The Proton Blog

How to block websites on Chrome: A step-by-step guide for parents

Ben Wolford — Wed, 27 May 2026 16:00:10 GMT

It’s only getting harder to manage screen time for kids — whether it’s setting up time limits, or making sure they don’t access inappropriate content. Sometimes you’ll think you’ve covered your bases by blocking access to an app (like YouTube or game apps like Roblox), but it turns out they’ve found a workaround by accessing the same content through their browser.

If you need to block a website on your Chrome browser, it’s important to note that Chrome doesn’t have a built-in way to do this, so we’ll share a few different approaches for both desktop and mobile.

Why would I need to block a website on Chrome?

There are any number of reasons why you might want to block websites on Chrome. These might include:

To block inappropriate content
To limit screen time
To prevent access to social media
To block access to certain games

Blocking access to specific websites can be an important part of your approach to limiting screen time and protecting your child’s mental health.

Options for blocking websites on Chrome

Here’s a quick overview of your options before we go into detail for each one.

Option	Ease of use	Devices impacted
Family Link	Simple	Mobile and desktop
Chrome extensions	Simple	Desktop
Device-level settings	Simple	Mobile
Router-level blocking	Difficult	All devices

How to block websites on Chrome with Google Family Link

Family Link is the most robust free option for parents, and it’s pretty simple to set up. You can use the Family Link categories to block sites, or add individual websites.

Create a Gmail account for your child using Family Link
Open Family Link and select your child’s profile
Tap Controls > Google Chrome and Web
Choose one of the existing settings (Allow all sites, Try to block explicit sites, or Only allow approved sites)
Select Approved sites and Blocked sites under “Manage sites” to add approved and or blocked websites

This option works across desktop and mobile, provided your child is signed into their Google account. If you have an older device, however, you should check to confirm it’s compatible.
Google’s SafeSearch is another feature that helps you manage explicit content in your child’s search results. If your child is logged in to their Google account with their correct age (and is under 18), this feature will already be toggled on to the Filter setting, which blocks any explicit content that’s been detected.

Parent tip: Once your child turns 13 they can opt for an unsupervised Gmail account, meaning you can no longer manage their account. They can then visit the previously blocked websites, and adjust the SafeSearch settings.

How to use Chrome extensions to block websites

Installing a Chrome extension is the most popular method if you only need to worry about desktop solutions. These extensions generally allow you to be more granular about permissions, so you can block websites at certain times (for example overnight, or during homework times) and allow them at others.

Choose an extension and install it
Add the URLs for the websites you’d like to block
Set a password so that your kids can’t disable the extension
Optional: Set time usage limits for sites, set blocking schedules, or block by category

Some commonly recommended extensions include BlockSite and Stay Focusd, however, you should do your due diligence and make sure the extension you choose meets your needs and gets a good rating in the Google Play or App Store. Note that while many of them are technically free, you’ll probably need to pay in order to block more than one or two sites.

Parent tip: Chrome extensions won’t work if your child switches to another browser.

How to block websites on Chrome Mobile

If you only need to block websites on mobile devices, or want to supplement your Chrome extension solution, here’s how you can go about blocking sites on your child’s mobile device:

Android devices

The Digital Wellbeing and parental controls settings on Android allow you to adjust how long they can spend on each site, but if you’re looking for more targeted control, you’ll need to download Google’s Family Link app, which integrates with Android’s Digital Wellbeing.

Parent tip: Digital Wellbeing’s website filtering applies to the Chrome browser. If your child decides to use a different browser, you may need to block those browser apps entirely through Family Link’s app controls.

iPhone/iPad

The Screen Time settings offer a lot of control over what your kids can see on their devices, including the ability to block websites.

Navigate to Screen Time, scroll down to Family and select your child’s name
Scroll down and select Content & Privacy Restrictions
Ensure this option is toggled on and tap App Store, Media, Web & Games
Select Web Content and choose your preferred settings

Parent tip: These settings apply to everything on the iPhone or iPad, not just websites accessed using Google Chrome.

How to block websites on Chrome using your router

For parents who want to block sites across every device in the house, including gaming consoles, smart TVs, and more, you may be able to do this by updating your router settings. This is a more advanced option, but most routers have an app you can download, which makes the process slightly easier.

These are the steps for the ASUS router, which allows you to block categories, such as pornography and gambling, rather than specific pages.

Tap on the Family tab
Add a profile using the + on the top right of the screen
Choose the age range that’s appropriate
Add all the devices that you want grouped under that profile
Select the time scheduling mode
Go into the new profile and select Content Block
Block all relevant categories

We recommend looking up the specific steps for your home router as the level of customization varies across devices and models.

Parent tip: Kids can circumvent router blocks by using mobile data.

What you can’t block (and what to do instead)

Kids are digital natives, and they’re shockingly good at finding workarounds when it comes to technical blockers; lock down Chrome and they may download another browser or use a friend’s device. Parental controls are important, including for social media, but they work best alongside open conversations about internet safety and digital literacy.

If you’re using multiple services to manage your child’s online activity, you may find it useful to use a secure password manager to keep all your logins in one place. Proton Pass also offers a dedicated family password manager that can help you share and manage family logins.

Parent tip: While these are all good options for preventing your child from seeing inappropriate content on Google Chrome, using Google products leaves your child vulnerable to Google’s data collection, tracking, and profiling. You may want to consider looking into a privacy-focused browser..

FAQ: Blocking websites on Chrome

Can I block websites on Chrome without an extension?

Yes, the best way to block websites on Chrome without an extension is to use the Family Link app.

How do I block websites on Chrome on my child’s phone?

To block websites on your child’s phone, you can use the Family Link app on Android or iOS, or update the Screen Time settings on iOS devices.

How do I stop my child from unblocking websites?

The Family Link restrictions are tied to your Google account, so your child can’t change Chrome’s filter settings without parental approval. However, this doesn’t mean they won’t attempt to access websites on a browser other than Chrome, or on a device that isn’t covered by parental controls. It’s best to pair technical solutions with conversations around what’s appropriate and why.

Does blocking work in incognito mode?

If your child is signed in to Chrome with an account managed by Family Link, then incognito mode is not available to them.

Is there a free way to block websites on Chrome?

Yes, Family Link is free, and there are some Chrome extensions that offer basic site blocking at no cost, although you’ll have to pay to get the really useful features.

Can you shop safely on Facebook Marketplace? Common scams to watch out for

Ben Wolford — Wed, 27 May 2026 15:18:55 GMT

Who doesn’t love snagging a bargain online? It’s easy on the wallet, kinder to the planet, and you often uncover unique pieces.  But buying from strangers on the internet carries risks that you rarely encounter in brick‑and‑mortar stores or with established brands.

To help you shop safely, we’ll share the most common fraud tactics you’ll find on Facebook Marketplace, how to report sellers, and some clear, actionable steps to stay safe while shopping on the platform.

What is Facebook Marketplace?

Facebook Marketplace is the social network’s built-in classifieds hub, allowing anyone to list or browse items within their Facebook account. Because listings are linked to a real Facebook profile, you can see the seller’s name, profile picture, and any mutual friends.

This information can lend a sense of legitimacy, but can also be fabricated by scammers who exploit the platform’s openness. Fake messages and fake ads on Facebook and sister company Instagram have proliferated in recent years. In 2025, reporting from Reuters proved that scam ads actually account for 10% of Meta’s income.

Common Facebook Marketplace scams and how to avoid them

There are endless ways scammers can try to defraud genuine buyers and sellers on Facebook Marketplace, but these are some of the more common scams to watch out for.

Gift card payment scams

Target: Buyers and sellers

There are a few variations on this scam:

After agreeing to purchase an item, the bogus buyer claims to have “accidentally” sent too much money. They ask for a refund of the excess amount, often via a gift card code, but after the seller provides the refund, the original payment is reported as fraud and reversed.
The bogus seller requests payment via a gift card instead of a payment platform that offers buyer protection. The scammer immediately uses the gift card, doesn’t send the item, and the buyer has no recourse to recover the money.
The bogus seller is offering a gift card below cost, for example, a $100 App Store gift card for $80. After the buyer purchases it, they discover the gift card is fake or already used.

Too-good‑to‑be‑true pricing

Target: Buyers

You come across a listing for something where the price is far below market value. After you pay, the seller disappears, or the item delivered is counterfeit or of poor quality.

