As 2019 approaches, I thought I’d write a new, updated version of my casual security guide from 2016. Same disclaimers apply: I am still not an expert. I’m writing this mostly to have something to send to friends and family who ask me questions about this stuff. Note: I reference a lot of work by Martin Shelton, a researcher at Google. Also, this is a work in progress!
Level 1: Enable 2-factor authentication (at the very least, on your email)
Turning on two-factor authentication (2FA) for an online account means that whenever you log into the account, a code will be sent to your phone that you’ll have to enter after entering your correct password. The idea here is that even if someone gets ahold of your password, they would also need your phone to get this code.
You should set up 2-factor authentication for all of your online accounts that support it. Here’s a general guide, and here are some how-to guides from some popular services: GMail, Twitter, Facebook, Dropbox, GitHub and a list of other services. If you enable 2-factor for only one account, do it on your email.
Note: There are different ways to receive/present this 2nd factor code. Not all of them are equally secure.
- Worst: No 2nd-factor at all
- OK: SMS (text message)
- Better: Storing a “time-based one-time password” (TOTP) in an app on your smartphone like Google Authenticator or Authy.
- Best: Using a physical security key, like a YubiKey, as your 2nd factor
More on Security Keys
As mentioned above, you can also use a physical piece of hardware called a security key as your second factor.
Compared to SMS or TOTP (Google Authenticator), a security key is a more secure second factor, since you need the key to login to a new computer. It also helps mitigate phishing attempts better than alternative methods.
One such example of a security key is a YubiKey. Facebook, Twitter, and Google all support using a YubiKey as a second factor. Once you purchase a YubiKey, you can follow these guides from Google, Facebook, Twitter. (Here’s an alternate Google guide from Yubico if you need.)
What happens if you lose your phone/security key?
Most services give you back-up codes when you enable 2-factor for just this reason (here’s more info on GMail backup codes). In a pinch, you can use these codes as your 2nd factor.
Store these somewhere safe, like on a piece of paper you store somewhere secure. Once you use a backup code to login, you can choose to temporarily disable two-factor authentication until you get your phone back or get a new one.
Level 2: Check which devices and third-party applications have access to your accounts
It’s important to periodically check the devices you’re currently logged into an account with. Here’s how to…
- Check which devices are logged in to your Google account
- Check which devices are logged in to your Facebook account (under “Where You’re Logged In”)
- Check which devices are logged in to your Twitter account (under “Recently used devices to access Twitter”).
This is something you’d want to do after you log in to one of these accounts on a hotel or friend’s computer, or, say, after a breakup. Change your password to these accounts as well (see below for more on passwords).
It’s also very important to periodically review which third-party applications have access to your accounts. This is because some of these applications may well have permission to read your otherwise private information or even post on your behalf. You should only keep the access permissions that are absolutely necessary. Remove any apps you don’t recognize or look sketchy. BuzzFeed has a good article on this if you want to learn more.
- Check third-party access to your Google account
- Check third-party access to your Twitter account
- Check third-party access to your Facebook account
Level 3: Use better passwords
You should use long, randomly generated passwords for every account, but even more important is that you should never reuse passwords (even if you give them small variations). This is because services get breached and passwords leak all the time, and someone could simply try your password from the leaked service for your other services (you can see which services you use that have been breached at haveibeenpwned.com).
What’s a good password look like?
uncoiled armful polymer appeasing shredder recast are both examples of strong passwords.
StarWars13… not so much.
Since our goal is to not reuse any passwords, we’re going to have tens if not hundreds of long passwords to remember. The easiest way to handle this problem is to use a password manager, which is software that stores all of your passwords within a password “vault.”
As long as you choose a good manager (see below) and make the password to open this vault very strong, you’ll likely be more secure overall.
One way to create a strong, but memorable password is to generate a passphrase using dice (more info on diceware passphrases). This process will create a passphrase like “rubdown cytoplasm sculptor kindred unsubtle roamer”, which should be easy for you to memorize, but very hard for anyone else to guess (this invaluable xkcd comic explains the concept well).
Password manager recommendations
More secure: KeePassXC is a free, “offline” password manager, meaning that your encrypted passwords only lives on your computer – think of it as Excel For Passwords. I’ve got three guides for you on KeePassXC: Shelton’s, the Electronic Frontier Foundation’s, and mine.
