The Lisbon Incident

Cute cafe. Good espresso. Laptop open, deadline looming.

I'd connected to the WiFi like I'd done a hundred times before. Two hours later, my bank sends me a fraud alert. Someone in Romania was trying to buy $800 worth of crypto with my debit card.

Same cafe. Same network. Some guy with the right tools—took him maybe ten minutes to grab my session. I didn't even notice.

That was three years ago. I've become... slightly obsessed with security since.

Here's the thing: most of this stuff is simple. Basic habits. Takes maybe an hour to set up properly, then it's just muscle memory. But most people skip it because "it won't happen to me."

It happened to me. In a nice cafe. In a safe city. While I was literally just checking email.

What Actually Gets People

Forget the movie-hacker stuff. Here's what actually happens:

Stolen passwords. Someone reuses "password123" everywhere. One site gets breached. Now hackers have the keys to everything.

Phishing emails. "Your account has been suspended, click here." Looks real. Isn't. You just gave someone your login.

Public WiFi snooping. What happened to me. Unencrypted network, anyone can watch what you're doing.

Lost laptop. Stolen at airport. No encryption. Congrats, they have access to your entire life.

Most hacks aren't sophisticated. They're just... taking advantage of people who didn't think it would happen to them.

VPN: Not Optional

After Lisbon, I got a VPN. Should've done it years earlier.

A VPN encrypts everything leaving your device. Even if someone's watching the network, they see gibberish. Useless to them.

Use it when:

  • Any public WiFi. Always.
  • Hotel networks. Yes, even nice hotels.
  • Coworking spaces. Shared network, shared risk.

At home? Optional. Your risk.

I use NordVPN. ExpressVPN and Surfshark work too. Just don't use free VPNs—they make money by selling your data. Defeats the entire purpose.

For detailed comparisons, see our VPN guide for digital nomads.

Passwords: You're Doing It Wrong

Same password everywhere? You're one breach away from disaster.

LinkedIn gets hacked. Attackers take your email and password. They try it on your bank. On your email. On your crypto exchange. Same credentials work everywhere.

Get a password manager. Today.

I use 1Password. NordPass and Bitwarden also work. They generate random passwords. You remember one master password. Done.

"correct horse battery staple" beats "P@ssw0rd123" every time. Length matters more than complexity. Four random words is stronger than eight random characters.

Never reuse passwords. Ever.

Check if your email has been in breaches at haveibeenpwned.com.

2FA: The Second Lock

Password gets stolen? 2FA saves you.

Two-factor means: something you know (password) + something you have (phone, key). Attacker needs both.

From best to worst:

  1. Hardware keys (YubiKey). Phishing-proof.
  2. Authenticator apps (Authy, Google Authenticator). Solid.
  3. SMS codes. Better than nothing but... SIM swapping exists.
  4. Email codes. Useless if your email's compromised.

Enable 2FA on your email first. Everything else resets through email. Lose email, lose everything.

File Sharing Without Being Stupid

Google Drive, Dropbox Business, OneDrive—all fine. Encrypted.

Email attachments? Not encrypted. Creates copies everywhere. Avoid for anything sensitive.

USB drives? Can carry malware. Can get lost. Can get stolen. Just... don't.

Password-protect shared links. Set expiration dates. Audit who has access.

Your Laptop Is a Liability

Lost or stolen laptop = complete breach. Unless you encrypted it.

FileVault on Mac. BitLocker on Windows. Turn them on. Takes five minutes. Now a thief just has expensive hardware, not your life.

Also:

  • Strong password, not a 4-digit PIN
  • Auto-lock after 2 minutes
  • Find My Device enabled
  • Updates on auto. Security patches exist for a reason.

Public WiFi: The Rules

I still use public WiFi. But differently now.

Always:

  • VPN on before connecting. Non-negotiable.
  • Verify the network name. Ask staff. Fake hotspots are real.
  • HTTPS only. Look for the padlock.

Never:

  • Banking without VPN
  • Entering passwords without 2FA
  • Leaving laptop unattended. Not even for the bathroom.

Better option: Your phone's hotspot. Encrypted, private, only you know the password. For anything sensitive, use that instead.

Frequently Asked Questions

With VPN, yes. Without, no.

Different things. VPN protects data traveling over networks. Antivirus protects your device from malware. Need both.

Only when breached. Use unique passwords with a manager and you won't need to rotate constantly.

Change passwords on email and bank immediately. Enable 2FA everywhere. Scan for malware. Check account activity logs.

Bitwarden is free and legit. Better than reusing "password123."

Check your company policy. If yes: separate data, encrypt disk, strong passwords.

You can't always. Assume all public WiFi is hostile. VPN regardless.

Just Do These Things

Today:

  • Get a password manager. Start using it.
  • Enable 2FA on email.
  • Turn on disk encryption.
  • Check haveibeenpwned.com for your email.

This week:

  • Get a VPN. Set it up on all devices.
  • 2FA on banking, work accounts, social media.
  • Review device security settings.

Forever:

  • VPN on public WiFi. Always.
  • Check email links before clicking.
  • Lock screen when stepping away.
  • Never leave devices unattended in public.

Three Years Later

I still think about Lisbon sometimes. The $800 got reversed. But it took weeks. The panic lasted longer.

The guy who got me? Probably spent ten minutes on it. Probably wasn't even targeting me specifically. Just fishing.

Most security is just... making yourself slightly harder to hack than the next person. Attackers are lazy. They go for easy targets.

Don't be easy.

Password manager. 2FA. VPN. That's 90% of it. Takes an hour to set up. Saves you from becoming someone's story about why security matters.