Deposit scams

Target: Buyers

Often combined with the pricing scam, a seller will list an item at an incredibly low price. They then claim they’ve had a lot of interest in the item and will require you to pay a deposit to hold it, or miss out. Once the buyer pays the deposit, the listing and the seller will disappear.

Phishing scams

Target: Buyers and sellers

Scammers masquerade as buyers or sellers to send convincing “secure checkout” links to make or request payment. Because the interaction happens through Messenger, it’s easy for the target to assume a malicious link is valid. If you manually enter your details into the bogus link (rather than using a password manager), you may unwittingly share your private credentials with the scammer.

Facebook Marketplace scam red flags

These signs aren’t definitive confirmation of a scam, but rather a sign to proceed with caution.

Payment requests with no buyer protection

Payment methods that don’t offer buyer protection include PayPal Family and Friends, wire transfers, gift cards, and cash.

Stock photos of items in listings

You can ask the seller to take some new photos of the item, and if you’re suspicious, ask them to include a piece of paper with the date and their name written on it in the photo.

Urgent language

Anything that requires you to act fast and bypass your better judgment or normal processes should be a red flag.

Newly created Facebook accounts

Scammers often have to create new accounts after being reported. A newly created profile, with very few friends or followers and no other listings, is a definite red flag.

Your password manager doesn’t autofill your credentials

If you have a PayPal account but your password manager doesn’t fill in your details when you use the PayPal link the seller shares, the link may be a phishing or spoofed site. When a password manager refuses to autofill, it means the URL you’re looking at doesn’t match the legitimate PayPal domain (paypal.com vs. paypa1.com).

Which payment method should you use on Facebook Marketplace?

Choosing the right way to send and receive money is the biggest factor in staying safe on Facebook Marketplace. We’ve outlined the most common options, the protection each offers, and the red flags to watch for.

Payment option	How it works on Marketplace	Buyer‑protection level	When to use	Red flags
Meta Pay (formerly Facebook Pay)	Built into the Messenger checkout flow, you link a credit/debit card or bank account once and then pay with a single tap.	Full protection; Meta handles disputes, and you can request a refund if the item isn’t delivered or is not as described.	Ideal for most transactions, provided both parties have access to it.	Be sure the payment screen shows the official Meta Pay branding and correct URL.
PayPal – Goods & Services	Select the “Pay for goods/services” option to ensure the payment goes through PayPal’s protected channel.	Full protection; you can open a dispute within 180 days, and PayPal may reimburse you if the seller fails to deliver.	Good for higher‑value items or when parties don’t have access to Meta Pay.	Scammers often request to use the Friends & Family option, as it doesn’t offer buyer protection.
Credit or debit card	Enter card details on the Meta Pay checkout or a seller‑provided secure payment page.	Card‑issuer chargeback rights; most banks allow you to dispute unauthorized payments or undelivered goods.	Useful when the seller insists on a custom checkout page that you recognize as legitimate (for example, a verified Stripe link).	Beware of unfamiliar URLs that mimic PayPal or Stripe; a password manager will refuse to autofill on mismatched domains.
Apple Pay / Google Pay	Mobile wallets that tokenize your card details; supported where the seller uses Meta Pay or a compatible checkout.	Same protection as the underlying card, plus tokenization reduces exposure of your raw card number.	Convenient for mobile‑first shoppers who already have these wallets set up.	Only use when the checkout clearly indicates Apple Pay or Google Pay; never click a link that redirects to a plain‑HTML “payment” page.
Cash	Hand the money to the seller when you meet at a public location.	No digital protection – you rely entirely on the physical exchange.	Acceptable for large items where postage isn’t an option.	Avoid meeting in secluded places, and take someone with you if possible.

How does a password manager help protect against Facebook Marketplace phishing scams?

By pairing a protected payment method with a robust password manager like Proton pass, you dramatically reduce the attack surface that scammers rely on.

Domain‑locked autofill: Your credentials are injected only on the exact URL you saved. If a scammer sends a fake PayPal link, the manager won’t fill in your password, alerting you to the mismatch.

Secure vault for payment details: Store credit card numbers, billing addresses, and even one‑time virtual cards in an encrypted vault. You can copy‑paste the data into a verified checkout without ever typing it on a malicious page.

Unique passwords per service: If a phishing site somehow captures a password, the breach won’t affect your other accounts because each service uses a distinct login.

How to report a Facebook Marketplace seller or listing

Reporting a listing on the Facebook app

Select the Marketplace icon
Open the listing you want to report
Tap the three dots on the top right corner
Select Report listing

Reporting a seller on the Facebook app

Select the Marketplace icon
Open a listing from the seller you want to report
Scroll down to the seller details and tap on the seller name
Tap the three dots next to View profile

Select Report.

Reporting a seller or listing on the Facebook website

Open Marketplace
Open the listing you want to report
Tap the three dots on the top right corner
Select Report listing or Report seller

Alternatively you can report from within your Facebook Messenger chat window, by tapping the three dots, and selecting Report.

Best practices for staying safe on Facebook Marketplace

So, is Facebook Marketplace safe? With the right precautions, the answer is a qualified yes.

Here are some easy ways to make your shopping experience safer:

Always use a payment gateway with buyer and seller protection and verify any payment links shared by sellers.
Do your due diligence — check the Facebook profile of the person you’re dealing with to see if it’s newly created, has any reviews, and whether any other items have been listed, bought, or sold.
Don’t give out bank details, phone numbers, or other personal information, and use a password manager to keep your private information secure.
If you’re meeting in person, choose a public, well‑lit spot like a coffee shop (if possible), bring a friend, and inspect the item properly before paying.

How to change your WiFi password

Ben Wolford — Wed, 27 May 2026 14:37:30 GMT

Changing your WiFi password every 3-6 months is considered best practice, but many of us are guilty of setting and forgetting. It’s not hard to update, though, and can protect you from security headaches ranging from bandwidth theft to device exploitation.

We’ll cover which scenarios prompt a WiFi password reset and how to reset your password on your router and update it across your devices.

When it’s a good idea to change your WiFi password

Changing the WiFi password on popular home routers

Changing WiFi password on Windows 10/11

Changing WiFi password on macOS

Changing WiFi password on Android

Changing WiFi password on iOS

Should I change my WiFi network name (SSID)?

When it’s a good idea to change your WiFi password

Aside from updating your WiFi password every 3-6 months, some specific events should trigger a password reset.

After a guest leaves

If you share your WiFi password with anyone who’s not a member of your household, you’ll want to change it after they leave. At the same time, you could set up a guest account for future guests.

If you suspect a device is compromised

A compromised device can capture your WiFi password, sniff traffic, or act as a bridge for attackers to reach other devices on the same network.

When you receive a firmware update that resets settings

It might be tempting to ignore updates, but router manufacturers regularly issue firmware updates to patch security vulnerabilities, improve stability, or add new features.

If you notice unknown devices on your network

It’s a good idea to check your network devices periodically. Seeing unfamiliar MAC addresses or device names in your router’s connected‑device list is an indication that someone may have joined your WiFi without permission.

Changing the WiFi password on popular home routers

Many routers have a dedicated app for managing them. Using the app is generally recommended over the website, and makes it fairly straightforward to see devices and traffic on your network, as well as to change your password and network name.

ASUS routers

ASUS has one app that works across all ASUS routers, available for download from their website, the App Store, or Google Play.

Open the app and select Settings
Select WiFi > Wireless Settings > Network Settings
Add your new password in the Network Key field
Tap Apply

(Steps may vary slightly depending on your firmware.)

What if I can’t use the app?

Connect your computer to your router
Open a browser and go to http://www.asusrouter.com or type your router’s IP address directly
Log in using your router username and password
Navigate to:

For firmware (>3.0.0.6.102_35404): Network > Main network profile

For firmware (<3.0.0.6.102_35404): Wireless > General

Select WPA Pre-Shared Key (Password) and enter your new password
Click Apply

ASUS support page

NETGEAR routers

NETGEAR has separate apps for Nighthawk and Orbi Mesh routers. Select your NETGEAR router type and download the app from their website, the App Store, or Google Play. Although the apps are different, the steps are the same.

Open the app and select WiFi Settings
Select the WiFi network you want to update
Enter your new password
Tap Save

What if I can’t use the app?

