You can spend a weekend going down the privacy rabbit hole and come out the other side overwhelmed, with seventeen browser extensions installed and no real change in your life. Or you can spread the work across a month, fifteen minutes a day, and end up with a quieter inbox, fewer exposed accounts, and a smaller data trail without ever forcing the issue. This is that second plan.
Each day is short enough to do over a coffee. By the end of thirty days, you will have completed something most people never quite get around to.
Week 1: Audit and Foundations
Day 1. Check for breaches. Visit haveibeenpwned.com and check every email address you use. Make a list of services that have leaked your data and roughly when. This list shapes the rest of the month.
Day 2. Install a password manager. Bitwarden, 1Password, and Proton Pass are all good choices. Set a strong master passphrase made of four random words and write it down on paper.
Day 3. Import existing passwords. Most browsers can export their saved passwords. Import them into your new manager. This gives you a starting inventory.
Day 4. Identify your high-value accounts. Email, banking, work, primary social media, password manager itself. These are tier one. Everything else is tier two or three.
Day 5. Change tier-one passwords. Generate unique long passwords for each tier-one account through your password manager. Save them, sign in once to confirm they work, and move on.
Day 6. Turn on two-factor on tier one. Use an authenticator app. If you can afford a hardware security key, set one up for your primary email today.
Day 7. Print recovery codes. Every account with two-factor authentication offers recovery codes for when you lose your second factor. Print them and store them in a safe place at home.
Week 2: Inbox and Identity
Day 8. Set up email aliases. Apple Hide My Email, SimpleLogin, or Firefox Relay. Pick one. Generate a few aliases to get used to the workflow.
Day 9. Move newsletters off your real address. Pick five newsletters you want to keep. Update the subscription email to a fresh alias for each. Future leaks of those services no longer expose your real inbox.
Day 10. Unsubscribe ruthlessly. Open your inbox, search for “unsubscribe,” and spend fifteen minutes clicking. Anything you have not engaged with in six months goes.
Day 11. Disable remote image loading. In your email client, turn off automatic loading of remote images. This defeats tracking pixels.
Day 12. Bookmark LettMail. For the next time a website wants your email for a one-off download or sign-up, you have a tool ready. Try it once today on something low-stakes to get used to it.
Day 13. Audit your phone number footprint. List the services that have your real phone number. For social and marketplace accounts, ask whether they really need it. Where possible, remove or replace with a burner number.
Day 14. Subscribe to breach alerts. Sign up for Have I Been Pwned’s free notification service for every address you actually use. Future leaks will reach you within hours.
Week 3: Account Cleanup
Day 15. List your accounts. Open your password manager and look at how many accounts are stored. The number is usually larger than the gut estimate. Make a quick mental sort: active, occasional, forgotten.
Day 16. Close five forgotten accounts. Pick five from the “forgotten” pile and actually close them. Some services bury this option deep, but JustDeleteMe (a community-maintained site) has direct links for most of them.
Day 17. Change tier-two passwords. Pick ten tier-two accounts you use occasionally and rotate them to unique passwords through your manager. Continue for fifteen minutes and stop.
Day 18. Audit connected apps on Google. Visit myaccount.google.com, then Security, “Your connections to third-party apps.” Revoke anything you do not recognise.
Day 19. Audit connected apps on Facebook. Same idea, on Facebook this time, under Settings, Apps and Websites.
Day 20. Audit connected apps on Apple ID. Sign in to appleid.apple.com, “Sign in with Apple,” and review which apps you have used Apple sign-in for. Remove anything you no longer need.
Day 21. Off-Facebook Activity. Inside Facebook, find “Off-Facebook Activity,” clear history, and disconnect future activity. This is the single highest-impact Facebook setting.
Week 4: Devices, Browsers, and Public Records
Day 22. Update everything. Phone, laptop, browser, password manager. Run pending updates today. Outdated software is the single most exploited weakness in personal computing.
Day 23. Browser cleanup. Remove extensions you no longer use. Each one has access to your browsing. A lean set of two or three trusted extensions is safer than a forgotten pile.
Day 24. Set the right browser defaults. Use HTTPS-only mode, set search to a privacy-respecting default, turn on strict tracking protection. Firefox, Brave, and Safari all have one-click privacy modes.
Day 25. Set up DNS-level filtering. NextDNS, Pi-hole, or Cloudflare’s 1.1.1.1 for Families. This blocks trackers and known malicious domains across your entire device, not just inside your browser.
Day 26. Sign out old devices. Google, Apple, Microsoft, and Facebook all have a “where you are signed in” panel. Remove devices you no longer use.
Day 27. Look up your name. Search your full name in a private browser. Note any people-search sites that have you listed. Many of them honour removal requests, though you usually have to ask each one separately.
Day 28. Submit a few removal requests. Pick the three most prominent people-search results and submit removal requests. This will take ten minutes each. Most of these sites have a process; it is just rarely linked from the front page.
The Last Two Days: Stabilize and Schedule
Day 29. Document your setup. In a notes app or your password manager’s secure notes, write down your recovery key locations, hardware key inventory, and the rotation schedule for passwords. Future you will thank present you the next time you need any of this.
Day 30. Schedule the next review. Put a reminder six months from today to repeat days 1, 15, and 21. Defaults drift. Forgotten accounts accumulate. A twice-a-year refresh keeps the work you did from quietly undoing itself.
What This Plan Does Not Do
This is not a plan to vanish from the internet. If your goal is full anonymity, the steps would be very different and much more disruptive. The plan above is a calm middle path. It reduces the size of your data footprint, raises the cost of compromising your accounts, and leaves you with a manageable maintenance schedule. You can still use the platforms you used before. You just leave less behind every time you do.
What Changes by Day 30
By the end of the month, several quiet shifts will have happened. Every important account uses a unique password and a second factor. Your real email is no longer the default sign-up address for everything in your life. Your inbox is meaningfully quieter. The number of services with permission to act on your behalf or share your data has dropped. Your devices and browsers are running the latest updates and the right defaults. And you have a calendar reminder to refresh all of it in six months.
None of this is dramatic on any single day. Add the days together and you have done something that genuinely changes your exposure on the internet for the better, without giving up the parts of the internet you actually like.