Once you have a manager you like, and a strong vault password, go through each of your online accounts and reset your password to a unique, long, and random password.
Level 4: General tips
Don’t get phished
Basically don’t click on sketchy looking links, especially in your email. One apparently common trick is to send you an email (“Fraud alert” it might say) with a link to go log into an account, like your bank account. It may look like your bank’s website, but it could be faked to steal your password. To avoid this, just open your browser and type in your bank’s website and log in there.
Here are some examples of phishing emails. Don’t click anywhere inside of emails like this!
Keep your apps and operating systems up-to-date
It may be annoying to keep everything up-to-date, but it’s often important for security. Hackers are constantly looking for vulnerabilities in software, and software companies are constantly “patching,” or updating their software to prevent this. But you only get the benefit of these patches if you click that sometimes-annoying “Update” button, rather than continuously put it off till tomorrow.
For desktop, Firefox is generally thought of as more privacy-respecting than Google Chrome, but they’re both good choices. Personally I use both: Chrome when I need to be logged in under my real name (email, banking, most social networking, etc.), Firefox for everything else.
On your iPhone, you can use Firefox’s iOS app, or add a privacy-protecting add-on like to Safari like Better. Personally I’ve been using Brave, though I’m keeping an on eye some concerning business practices.
For bumping up your browser security/privacy, I’d recommend the following extensions:
- Privacy Badger - Block trackers
- uBlock Origin (Firefox / Chrome) - Block ads
- HTTPS Everywhere - Ensure you’re using HTTPS when you can
If you want to make your Firefox installation more privacy-respecting, you can follow these steps and, to further disrupt sites that try to track your browsing habits, install the Multi-Account Containers add-on and/or the Cookie AutoDelete add-on. You can also change Firefox’s default search engine from Google to DuckDuckGo.
Tor Browser encrypts your traffic and bounces your secured connection within the Tor network before connecting to the Web from a remote location… It is important to note that network eavesdroppers can still tell that you’re using Tor — they just can’t tell what you’re doing within Tor. If you’re looking for real anonymity, avoid sharing personal information in websites you access through Tor Browser.
Another good resource, Tor’s official overview, adds: to stay anonymous while using the Tor Browser, “[d]on’t provide your name or other revealing information in web forms.” In other words, you probably don’t want to log in to Facebook.
More secure texting/voice calls/instant messaging
Apple’s iMessage is pretty secure for everyday use, but if you want to step it up a notch (or you have any Android users in your group text), consider using Signal or Wire, which both use “end-to-end” encryption.
I use Standard Notes for taking notes (rather than Evernote or other alternatives).
Level 5: Understanding methods by which your passwords can be reset
This section is probably only necessary for journalists/activists/political folks, but we’ll press on. If someone can easily reset your account’s password, they can also gain access and lock you out. While this is sometimes mitigated by 2-factor authentication, it’s worth thinking through some examples.
For example, SIM-jacking or SIM-swapping is when attackers get your cellphone service provider to route your calls and text messages to their phone rather than yours. They can then (usually) do a bunch of other things at this point, like reset passwords to your online accounts. Scary, right?
As Lorenzo Franceschi-Bicchierai writes for Motherboard, the general advice to avoid getting SIM-jacked is to consider removing your real phone number from your online accounts. If the online service requires a phone number, consider creating a Google Voice phone number for that purpose. Then remove your real phone number from these accounts. Alternatively, you can call up your cell phone service provider and ask to set a PIN that will need to be given to get access to your account.
Why you may want to disable SMS-password recovery altogether
You may want to remove SMS as a password recovery method altogether. This is safer and may be good for your Google account (this is NOT the same thing as SMS as a second authentication factor).
To do this, first go to the “Signing in” section of Google’s security page. Scroll down a bit to the section titled “Account recovery options”. Now remove the “Recovery phone” option.
Guides I cited or recommend
See Something Say Something
I’m low-key terrified that there is misinformation above. If you see something wrong or misleading here, or you have suggestions, feel free to ping me on Twitter or Mastodon, or send me an encrypted message using one of the services listed here.
Last updated: January 2, 2019