Connect your computer to your router
Open a browser and go to the appropriate URL or type your router’s IP in directly

Nighthawk: www.routerlogin.net or www.routerlogin.com

Orbi: www.orbilogin.com

Log in using your router username and password
1. Nighthawk: Select Wireless
2. Omni: Select Basic > Wireless
Enter your new password in the Password (Network Key) field
Click Apply

NETGEAR support page

Verizon routers

Download the Verizon Home app – available in the Apple App Store and Google Play.

Launch the app and log in with your My Verizon credentials
In Connections, tap Network
Select Primary tab > Edit Wi-Fi
Enter your new password in the Wi-Fi password field
Tap Save changes

What if I can’t use the app?

As long as you don’t have a Fios Quantum Gateway or a Verizon Fios Advanced router, you should be able to change the WiFi password manually.

Open a browser and enter 192.168.1.1
Log in using your router username and password
Follow the onscreen directions (or refer to your router user guide)

Verizon support page

TP-Link routers

You can download TP-Link’s Tether app from their website, the  App Store, or Google Play.

Launch the app and log in with your TP-Link credentials
Tap Tools > Wireless
Enter a new password in the Password field
Tap Save

What if I can’t use the app?

Connect your computer to your router
Open a browser and go to http://tplinkwifi.net or type your router’s IP address directly
Log in with your router username and password
In the left‑hand menu, select Wireless > Wireless Settings
Enter your new password in the Password / Pre‑Shared Key field
Click Save

If your router isn’t included here, you should be able to find the instructions by searching “[router name] change WiFi password” or similar.

And of course, once you’ve changed your WiFi password on your router, you’ll need to update the password in your password manager and across your devices.

Changing WiFi password on Windows 10/11

Click the WiFi icon in the taskbar and select Network & Internet settings
Choose Wi‑Fi > Manage known networks
Find your network and click the three‑dot menu > Forget
Return to the WiFi icon, click your network name, and enter the new password
Select Connect automatically if you want to auto-join in the future

Changing WiFi password on macOS

Open System Settings > Wi-Fi
Next to your network name, select Details…
Scroll to the bottom and select Forget This Network… > Remove
Reselect your network and enter your new password
Select Remember this network to auto-join in the future

Changing WiFi password on Android

Open Settings > Network & internet > WiFi
Tap the gear icon next to your network > Forget
Select the network name and enter your new password

Changing WiFi password on iOS

Open Settings > Wi‑Fi
Tap the information button next to your network and choose Forget This Network > Delete > OK
Return to the Wi-Fi screen, tap your network name, and type the new password
Select Auto‑Join if you want your device to reconnect automatically

We’ve also written a guide about how to share your WiFi password.

Should I change my WiFi network name (SSID)?

Your WiFi network name, officially known as the service set identifier (SSID), doesn’t need to be changed regularly, but you should change your SSID from the default setting.

SSID best practices

Skip the generic router labels. Names like “NETGEAR_47” or “Linksys123” hand over clues to anyone scanning for networks. Pick a unique, non‑descriptive SSID that doesn’t give attackers a head start.
Give your network a distinct identity. Changing the default SSID thwarts “Evil Twin” attacks, where malicious actors clone popular router names to lure unsuspecting users onto a rogue hotspot.
Don’t rely on hiding alone. Disabling SSID broadcast adds a layer of obscurity, but it isn’t a real security barrier. Skilled adversaries can still discover hidden networks with the right tools.
Keep personal details out of the mix. Avoid using your name, street address, birthdate, or any other identifying information in the SSID. A clean, anonymous network name protects your privacy and reduces the risk of targeted attacks.

HOTP vs TOTP vs OTP: What do you need to know?

Kate Menzies — Wed, 27 May 2026 13:20:28 GMT

Authenticator apps, hardware tokens, and SMS codes are common authentication methods you’d encounter when setting up two-factor authentication (2FA). All of them rely on one-time passwords (OTP). TOTP and HOTP are two standardized types of OTPs, while SMS and email codes are other common OTP delivery methods. Although they fundamentally serve the same basic purpose, their implementations differ, giving them unique benefits and limitations. In this article, we’ll break down HOTP vs TOTP vs OTP and explain which option makes most sense for different use cases.

Understanding HOTP, TOTP, and OTP

One-time password (OTP)

OTPs are temporary codes, sometimes referred to as single-use passwords or 2FA codes, that are used only once. They don’t replace passwords; instead, they provide an additional layer of security. OTPs are commonly used in banking applications for identity verification during logins or when setting up an online account.

Note: OTP is the umbrella term for various forms of single-use passwords, including TOTP, HOTP, and email/SMS.

Time-based one-time password (TOTP)

TOTP codes are typically 6-digit codes generated by authenticator apps. They’re valid for around 30 seconds (sometimes up to 60 seconds, depending on the service). When a code expires, it is no longer functional, and a new one is generated. The time-based nature of TOTP makes it highly secure, as it limits the window of opportunity for attackers to use any stolen code.

HMAC-based one-time password (HOTP)

HOTPs are commonly found in hardware tokens like YubiKeys and rely on a counter-based system to generate codes. This system works in a similar fashion to a book of numbered vouchers — there’s a running order of codes that gets matched against the system. As long as the hardware token and application server remain in sync, you’re granted access.

Unlike TOTP, HOTP codes do not expire on a timer. They remain valid until you use it or generate a new code. This makes it ideal for offline scenarios, but it also means if you generate a code and don’t use it, it remains a valid key that an attacker could find and use.

HOTP, TOTP, and OTP: Key differences

TOTP and HOTP are both types of OTPs with different generation methods. For example, if you’re comparing TOTP against OTP, you’re likely comparing the time-based codes from authenticator apps against general OTP methods like SMS and email codes.

	SMS/Email codes	TOTP	HOTP
Code validity	Varies (minutes to hours)	30 to 60 seconds	Until a new code is generated
Security*	Low	High	Moderate
Setup complexity	None	Low	Moderate
Active network requirement	Yes	No	No
Additional hardware	None	None	Hardware token

*Security level based on code validity windows and interception risk.

Security

HOTP, TOTP, and OTP offer different levels of security, with the key considerations being exposure time and transmission method.

TOTP generally offers stronger security than SMS or email codes, as codes are generated on device and have a short validity. If attackers somehow get your TOTP code, it becomes useless.

HOTP is built on a cryptographic foundation, providing solid security. However, because HOTP codes don’t expire on a timer, the potentially long validity windows could make stolen codes a vulnerability.

SMS and email codes are the least secure of the bunch. They travel over networks that can be intercepted or redirected, making them more vulnerable to SIM swap or phishing attacks..

Note: No OTP method is immune to social engineering attacks, such as phishing. It’s important to know how to spot phishing to properly defend yourself.

SMS/Email codes	TOTP	HOTP
Susceptible to interception due to active network requirements	Minimal time for attackers to exploit stolen codes	Long validity offers extended attack opportunities
Unencrypted platforms make codes easier to steal	Lower interception risk, as codes are generated on device	Solid security built on a cryptographic foundation

User experience

Setup complexity, time pressure, and reliability affect the user experience of the three methods.

TOTP is reliable and convenient. Setup is straightforward (often simply a QR code scan), and codes are generated even without an active network. However, the short code expiry creates time pressure, which can cause frustration for slower users or those managing multiple accounts.

HOTP is much more relaxed in comparison, with zero time constraints. Setup is much more complex, though, and may involve purchasing additional hardware.

SMS and email codes are the most effortless, with no setup, but they rely on network connectivity, which can cause delays during outages or disruptions.

SMS/Email codes	TOTP	HOTP
No setup required	Simple setup via QR code with a 2FA authenticator	Complex setup, may require additional hardware
Slight time pressure, with some codes expiring in hours	Time pressure can cause frustration	No time pressure
Wholly dependent on an active network for code delivery	Works reliably even without a network connection	Works offline, but sync issues may occur

Limitations

The unique limitations of each method will affect how and when you use them. SMS and email codes work with your existing devices, but their dependence on your network and internet connections can cause delays with code delivery that might even last longer than their validity.

TOTP does not require a network connection to generate codes, but it does require your smartphone to be time-synchronized with the server for your code to work. The best way to ensure this is to have your device’s clock automatically sync with the internet. So, when you’re travelling, the time sync remains in place.

