The security habits that matter most at home, according to the pros

Most people don’t want to become security experts—they just want to keep their homes, accounts, and loved ones safer without feeling overwhelmed. That’s what makes learning from people who do this work every day so valuable. Not because they’re perfect, but because they’ve learned where effort actually pays off.

In this episode of Random But Memorable, Michael “Roo” Fey talks with Wade Wells and Taiga Walker from the 1Password security team about how their professional experience shapes the way they protect their own families. They share the habits they consider non-negotiable, the mistakes they’ve seen play out in real life, and the practical tradeoffs they make to balance security with usability at home.

The result is a grounded, relatable conversation full of ideas you can borrow—whether it’s how to think about identity, devices, and networks, or how to talk about security with people who don’t live and breathe it. If you’re looking for realistic ways to reduce risk without turning your home into a fortress, Wade and Taiga offer a thoughtful place to start.

Editor’s note: This interview has been lightly edited for clarity and brevity.

Can't see the video? Watch on YouTube!

Michael “Roo” Fey: Did working in security change how you think about protecting your family? Do you lock everything down more now?

WW: I had a little bit of that mindset before working in security, but the profession has definitely hardened me. I’ll admit there was a point where I was more paranoid. As I matured in the security field, I let that go and accepted that incidents will happen eventually.

Now I focus not just on prevention, but on response actions. If something were to happen, how would I recover or overcome it? I make sure I have proper phone numbers written down, agencies to talk to, and various things blocked.

What about you, Taiga?

TW: I’d say the same. When I first started out —especially after my undergraduate — I had this paranoid sense. As I matured in this career field, I realized you can’t eliminate all risk. Taking a risk-based perspective has really influenced my decisions and discussions.

You can’t eliminate everything, but what can I do that will have the greatest impact?

MF: What are the big areas you focus on when you’re securing your family and home?

WW: First, keep everything that you can updated. If I’m visiting family and see a browser that hasn’t been updated in a while, I close it, hit refresh, and say, “You’re updating that right now!” Because that is the number one way you’re going to get something.

Second is multi-factor authentication. Enable MFA everywhere you can, ideally using passkeys, which we’ve talked about in the past. Usually, it’s a bit of a push to get people to use MFA, though.

TW: I agree, especially around identity. This might be biased, since we all work at 1Password, but everyone should use a password manager. I still see folks writing passwords down in journals or on sticky notes instead of using a password manager to protect their identities.

Another area is parental restrictions around your home network. That can mean blocking specific websites or domains that could put family members and anyone else surfing the web at risk.

MF: That makes sense. Is your home security setup different from what most people have?

WW: By a lot. I put in the effort and bought equipment that offers plenty of customization. I don’t use the standard router that your cable company gives you. I’ve upgraded to ones that I can completely control.

Network segmentation is the big thing. So not just having two different Wi-Fi bands, 2.4 GHz and 5GHz, but separate networks entirely.

I have those along with dedicated networks for IoT devices and for guests. If people are coming over, I put them on a guest network. You can also do things like DNS holes that block certain traffic going out. I don’t do that, though, because if something breaks and my wife has an issue, I don’t want to have to fix it every time.

MF: What about you, Taiga?

TW: I’m not quite at Wade’s level, but I do use network segmentation. I still use a standard router, but I create different gateways and zones for different purposes—my main network, IoT devices, and a guest network.

A couple of years ago, I also added another layer using a DNS filter. If I want to block specific domains, I use a free tool called OpenDNS. It takes some configuration, but it’s worked well for me.

MF: I tried running OpenDNS for a while and ran into the issue Wade mentioned — other people in the house couldn’t access things and started asking why the internet was broken. I ended up dialing it back.

I also got an email from my router manufacturer saying they were ending support and security patches. That was the moment I realized I needed to do something about it.

WW: End-of-life is a big one. If you have really old devices, you’ll eventually have to replace them. They can’t run forever.

MF: Taiga, do you have a security habit at home that’s non-negotiable?

TW: Yes. If any family member receives something suspicious — an SMS or an email  — they have to consult me before interacting with it.

It’s easy for me to spot, but for family members who don’t work in tech or cybersecurity, it’s not second nature. That’s a non-negotiable.

MF: Wade, what about you?

WW: My family has an old practice we’ve used since I was a kid: a verbal password we can use to recognize each other. My mum used to say that if someone is picking you up from school, they have to know the password.

We still use it today. I’m on YouTube enough that my voice and likeness could be recreated. If I ever called saying I was in jail in Tijuana, they could ask for that password. I haven’t had to use it yet in the cybersecurity work, but it’s better to be prepared than not.

MF: You mentioned separating IoT devices onto their own network. Are there any devices that really concern you from a security perspective?

WW: I caught my baby monitor pinging China. It was a Chinese-made device, so I was like, “Okay, that’s fine. But this thing isn’t allowed on the internet anymore.” I disabled its internet access entirely.

My UniFi system caught it and said, “Hey, you have something that’s constantly pinging China. You should look at this.” I don’t necessarily think it was malicious, but it was too high a risk.

The same goes for many children’s toys. I don’t allow them to connect to the internet, or if I do, I put them on a special network.

MF: What about you, Taiga?

TW: Mine was with an automated vacuum cleaner. There was an advisory a couple of weeks back suggesting — and don’t quote me on the specifics —  it was made in China and could be eavesdropping on potential chatter while the vacuum was running.

I had it on my IoT device network. But once I saw that, I unplugged it and deleted all the information connected to my account.

MF: How do you approach security conversations with family members or roommates?

TW: If friends or family members receive something asking them to take urgent action, I ask them to wait, slow down, and process it.

Those discussions are always interesting because you’re seeing security through a different lens. There’s a difference in the type of panic and paranoia between someone who does and doesn’t work in cybersecurity. So I always try to understand what’s happening from their perspective rather than what I see and do on a daily basis.

WW: We share a lot of family accounts back and forth. And it’s very important that everything goes into 1Password. I’m sure that my wife slips up every now and then, but I stick to it.

I also tell my family that if anything seems fishy, call me.

MF: What security hype do you ignore?

WW: Something that I implement for myself, but don’t implement for others, is removing local access for yourself. That prevents you from installing things if your account gets compromised. It’s a lot of work to log in again using a local admin account. Often, you have to use a fingerprint sensor because it’s on the computer.

So I’ve had people tell me, “Just do that for all your family members. They can’t install anything, and then everything will be okay.” But if they can’t install anything, they’re going to be calling all the time asking how to install stuff!

DNS black holes are cool, but they can also cause headaches.

MF: Let’s close with advice. What’s one thing listeners can do to protect their families without feeling overwhelmed?

WW: The obvious one is to use a password manager, so I’m going to suggest something else!

Use MFA everywhere you can — preferably not SMS, if the website or service allows that. Use a hardware key or a passkey that’s stored in a credential manager.

TW: Trust but verify. Let’s say Wade reached out and asked some suspicious questions. I’m going to trust that it’s Wade, but perform some verification on my end just to be sure. Even if a message looks like it’s from someone you know, take a moment to confirm.

Enjoyed this podcast interview? Ask questions and share tips in our episode discussion thread!