and everything else.
Update autopilot
hygiene
free · ~15 min · no category page, just do it
Most real-world compromises exploit a patch that existed for months.
Why it's here: automatic updates outperform every gadget on
this site, and they're free.
- Turn on automatic OS updates (Windows, macOS, and phones all support it).
- Turn on auto-update in app stores and the browser.
- Uninstall what you don't use: every app is attack surface and most phones
carry twenty zombies.
- While you're in the phone settings: review which apps have location,
microphone, and contacts access. Revoke freely; apps re-ask if they truly need it.
after setup
Let the password migration happen naturally. Every time you log
into something over the next month, save it to Bitwarden and upgrade the password
if it's reused. Forcing it all in one sitting is how people burn out.
Old browser stays for two weeks, then goes. Keep it as a fallback
while Brave proves itself, then uninstall so you don't drift back.
Common pitfall: 2FA without recovery codes. The point of step
two in every section was the recovery codes. If you skipped them, go back:
lockouts hurt more than hackers at this tier.
When you're ready for more, the
standard setup picks up exactly here,
starting with getting your email out of Gmail.
checklist
- Bitwarden installed on browser + phone, master passphrase on paper, recovery code saved
- Email, banking, and top social account moved to generated passwords
- 2FA on email, banking, and Bitwarden; recovery codes stored in the vault
- Brave as default browser, rewards/wallet clutter switched off
- Signal installed, username set, one conversation moved
- AdGuard DNS set on phone and computer (router if you dared)
- Auto-updates on everywhere; unused apps deleted; permissions reviewed