With HOTP, generating new codes offline can be beneficial when network connectivity is poor. This is a double-edged sword, however. Regenerating codes without using them can cause your device to fall out of sync with the server, creating authentication failures. Also, the manual regeneration required with HOTP places a huge security onus on the user.

SMS/Email codes	TOTP	HOTP
Areas of poor network can cause significant delays in code delivery	Device time needs to be in sync with server time, even when travelling	Can go out of sync if too many codes are generated but not used

Which OTP method should you use?

The short answer is that TOTP is the best standard for most people, while HOTP serves specific offline needs. Both are superior to SMS.

While individual needs vary, TOTP appears to be the more balanced choice in most situations. The time-based nature provides an additional layer of security, and smartphone-enabled accessibility makes it a convenient and secure choice for the accounts you regularly access. But, for even stronger protection against phishing, hardware-based methods like FIDO2/passkeys go further than any OTP method.

Store passwords and generate OTPs securely

Managing passwords and TOTP authentication codes can be a hassle — constant app switching during logins reduces the already limited time you have to enter codes. Proton Pass is a secure password manager that reduces this friction with our integrated 2FA (TOTP) functionality. Access your passwords, 2FA codes, and more from one secure, encrypted vault.

What is TOTP? Everything you need to know about time-based one-time passwords

Kate Menzies — Tue, 26 May 2026 17:58:27 GMT

You’ve probably had to enter a six-digit code from an authenticator app when signing in online. That’s known as a time-based one-time password, or TOTP, and it’s an incredibly easy way to enhance the security of your online accounts.

Thanks to their quick 30 to 60-second expiry of these codes, they make it nearly impossible for cybercriminals to access your account even if they manage to steal your passwords. We’ll explore what TOTPs are, how they work, and how they compare with other authentication methods.

What is TOTP?

A TOTP is a type of one-time password (OTP) that generates temporary codes using time as a key ingredient. These codes change every 30 to 60 seconds, making it extremely difficult for cybercriminals to compromise. In the unlikely event they somehow discover your code, its short lifespan quickly makes it almost useless to an attacker.

TOTP is a two-factor authentication (2FA) method that adds an extra security layer to your username and password. It’s convenient to use — just generate the code from an authenticator app — and its time-based nature makes it very secure.

How does TOTP work?

To put it simply, TOTP works by sharing a secret key between the service you’re protecting and your TOTP app.

When you enable 2FA, you scan a QR code to share the secret key with your TOTP authenticator. TOTP apps are free, and common ones include Google Authenticator and Microsoft Authenticator. If you’re using a secure password manager, it might feature an integrated 2FA authenticator that generates TOTP codes. Proton Pass is one such password manager; it stores your passwords securely and generates your 2FA codes all in one app.

Once the initial setup is complete, the service you’re logging into and the authenticator app sync to independently calculate the same code at the same time using the secret key. When you log in, you’ll be prompted to enter a 2FA code. If the service’s code matches the one you enter, you’ll be logged in.

The differences between TOTP and other one-time passwords

TOTP is just one of several one-time password (OTP) methods. Here’s a quick overview of how TOTP compares against them. You can also find a more extensive guide on the difference between TOTPs, OTPs, and HOTPs.

TOTP vs OTP

OTP is an umbrella term for single-use passwords. TOTP is a type of OTP that uses a time-based model to generate OTP codes. All TOTPs are OTPs, but there are other OTP methods. These include SMS and email codes, and HOTP. Each method has different ways of generating and delivering your OTP code.

TOTP vs HOTP

HMAC-based one-time passwords (HOTPs) generate a new OTP code only when requested. This means that every code is valid until a new one is generated, which makes them more prone to compromise. TOTP codes automatically refresh after 30 to 60 seconds, so attackers have less time to use stolen codes.

TOTP vs SMS and email codes

SMS and email codes are delivered over cellular and internet networks, which makes them vulnerable to interception. If you’re using poorly secured or compromised networks, attackers could snoop on your activity and obtain your OTP codes. Comparatively, TOTP codes are generated on-device and not transmitted over any network, making them more secure.

The security benefits of TOTP

There are several security benefits that come with using TOTP as your preferred OTP method.

Time-limited codes: TOTP codes expire within 30 to 60 seconds before a new code is generated. This gives attackers next to no time to use stolen TOTP codes since expired codes can’t be reused.
Interception-proof: TOTP codes are generated on-device. They don’t get transmitted over networks where they could be intercepted due to poor network security.
Breach protection: If your password is exposed in a data breach, TOTP codes provide an additional barrier to unauthorized logins. Attackers cannot access your account without your authenticator app.
Works on any smartphone: TOTP works right from your smartphone — no need to purchase a hardware token. Just download an authenticator app onto your device, and you’re set.

TOTP offers excellent security, but it isn’t perfect. Losing your device could lock you out of accounts, so always save backup codes. Also, ensure your devices’ clocks automatically sync with the internet, as incorrect time settings are a common cause of TOTP failures.

Secure your accounts with TOTP

TOTP enhances your account security with time-based codes that are superior to other OTP methods. Managing multiple passwords and 2FA codes doesn’t have to be a hassle — just use Proton Pass, a password manager with an integrated TOTP authenticator.

Proton Pass combines password storage and generation with a 2FA authenticator, eliminating app switching when signing in and needing to download extra apps. It saves you precious storage space and makes signing in with 2FA seamless. Everything you store in Proton Pass, including the codes you generate, is protected by powerful end-to-end encryption.

Take login security to the next level — enable TOTP for your accounts and store all your passwords with Proton Pass today.

What is HOTP? A guide to HMAC-based one-time passwords

Ben Wolford — Tue, 26 May 2026 17:15:27 GMT

If you’ve ever used a hardware token to approve digital banking transactions or tapped on a YubiKey to generate a login code, you’ve used HMAC-based one-time password (HOTP) technology. To help you understand how you can use HOTP to protect your accounts, we’ll explore how HOTP works, its benefits and limitations, and compare it with other OTP methods.

What is HOTP?

HOTP stands for HMAC-based one-time password. It’s a two-factor authentication (2FA) method that generates single-use login codes on demand.

HMAC, or Hash-based Message Authentication Code, is a cryptographic technique that uses a secret key and a hashing function to produce a secure, tamper-resistant value. HOTP applies HMAC together with a counter to ensure that each authentication code is unique and can only be used once.

Because HOTP codes remain valid until used or replaced, they are well-suited for remote work and other environments where reliable time synchronization or constant connectivity isn’t possible.

How does HOTP work?

HOTP authentication is based on two shared components: a secret key and a counter. Both the user’s device and the authentication server store these values and use them to independently generate the same one-time code.

Setup: When a hardware token is set up, a secret key is shared between the device and the application server and stored securely on both sides.

Generating a code: The device uses a cryptographic hash function called HMAC to combine the secret key with the current counter value. The result is a short, unpredictable one-time password.

Authentication: When you enter the HOTP code, the server performs the same calculation using its own copy of the secret key and counter. If the codes match, access is granted.

The HOTP counter system explained

HOTP relies on a unique counter system shared between your device and the authentication server. Each time you generate a new code, the counter increments. After a successful login, the server updates its counter as well. As long as the device and server counters stay in sync, the codes will match and grant you access.

Think of HOTP as a book of numbered vouchers that you tear off and use in sequence. A used voucher can’t be reused, and you must use the next one. The HOTP counter system operates similarly.

HOTP authentication vs. other OTPs

HOTP vs. OTP

One-time passwords (OTP) is a broad term for the various single-use passwords we utilize for 2FA. HOTP is a specific type of OTP that relies on a counter-based system to generate its codes.

HOTP vs. TOTP

Time-based one-time passwords (TOTP) automatically generate a new code every 30 to 60 seconds. The most common example of TOTP is the codes generated by authenticator apps. HOTP, by contrast, generates a new code only when requested, using a counter rather than a timer.

This difference affects the security of each OTP method. The quick expiration of TOTP gives attackers a very small window of opportunity. Conversely, HOTP codes could remain valid for days and even weeks.

However, HOTP is more reliable in situations where devices have unreliable clocks. For example, equipment in remote locations with weak internet connections.

HOTP vs. SMS and email codes

OTP codes sent via SMS and email are susceptible to interception because they must travel across cellular and internet networks. HOTP generates codes on-device, making it more secure while providing consistent access even during network disruptions.

