I don’t regret any of it. I had a great college experience, and compared with most American young adults’ experiences at school, my time on campus was extraordinarily tame. There is no photographic or video evidence of me drinking heavily or using drugs because I never did. There are, however, a lot of less-than-flattering photos of me in my early college attire (sweatpants, t-shirt, and a messy bun), or acting like the enormous nerd that I was and am, singing with my college a cappella group, studying abroad in Russia, and playing concerts with my Harry Potter-themed band.

In 2020, a troll ran an ill-conceived smear campaign featuring videos of some of those escapades. He shared them on Twitter from an alternate account after I discussed disinformation in the presidential election. He tried to shame me into silence, but I wasn’t ashamed. However, I was worried. This man had dug deep enough into my Google search results to find these videos. He selected the ones that made me look the least serious and professional, and went through the trouble of downloading, editing, and sharing them through an alternate account. If he found those, what else did he find? My phone number? My address? My mother’s address? Would he ever deploy them if I debunked another one of his claims? Would I encounter him or one of his acolytes next time I walked the dog?

The night those videos were shared—the culmination of a week-long trolling campaign against me—my nerves and emotions were frayed. I felt unsafe and alone. I signed myself and my husband up for an anti-doxing service, which scrubs online white pages and other public records of your personal information for a fee. I had already been in the public eye for a few years, and so I took care with my physical and technical security, but that evening was a turning point in my online engagement. The days of posting my every fleeting thought or photographic evidence of the mundane occurrences in my life were already long gone, but now it was time for a new level of curation and caution.

Just before the 2020 election, we were both called on to testify before the U.S. House of Representatives Permanent Select Committee on Intelligence, chaired by Representative Adam Schiff of California. The topic—“Misinformation, Conspiracy Theories, and ‘Infodemics’: Stopping the Spread Online”—couldn’t have been more timely or more likely to attract the criticism of the very people who spread the malign information we were discussing.

The day before the hearing, “Q,” the anonymous leader of the QAnon conspiracy cult, posted a message on 8kun about the proceedings. “Shall We show them, Anon..?” [sic] it began, before listing the names of the all-woman witness panel and closing with the phrase “Forewarned is Forearmed” and a salute to the “Q Team.” The next day, Q adherents spent the two-hour hearing criticizing our appearances, making anti-Semitic slurs, and alleging we were all CIA plants. “Do we see a pattern here?” one poster asked, including a picture of the four women witnesses. “Look at the nose on that broad,” a commenter wrote of me. Another implored, “show us your boobs!” Cindy, who is a wheelchair user and proud disability advocate, was grotesquely ridiculed. The discussion wasn’t void of violent threats, either. One user wrote

Cindy had already locked down her Twitter account. “I didn’t need the stress of dealing with prep for [the hearing], executing that, and then coming back to disaster mentions” on Twitter, she tells me in a later conversation.¹ It’s not a decision she takes lightly. “I know for a fact that that has caused me to [lose] opportunities to expand my reach and … increase my credibility,” she says. “When I lock down, nobody can share my content, nobody can follow me. There are those moments where you have that opportunity. I know I’m limiting my professional progress each time I scale back on social media. It’s the calculation I make each time to prioritize my physical safety, my mental health.”

As an open-source analyst and investigator who has uncovered disinformation networks that have made the pages of The Washington Post and other notable publications, Cindy is an expert on the digital breadcrumbs that can be used to target us. “Every social media user needs to make choices about how authentically themselves they’re willing to be online,” she underlines. The tidbits of our lives that make us more human—our family issues, health issues, and personal stories—“those can all be used to target you in the future, either by trolling or through attempted recruitment by intelligence services,” Cindy warns. “The calculation might be that that’s a vulnerability you’re willing to put out there, [but] you want to think carefully about the personal details you’re sharing that might put yourself in a more compromising position.”

But it’s not just the personal details that can get you in trouble; basic cyber hygiene is the foundation to any online security practice. No, it is not the most exciting part of protecting yourself online, but it is the part most connected to your physical safety. From password managers and two-factor authentication to being savvy about the seemingly innocuous tidbits you share on social media, you can build a moat around your public profile, adding an extra layer of security and peace-of-mind as you do your work and make yourself heard.

Women in the public eye do not have the luxury to be so careless, nor could we possibly expect 20 hours of safety in such a scenario. If Cindy or I had made a similar mistake around our testimonies, for example, it’s likely the QAnon cultists who dug through our online profiles would have attempted to gain access to our accounts. They wouldn’t have been successful, because we follow the basic, easy practices I’m about to outline for you that keep our personal information safe from anyone who might try to harm us.

It’s time to banish the sticky notes and scribbles at the back of your notebooks and proactively strengthen your online security.

We’ve all been there, but this behavior needlessly exposes us to potential security breaches. If the concert ticket website is compromised, criminals now have access to the other accounts where you used the same password. This is entirely avoidable. It is extremely easy to set up a password manager, a service that will generate, store, and even input every password, username, and security question you have.

Here’s how they work: after signing up for a password manager service (I use LastPass; other services include 1Password, BitWarden, and Dashlane), you create a single password that will log you into your password manager service. This is the only password you’ll ever have to remember so long as you’re using the service. From there, most password managers offer a browser plugin and mobile app that will store all the usernames and passwords for sites and services you use. You won’t have to copy and paste them from site to site, and if you ever update your passwords, the service will log the change automatically. Most of these services will also identify weak or potentially breached passwords affected by large-scale hacks or leaks. A good password manager will also offer two-factor authentication to keep your accounts even more secure (more on this below) and ensure that if someone did crack your complex login information to your password manager, they would not be able to gain access to your account. (You should absolutely turn this on if it’s available on the service you choose.) Best of all, when you create an account on a new site the first time, these services will generate a complex password, full of letters, numbers, and symbols, fitting the requirements of every site or service you use, and you’ll never have to think of or remember one again.

Most web browsers and operating systems offer some version of a password manager (such as Apple Keychain or Google’s Password Manager). Though they are aggressive, incessantly asking “Would you like to save your password?”, convenient (pre-installed with your browser) and cost-effective (most of the best services on the market require a subscription fee of around $30 per year for full operability) they do not always offer the same features that an external service focused only on password management would.³

You may also be tempted to use single sign-on, employing your Google, Facebook, or Amazon account to log in to other websites rather than create new accounts. There are two reasons you should avoid this at all costs. First, the web titans providing those umbrella accounts are likely to harvest data about your behavior on third party services when you log in using the credentials from their site. More importantly, however, if your password for your Google, Facebook, or Amazon account were ever compromised, criminals could then access all your information on sites where you used them to log in. Yikes.

It is likely that you have been the victim of a password breach in the past...