As 2019 approaches, I thought I’d write a new, updated version of my casual security guide from 2016. Same disclaimers apply: I am still not an expert. I’m writing this mostly to have something to send to friends and family who ask me questions about this stuff. Note: I reference a lot of work by Martin Shelton, a researcher at Google. Also, this is a work in progress!

Level 1: Enable 2-factor authentication (at the very least, on your email)

Turning on two-factor authentication (2FA) for an online account means that whenever you log into the account, a code will be sent to your phone that you’ll have to enter after entering your correct password. The idea here is that even if someone gets ahold of your password, they would also need your phone to get this code.

You should set up 2-factor authentication for all of your online accounts that support it. Here’s a general guide, and here are some how-to guides from some popular services: GMail, Twitter, Facebook, Dropbox, GitHub and a list of other services. If you enable 2-factor for only one account, do it on your email.

Note: There are different ways to receive/present this 2nd factor code. Not all of them are equally secure.

More on Security Keys

As mentioned above, you can also use a physical piece of hardware called a security key as your second factor.

Compared to SMS or TOTP (Google Authenticator), a security key is a more secure second factor, since you need the key to login to a new computer. It also helps mitigate phishing attempts better than alternative methods.

One such example of a security key is a YubiKey. Facebook, Twitter, and Google all support using a YubiKey as a second factor. Once you purchase a YubiKey, you can follow these guides from Google, Facebook, Twitter. (Here’s an alternate Google guide from Yubico if you need.)

What happens if you lose your phone/security key?

Most services give you back-up codes when you enable 2-factor for just this reason (here’s more info on GMail backup codes). In a pinch, you can use these codes as your 2nd factor.

Store these somewhere safe, like on a piece of paper you store somewhere secure. Once you use a backup code to login, you can choose to temporarily disable two-factor authentication until you get your phone back or get a new one.

Level 2: Check which devices and third-party applications have access to your accounts

It’s important to periodically check the devices you’re currently logged into an account with. Here’s how to…

This is something you’d want to do after you log in to one of these accounts on a hotel or friend’s computer, or, say, after a breakup. Change your password to these accounts as well (see below for more on passwords).

It’s also very important to periodically review which third-party applications have access to your accounts. This is because some of these applications may well have permission to read your otherwise private information or even post on your behalf. You should only keep the access permissions that are absolutely necessary. Remove any apps you don’t recognize or look sketchy. BuzzFeed has a good article on this if you want to learn more.

Google/GMail users should also periodically complete Google’s “Security Checkup” and “Privacy Checkup”.

Level 3: Use better passwords

You should use long, randomly generated passwords for every account, but even more important is that you should never reuse passwords (even if you give them small variations). This is because services get breached and passwords leak all the time, and someone could simply try your password from the leaked service for your other services (you can see which services you use that have been breached at haveibeenpwned.com).

What’s a good password look like? Vy<{t/W~Ee.5}k(D[Bm(N and uncoiled armful polymer appeasing shredder recast are both examples of strong passwords. StarWars13… not so much.

Since our goal is to not reuse any passwords, we’re going to have tens if not hundreds of long passwords to remember. The easiest way to handle this problem is to use a password manager, which is software that stores all of your passwords within a password “vault.”

As long as you choose a good manager (see below) and make the password to open this vault very strong, you’ll likely be more secure overall.

One way to create a strong, but memorable password is to generate a passphrase using dice (more info on diceware passphrases). This process will create a passphrase like “rubdown cytoplasm sculptor kindred unsubtle roamer”, which should be easy for you to memorize, but very hard for anyone else to guess (this invaluable xkcd comic explains the concept well).

Password manager recommendations

Easiest to use: LastPass is an easy-to-use online password manager that has a free option. Here’s a beginner’s guide to LastPass by Shelton.

A solid, paid option: 1Password is another popular option, though it costs a fee, paid either monthly or yearly ($36). Here’s a guide to getting started with 1Password from the same author.

More secure: KeePassXC is a free, “offline” password manager, meaning that your encrypted passwords only lives on your computer – think of it as Excel For Passwords. I’ve got three guides for you on KeePassXC: Shelton’s, the Electronic Frontier Foundation’s, and mine.

Once you have a manager you like, and a strong vault password, go through each of your online accounts and reset your password to a unique, long, and random password.

You can read more about creating and storing strong passwords from the EFF.