What are the benefits and limitations of HOTP?

The benefits of HOTP authentication

There are several advantages to using HOTP as your preferred OTP method:

Works offline: HOTP can operate offline, making it ideal for locations with restricted internet access.
No time pressure: HOTP codes don’t automatically expire, so you can take your time to enter the code.
Recognized algorithm: HOTP is defined by RFC 4226, which ensures compatibility across software providers and hardware tokens from various vendors.
Fewer dependencies: HOTP’s counter-based system doesn’t rely on accurate clocks or continuous connectivity, which can make it more predictable in certain environments.

The limitations of HOTP authentication

As with all technologies, HOTP comes with some important considerations:

Indefinite validity: HOTP codes can remain active indefinitely if no new codes are generated. This gives attackers more time to exploit stolen codes.
Counter synchronization: If you generate codes without using them, your device and server counters can fall out of sync, causing authentication failures.
Manual management: Since codes don’t automatically expire, you must remember to generate new codes after each use.

Take a step towards stronger password security

While HOTP may not offer the security benefit of automatic expiration or the convenience of SMS codes, its counter-based system offers unique advantages. It’s a proven 2FA system with reliable offline access, and the absence of time pressure might make it preferable for some.
To easily manage your passwords and 2FA codes in one encrypted location, consider using Proton Pass. Our secure password manager with an integrated 2FA authenticator keeps all your credentials and 2FA codes protected with full end-to-end encryption. Keeping your digital life secure and convenient has never been simpler.

The principle of least privilege: how to protect your SMB

Kate Menzies — Tue, 26 May 2026 12:40:11 GMT

Access problems are rarely created by a huge incident. More often, they build up through small exceptions that made sense at the time: a team member may move into a new role and keep access permissions from their previous role. A shared login may be created to solve an urgent problem, and then keep circulating after the urgency is over.

These events happen quickly within small and midsize businesses (SMBs). Teams are lean, responsibilities end up overlapping, and then access is granted just to keep work moving. In these circumstances, a business loses a clear view of who can access which systems, credentials, data, and vendor accounts, and whether that access is still justified.

When that control slips, it’s harder to contain and recover from incidents. A compromised account may still have access to systems it no longer needs, and a shared credential may make it difficult to trace who took an action.

The principle of least privilege gives businesses a way to prevent access creep. We’ll explore what least privilege is, how to implement it in your business, and give you a practical guide to getting started.

What is the principle of least privilege?

Why is over-privileged access the default for many SMBs?

The risks of lax access controls

How to implement the principle of least privilege

A practical least privilege checklist for SMBs

Make least privilege easier with Proton Pass for Business

What is the principle of least privilege?

The principle of least privilege is the practice of limiting access to the minimum required to perform a specific role or task. Team members, systems, and applications should have access only to what they need, for as long as they need it, and no more.

This principle means access decisions should follow the work someone actually needs to do. The same logic applies to employees, contractors, administrators, service accounts, third-party integrations, and automated workflows: each one should only have the permissions needed for its role or task.

This also applies to password sharing. A team member who needs access to one client account should not automatically be able to use finance logins, infrastructure credentials, HR admin accounts, or other sensitive business credentials unrelated to their work.

Why is over-privileged access the default for many SMBs?

Most businesses don’t create over-privileged environments on purpose. They create them gradually. When new hires join, they’re given access to the systems they need. Gradually, they’re given more access for specific projects, or covering work for another team member. The access is never removed and it grows far beyond what they require for work.

The same thing happens with shared credentials. A password gets shared once for convenience, then becomes a permanent part of someone’s workflow.

This pattern tends to emerge for a few common reasons:

Speed feels more important than structure. When teams are small and busy, giving someone broader access can feel faster than setting up the exact permissions they need.
Roles aren’t always clearly defined. If responsibilities shift from week to week, access decisions often become informal too.
Credential controls are weak during role changes and offboarding. If a team member leaves, changes teams, or finishes a contract, but their shared passwords are not rotated, their vault access isn’t reviewed, and their old permissions remain active.

No small decision feels dangerous at the time, but over weeks, months, and years, over-privilege creates significant risk within an organization.

The risks of lax access controls

Over-privileged access creates security, operational, and compliance risk. Some of the most common risks include:

Lateral movement

If an attacker gets access to one account, excessive permissions let them move deeper into the environment. Instead of compromising one system, they may be able to reach several.

Data exposure

If access to customer records, internal documents, or financial systems is not limited to the people who need it, more accounts become possible entry points to that data. A compromised login can expose information the person should not have been able to reach, and a simple mistake, such as sharing the wrong file or changing the wrong setting, can affect sensitive systems unnecessarily.

Accidental deletion or misconfiguration

Someone with unnecessary admin rights can change settings, remove data, or expose systems by mistake. Least privilege reduces the blast radius of those errors.

Insider threats

Insider threats come in many forms. They can be deliberate attempts to infiltrate your network by hackers, exfiltrations from disgruntled employees, or more commonly they can be mistakes. Most employees aren’t malicious, but broad access increases the opportunity for misuse, oversharing, or careless handling of sensitive information.

Governance issues

If your business cannot clearly explain who has access to what, why they have it, and when that access is reviewed or removed, it becomes harder to investigate incidents, complete security reviews, respond to audits, or prove that access controls are working as intended.

How to implement the principle of least privilege

For most SMBs, least privilege is not something you implement all at once. It is something you build by making access more intentional, more limited, and easier to review over time.

Use role based access control

One of the most practical ways to apply least privilege is through role based access control. This helps you define roles based on responsibilities, such as finance, HR, marketing, customer support, IT admin, or external contractor. Then you assign access according to those roles instead of handling every permission individually. Role based access control is not exactly the same as least privilege. Least privilege is the principle. Role based access control is one of the most practical ways to apply it consistently.

Separate standard access from privileged access

One of the most common mistakes businesses make is letting admin rights be used for routine work.

Privileged access should be treated differently from routine access.

If someone needs more permissions, that access should be tied to a specific responsibility and limited as much as possible. The goal is to avoid giving people permanent high-level access simply because they might need it occasionally.

Review access regularly

Least privilege only works when access reflects team members’ current responsibilities. That is why access reviews need to be part of your routine, not a one-off effort.

A simple monthly or quarterly review can reveal outdated permissions, unnecessary access to systems, inactive integrations, or contractors who should no longer be connected. These reviews help you surface risks that could have remained unnoticed in the background for months.

Make temporary access truly temporary

Short-term work should not result in long-term access. Contractors, consultants, agencies, and project-based collaborators should only have access for as long as their work requires it.

Temporary access needs an owner who’ll commit to overseeing it, as well as a clear purpose and an end date. Without that, accounts, vault permissions, and shared credentials can remain active simply because no one is responsible for reviewing and removing them.

Treat offboarding as a security process

Least privilege does not end when someone leaves the company or changes roles.

Offboarding should include removing access to all accounts, revoking vault permissions, and reviewing whether sensitive credentials need to be rotated. When access removal is delayed or handled inconsistently, businesses create unnecessary exposure long after the original need has disappeared.

Include credentials in your access model

Least privilege is not only about system permissions. It also applies to the credentials that unlock your business.

Passwords, passkeys, recovery codes, admin logins, and shared accounts should all be treated as controlled assets. If credential control is still being handled informally, then least privilege is only being applied halfway.

A practical least privilege checklist for SMBs

Committing to putting least privilege into action at your business is easy to agree to, but complicated to actually implement. It’s even more complicated for SMBs with limited time and resources.

But don’t worry: large-scale access redesign generally isn’t necessary for most SMBs. Rather, your organization should begin with making a few clear decisions about who really needs access to what, where unnecessary exposure exists today, and how those permissions will be reviewed going forward.

The checklist below is designed to help businesses start making decisions and build out a realistic plan to implement least privilege.

Identify your most sensitive systems, shared accounts, and credentials.
Define core roles and the minimum access each one requires.
Organize credential access by team, role, or function.
Remove outdated, inherited, or unnecessary permissions.
Set a clear process for temporary and contractor access.
Review access on a consistent schedule.
Strengthen offboarding so access is revoked quickly and reliably.
Rotate critical credentials after departures or role changes.
Separate administrative identities from everyday user accounts.
Assign clear ownership for access decisions.

