Family Security Setup — A 90-Minute Checklist Backed by Real Breach Data
Most household account compromises trace to four fixable failures: reused passwords, no 2FA on email, unpatched devices, insecure home Wi-Fi. Here is the 90-minute setup that closes all four.
The Verizon Data Breach Investigations Report 2024 found that the human element — phishing, stolen credentials, error — featured in roughly 68% of breaches. Among non-targeted attacks (the kind ordinary households face), the failure modes are dull and repetitive: a password reused across sites that got leaked five years ago, no 2FA on the email account that controls every other account’s reset link, an unpatched router with default admin credentials, and a backup that turns out not to exist.
This post is a 90-minute setup checklist that closes those four common failure modes. It assumes one motivated person sets it up for the household. The order matters — the high-leverage steps come first, so even if you stop halfway, you’ve moved out of the easy-target tier.
Why this checklist (the data)
Three datasets shape the priorities:
- Verizon DBIR 2024 — stolen credentials and weak credentials together account for the majority of non-targeted breaches.
- FBI IC3 2023 — 880,418 cybercrime complaints, $12.5B in losses. Phishing leads in count, BEC leads in dollar value, and “personal data breach” sits in the top categories.
- Have I Been Pwned — 13+ billion breached account records indexed. The median person’s email shows up in 5–10 historical breaches by 2024. If you’ve reused that password anywhere, those accounts are exposed.
The implication: the floor is low, but the high-leverage fixes are also small. Fixing password reuse + email 2FA closes the door on most opportunistic compromise.

Step 1 — Password manager (30 minutes)
This is the foundation. Without a password manager, the rest of the security stack collapses because you’ll reuse passwords or write them in a notes app.
Pick one
For most households:
- 1Password Families — $4.99/month for up to 5 users. Best onboarding, best mobile apps, well-tested zero-knowledge encryption. Strong choice if you can afford it.
- Bitwarden Families — $3.33/month for up to 6 users. Open-source, audited, slightly more technical UX. Best price-to-feature ratio.
- Apple iCloud Keychain — free, built into Apple devices. Works well if everyone in the household is on iPhone/Mac. No cross-platform support for Android/Windows.
Avoid LastPass. The 2022 breach exposed customers’ encrypted vaults along with metadata about which sites were stored. Multiple security researchers (Krebs, Wladimir Palant) have published detailed migration recommendations.
Setup, in order
- Owner installs the family plan. Create the master account on a desktop browser, not phone — easier to set up.
- Generate a strong master password. 4-5 random unrelated words (a “passphrase,” per the EFF Diceware word-list method) is easier to remember and harder to crack than an 8-character “complex” password. Write the master password on a piece of paper and store it in a fireproof safe or a sealed envelope.
- Set up the secret recovery key. 1Password and Bitwarden both generate a long recovery key. Print it. Store with the master password.
- Invite family members. They each create their master password. Two children old enough to have accounts, two adults — four invites.
- Browser extensions on every device. This is what makes the manager actually convenient — autofill becomes faster than typing.
- Import existing passwords. Both managers import from Chrome, Safari, Firefox, and from spreadsheet exports.
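To make the passphrase advice concrete, here is a small Python example added to this post (it is not code from 1Password, Bitwarden or the EFF). It generates a Diceware-style passphrase with the `secrets` module and compares its entropy with that of an 8-character password drawn uniformly from the 95 printable ASCII characters. The 16-word list is a constructed stand-in; the entropy figures use the real size of the EFF long word list (7,776 entries), which a real generator would load from disk.

```python
import math
import secrets

# Constructed 16-word sample list. The EFF long list has 7,776 words; only
# that size matters for the entropy arithmetic below.
SAMPLE_WORDS = [
    "anvil", "basil", "cobra", "delta", "ember", "fjord", "glyph", "harbor",
    "iris", "jumbo", "kayak", "lemur", "mango", "nickel", "oxide", "pumice",
]
EFF_LONG_LIST_SIZE = 7776
PRINTABLE_ASCII = 95  # characters 0x20-0x7E, the pool for a "complex" password


def entropy_bits(pool_size: int, symbols: int) -> float:
    """Entropy of `symbols` independent uniform picks from a pool of `pool_size`."""
    return symbols * math.log2(pool_size)


def generate_passphrase(words: list[str], count: int = 5) -> str:
    """Diceware-style passphrase: each word chosen uniformly with a CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare_strength(word_count: int = 5, complex_len: int = 8) -> dict[str, float]:
    """Passphrase entropy vs. a fully random printable-ASCII password."""
    return {
        "passphrase_bits": round(entropy_bits(EFF_LONG_LIST_SIZE, word_count), 1),
        "complex_bits": round(entropy_bits(PRINTABLE_ASCII, complex_len), 1),
    }


def words_needed(target_bits: float) -> int:
    """Smallest number of EFF-long-list words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(EFF_LONG_LIST_SIZE))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(compare_strength())
    print(words_needed(compare_strength()["complex_bits"]))
```

Five words from the long list give about 64.6 bits; eight truly random printable characters give about 52.6, and four words (about 51.7) land just below that, so five is the safer default. The figures assume every character of the "complex" password is uniformly random, which human-chosen passwords never are; the passphrase is also the one you can actually memorise.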
What to fix immediately after
Run the manager’s password health audit (1Password calls it Watchtower; Bitwarden has a Reports section). Three categories show up:
- Reused passwords — change the highest-value one first (email, then bank, then anything with stored payment)
- Weak passwords — short or common, regenerate
- Compromised passwords — the manager checks against Have I Been Pwned. If yours appears in a breach, change it now.
You won’t fix everything in one session. Target the top 10 highest-value accounts in week one. The rest can be handled gradually as you log in to each site over the following weeks.
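The three audit categories map to a few lines of code. The Python below is an added illustration for this post, not Watchtower's or Bitwarden's own code: it runs over a constructed vault export, flags reuse and weak passwords, and checks breach exposure the way the managers do, through Have I Been Pwned's k-anonymity range API, where only the first five hex characters of the SHA-1 hash leave the device. The real HTTP call is included for reference, but the audit as written runs against a constructed stand-in for the API response (with invented breach counts), so it works offline.

```python
import hashlib
import urllib.request
from collections import defaultdict

# Constructed vault export with a reused, a common, and a strong password.
VAULT = [
    {"site": "mail.example.com", "password": "Summer2019!"},
    {"site": "bank.example.com", "password": "Summer2019!"},
    {"site": "shop.example.com", "password": "password"},
    {"site": "forum.example.com", "password": "cH9#vL2$pQ7!mX4w"},
]
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def hibp_prefix_suffix(password: str) -> tuple[str, str]:
    """Upper-case SHA-1 hex digest split into the 5-char prefix sent to HIBP and the rest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def hibp_range_lookup(prefix: str) -> str:
    """Real range query (network): 'SUFFIX:COUNT' lines for every known hash with this prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "family-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API: these breach counts are invented for the demo.
BREACHED_FIXTURE = {"password": 9_000_000, "Summer2019!": 42}


def build_fake_ranges(fixture: dict[str, int]) -> dict[str, str]:
    """Build 'SUFFIX:COUNT' bodies keyed by prefix, in the shape the API returns."""
    ranges: dict[str, list[str]] = defaultdict(list)
    for pw, count in fixture.items():
        prefix, suffix = hibp_prefix_suffix(pw)
        ranges[prefix].append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in ranges.items()}


FAKE_RANGES = build_fake_ranges(BREACHED_FIXTURE)


def fake_range_lookup(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")


def pwned_count(password: str, range_lookup=fake_range_lookup) -> int:
    """How many times the password appears in HIBP; 0 if absent (padding rows also report 0)."""
    prefix, suffix = hibp_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix:
            return int(count)
    return 0


def audit(vault, range_lookup=fake_range_lookup, min_len: int = 12) -> dict:
    """Group entries by password, then apply the three Watchtower/Reports-style checks."""
    sites_by_password: dict[str, list[str]] = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
    findings = {"reused": [], "weak": [], "compromised": []}
    for pw, sites in sites_by_password.items():
        if len(sites) > 1:
            findings["reused"].append(sorted(sites))
        if len(pw) < min_len or pw.lower() in COMMON_PASSWORDS:
            findings["weak"].extend(sites)
        count = pwned_count(pw, range_lookup)
        if count:
            findings["compromised"].extend((site, count) for site in sites)
    return findings


if __name__ == "__main__":
    print(audit(VAULT))
```

Passing `hibp_range_lookup` instead of the fake makes the same audit query the live API; the report lists sites rather than passwords so it can be printed or shared without leaking the vault.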
For deeper comparison, see family password managers compared.
Step 2 — 2FA on critical accounts (20 minutes)
Once the password manager is in place, layer 2FA on the accounts that matter most.
Priority order
- Primary email — controls password resets for everything else. Critical.
- Secondary email used as recovery for primary
- Bank, brokerage, retirement accounts
- Cloud storage — iCloud, Google Drive, Dropbox, OneDrive
- Apple ID / Google Account (if not the same as primary email)
- Social media with public reach — Twitter/X, Facebook, Instagram, LinkedIn
- Shopping accounts with stored payment — Amazon, eBay
Method by tier
- Phishing-resistant 2FA (best) — hardware keys (YubiKey, Google Titan, $50 each) or device passkeys (iCloud Keychain, Google Password Manager built-in). Use these for primary email, financial accounts, anything irreplaceable. Buy two hardware keys; register both on every account, store one in a safe.
- TOTP via authenticator app (good) — 1Password, Bitwarden, Authy, or Google Authenticator. Use this for everything else. Don’t rely on Google Authenticator alone if you ever change phones — Authy syncs encrypted across devices, 1Password/Bitwarden include TOTP as a paid feature.
- SMS 2FA (acceptable as last resort) — better than nothing, vulnerable to SIM swap. Avoid for high-value accounts. If a service only offers SMS, use it.
The Google study quoted in 2FA methods compared shows the prevention rates: SMS blocks 76% of bulk phishing, TOTP blocks 99%, hardware keys block 100%.
Backup recovery codes
Every 2FA setup offers backup codes. Print them. Store with the password-manager master password. The single most common 2FA failure mode is “I lost my phone and can’t get into my accounts” — solved by backup codes you saved in advance.

Step 3 — Device hygiene (15 minutes)
The device security floor is low and the fixes are simple.
Updates
- Phones — enable automatic OS updates. iOS: Settings → General → Software Update → Automatic Updates. Android: Settings → System → Software Update.
- Laptops — enable automatic updates. macOS: System Settings → General → Software Update → Automatic. Windows: Settings → Windows Update → Advanced options.
- Browsers — Chrome, Edge, Firefox, Safari all auto-update by default. Quit and relaunch monthly to apply.
A 2-year-old unpatched phone is dramatically more vulnerable than the same phone with current patches. Most ransomware and exploit kits target known unpatched vulnerabilities.
Screen lock
- Phone — at minimum 6-digit passcode (4 is too weak). Biometric (Face ID, Touch ID) layered on top. Auto-lock after 1-2 minutes.
- Laptop — require password on wake. Mac: System Settings → Lock Screen → Require password immediately. Windows: Settings → Accounts → Sign-in options.
Find My / device tracking
- Apple devices — turn on Find My iPhone/Mac for every family device. Enables remote lock and erase if stolen.
- Android — Find My Device, on by default for Google accounts.
- Windows — Settings → Privacy & security → Find my device.
If a device is lost, the first thing you want to do is remote-lock it. That’s only available if you set this up in advance.
Encryption
- iPhone/Android — encrypted by default since iOS 8 / Android 10
- Mac — turn on FileVault. System Settings → Privacy & security → FileVault → Turn On.
- Windows — turn on BitLocker. Settings → Privacy & security → Device encryption (or BitLocker Drive Encryption on Pro/Enterprise).
Encryption protects you when a device is stolen — without it, the data is readable to anyone with a screwdriver.
Step 4 — Home network (15 minutes)
The home router is the door to your internal network. Outdated firmware, default credentials, and weak Wi-Fi passwords are the FBI’s most-cited home network failures.
Five-minute router checklist
- Log into the router admin — usually 192.168.1.1 or 192.168.0.1 in a browser. Username and password are on a sticker on the router (or “admin/admin” if it’s old).
- Change the admin password. Use the password manager to generate and store it.
- Enable automatic firmware updates. Look under “Administration” or “System” settings. If your router doesn’t support auto-updates, replace it — modern Netgear, ASUS, TP-Link, Eero, Google Wifi all support this.
- Switch Wi-Fi security to WPA3 if available, otherwise WPA2-AES. Avoid WPA2-TKIP and WEP — both broken.
- Wi-Fi password 12+ characters. Random, stored in the password manager.
- Disable WPS (Wi-Fi Protected Setup) — the PIN-based version has been broken since 2011.
- Disable remote admin — there’s almost never a good reason for the router admin page to be reachable from the internet.
- Set up a guest network — separate SSID for guests and IoT devices (smart bulbs, security cameras, voice assistants). Keeps compromised IoT devices off the same network as your laptops.
DNS-level filtering (optional but high-leverage)
Setting your router’s DNS to a filtering provider blocks malware and ad domains across every device on your network without installing anything per-device:
- Cloudflare 1.1.1.1 for Families — free, blocks malware (1.1.1.2) or malware + adult content (1.1.1.3)
- NextDNS — free for under 300,000 queries/month, paid plans cheap, full configurability
- Cleanbrowsing — free family filter
Set as primary DNS in router settings — applies to everyone.

Step 5 — Backup that actually works (10 minutes)
CISA’s 3-2-1 rule: three copies of important data, two different media, one stored off-site.
Three layers
- Cloud sync (iCloud, Google Drive, OneDrive) — protects against device loss. Most people have this. Verify that it is actually syncing: delete a file on one device and confirm it shows up in the cloud provider’s trash.
- Local backup (Time Machine on Mac, File History on Windows) to an external USB drive — protects against ransomware and against cloud account lockout.
- Off-site backup — either a second external drive at a relative’s house (rotate every 3 months) or a service like Backblaze ($9/month, set-and-forget) — protects against fire, flood, burglary.
Verify
The backup nobody tests is the backup that doesn’t exist. Once a quarter:
- Open your cloud storage on a different device than usual. Confirm photos, documents are there.
- Boot Time Machine / File History and confirm the most recent backup is from the last 24 hours.
- Pick one important file and confirm you could restore it if needed.
Family-specific layers
Family password sharing
Both 1Password and Bitwarden Families let you create a shared vault. Use it for: streaming services, household utility logins, shared shopping accounts, Wi-Fi password. Keep individual logins (banking, work, email) in private vaults.
Kids’ accounts
- Under 13 — Family Sharing (Apple) or Family Link (Google) handles COPPA compliance and gives parents app-install approval and screen time controls. Don’t create lookalike accounts that pretend the child is older — it complicates account recovery later.
- Teens — gradually transition to standard accounts with strong passwords + 2FA. Talk through the password manager flow once; teens pick up the pattern fast.
Parental controls
Two layers, as covered in the FAQ:
- Account-level — Family Sharing / Family Link controls
- Network-level — DNS filtering on the router (Cloudflare 1.1.1.3, NextDNS, Cleanbrowsing) blocks across every device on the Wi-Fi, including kids’ friends’ phones when they visit
Network-level is the durable layer. Device-level controls are bypassed by any unenrolled device.
What you don’t need
- Antivirus on phones — both iOS and Android have built-in protection. Third-party “antivirus” apps for phones do nothing useful and often degrade battery life.
- Antivirus on Mac — macOS has XProtect built-in. For most users, that’s enough.
- VPN for general home use — VPNs are useful on public Wi-Fi or for specific privacy threat models, not for “general home security.” See VPN performance and privacy reality for what VPNs actually do.
- “Identity theft protection” services — most are overpriced credit monitoring. Free credit freezes via Equifax, Experian, TransUnion do most of what you want.
Bottom line
The 90 minutes break down roughly:
- 30 min — password manager setup, top 10 password fixes
- 20 min — 2FA on email + critical accounts, backup codes printed
- 15 min — device updates, screen lock, Find My, encryption
- 15 min — router admin password, WPA3, firmware auto-update, DNS filter
- 10 min — backup verification
Verizon DBIR consistently shows that fixing the credential side of the equation is the highest-leverage move available. After 90 minutes, your family’s exposure to opportunistic compromise drops by an order of magnitude. The polish work — better hardware keys, more rigorous backups, kids’ device controls — can be added month by month.
For deeper dives on each layer, see family password managers compared, 2FA methods compared, and phishing detection in 2024.
Family security hardware that closes the most common gaps
Three hardware categories return outsized risk-reduction for typical households: a secure mesh router, hardware security keys, and a clean network printer (the most-overlooked attack vector in 2024).
Synology RT2600ac WiFi Router (security-first)
Price: $200-280 — built-in security features
Pros
- Built-in threat intelligence — flags malicious connections automatically
- VPN server + client, ad-blocking DNS via Synology Threat Prevention
- Frequent firmware updates (5+ years post-release)
Cons
- Setup more complex than consumer routers
- Premium pricing vs basic WiFi 6 alternatives
YubiKey 5C NFC (Family Pack)
Price: $120-160 — buy as a family bundle
Pros
- Family-pack discount when ordering 3-4 keys at once
- FIDO2 / WebAuthn — works with Gmail, Microsoft, Apple, banking
- One key per family member; one backup in a safe deposit box
Cons
- Setup requires per-account 2FA enrollment
- Lost-key recovery needs the backup key — there is no account-reset shortcut
Eero Pro 6E Mesh WiFi 6E System (3-Pack)
Price: $350-500 — simple mesh with auto-updates
Pros
- Auto-updates patch security holes without manual intervention
- TrueMesh routing reduces handoff issues for a family’s worth of devices
- Amazon-owned — long-term support more likely than with indie brands
Cons
- Amazon ecosystem — privacy-conscious users may prefer Synology
- eero Secure (advanced filtering) requires a monthly subscription
For privacy-first families, Synology + YubiKeys is the strongest pairing. For households that prioritize ease-of-use over fine-grained control, Eero Pro 6E + YubiKeys is the smoother alternative.