InfoStealers are scripts and executables that steal session cookies, browser passwords, docx, and generally all files of interest to an attacker.
I apply the principle of least privilege for this one. Create accounts for different tasks. For example: home budgeting and banking, shopping, aimless browsing, gaming, work, etc. You would keep only related files and passwords in each account, so that the infostealer can only steal a subset of things important to you. And the attack surface is also smaller because maybe you'll only encounter infostealers on game cheat sites and you'd be using your gaming account then.
Not convenient. But convenience is the enemy of security always.
Your approach makes sense as a damage-limitation strategy.
Why it helps
Using separate standard user accounts for different activities can reduce the impact of an infostealer because:
- Browser cookies, saved passwords, autofill data, and many app settings are often stored per user profile
- Documents and desktop files are normally separated by account
- A compromise in one account does not automatically expose everything stored in another account
- Risky activity can be isolated from more sensitive activity such as banking or work
So in principle, this is a valid form of compartmentalization.
Important limitation
It is not a complete defense.
If malware executes under one account, it may still be able to:
- Steal everything accessible to that account
- Capture keystrokes or clipboard data during that session
- Abuse active browser sessions
- Attempt privilege escalation
- Target shared folders, external drives, and cloud-synced locations
Also, if you frequently switch between accounts or use “Run as administrator” carelessly, some of the isolation benefit is reduced.
What is strong in your model
- Separating high-value activity like banking from general browsing
- Keeping fewer files and credentials in each profile
- Reducing exposure of long-lived sessions and saved logins
- Using least privilege instead of daily admin use
That is broadly aligned with good security practice.
Where convenience is not the only factor
I would slightly refine the “convenience is the enemy of security always” part.
In practice, poor usability can also weaken security if it causes people to:
- Disable protections
- Reuse simple passwords
- Store credentials unsafely
- Stop following the process consistently
So the better principle is usually: use as much separation as you can maintain reliably.
More practical additions
If the goal is specifically to reduce infostealer damage, these measures are also useful:
- Use a password manager instead of storing passwords directly in the browser where possible
- Enable MFA on important accounts, especially email and banking-related services
- Keep separate browsers or browser profiles for sensitive and non-sensitive activity
- Avoid running as administrator for daily use
- Turn off password saving in browsers used for risky activity
- Be cautious with downloads, cracks, cheats, and “mods” from untrusted sources, since those are common infostealer delivery paths
- Keep Windows, browsers, and security software updated
A separate browser profile can sometimes give a large part of the benefit with less friction than fully separate Windows accounts, although full user separation is stronger.
Bottom line
Yes, separating activities across different user accounts is a reasonable way to limit what an infostealer can access. It is a containment measure, not a substitute for prevention, but it can meaningfully reduce damage when used consistently alongside standard security practices.
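The per-account separation discussed in this thread only holds if the activity accounts are standard users and no other account has been granted access to their profile folders. The following audit script is an added example, not part of the thread; it assumes an elevated Windows PowerShell 5.1+ session with the built-in LocalAccounts module, and it treats SYSTEM, Administrators and the profile owner as the only expected principals on a profile folder.

```powershell
# Added example: audit the isolation assumptions behind per-activity Windows accounts.
# Assumption: SYSTEM, Administrators and the owner are the only expected ACL entries.
$adminGroupSid = 'S-1-5-32-544'                  # well-known SID of BUILTIN\Administrators
$expectedSids  = @('S-1-5-18', $adminGroupSid)   # SYSTEM and Administrators

# Direct members of the local Administrators group (nested domain groups are not expanded)
$adminSids = @(Get-LocalGroupMember -SID $adminGroupSid | ForEach-Object { $_.SID.Value })

$sidType = [System.Security.Principal.SecurityIdentifier]
$profiles = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { -not $_.Special }

$report = foreach ($p in $profiles) {
    # Skip stale profile records whose folder no longer exists
    if (-not (Test-Path -LiteralPath $p.LocalPath)) { continue }

    # Read the folder ACL with identities returned as SIDs, so unresolved names cannot break the check
    $acl   = Get-Acl -LiteralPath $p.LocalPath
    $extra = foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        $isUnexpected = ($sid -ne $p.SID) -and ($expectedSids -notcontains $sid)
        if ($rule.AccessControlType -eq 'Allow' -and $isUnexpected) {
            '{0} ({1})' -f $sid, $rule.FileSystemRights
        }
    }

    [pscustomobject]@{
        Profile         = $p.LocalPath
        IsLocalAdmin    = $adminSids -contains $p.SID   # True means this is not a standard user
        OtherPrincipals = @($extra) -join '; '          # empty means only the expected entries exist
    }
}

$report | Format-Table -AutoSize -Wrap
```

A row with `IsLocalAdmin` set to True or a non-empty `OtherPrincipals` column marks an account whose files are reachable from outside its own compartment.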