What makes a checklist like this effective is not how complex it is, but whether the business follows it consistently. For many SMBs, meaningful improvement comes from replacing informal access habits with a process that is easier to repeat, review, and maintain.

Make least privilege easier with Proton Pass for Business

Least privilege often breaks down around credentials. A company may have proper access levels clearly mapped out on paper, for example, but still share passwords without proper controls in place.

Teams might store login details in spreadsheets, chats, notes, or internal docs. Shared accounts might get passed around informally with little or no visibility and control. Departing employees may leave with persistent access to credentials that the business never rotates. These are all access problems that can be solved with a least privilege approach governed by effective credential access.

In many companies, credential access still depends on shortcuts that are hard to govern. Passwords are sent through messages, stored in documents, passed between teams, or left available after the original need has ended.

Over time, it’s easy to lose visibility into who can use which credentials, whether that access is still justified, and what needs to be revoked or rotated when someone changes roles or leaves.

A business password manager offers both credential and access management for teams of any size. Instead of treating credentials as something teams manage ad hoc, businesses can use a specialized tool to organize, share, and revoke access. Credentials can be grouped by team, role, or function, sensitive logins can be exposed to fewer people, and access can be adjusted much more quickly when responsibilities change.

Proton Pass for Business supports that effort by helping organizations reduce credential sprawl, tighten access around shared logins, and make least privilege easier to enforce in day-to-day operations. By creating groups, admins can also manage sharing at the group level, which makes it easier to give a team access to the right vaults and remove that access when business needs change.If your organization is ready to adopt least privilege, try Proton Pass for free or get in touch with our sales team.

Press safety at risk: US journalists’ personal data leaked on the dark web

Ben Wolford — Tue, 26 May 2026 01:59:20 GMT

Journalists have always operated in the crosshairs. They investigate the powerful, protect confidential sources, and publish uncomfortable truths. Today the threats they face are evolving, with political pressure and surveillance coming not only from authoritarian regimes but also from backsliding liberal democracies. Bad actors can use hacks and data breaches to disrupt their operations, retaliate against whistleblowers, and ultimately compromise their editorial independence.

To better understand the risks facing media today, Proton analyzed dark web marketplaces where hackers trade in pilfered databases to understand media companies’ exposure to digital vulnerabilities. We chose three of the biggest names in US media — The New York Times, The Washington Post, and The Wall Street Journal — and scanned for leaks associated with those organizations and their employees.

Our research turned up more than 116,000 dark web exposures tied to email addresses associated with The New York Times, The Washington Post, and The Wall Street Journal. The volume of exposed data that we discovered — often leaking from multiple sources — places these companies at serious risk of targeted cyberattacks, blackmail, or social engineering.

The leaks include over 12,000 plaintext passwords and over 61,000 pieces of personally identifiable information, revealing the vast scale of cybersecurity risks faced by reporters and their sources.

The media aren’t the only ones at risk. A previous investigation from Proton found thousands of politicians’ leaked emails and passwords on the dark web, representing not only personal privacy vulnerabilities but potential national security threats.

It’s important to note that these leaks are not proof that The New York Times, The Washington Post, or The Wall Street Journal have suffered any kind of cyberattack. The leaks are typically from third-party sources, such as retailers or software providers, who have suffered data breaches that exposed their customers’ data. But the existence of these leaks opens up media companies to targeted hacks, breaches, blackmail, and social engineering.

The scale of data leaks in US media

Proton’s research team, working with Constella Intelligence, identified more than 116,000 dark web exposures connected to over 35,000 individual email addresses, including the employees’ work and personal accounts, contact forms, and team mailboxes.

Consistent with responsible disclosure principles, we’ve already informed each of the publications, providing them details of our findings and time to take appropriate actions.

Such a large amount of information from just three media companies illustrates the potentially enormous scale of data breaches in the media industry.

How does this happen?

The reporters and their organizations are not to blame here. It’s a structural problem that affects everyone who uses the internet, including you.

Whenever someone uses their name, email address, or birthday to register for a third-party service, like LinkedIn, Adobe, or Dropbox, they entrust some of their personal information to that company. When those third-party platforms are breached (and breaches happen constantly), the credentials and personal data of everyone who registered can end up on the dark web. In many cases, these leaks also include passwords, and if the victim is reusing the same password in multiple places, it creates much broader cyber security risks. We publish general findings regularly in our Data Breach Observatory.

At Proton, we’ve developed tools specifically to help people identify and mitigate the effects of data breaches. Pass Monitor is included in Proton Pass, and companies that use our business password manager or our broader suite of business tools benefit from robust account security defenses.

Threat to US press freedom

In parts of the world where press freedom is most severely threatened — like China, Iran, or Saudi Arabia — attacks on journalists rarely stop at political pressure. They extend into surveillance, social engineering, blackmail, and intimidation. Compromised credentials are a tool of authoritarian control as much as they are a tool of conventional cybercrime.

The United States is not exempt from this dynamic, ranking 64th on the World Press Freedom Index. American journalists face growing legal and political pressure, and the security risks they face are not purely hypothetical. Leaked passwords open doors to email accounts, internal systems, and communication platforms where source identities could be exposed. PII creates opportunities for blackmail or targeted harassment campaigns designed to silence or discredit reporters.

More than 2,500 email addresses in our dataset have been exposed ten or more times — meaning some individuals are persistently vulnerable, with their information circulating repeatedly across dark web markets and forums.

What people and organizations can do to stay safe

The exposures we identified are the downstream consequence of third-party breaches — outside the control of any individual journalist or newsroom. But there are meaningful steps organizations and individuals can take to reduce their exposure and limit the damage when breaches do occur.

For organizations:

Conduct regular dark web monitoring to identify exposed credentials before they are exploited
Implement strong policies around the use of business email addresses for external service registrations
Centralize account management through a single enterprise password manager and manage network access with dedicated IPs
Provide security training that reflects the specific threat model journalists face — which differs from standard enterprise risk

For individuals:

Use unique, strong passwords for every account
Use email aliases when registering for third-party services, so that a breach of one service doesn’t expose your primary address across the board
Enable two-factor authentication wherever possible
Treat your work email address as sensitive infrastructure — because it is

The dark web doesn’t discriminate. Anyone whose data passes through a breached service can end up exposed. Good account hygiene is the first and most important line of defense — and the tools to practice it have never been more accessible.

If your media organization would like to learn more about Proton security solutions, learn about our discounts for news organizations.

The real cost of a data breach for UK businesses

Kate Menzies — Thu, 21 May 2026 16:41:27 GMT

When you think about the cost of a data breach, you probably think about fines from regulatory bodies. But realistically, fines are only part of the much broader financial impact. A breach can trigger legal and forensic costs, disrupt business operations, slow down teams, damage customer trust, and create months of recovery work.

That cost is rarely limited to one invoice or one headline number. It appears in forensic investigation bills, legal advice, customer notification work, system recovery, business disruption, lost productivity, and the time leadership teams spend containing the incident instead of running the business.

We’re going to examine what a data breach really costs, looking specifically at the UK where data breaches are growing significantly. We’ll explain where those costs tend to land, and why prevention is usually far easier to control than response.

What a data breach costs in the UK

UK government data offers us useful insights, but they need careful framing. In the Cyber Security Breaches Survey 2025 report, businesses estimated the average cost of their most disruptive breach or attack in the last 12 months at £1,600 overall, rising to £3,550 when excluding organizations that reported a £0 cost.

The same survey notes that these are self-reported estimates and may understate the full financial impact. Breach costs are often underestimated when businesses focus only on the immediate incident, because the real financial impact extends into disruption, recovery work, lost time, and longer-term commercial consequences.

For UK businesses, especially SMBs, not every breach becomes a multinational-scale crisis. But even a less dramatic incident can create real financial and operational strain. The Proton Data Breach Observatory and its 2026 analysis, What Proton’s Data Breach Observatory reveals in 2026, reinforce how persistent and widespread the risk is. 512 breaches were reported, exposing more than 902 million records since the start of 2025, and SMBs accounted for 63% of those tracked breaches.

The direct financial costs of a data breach are only the beginning

The most visible breach costs are the ones that a business can invoice. For example, if customer or employee data has been exposed, the organization may need to enlist third party services. This can include legal advice, forensic investigation, incident response support, containment work, system restoration, and customer communications.