Level 4: General tips

Don’t get phished

Basically don’t click on sketchy looking links, especially in your email. One apparently common trick is to send you an email (“Fraud alert” it might say) with a link to go log into an account, like your bank account. It may look like your bank’s website, but it could be faked to steal your password. To avoid this, just open your browser and type in your bank’s website and log in there.

Here are some examples of phishing emails. Don’t click anywhere inside of emails like this!

Here’s the EFF’s guide to avoid phishing attacks and one from Security in a Box. If you see a suspicious-looking URL and want to check if it’s safe, Google has a service for that.

Keep your apps and operating systems up-to-date

It may be annoying to keep everything up-to-date, but it’s often important for security. Hackers are constantly looking for vulnerabilities in software, and software companies are constantly “patching,” or updating their software to prevent this. But you only get the benefit of these patches if you click that sometimes-annoying “Update” button, rather than continuously put it off till tomorrow.

Your browser

For desktop, Firefox is generally thought of as more privacy-respecting than Google Chrome, but they’re both good choices. Personally I use both: Chrome when I need to be logged in under my real name (email, banking, most social networking, etc.), Firefox for everything else.

On your iPhone, you can use Firefox’s iOS app, or add a privacy-protecting add-on like to Safari like Better. Personally I’ve been using Brave, though I’m keeping an on eye some concerning business practices.

For bumping up your browser security/privacy, I’d recommend the following extensions:

If you want to make your Firefox installation more privacy-respecting, you can follow these steps and, to further disrupt sites that try to track your browsing habits, install the Multi-Account Containers add-on and/or the Cookie AutoDelete add-on. You can also change Firefox’s default search engine from Google to DuckDuckGo.

If you want to browse more anonymously, consider using the Tor Browser. However there are some important things to note about the Tor Browser, which Shelton summarizes nicely:

Tor Browser encrypts your traffic and bounces your secured connection within the Tor network before connecting to the Web from a remote location… It is important to note that network eavesdroppers can still tell that you’re using Tor — they just can’t tell what you’re doing within Tor. If you’re looking for real anonymity, avoid sharing personal information in websites you access through Tor Browser.

Another good resource, Tor’s official overview, adds: to stay anonymous while using the Tor Browser, “[d]on’t provide your name or other revealing information in web forms.” In other words, you probably don’t want to log in to Facebook.

More secure texting/voice calls/instant messaging

Apple’s iMessage is pretty secure for everyday use, but if you want to step it up a notch (or you have any Android users in your group text), consider using Signal or Wire, which both use “end-to-end” encryption.

As mentioned above, periodically review which devices you’re logged in on. Both services also support disappearing messages. Here’s a beginner’s guide to Signal and one for Wire.

Private note-taking

I use Standard Notes for taking notes (rather than Evernote or other alternatives).

Level 5: Understanding methods by which your passwords can be reset

This section is probably only necessary for journalists/activists/political folks, but we’ll press on. If someone can easily reset your account’s password, they can also gain access and lock you out. While this is sometimes mitigated by 2-factor authentication, it’s worth thinking through some examples.

For example, SIM-jacking or SIM-swapping is when attackers get your cellphone service provider to route your calls and text messages to their phone rather than yours. They can then (usually) do a bunch of other things at this point, like reset passwords to your online accounts. Scary, right?

As Lorenzo Franceschi-Bicchierai writes for Motherboard, the general advice to avoid getting SIM-jacked is to consider removing your real phone number from your online accounts. If the online service requires a phone number, consider creating a Google Voice phone number for that purpose. Then remove your real phone number from these accounts. Alternatively, you can call up your cell phone service provider and ask to set a PIN that will need to be given to get access to your account.

Why you may want to disable SMS-password recovery altogether

You may want to remove SMS as a password recovery method altogether. This is safer and may be good for your Google account (this is NOT the same thing as SMS as a second authentication factor).

To do this, first go to the “Signing in” section of Google’s security page. Scroll down a bit to the section titled “Account recovery options”. Now remove the “Recovery phone” option.

Google account recovery options: none

Guides I cited or recommend

See Something Say Something

I’m low-key terrified that there is misinformation above. If you see something wrong or misleading here, or you have suggestions, feel free to ping me on Twitter or Mastodon, or send me an encrypted message using one of the services listed here.

Last updated: January 2, 2019