“Just because I’m paranoid… doesn’t mean they’re not watching me.”
Passwords
Use strong passwords (password manager preferred):
- DO NOT share the same password between multiple accounts
If you create your own password:
- BAD: myp@$$w0rd -> hard to remember, easy to crack
- GOOD: notacommonphraseorpredictable -> easy to remember, hard to crack (length)
Wifi
Secure your home/office network with a strong password ☝️
- Ensure your network is encrypted with WPA2 or WPA3.
- Reboot your router at least once a month! (Increases performance and can disrupt malware)
Public Wifi
Avoid public wifi when possible (man in the middle attacks), tether from your device instead.
When using public wifi:
- Using a VPN is recommended (I like Mullvad)
- DO NOT click banners (Update your browser now! etc.); hackers can insert banners into your browser (yes, really)
- DO NOT update your passwords or sign up for new services
- Autofill passwords when possible, rather than typing
Websites / Browsers
Use your web browser wisely!
- Use browser plugins like ublock origin (ad blockers) and https everywhere
- Avoid websites without SSL encryption -> https (good) vs http (bad)
- NEVER give credit card or personal info to an http site (unencrypted)
- Avoid seedy websites, advert links, and pop-ups (ublock helps with this)
- Watch out for url typos - faceboot vs facebook, http vs https
- Private / incognito mode DOES NOT prevent third parties from seeing your browsing history, only OP from seeing your history. Mostly only useful if you’re using someone else’s computer…
On someone else’s computer:
- Use incognito mode, for example at the library or at a friend’s house. DO NOT use their profile when signing in to personal or business accounts!
Provenance matters!
- Avoid links and downloads from unknown sources
- Be skeptical about strange requests, even from your own contacts
- Contacts can be spoofed, for example gregshoal@gmail vs greggshoal@gmail - unknown senders can appear as if they are someone you know.
- For emails having to do with money (Banks, IRS) - don’t follow links from email. Look it up or sign in to your account. Assume you might be getting misdirected to a malicious site!
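The two spoofing examples above (gregshoal vs greggshoal, faceboot vs facebook) are both one edit away from the real thing. Here is an added example, not from the guide, of a small check a mail filter or a careful reader could run: it measures the edit distance between an incoming sender address or site name and a list of trusted contacts, and flags anything that is close but not identical. The contact list and addresses are constructed for illustration.

```python
# Added example (not from the original guide): flag sender addresses or
# domains that are within a couple of edits of a trusted contact or site.
# The trusted list and the sample inputs are constructed.

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions
    needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_sender(addr: str, trusted: list, max_dist: int = 2) -> dict:
    """Classify addr as 'trusted' (exact match), 'lookalike' (within max_dist
    edits of a trusted entry) or 'unknown'. Comparison is case-insensitive."""
    addr = addr.strip().lower()
    trusted = [t.strip().lower() for t in trusted]
    if addr in trusted:
        return {"verdict": "trusted", "resembles": addr, "distance": 0}
    if not trusted:
        return {"verdict": "unknown", "resembles": None, "distance": None}
    best = min(trusted, key=lambda t: edit_distance(addr, t))
    dist = edit_distance(addr, best)
    if dist <= max_dist:
        # Close to a known contact but not equal: treat as suspicious until
        # verified out of band (call the person, type the site name yourself).
        return {"verdict": "lookalike", "resembles": best, "distance": dist}
    return {"verdict": "unknown", "resembles": best, "distance": dist}


if __name__ == "__main__":
    contacts = ["gregshoal@gmail.com"]          # constructed trusted contact
    sites = ["facebook.com", "google.com"]     # constructed trusted sites
    for sample in ["greggshoal@gmail.com", "GregShoal@gmail.com", "nobody@elsewhere.org"]:
        print(sample, check_sender(sample, contacts))
    print("faceboot.com", check_sender("faceboot.com", sites))
```

A distance of 1 or 2 against a trusted entry is exactly the pattern of the typo-squat and the extra-letter address the guide warns about; an exact match is fine, and something far from every contact is simply an unknown sender to be handled with the usual caution.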
Personal Information:
- Email is historically not secure. Avoid sharing sensitive information. For example, I would prefer to send my SSN over an https (SSL encrypted) form rather than an email. If use of email is needed, use PGP keys and encrypt sensitive information.
2FA
2 factor authentication is useful and adds security; however, you must make sure to back up your credentials so you don’t lock yourself out if you lose your phone etc.
Updates & maintenance
Schedule a routine:
- Update your OS regularly (security updates patch vulnerabilities)
- Backup your machine and valuable data on the cloud regularly.
- Run CleanMyMac X or other virus scanning software regularly
Do a personal security audit once a year:
- Change passwords for primary email and password manager (others if necessary)
- Check your personal and business email addresses on HaveIBeenPwned
- What was leaked? What risks can be mitigated?
- Close unused accounts
- Erase old emails and sensitive documents on the cloud where possible
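The HaveIBeenPwned check in the audit list above is worth understanding rather than just clicking through. As an added example that is not part of the guide, and that goes slightly beyond it by using the same service's Pwned Passwords lookup (which needs no API key, unlike the per-email breach search), the code below shows the k-anonymity scheme: only the first five hex characters of the password's SHA-1 hash leave your machine, and you match the remaining 35 characters locally against the returned range. The sample response body is constructed (the first suffix is the real SHA-1 tail of the string "password"; the counts and the other rows are made up). The `fetch_range` function is the only part that touches the network and is not needed for the offline check.

```python
# Added example (not from the original guide): Pwned Passwords "range" lookup
# done offline against a constructed response. Real endpoint shape:
#   GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>
#   response: one "SUFFIX:COUNT" line per hash in that range.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_parts(password: str) -> tuple:
    """Return (prefix, suffix): first 5 and remaining 35 uppercase hex chars
    of the SHA-1 digest. Only the prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; return its breach count or 0."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def pwned_count_offline(password: str, range_body: str) -> int:
    """Full check against an already-downloaded range body (no network)."""
    _prefix, suffix = hash_parts(password)
    return count_in_range(suffix, range_body)


def fetch_range(prefix: str) -> str:
    """Live lookup of one 5-character prefix (network access required)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "hygiene-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a range body for prefix 5BAA6. The first row's suffix
# is the genuine SHA-1 tail of "password"; every count and the other rows are
# invented for this example.
SAMPLE_RANGE = """\
00000000000000000000000000000000001:7
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2
"""

if __name__ == "__main__":
    for pw in ["password", "notacommonphraseorpredictable"]:
        print(pw, "->", pwned_count_offline(pw, SAMPLE_RANGE), "times in sample range")
```

A non-zero count means the exact password has appeared in a public breach dump and should be retired, regardless of how strong it looks; a zero only says it is not in that corpus, not that it is a good password.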
Pro tips
Some extra helpful info:
- You can modify your email by adding + and a modifier to the prefix. For example, if I were signing up for BestBuy I could use george+bestbuy@openaq.org.
- This way you can have “unlimited” email handles, and can trace who shared your email if you start getting spammed.
- Be proactive rather than reactive. Don’t blindly follow links; investigate and sign in to accounts directly. Don’t make rash decisions out of fear; ask a friend or a colleague for a second opinion.
- These days anything can be spoofed - even a video or the voice of a loved one.
Some of these ideas apply offline as well; be suspicious of calls, mail, and texts. For instance, if someone calls “from the IRS” threatening you with legal action, hang up and contact the IRS directly if you think it might be legit.
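The plus-addressing trick in the pro tips (george+bestbuy@openaq.org) only pays off if you can later read the tag back out of whatever lands in your inbox. Here is an added example, not from the guide, that splits a plus-addressed handle into its base address and tag, copes with the "Name <address>" form that appears in mail headers, and looks the tag up in a small registration log to name the service that shared the address. The addresses and the log are constructed for illustration.

```python
# Added example (not from the original guide): recover the "+tag" from an
# incoming address and attribute unwanted mail to the service it was given to.
# All addresses and the registration log below are constructed.
from email.utils import parseaddr
from typing import Optional, Tuple, Dict


def split_plus(addr: str) -> Tuple[str, Optional[str]]:
    """'George <george+bestbuy@openaq.org>' -> ('george@openaq.org', 'bestbuy').
    An address without '+' returns tag None. Everything after the first '+'
    is the tag, so 'a+b+c@x' gives tag 'b+c'."""
    _name, bare = parseaddr(addr)          # strips a display name if present
    bare = bare.strip().lower()
    local, sep, domain = bare.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    base, plus, tag = local.partition("+")
    return f"{base}@{domain}", (tag if plus else None)


def attribute(to_header: str, registrations: Dict[str, str]) -> str:
    """Name the service a tagged address was registered with, or explain why
    attribution is not possible."""
    _base, tag = split_plus(to_header)
    if tag is None:
        return "no tag: the bare address was used, so the source cannot be traced"
    return registrations.get(tag, f"unregistered tag {tag!r}: check whether you reused it")


# Constructed log of which tag was handed to which service at sign-up.
REGISTRATIONS = {
    "bestbuy": "BestBuy",
    "newsletter": "Example Newsletter",
}

if __name__ == "__main__":
    # Constructed To: headers from a spam folder.
    for hdr in ["George <george+bestbuy@openaq.org>",
                "george+newsletter@openaq.org",
                "george+forum@openaq.org",
                "george@openaq.org"]:
        print(hdr, "->", attribute(hdr, REGISTRATIONS))
```

One practical caveat: some sign-up forms reject a "+" in the address, and the tag is trivially stripped by anyone who knows the convention, so treat it as a tracing aid rather than a security boundary.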
Store your passwords and keys
Anyone can forget their passwords or lose their device. Having a paper backup or maybe a thumb drive with your passwords in a safe or lockbox is recommended. At the bare minimum:
- Your computer password
- Your primary email password
- Your password manager password
- Crypto wallet passwords or private keys
- PGP keys
- Safe combinations etc…