If the breach is notifiable, there are also the extensive requirements of following the regulatory process itself, including assessment, documentation, and reporting. The ICO says organizations must notify it within 72 hours of becoming aware of a personal data breach if it is likely to result in a risk to people’s rights and freedoms.

These direct costs often escalate because several workstreams happen at the same time. A business may need to investigate what happened, preserve evidence, engage insurers, support affected users, patch systems, reset credentials, review access controls, and keep normal operations going in parallel. That is one reason breaches are rarely experienced as a single bill. They arrive as a cascade of urgent and overlapping work.

Regulatory exposure can create more costs. Under the UK GDPR and Data Protection Act 2018 framework, the higher tier of administrative fines can reach £17.5 million or 4% of total annual worldwide turnover, whichever is higher, depending on the infringement. The ICO’s enforcement page also notes that penalties continue to be issued for security and data protection failures, so the cost conversation should not treat enforcement as theoretical.

That does not mean every breach leads to a fine, or that every fine comes close to the statutory maximum. It does mean the direct financial cost of a breach in the UK can quickly move beyond remediation and into regulatory risk, legal support, and external scrutiny.

The bigger costs are often indirect

Direct breach costs are easier to quantify because they are measurable. The more difficult aspect to assess is the indirect impact, which is often larger and more persistent.

Business downtime: A breach can interrupt sales, service delivery, finance operations, customer support, payroll, or staff access to core systems. Even when the incident itself is contained relatively quickly, the recovery period can drag on while teams rebuild systems, verify data integrity, update credentials, restore access, and work through a backlog.
Customer churn: Not every customer leaves right after a breach, but some do, and the damage can extend well beyond immediate cancellations. Businesses that depend heavily on customer trust may feel the impact in renewals, commercial conversations, or partner confidence. When teams focus only on notification and remediation, they underestimate the financial impact of a breach.
Rising insurance cost: A serious incident may affect future cyber insurance premiums, coverage terms, or insurer scrutiny around security controls. Even when coverage remains available, the organization may face a more demanding renewal process and extra security requirements after the event. This is part of the long tail of breach cost that many businesses only appreciate once the immediate crisis has passed.

Why SMBs often feel the impact more sharply

It’s easy to assume that larger companies always suffer more because they have more to lose. In cash terms, that is often true. But smaller organizations can be disproportionately affected because the same categories of cost land on a much thinner operational base.

Businesses with greater operational and financial resources may be better able to absorb legal spend, outside technical support, downtime, and prolonged disruption. A small business may not have in-house security staff, crisis communications support, or spare operational capacity. If a small team loses access to email, CRM software, finance systems, file storage, or customer records even for a short period, the damage can hit revenue and service continuity directly.

That is why average breach-cost figures need context. A relatively modest headline figure can still mask serious disruption for a small business, especially when the real burden falls on lost time, interrupted operations, emergency response work, and internal capacity. The UK government’s Cyber Security Breaches Survey 2025 report explicitly notes that its self-reported breach-cost estimates may understate the true economic impact.

Proton’s Data Breach Observatory reinforces that point. It found that SMBs were the most common victims among breaches tracked since January 2025, accounting for 63% of incidents. Among breaches exposing more than 100,000 records, Proton said SMBs still made up 60% of incidents, with small businesses — defined here as organizations with 1–49 employees — representing 42%.

Smaller businesses often delay preventive investment because they assume attackers are more interested in larger organizations. When a business doesn’t see itself as a likely target, centralized credential management, breach monitoring, access control, and stronger authentication can feel like costs that are difficult to justify. The problem is that once a breach happens, the absence of those controls can make the incident more disruptive and more expensive to contain.

The risk is not theoretical. VikingCloud’s 2025 SMB Threat Landscape research found that nearly one in five SMBs said a successful cyberattack would force them to close, while Mastercard reported that nearly one in five businesses that had already suffered an attack later filed for bankruptcy or closed. Those figures help explain why breach impact for smaller businesses is often measured less by headline averages and more by how much disruption the business can realistically survive.

What UK law and regulation add to the cost

The UK regulatory context doesn’t drive all breach costs, but it can magnify them significantly.

Notification

If a personal data breach is likely to result in a risk to individuals’ rights and freedoms, the ICO must be notified within 72 hours of awareness. If the risk is high, affected individuals may also need to be informed without undue delay. That creates cost even before enforcement is on the table, because the organization has to assess the incident, understand what data was affected, document the facts, and prepare communications that can stand up to regulatory and customer scrutiny.

Enforcement risk

For businesses that process large volumes of personal data or depend heavily on customer trust, the financial risk does not stop at technical remediation. It extends to the consequences of being seen to have failed in protecting personal information.

Regulatory process costs

Once the ICO is involved, businesses may need legal support, internal investigation time, board reporting, external communications planning, and evidence of remediation. Even where a breach does not result in a major fine, the process still consumes significant time and money.

Prevention costs are usually easier to control than breach costs

The business case for preventive security is simple: prevention is usually more controllable than breach response.

A business can budget for an enterprise password manager, better access controls, enforcing two-factor authentication (2FA), breach monitoring, incident response planning, and user training. It can’t budget nearly as precisely for a real breach that interrupts operations, forces emergency spending, and damages trust. The ROI argument is about reducing the chance that a common, preventable weakness turns into an expensive disruptive event.

This is why credential security is especially important. The exposure of email addresses, usernames, and passwords across incidents is a significant business threat. When credentials are compromised, the damage often extends beyond the original breach itself. Weak, reused, or poorly controlled passwords can give attackers access to other accounts, systems, and services, increasing the likelihood of follow-on compromise. That is why your organization’s cost conversation should focus on prevention, not just reaction.

If one of the most common breach vectors involves compromised credentials or data that makes credential abuse possible, then investments that prevent password reuse, improve visibility, and improve credential hygiene address a direct cost driver rather than a theoretical one.

Proton Pass for Business is a business password manager built around exactly that kind of practical control: helping teams create, store, and manage strong, unique credentials more securely across the organization.

Get ahead of breaches before they cost your business

Breach cost is best understood as cumulative. Some of it appears quickly in legal advice, forensic investigation, notification work, and system restoration. But a large part builds more gradually through lost productivity, delayed work, commercial and reputational strain, and the longer effort required to restore confidence. For smaller organizations in particular, that wider disruption can be existential rather than merely inconvenient: VikingCloud’s 2025 SMB Threat Landscape research found that nearly one in five SMBs said a successful cyberattack would force them to close.

That is why the cost conversation can’t end with fines or notification requirements. It should lead to more practical questions: which risks can be reduced before an incident happens? And which controls make the fallout easier to contain when one does?

Prevention is usually more manageable than response. Credential security is your organization’s best bet when it comes to minimizing costs. Your organization being affected by a data breach will lead to repeated exposure of email addresses, usernames, and passwords across incidents. Weak or reused credentials can make it easier for attackers to access additional accounts or services after the initial compromise.

Stronger credential hygiene, better access control, and practical security tools will not eliminate every risk, but they can reduce the likelihood that one exposed or reused password turns into a wider and more expensive incident.Start monitoring exposed credentials and reduce credential-related breach risk in your organization with our secure business password manager or contact our sales team to find out more.

What is an AI agent?

Risa Tang — Thu, 21 May 2026 15:26:59 GMT

AI has quickly evolved from a novelty to something many people use every day. The simplest and common uses are to draft messages, summarize documents, or search the web. But a new evolution is underway with the rise of AI agents — AI systems that not only answer questions but act semi-autonomously to carry out tasks.

In simple terms, an AI agent is software that uses AI to pursue a goal and take actions in your digital life with minimal supervision. Instead of responding to one prompt at a time, an agent can read information, decide what to do next, and keep going until it reaches a result or requires your input. Rather than simply asking an AI to “Summarize my emails”, you could tell an agent “Help keep my inbox under control,” and it will read, sort, draft, and even send emails within the limits you’ve set.

That ability to act is what separates AI agents from simpler AI tools such as large language models. Here’s a closer look at what AI agents are, what they’re capable of, the risks involved, and how you can stay secure while using them.

In this article, you’ll learn:

What are AI agents used for?
How do AI agents work?
Types of AI agents
How to get started using an AI agent
Why AI agents mean new risks
How to stay safe while using AI agents

What are AI agents used for?

