Ah, the joys of the connected life: opportunities to engage with global communities, be educated and entertained, and shop with ease. But these go hand in glove with intrusions from marketers and threats from criminals. The tips here, compiled with input from dozens of security experts, will help you take control. We also have pulled out a shorter list of just seven, super-fast steps you can take right now, in less than 10 minutes. And Julia Angwin, the author of "Dragnet Nation," shares her quest for privacy and security in the digital age.

You can begin with either list or the essay—and you don't have to follow every tip, or even most of them. The important thing? Just get started. 

1. Check Your Data Breach Status
Wondering whether your personal data is for sale on the web? At haveibeenpwned.com you can check your email addresses and usernames against lists from 120 known breaches at companies including Adobe, LinkedIn, and Snapchat. (You'll need to register to check the full database.) If your name pops up, change the password for the compromised account and any other site where—tut, tut—you were using the same password. (Bonus tip: Pros pronounce “pwned” as “poned,” not “pawned.”)

2. Stop WiFi Imposters
Laptops, smartphones, and other WiFi-enabled devices can automatically connect to familiar networks. That’s convenient—no one wants to enter a password for their home or work WiFi every day—but it can also be risky. A hacker can set up a rogue WiFi network with the same name as a legitimate one such as “Google Starbucks” or attwifi and trick your gadgets into joining it.

Periodically get a fresh start by using your devices’ network or WiFi settings to prune the networks you join automatically. Most devices let you delete networks one by one, but if you have an iPhone or iPad, you need to go to Reset Network settings under General settings and delete all of them at once.

3. Use 10-Minute Mail

4. See Who Shared Your Private Data
Sometimes you need to register for a website with your real email address, say, if you plan to log in repeatedly to make purchases. Here’s a neat hack for ferreting out which companies are sharing your data with email lists, if you have a Gmail account: Type “+” before the @ symbol and add the website’s name. Email addressed to YourName+Websitename.com@gmail.com will go to the regular inbox for YourName@gmail.com. But now it will carry an extra crumb of data, and if you get spam from a company you’ve never heard of, you’ll know whom to blame.

Set a password or PIN for every laptop, smartphone, and tablet you own. Any lost device without a screen lock is an unprotected gateway for thieves, who may be able to access your email, banking, and social accounts, changing passwords and taking control of your digital life. Here's how to do a screen lock right:

5. Go Long

6. Try to Be Unique . . .
Don’t use any of the following PINs because they’re far too common, accounting for almost 20 percent of those currently in use: 0000, 1111, 1212, and 1234.

7. . . . But Not Too Personal
Your birth date? The last four digits of your Social Security number? Your phone number? Those are all terrible, horrible, no-good, very bad PINs. Don’t use them.

9. Shred These 5 Document Types
Do you really need to destroy every piece of paper that has your name and address on it? “Probably not, but I shred a lot,” says Kelley Long, a CPA and certified financial planner at Financial Finesse, a company hired by HR departments to coach employees on personal financial issues. In particular, Long recommends destroying any health-related documents. “Medical identity theft is a growing threat,” she says.

Your Long-approved list of paperwork to shred includes any documents containing the following:

• Social Security number (even just the last four digits)
• Birth date
• Credit card numbers
• Account numbers from financial institutions
• Medical insurance numbers

10. Shut Off the Flow of Credit Card Offers
These unsolicited mailings can be intercepted and filled out by identity thieves who have credit cards sent to their own addresses, then start piling up debt in your good name. You can put a stop to most of these offers by going to optoutprescreen.com or calling 888-567-8688. The service, run by the Consumer Credit Reporting Industry, will turn off the spigot permanently or for five years. You can always opt back in.

11. Receive Less Mail
When you give a company your name and address, chances are good that the information will be added to direct-marketing lists and used by other companies to send you solicitations. Go to dmachoice.org to remove your info from many mailing lists if you don’t want the offers.

12. Return to Sender
Life as a direct-marketing target: You go to the mailbox, filter out the offers you don’t want, put them in the recycling bin—and repeat. But if an unwanted envelope is printed with the phrase “Address Correction Requested” or “Return Postage Guaranteed,” you have an alternative. You can write “Refused/Return to Sender” and mail it back—no postage required. You’ll keep your recycling bin svelte while making the marketing company pay the return-trip postage. It’s a tiny win, but still a win.

13. Turn On Automatic Updates
Keeping your software up-to-date is the most critical step you can take to boost security, according to professionals surveyed last year by Google. “Software updates are like oil changes,” says Mark Surman, executive director of the Mozilla Foundation. “They can be a hassle in the moment but a lifesaver in hindsight.” Hackers are always exploiting more vulnerabilities, while security pros play nonstop malware whack-a-mole. If you’ve got old software, you’re missing the latest protections. “Most modern software will update itself if you let it,” Surman says. Make sure you have auto-updates turned on across the board.

It’s easy to create passwords that are difficult for hackers to crack, but not enough people do it. Jeremi Gosney, the head of the password-security firm Sagitta HPC and co-founder of a hacker conference called PasswordsCon, recently cracked 173 million of them in just six days. That represented 98 percent of the passwords stolen from LinkedIn in a huge data breach in 2012.

A major problem, Gosney says, is that most passwords are just too predictable. “We know every trick people use: foreign words, movie or book titles, patterns on the keyboard, anything you can think of,” he says. And it doesn’t take long for experts armed with the latest computer technology to run through all of the familiar patterns.

Strong passwords have two things in common: They avoid patterns and they’re just too darned long for a brute-force attack—in which a computer runs through every possible combination of characters—to succeed. But assuming that a password is a truly random collection of characters, how long is long enough? Security experts use some quick math to get the answer. That’s the theory, but you don’t need to crunch numbers to boost your password potency. Just do the following:

15. Stop Making Sense
One way to make a great password is to string together unrelated words. “It’s the Diceware method, in effect,” Gosney says. Diceware is a low-tech way to pick passwords that was developed in the 1990s. You roll dice to pick from a list of 7,776 words. But you don’t have to actually roll dice. Just pick five long, random words and string them together into a nonsense sentence that you can remember.

16. Use a Password Manager
Here’s the rub: We all have a lot of passwords, and it’s tough to remember long strings of random characters. Password managers can generate a complex, unique password for each account. “They used to be hard to navigate, or you had to copy and paste,” Gosney says. “But now they actually eliminate steps from my workflow.” He likes LastPass and 1Password. (LastPass was hacked last year, but users’ passwords apparently remained safe.) You’ll still need one well-crafted password for your password manager account—so review Tip 15.

17. Got a Great One? Okay, Write It Down.
Everyone tells you not to commit your passwords to paper. Ignore that. “As long as you’re not leaving Post-it notes under keyboards, it’s totally cool to write passwords down,” Gosney says. He keeps vital passwords—including the one for his password manager and his phone’s lock screen—in a sealed envelope to be opened only if he’s incapacitated. That way, his loved ones can access his online accounts to pay bills and take care of other business.

18. Be Password Loyal
People also tell you to change passwords regularly. Don’t, unless there’s a good reason, such as responding to a data breach. Switch often and you’ll probably end up using weak options.

Password Math

Step 1. E stands for “entropy,” which is the opposite of an ordered pattern. Entropy is good: The bigger the E, the harder a password is to crack.

Step 2. Let’s say your keyboard has 95 unique characters. If you’re randomly constructing a password from that whole set, R=95.

Step 3. Let’s say you have a 12-character password. If so, L=12.

Step 4. The number R to the L power is 540,360,087,662,636,962,890,625—which is how many possible passwords you’ve got. Quite a mouthful, isn’t it?

Step 5. That number is the same as 2 to the 78.9th power—and the log base 2 of that is 78.9. In info-security lingo, it’s 78.9 bits of entropy. That approaches the “exponential wall,” where a password could take ages to crack. And yes, 12 characters picked at random from a keyboard will do the job. 

Or just see Tip 15.
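The sidebar's arithmetic carried through in Python, as an added example that is not part of the original article: it computes E = L × log2(R) for the 12-character case, applies the same formula to Tip 15's 7,776-word Diceware list, and maps five dice rolls to a position in that list. The function names and the eight-word list are constructed for this demo; a real Diceware list has 7,776 entries.

```python
import math
import secrets


def possible_passwords(pool_size: int, length: int) -> int:
    """R to the L power: how many passwords of this length exist."""
    return pool_size ** length


def entropy_bits(pool_size: int, length: int) -> float:
    """E = log2(R ** L) = L * log2(R), valid only for uniformly random picks."""
    return length * math.log2(pool_size)


def length_needed(pool_size: int, target_bits: float) -> int:
    """Smallest number of random symbols (or words) reaching target_bits."""
    # The tiny epsilon keeps float noise from rounding an exact answer up.
    return math.ceil(target_bits / math.log2(pool_size) - 1e-9)


def dice_to_index(rolls) -> int:
    """Map five dice (each 1-6) to a list position 0..7775, since 6**5 == 7776."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each between 1 and 6")
    index = 0
    for roll in rolls:
        index = index * 6 + (roll - 1)  # read the rolls as a base-6 number
    return index


def passphrase(wordlist, n_words: int):
    """Pick n_words with the OS random source; return (phrase, entropy in bits)."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would overstate the entropy")
    words = [wordlist[secrets.randbelow(len(wordlist))] for _ in range(n_words)]
    return " ".join(words), entropy_bits(len(wordlist), n_words)


# Constructed eight-word list for the demo only (3 bits per word).
DEMO_WORDS = ["anchor", "blanket", "cactus", "dolphin",
              "ember", "fiddle", "glacier", "hammock"]

if __name__ == "__main__":
    # Steps 2-5 of the sidebar: R = 95, L = 12.
    print(possible_passwords(95, 12))
    keyboard = entropy_bits(95, 12)  # ~78.8 bits (the sidebar quotes 78.9)
    print(f"12 random keyboard characters: {keyboard:.1f} bits")

    # Tip 15: five words from a 7,776-word list.
    print(f"5 Diceware words: {entropy_bits(7776, 5):.1f} bits")
    print("Diceware words to match the keyboard password:",
          length_needed(7776, keyboard))
    print("Random lowercase letters to match it:",
          length_needed(26, keyboard))

    # Physical dice: rolls 1-6-6-6-5 select this position in the list.
    print("Rolls 1,6,6,6,5 -> index", dice_to_index([1, 6, 6, 6, 5]))

    # The entropy comes from the list size, not from how odd the words look.
    phrase, bits = passphrase(DEMO_WORDS, 5)
    print(f"{phrase!r}: only {bits:.0f} bits from an 8-word list")
```

The formula holds only when every character or word is chosen at random; words picked by a person to "feel random" carry less entropy than the numbers printed here.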

19. Stop ID Theft After a Death
Identity theft affects 2.5 million estates every year, according to the IRS. If a loved one has died, send a copy of the death certificate to the IRS (the funeral home may help with that). Also, cancel any driver’s license, and notify credit agencies, banks, insurance firms, and financial institutions.

20. Go Belt and Suspenders With Two-Factor Authentication

By Lorrie Cranor, Chief Technologist, Federal Trade Commission, Washington, D.C.

Early one evening last spring, my mobile phone stopped working. I wasn’t too worried, but the next morning my husband’s phone wasn’t working, either. We went to one of the carrier’s stores and learned that two iPhones had been purchased on our account.

When I called the carrier’s fraud department, the rep confirmed that someone had “upgraded” our two phones and transferred our numbers.

I immediately logged in to my account and changed the password. I also placed a fraud alert with the credit-reporting agencies. And I had to spend many hours getting the carrier to finish cleaning up the mess.

But I still didn’t know how the theft happened. Section 609(e) of the Fair Credit Reporting Act requires companies to provide victims of identity theft with all business records related to the incident. So I filled out a template at identitytheft.gov, a site run by the Federal Trade Commission where you can report thefts like this, and mailed it in to the carrier.

Two months later, I received the records. I learned that the thief had acquired the iPhones in Ohio, hundreds of miles from my home, at one of my mobile carrier’s retail stores. She used a fake ID with my name and her photo. According to the records, the store clerk “followed proper authentication procedures.”

The thief probably sold the phones quickly. And as far as I know, she hasn’t been caught.

To keep it from happening to you:

21. Activate a PIN
Sprint requires customers to set a PIN and security questions for their accounts, and the other major mobile providers offer customers the option. Take it. Having a PIN can help keep strangers from making changes to your account.

22. Watch Your Bills
Many wireless plans are based on a flat rate, so make sure your bill is consistent from month to month. If it’s not, take a closer look at your account.

24. Check on the Kids
Minors had their identity stolen 51 times more often than adults in a study by researchers at Carnegie Mellon University. Keep an eye out for letters from collection agencies, bills for unpaid balances, or a warning that pops up when you try to file your taxes electronically if you list your child as a dependent. But sometimes there’s no hint that a minor is a victim of identity theft. To be safe, request reports from the three big credit-rating agencies by the time your children turn 15. That will give you time to clear up any problems before they apply for college loans, jobs, or credit cards.

Web-connected devices promise convenience, but some can leak private data. Here's how to keep your information safe.

25. Lock Down Your Baby Monitor
Hackers sometimes break into WiFi-connected babycams, even hijacking the speakers to talk to children and caretakers. That’s often because users don’t know to change the default settings. When you set up any internet-enabled camera, create a unique username and password. Also, turn off the babycam when it’s not in use. That will make hackers less likely to discover it.

26. Outwit Your Smart TV
Automatic content recognition (ACR) systems built into many smart televisions transmit data to analytics companies that may use it for marketing. You’ve already paid for your TV with money. If you don’t want to pay again with your data, hunt through your TV’s “smart” settings for the feature—which may be called Live Plus, SynPlus, or anything but ACR—and turn it off.

27. Shut Down Webcam Creeps

Lots of stuff that's fine at home—hanging out in your PJs, using WiFi file sharing, eating peanut butter from the jar—is totally inappropriate at a coffee shop. Here's how to get your laptop ready to leave your home network.

28. Deploy Your Firewall

29. Restrict File Sharing
File sharing makes it easy to swap documents among devices. If you’re on your home network, that’s good. When you’re on public WiFi, it’s bad. Turn it off under the Sharing settings on your computer.

30. Cloak Your Computer
You just turned off file sharing, right? Also turn off Network Discovery to make it more difficult for other devices on the network to find your laptop. On PCs, it’s under Advanced Sharing settings. Mac users can enter Stealth mode through Firewall Options.

31. Do All of This Automatically
Clicking away at laptop menus every time you leave home can be annoying. Windows makes it easy to automate the process using Advanced Sharing settings. Also, whenever you join a new WiFi network, Windows asks whether to add it to your “home” or “public” profile; the operating system forgets the public networks when you log off. To do something comparable on a Mac, use the free-to-download ControlPlane app.

32. Use a VPN
Virtual private networks route your traffic through a single remote server that has tight security in place. Traveling with a work laptop? Turn on your company’s VPN even for personal use, if that doesn’t conflict with company policies. Or consider using a paid service such as IVPN or the free VPN that was recently introduced by the Opera web browser.

33. You Know What? Just Fake It.
Toymakers are rolling out connected kids' products—including tablets and talking dolls—and asking families to divulge personal information to register them. But that essentially provides marketers and potential hackers with details about your children. So consider providing fake information. For an address, may we suggest Bart Simpson’s—742 Evergreen Terrace?

“Encryption is for everybody—activists, journalists, secretaries, grandmas,” says Matt Mitchell, aka Geminiimatt, an info-security consultant and host of monthly cryptography-instruction gatherings in Harlem. “When you mail a letter, you seal the envelope so no one can read it. It’s the same idea with your data and encryption.” Basically, encryption scrambles your data so that it’s unreadable by anyone who doesn’t have permission to access it.

34. Do Your Phone First
“Your smartphone knows everything about you,” Mitchell points out. New iOS and many Android smartphones are encrypted by default; if you have an older mobile OS, you’ll need to go into Settings.

35. Next, Your Computer Files
You can encrypt your whole machine or just sensitive files. To encrypt specific files on a Mac, use the Disk Utility. Windows 10 Home users can download a free app such as GPG4win (aka Gnu Privacy Guard).

36. Finally, Your USB Drive
Flash drives can be misplaced—along with your files. Mitchell recommends Apricorn flash drives with built-in encryption. He says they’re pricey but worth it, starting at $99 for 8GB.

It doesn't cost old-fashioned money to use Facebook, but you pay for access with your data, which is vacuumed up by the $350 billion behemoth in ways both obvious and hidden. Take these steps to boost privacy and limit how much Facebook—and its partners and users—can learn about you.

37. Keep GPS Data Private
Facebook can extract your whereabouts from your mobile phone. But you can turn the function off using your phone settings. For an iPhone, you'll find the controls under Location Services. If you've got an Android device, look under Facebook Permissions in Applications Manager.

38. Turn on Log-In Approvals
This is Facebook’s name for two-factor authentication. (What’s that? See Tip 20.) It keeps strangers from accessing your account—even if they steal your password.

39. Become Elusive
Don’t want people finding your Facebook page when they type your name into a search engine? You can change that and more under the “Who Can Look Me Up?” section of Facebook Settings.

40. Leave a Group
Facebook lets users add friends to groups without their consent. But you can remove yourself from any group by going to your Activity Log.

41. Reduce Ad Overload
You know those posts that read “So-and-so likes this” with a sponsored link? You can avoid being used in ads by tinkering with Facebook’s Ad settings.

42. Hide ID-Theft Clues
Your birthday. Your hometown. Your alma mater. Those are all things Facebook can reveal to the world—and they’re answers to potential security questions. Hide such information by using the Privacy Checkup Tool found under the padlock on the upper right of any Facebook page.

A couple of years ago, Craig Young, who works on the Vulnerability and Exposures Research Team at a security firm called Tripwire, found that 20 of the 25 most popular home routers sold on Amazon contained big security holes. (Some of those have since been patched.) And in 2014, it took Young just a few hours to find 10 flaws in wireless routers during a competition at Def Con, a hacking conference in Las Vegas.

This is bad, because the laptops, smartphones, and other devices you use at home all connect to the internet through your router. And so do web-connected devices such as smart TVs and some security cams and children’s toys. Here’s how you can make your router more secure. The whole project shouldn't take more than 10 minutes.

44. Find an Ethernet Cable
Then use it to temporarily connect the router to your computer. You’ll be updating your router’s firmware. And losing your connection during that process could turn your router into a doorstop. It’s safer to rely on old-fashioned wires and plugs.

45. Get the IP Number
Every router has two IP (internet protocol) addresses, an external one for communicating with the internet through a modem and an internal one for your laptop, smart TV, and other devices. To make changes to your router’s settings, you need to access it through your browser using the local IP address. (Owners of Apple’s Airport routers who have a Mac can make changes via Airport Utility.)

The local IP address is very likely to be 192.168.1.1, but you can double-check by looking in the router’s manual. Lost it? Go to www.routeripaddress.com and enter the model name to find it. You’re in. Congratulations! Now let’s get to work.

46. Update the Username and Password
If you never changed the default settings, do that now. (See Tips 15-18 for password advice.)

47. Change the SSID . . .
Your SSID—service set identifier—is your home network’s name. Replace the default SSID with something more creative but not too personal. There’s no need to identify this as your network, is there?

48. . . . Then Hide It
Router settings allow you to hide your WiFi network from prying outsiders. Note that once you do this, you’ll stop seeing the network pop up in your own devices’ WiFi lists, and you’ll need to type the SSID into each device you want to connect.

49. Embrace Encryption
Fasten your jargon seatbelts: You need to switch from WEP to WPA2-AES and disable the PIN method of using WPS. These acronyms represent ways to encrypt communications on your WiFi network. You want WPA2-AES because it’s the newest and strongest. If you have really old devices, they may not be able to connect this way. And that means it’s time to replace them.

50. Update Firmware
Some routers today automatically update their firmware—they check for updates, install new software, and reboot in the middle of the night. But not all of them do—and many routers that say they have automatic updates require users to log on and hit “Okay.” So do that.

51. Make Sure Remote Management Is Off
Are you going to need to change your router settings when you’re far away from home? Probably not. Do you want to allow anyone else to do it? No, so make sure that this feature is disabled. It’s often referred to either as Remote Management, Remote Access, or Remote Administration.

52. Shut It Down
Going out of town? Turn off the router unless you need it to access smart devices such as your thermostat or a security camera.

53. And, Uh—Maybe Get a New Router
Signs it could be time for an upgrade: One, the router is too old to have WPA2-AES (see Tip 49); or two, it follows an old WiFi standard such as 802.11b or 802.11g. If you’re getting a new router, skip 802.11n devices and choose one that follows the newer, faster 802.11ac standard. (We know—more jargon. Consult our wireless routers buying guide for more details.)

54. Check Links Before You Click
Suspicious of a link in an email or online ad? Check its safety with Sucuri SiteCheck or urlvoid.com. First, hover over the suspicious link and the full address will appear in the bottom corner of your browser; right-click to access the drop-down menu, and select Copy Link. Now paste the URL into your link checker to get a report. Foolproof? No. A good hint if there's a problem? Yes.

Web browsers don't come with every protection you might want. Download extensions to improve security. 

55. Add HTTPS Everywhere
When you see “https” and a green padlock alongside a URL in your browser’s address bar, it means that the data is encrypted as it travels back and forth between the website and your computer. (The “s” stands for “secure.”) Some sites that support https use it inconsistently. Add the HTTPS Everywhere extension, which you can download from the Electronic Frontier Foundation, and your connections will be encrypted anytime you connect to a website that supports https. (Extensions are small pieces of software that can enhance the functionality of web browsers.) HTTPS Everywhere works with the Chrome, Firefox, and Opera browsers.

56. Block Snoops
Hate ads that steamroll over a web page? That’s not the half of it. Many ads, along with webpage elements such as the Facebook “Like” button, send information about your online activity to their data-collecting masters.

“These ads aren’t like billboards” that just sit by the side of a road, says Chris Jay Hoofnagle, who teaches privacy and internet law at the University of California, Berkeley. “They’re live code being run by people you don’t know and should not trust.”

Extensions including Adblock Plus, Disconnect, Ghostery, Privacy Badger, and uBlock address this issue using varying approaches. Most let you add URLs to a “whitelist” of sites they won’t check. You can do that if a favorite website stops working once you download the extension. There are also additional settings you can use to adjust which ads get through.

By Raul Glasgow, Owner, Shortcircuited Computer Repair Services, Brooklyn, New York

I do info-tech consulting and computer repair. I’m basically the computer guy for a number of dental and medical offices. One day last summer I got up and checked on the server where I keep my website—and the site was just gone. The files were encrypted, and I saw a message appearing in a pop-up window.

This wasn’t the first time I’d encountered ransomware, so I knew what the message was going to say: To get the files back I’d have to pay the hackers in bitcoin, a digital currency.

I started seeing ransomware attacks targeting some of my clients two or three years ago, and since then it’s become more common.

The first time it was a dental office, and they were being told to pay about $2,000 in bitcoin to get their files back. But we were worried they could lose the money if the hackers didn’t actually restore the files—after all, we didn’t know who these guys were. We ended up wiping everything and starting fresh with a new computer. We could do that because everything was backed up.

A few weeks before my own site was hacked, another dental office I work with had its patients’ X-rays encrypted by ransomware, and they had no backups of those files. The ransom was lower this time, about $300 worth of bitcoin, and the client decided to pay up. There was no other good option.

With my own website, I really didn’t want to pay a ransom so I said the hell with it—I’m just going to restore everything from a backup.

That would have been a big job.

But then I saw that one of the major anti-malware companies had a fix for at least some ransomware attacks—as long as you had a few of the files backed up and knew what ransomware software was involved. It wasn’t something a lot of nontechnical people would be able to use, but it worked for me.

From what I’ve seen, antivirus companies are working on the problem, and they’re starting to catch up. But the hackers are introducing even stronger encryption. And it’s not always real hackers, people with skills. Anyone can just go online these days and buy the software they need to start a ransomware business. Instead of dealing drugs, a criminal can get into hacking.

To keep it from happening to you:

57. Back Up Your Data
Use a system that backs up your files automatically. If you’re hit with ransomware, you’ll have the option of restoring the data.

58. Keep Software Updated
Ideally, set your computer and key programs to update automatically (see Tip 13).

59. Try Haggling . . .
Ransomware crooks are honing their “customer service,” according to Philip Casesa, a strategist at the International Information System Security Certification Consortium. So it’s worth asking for a ransom discount.

60. . . . But Not Right Away
Wait to click on the pop-up until you’ve obtained bitcoin, which can take time. The reason: The criminals will likely impose a time limit before deleting your data—and the clock starts ticking as soon as you click.

Pokémon Go is a mobile game—maybe you’ve heard of it. It was downloaded an estimated 75 million times in less than three weeks last summer, breaking records and attracting criminals armed with a phishing scam.

Phishing is when someone poses as a legitimate business to trick consumers into divulging information. In this case, fraudsters emailed Pokémon Go users saying that because of the popularity of the app, the game’s servers were overwhelmed (that much was true) and that developers were starting to charge users $12.99 per account (a lie). The email prompted users to click on a link that went to a website that looked like the real Pokémon Go site and log in to their accounts. The goal? To get passwords.

One way to stay safe is to use two-factor authentication, which prevents a criminal armed just with a password from accessing your accounts (see Tip 20).

Here are two more:

62. Scoff at Fake Email Notices
Surprised to find an email from a bank or social site asking you to log on? Don’t click; open a new browser window and type in the address of the company website instead.

63. Call Customer Service
Be leery if an institution asks for your log-on credentials through email or a text message. Instead of replying, call the company.

For a seemingly all-knowing data machine, the search giant gives users a large amount of control.

64. Tweak the Settings
Go to My Account to control what data about you is being collected and how it’s being shared. In particular, go to the Personal Info & Privacy section to review Location, Search, and YouTube Search History. You can delete records one entry at a time or all at once, and if you’d like to, you can prevent Google from recording data going forward. Privacy Checkup lets you control what shows up on Google+, the social network.

65. Make Google Forget You
Ready to push the big red Destruct button on Gmail, Google Drive, and the rest? You’ll still be able to use tools such as Search but your account and—Google promises—the data used to target you with ads will disappear. Go to My Account and look for Delete Your Account or Services. Take a deep breath (you can’t undo this) and follow the prompts.

66. Keep Your Fitness Data to Yourself
Many wearables are paired with users’ smartphones using Bluetooth technology—but those phones may not be the only hardware scooping up the signals. A 2014 study by the security firm Symantec and a June 2015 study by Germany’s AV-Test.org found that many Bluetooth devices don’t prevent data access by “sniffers” located nearby. Fitness trackers and running watches can broadcast sensitive information such as the user’s name, address, password, and GPS data. Not all trackers let you shut off Bluetooth, but many do. If possible, keep your wireless settings turned off until you choose to upload the data to your phone at the end of a workout or at night. (As an added benefit, that will extend the battery life.)


Editor's Note: Reporting by Andrew Chaikivsky. Additional reporting by Tercius Bufete and Catherine Roberts. Special thanks to Access Now, the Electronic Frontier Foundation, the Federal Trade Commission, Fight for the Future, the Ford Foundation, the Mozilla Foundation, the Privacy Rights Clearinghouse, and associate professor Lujo Bauer, who teaches computer security at Carnegie Mellon University.

This article also appeared in the November 2016 issue of Consumer Reports magazine.
