2025-03-22

Digital hygiene | karpathy

karpathy.bearblog.dev/digital-hygiene

In his blog post "Digital hygiene," Andrej Karpathy outlines a comprehensive guide to enhancing personal privacy and security in the digital age. He argues that such measures are essential in response to a vast "fraud apparatus," where tech companies, data brokers, and cybercriminals exploit personal information gathered through profiling, data breaches, and insecure practices. The guide provides a series of actionable steps, ranging from basic to advanced, to protect one's digital life.

The foundation of Karpathy's security strategy is robust authentication. He first emphasizes a password manager, such as 1Password, to generate and store a unique, strong password for every online service. This blocks password guessing and, more importantly, credential stuffing, where a single leaked password is replayed against every other service the victim uses. To secure the password vault itself and other critical accounts (e.g., Google), he strongly advocates a hardware security key such as a YubiKey as the second factor ("something you have"). He dismisses SMS-based two-factor authentication as dangerously insecure because of SIM swap attacks, in which an attacker has the victim's phone number moved to a device they control and simply receives the one-time codes. A hardware key keeps its private key on the device and never exposes it, so an attacker needs physical possession of the key rather than a phished or intercepted code, which drastically reduces the risk of remote account takeover. He also advises treating antiquated security questions as passwords: generate random answers instead of real, often discoverable facts, and store them in the password manager.

Karpathy then addresses data and device security. He insists on enabling full-disk encryption (FileVault on Macs) so that data on a lost or stolen computer cannot be read without the login credentials. He expresses strong disdain for the Internet of Things (IoT), labeling it the "@internetofshit" and advising readers to avoid "smart" devices whenever possible. He views them as insecure, rarely updated, data-gathering computers with microphones that add significant attack surface inside a home.

For communication and browsing, Karpathy recommends privacy-first tools. He advocates Signal for messaging because of its end-to-end encryption and minimal metadata retention, and suggests enabling disappearing messages so that a compromised device or account exposes as little history as possible. For web browsing and search, he recommends the Brave browser and Brave Search, which are built on a privacy-first model with their own search index, unlike alternatives that may simply relay queries to Bing. He notes his preference for paying for premium versions of such services so that he is treated as a "customer, not the product."

A significant portion of the guide focuses on compartmentalizing personal and financial information. To prevent merchants from linking purchases and to limit the damage from card fraud, he uses privacy.com to mint unique virtual credit cards for each transaction, each with its own spending limit and random billing name and address, so a leaked card number is useless elsewhere. Similarly, to avoid giving out his physical address, he uses a virtual mail service (such as Virtual Post Mail) that receives, scans, and digitizes physical mail. Regarding email, he follows strict rules: never clicking links in email, and disabling automatic loading of remote images so that tracking pixels cannot report when, where, and on what device a message was opened.
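As an added example (not code from Karpathy's post), the following Python script shows concretely what a mail client is refusing to fetch when remote image loading is disabled: it parses an HTML email and flags the `<img>` tags that look like open-tracking beacons (remote, tiny or hidden, usually carrying a per-recipient token in the query string). The sample message, hostnames and URLs are constructed for illustration and do not refer to any real service.

```python
"""Flag likely tracking pixels in an HTML email body.

Added example, not from the original post. Inline (cid:) and data: images
never touch the network, so only http(s) images can report an open; of
those, 1x1/0x0 or CSS-hidden images with identifiers in the URL are the
classic open-tracking beacon.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample message: a logo embedded inline, a 1x1 beacon with a
# recipient id, a normal remote banner, and a CSS-hidden beacon.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi! Your order has shipped.</p>
<img src="cid:logo@example.com" width="200" height="60" alt="Logo">
<img src="https://mail-track.example.net/open?rid=8f3a9c21&campaign=spring"
     width="1" height="1" alt="">
<img src="https://cdn.example.com/img/banner.jpg" width="600" height="200">
<img src="https://metrics.example.org/p.gif?u=42"
     style="display:none;width:0;height:0">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (bare number or '1px')."""
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    return v in ("0", "1")


def _hidden(style):
    """True if the inline style hides the element or collapses it to 0 size."""
    s = style.replace(" ", "").lower()
    return any(marker in s for marker in
               ("display:none", "visibility:hidden", "width:0", "height:0"))


def find_tracking_pixels(html):
    """Return [(src, [reasons...]), ...] for <img> tags that look like beacons.

    An image is flagged when it is fetched over the network AND is either
    tiny or hidden; any query-string keys are reported as supporting evidence
    because that is where the per-recipient identifier usually lives.
    """
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        if parts.scheme.lower() not in ("http", "https"):
            continue  # cid:/data: images cannot phone home
        reasons = []
        if _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")):
            reasons.append("1x1 or 0x0 size")
        if _hidden(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        if not reasons:
            continue  # an ordinary remote image; still a fetch, but not a beacon pattern
        query = parse_qs(parts.query)
        if query:
            reasons.append("query string carries identifiers: " + ",".join(sorted(query)))
        findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(f"BLOCK {src}\n      {'; '.join(reasons)}")
```

A client that blocks remote images simply never issues the request for any `http(s)` `src`, beacon or not; the heuristic above only explains which of those requests would have identified the reader.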

Finally, Karpathy details network-level protections and behavioral best practices. He uses Mullvad VPN selectively to hide his IP address from less-trusted services, NextDNS to block ads and trackers at the DNS level for every application on the device, and an outbound firewall and network monitor, Little Snitch, to see which applications are talking to which hosts. He also stresses work-life separation, advising against accessing personal accounts on company-owned computers, which are often heavily monitored. Karpathy concludes by acknowledging that digital hygiene is a journey with trade-offs, admitting he still uses Gmail and 𝕏 (Twitter) for convenience while exploring further steps such as burner phone numbers and unique email aliases per service.