AI agents are deployed in digital environments and used in both personal and professional settings to boost productivity.

For everyday use, AI agents can:

Monitor your inbox, draft suggested replies, and highlight anything urgent
Organize notes or saved articles and generate quick summaries
Track price changes for flights or products, and notify you when they drop
Manage appointments in your calendar by suggesting meeting times and sending invites
Sort and tag photos or files for easy reference

In business cases, AI agents are frequently used to:

Help customer support teams triage tickets, classify them, and prepare draft responses
Assist sales and marketing teams by summarizing account information and generating personalized outreach for review
Take over repetitive back-office tasks, such as extracting invoice data into accounting tools or flagging unusual transactions
Assist IT and security teams by scanning logs and grouping related alerts

In all these cases, the practical benefit is clear: AI agents can save time and reduce manual effort by coordinating multiple steps across tools. But while AI agents can boost productivity and automation, they also open the door to new types of mistakes, attacks, and data breaches, as we’ll explore below.

How do AI agents work?

Most people’s primary experience with AI is through a chatbot like ChatGPT, Google Gemini, or Microsoft Copilot. A chatbot is an application that wraps an AI model in a conversational interface. You type a question, the chatbot sends it to the model, and you receive a reply.

AI agents build on that basic idea but add several important components. Most modern agents combine three core parts:

A language model

At the heart of many agents is a large language model (LLM). The LLM is responsible for understanding language instructions, reasoning about them, and generating text. It turns the outcome you set for your AI agent into concrete steps and decisions.

Tool use (or tool calling)

An agent is usually connected to external tools and services, such as email, calendars, databases, and web browsers. The agent can call these tools to read data or take actions, such as fetching recent emails and updating records or meeting invites.

Memory and context

AI agents often retain some form of memory so they can keep track of what has already happened and what still needs to be done. This can include everything from previous tasks to user preferences. Memory helps an agent work across multiple steps, instead of treating every interaction as isolated.

In general, an AI agent follows these steps:

You prompt the agent with a goal and relevant context
The agent interprets your request and plans a series of steps
It uses tools to gather information or take actions
Its memory is constantly updated based on what happened and informs what to do next
The process repeats until your goal is reached or your response is needed

Put simply, chatbots give you an interface to “talk to” a model and receive answers, but AI agents combine that model with tools and memory so they can actually do work inside your apps and accounts.

Types of AI agents

AI agents can be grouped into various types, depending on their functions and how they make decisions. In general, there are five types of AI agents:

Simple reflex agents

The most basic type of AI agents, simple reflex agents react only to current information and follow preassigned conditions without looking at past context. These are best suited for repetitive and simple tasks, such as filtering emails.

Model-based reflex agents

Similar to simple reflex agents, model-based reflex agents also use conditions to make decisions, but factor in past decisions and situations. This enables them to learn from memories of previous environments and adjust their patterns accordingly. Self-driving cars and robotic vacuum cleaners commonly use model-based reflex agents.

Goal-based agents

Rather than simply reacting to input, goal-based agents make decisions according to a desired objective. They’re more dynamic and advanced, and can evolve and map out new strategies even if obstacles crop up. GPS navigational systems are an example of goal-based agents, where your destination is the intended outcome and your route may change depending on traffic conditions.

Utility-based agents

Utility-based agents weigh up the optimal “values” of multiple outcomes and pick the option that offers the best trade-off according to a chosen metric, such as time, cost, or risk. They are most useful in situations where there are competing priorities — for example, when you need to prioritize tasks.

Learning agents

Designed to improve continuously, learning agents can adjust their behavior based on experience and feedback. This makes them more effective over time as they accumulate and process more data, and are particularly useful for fast-changing roles such as a virtual personal assistant.

How to get started using an AI agent

When you’re just starting out with AI agents, it’s best to be cautious with the tasks you ask them to do, then gradually refine them.

Begin with a low-risk task
Think of a simple task you want automated, like getting an AI agent to organize a newsletter folder, draft replies you still approve manually, or summarize saved articles. This lets you decide on the best type of agent for the job, and allows you to first observe how it behaves without giving it access to anything sensitive.
Use built-in agent features first
Many tools now include basic agent capabilities, such as “smart” inbox assistants, document organizers, or support bots. Using these is often safer than creating a custom agent, particularly if you don’t have much experience in coding and development.
Add access step by step
When you do connect an agent to your accounts, start with limited, read-only access. Only allow it to send emails, update records, or make changes once you are comfortable with how it performs.
Review and adjust consistently
Pay attention to what the agent gets right and where it struggles. Most systems let you fine-tune settings or narrow scopes so the agent stays focused on the tasks where it adds the most value.

After you become more familiar with how agents work and behave, you can move from small, personal use cases to more complex and integrated workflows — with appropriate safeguards in place.

Why AI agents mean new risks

Any system that can act on your behalf can also make mistakes on your behalf or be abused by someone else, and AI agents are no exception. Here are some common risks of AI agents:

Larger attack surfaces

Because AI agents generally have access to apps such as email, cloud storage, calendars, and dashboards, this makes them a bigger target. If an attacker can influence that agent, they can potentially move through all those connected systems and easily access confidential data.

Prompt injection and malicious content

Many agents routinely parse web pages, documents, and emails as part of their work. Attackers can hide instructions in that content, tricking agents into leaking data or bypassing safeguards because AI agents generally aren’t able to discern between genuine and faked instructions.

Over-privileged access

It may be tempting to give an agent broad access to maximize efficiency: full inbox control, production databases, or many internal tools at once. But this also means greater risk: if an over‑privileged agent is compromised or misbehaves, the damage will be far more severe.

Data leakage and compliance issues

Many agents send prompts and documents to third‑party AI services. If those providers store data or use it for training, you may be sharing more than you intend, with implications for personal privacy and regulatory requirements.

But all of this is not to say that using AI agents is inherently dangerous; it just requires more care and the right tools and practices to keep you safe.

How to stay safe while using AI agents

The goal is not to avoid AI agents altogether, but to use them in ways that respect your privacy and minimize impact should things go wrong. Whether you are experimenting with AI in your personal life or rolling out agents at work, these steps can help:

Limit what agents can access. Give each agent a narrow, clearly defined scope instead of broad access. For example, let a personal agent read from a specific email label rather than your entire inbox, or give a finance agent access only to test data until you trust its behavior.
Always require human approval for sensitive interactions. Tasks that involve money, security settings, or sharing data outside your organization should require explicit approval. An agent can prepare payments, drafts, or reports, but a person should review and confirm anything high impact.
Understand where your data goes. Before connecting an agent to real accounts or documents, check which providers it uses, where data is processed, how long it is stored, and whether it is used to train models. Opt for tools that give you clear, privacy‑respecting controls.
Treat agents like privileged software. Log what they do, review it regularly, and be ready to revoke access quickly if something looks wrong. In organizations, that means knowing which agents exist, what systems they touch, and how to turn them off instantly.

This is where Proton Pass makes a difference. Proton Pass is an end‑to‑end encrypted password manager that also offers AI access tokens, allowing you to control and monitor which credentials your agent has access to.

Instead of sharing usernames, passwords, and API keys with your AI agent on an ad hoc basis, Proton Pass access tokens grant limited access to specific items or vaults. You can issue separate tokens for different agents, ensuring all your credentials stay encrypted and always under your control. Whenever an agent uses an item, it creates an audit log including the reason for access, so you can review and monitor your agent’s activity.

Used together, these practices let you tap into the benefits of AI agents while keeping risk contained.

Work and automate AI agents safely with Proton Pass

AI agents are a natural next step in how we use AI. They move beyond answering questions to actually helping with the work you do every day, in your inbox, files, and critical systems. That makes them particularly powerful — and something that deserves the same protections as any other sensitive software.

You can dramatically reduce the risks that come with this new wave of automation by limiting what each agent can access, keeping humans involved in important decisions, understanding where your data is processed, and refusing to share raw credentials. Adding a privacy‑first password manager like Proton Pass gives you a secure way to manage the credentials agents use, with AI access tokens providing precise control over which tools can access which vaults.

And as is the case with any kind of technology that requires confidential information, the most important thing to keep in mind when using AI agents is to build good security habits. Start small, keep access limited, and use tools that always put you in control of your data and your passwords.