A resource guide to basic solutions and tools for securing your digital assets and privacy.
Using a password manager is one of the best lines of defense against account takeover and data breaches. In essence, a password manager stores the credentials for all of your online accounts (email, financial services, etc.) in an encrypted vault that is unlocked by a single master password. Thus it lets you use a long, unique, randomly generated password for every single account while only having to remember one password to access the vault. Password manager apps and browser extensions can also fill your credentials for you, so you rarely type them at all; this saves time and adds a real security benefit, because the extension only offers a saved login on the site it was saved for, which makes it much harder to be tricked into entering a password on a look-alike phishing page. Some password managers will even let you export your passwords to an offline spreadsheet that can be used as an emergency resource (this file is unencrypted and must be stored in a secure location). Follow the links below to read on what password manager solution might be the best for you. (My personal recommendation would be Bitwarden or 1Password.) Avoid LastPass as they have had security issues in the past.
- Your Password Has Likely Been Stolen and Here’s What To Do About It
- How Password Managers Work and Why You Should Use One
- Get a Password Manager. No More Excuses
- The Best Password Manager For You
Additionally, you can go to https://haveibeenpwned.com to see if any of your online accounts or passwords have been breached and publicly exposed. Its Pwned Passwords service lets you check a specific password against known breach dumps without ever sending the password itself: only the first five characters of its SHA-1 hash leave your machine, and the matching is done locally.
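The k-anonymity lookup that Pwned Passwords uses, as an added example that is not part of the original page or of haveibeenpwned.com's own code: the password is hashed with SHA-1, the 5-character prefix is sent to the range endpoint, and the 35-character suffix is matched locally against the returned list. The response body below is constructed to match the service's `SUFFIX:COUNT` format; apart from the suffix for "password", its entries and counts are made up, and the live `fetch_range` call is not exercised in the demo.

```python
import hashlib
import urllib.request

# Constructed stand-in for the body returned by
# GET https://api.pwnedpasswords.com/range/5BAA6. Each line is the remaining
# 35 hex characters of a SHA-1 hash and how often it was seen in breaches.
# Apart from the suffix for "password", the suffixes and all of the counts are
# made up for this example; a real response runs to several hundred lines.
CONSTRUCTED_RANGE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1E4F4E1563F4234DF0B3C7F9E3E4C52A7AB:2
"""

API_BASE = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are an error."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            raise ValueError(f"malformed line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (not run in the demo below). Add-Padding asks the service to
    pad the response with zero-count entries so its size doesn't hint at the range."""
    req = urllib.request.Request(
        API_BASE + prefix,
        headers={"User-Agent": "security-guide-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found).
    Only the hash prefix is transmitted; the suffix match happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch(prefix))
    return counts.get(suffix, 0)


if __name__ == "__main__":
    # Demo against the constructed response; drop the fetch= argument for a real check.
    seen = breach_count("password", fetch=lambda prefix: CONSTRUCTED_RANGE_RESPONSE)
    print(f"'password' seen {seen} times (constructed data)")
```

A password that appears even once in this data set should be treated as burned: it is already in the dictionaries attackers feed to cracking tools and credential-stuffing bots.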
Password strength can be summarized in a nutshell with the well-known XKCD comic "Password Strength".
To make a long story short, what makes a password hard for a computer to crack is the number of equally likely candidates an attacker has to try (its entropy), and for a randomly generated password that number grows much faster with length than with "complexity" rules such as sprinkling in symbols and digits. Thus, a proven way to generate passphrases, which are both more memorable and stronger than traditional passwords, is Diceware, a method originally developed by Arnold Reinhold in 1995. Essentially, you roll dice (a physical source of true randomness) five at a time and look each five-digit result up in an established wordlist of 7776 (6^5) words; six words chosen this way give a passphrase of roughly 77 bits of entropy, well outside the reach of brute-force cracking. The method is easy to use, and such a passphrase is strong enough to serve as the master password for your password manager. Follow the links below for detailed information on producing Diceware passphrases of your own.
- Diceware - A brief introduction
- EFF Dice-Generated Passphrases - Instructions on how to use the method with established wordlists
- EFF’s New Wordlists for Random Passphrases - An in-depth explanation of the EFF wordlists
- How to Roll a Strong Password with 20-Sided Dice and Fandom-Inspired Wordlists - For nerds or anyone with d20 dice
Using Diceware to generate your passphrases is highly recommended as humans are very bad at producing randomness.
I would also recommend using d10 dice (available in a standard set of polyhedral dice like this or this) for generating the digits of a PIN code for your phone, debit card, etc. Most d10s are marked 0 to 9; if yours shows a 10, read it as 0. Again, humans are really bad at producing randomness on their own.
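Both the Diceware lookup described above and the d10 PIN method, as an added example that is not part of the original page or of the EFF's own tooling. It parses the `rolls<TAB>word` format the EFF wordlists use (only a constructed eight-line excerpt is embedded so it runs offline), converts five d6 faces to a list index, compares the entropy of passphrases and character passwords, and turns d10 faces into PIN digits. The `simulated_roll_groups` helper uses the OS random source only as a stand-in for physical dice.

```python
import math
import secrets

# Constructed excerpt in the format of the EFF large wordlist
# (https://www.eff.org/dice): five d6 faces, a tab, a word. Only a few lines are
# embedded so the example runs offline; the real file has 6**5 = 7776 lines.
SAMPLE_WORDLIST_TEXT = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
11121\tablaze
66666\tzoom
"""


def validate_rolls(rolls: str) -> None:
    """A Diceware key is exactly five faces, each in 1..6."""
    if len(rolls) != 5 or any(ch not in "123456" for ch in rolls):
        raise ValueError(f"expected five d6 faces (1-6), got {rolls!r}")


def parse_wordlist(text: str) -> dict:
    """Parse 'rolls<TAB>word' lines into {rolls: word}."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rolls, word = line.split("\t")
        validate_rolls(rolls)
        table[rolls] = word
    return table


def rolls_to_index(rolls: str) -> int:
    """Five d6 faces read as a base-6 number: '11111' -> 0, '66666' -> 7775.
    Useful when a wordlist is just numbered lines rather than keyed by rolls."""
    validate_rolls(rolls)
    index = 0
    for ch in rolls:
        index = index * 6 + (int(ch) - 1)
    return index


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a uniformly random string: symbols * log2(choices per symbol)."""
    return symbols * math.log2(choices_per_symbol)


def diceware_passphrase(table: dict, roll_groups: list, sep: str = " ") -> str:
    """Look up each group of five physical rolls. An unknown key is an error,
    never silently replaced, so a transcription mistake is caught."""
    words = []
    for rolls in roll_groups:
        validate_rolls(rolls)
        if rolls not in table:
            raise KeyError(f"{rolls} is not in the wordlist")
        words.append(table[rolls])
    return sep.join(words)


def simulated_roll_groups(n_words: int) -> list:
    """Stand-in for physical dice using the OS CSPRNG. Never use random.random()
    or a hand-typed 'random' sequence for this."""
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5))
            for _ in range(n_words)]


def pin_from_d10(faces: list) -> str:
    """Turn d10 rolls into PIN digits. Most d10s are marked 0-9; a die marked
    1-10 has its 10 read as 0."""
    digits = []
    for face in faces:
        if not 0 <= face <= 10:
            raise ValueError(f"not a d10 face: {face}")
        digits.append("0" if face == 10 else str(face))
    return "".join(digits)


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_WORDLIST_TEXT)
    # Rolls written down from physical dice (constructed here) are looked up as-is.
    print(diceware_passphrase(table, ["11111", "11121", "66666"]))
    for label, choices, n in [("6 words from 7776", 7776, 6),
                              ("5 words from 7776", 7776, 5),
                              ("8 random printable ASCII chars", 95, 8),
                              ("12 random printable ASCII chars", 95, 12),
                              ("4-digit PIN", 10, 4)]:
        print(f"{label:32} {entropy_bits(choices, n):5.1f} bits")
    print("PIN from d10 faces [10, 3, 7, 10]:", pin_from_d10([10, 3, 7, 10]))
    # With the full 7776-line list these would resolve to six real words:
    print("simulated rolls:", simulated_roll_groups(6))
```

The entropy table is the point: six dice words beat a twelve-character random password of printable ASCII, and a four-digit PIN is only about 13 bits, which is why PINs rely on lockout limits rather than on being hard to guess.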
Two-Factor Authentication (2FA)
If you haven’t heard of the epic hack that wrecked journalist Mat Honan’s digital life, it’s a must read.
- How Apple and Amazon Security Flaws Led to My Epic Hacking
- Mat Honan: How I Resurrected My Digital Life After An Epic Hacking
Essentially, nearly all of Mat Honan’s digital assets were compromised by a hacker who didn’t even need to brute-force his passwords, but more cleverly used social engineering to game customer support. This highlights how, even if you secure each account with a unique password, an adversary can exploit flaws in the account-recovery model used by the companies and services that hold your assets. In retrospect, Honan admits that had he enabled two-factor authentication (2FA) on his accounts, the majority of the damage from the hack might have been prevented. 2FA protects a user by authenticating them through something they know (the password) as well as something they have (a physical device such as a cellphone). Generally, 2FA is accomplished by requiring a user to enter a code sent to their phone via SMS when logging into a website, or by entering the code shown in an authenticator app (like Google Authenticator). Though it introduces some inconvenience, 2FA protects a user in ways that a strong password alone cannot: a stolen or guessed password is no longer enough on its own. Follow the links below for more information on what 2FA is and how to enable it on your accounts.
- Using 2-step verification - The best video I’ve seen that breaks down the process
- What is 2-Factor Authentication and Why Should You Care?
- How To Secure Your Accounts With Better Two-Factor Authentication
- Google 2-Step Verification
Generally, using an authenticator app is more secure than SMS, since text messages can be intercepted or redirected, for example by an attacker who convinces your carrier to move your number to a SIM card they control (a "SIM swap"). Where a service supports it, a hardware security key (FIDO/U2F) is stronger still, because it only answers the genuine site, so a phishing page cannot relay your code. However, there are additional trade-offs in convenience. The secrets an authenticator app uses live only on your phone: if the phone is wiped or lost, they are gone, and you must fall back on the recovery codes you printed and stored in a secure location or risk losing access to your account. SMS 2FA does not have this problem, since your phone number moves with you to a new handset.
You can check which companies and services offer 2FA, and which methods each supports, at https://twofactorauth.org/ (now 2fa.directory).
You can also install a few browser extensions that increase the security and privacy of your browsing activity. First of all, you should always use websites over https:// rather than http://. HTTPS encrypts the traffic between your computer and the site and also verifies that you are talking to the genuine site, whereas plain HTTP does neither. For example, if you submitted a form or sent a message containing your credit card number to an http:// website, it would be trivial for an adversary on the same network to read it; the same data sent over https:// would be unreadable to them. Thus, you should use https:// websites whenever possible. An extension called HTTPS Everywhere, available for most browsers, rewrites requests so that sites which support it are loaded over https:// even when you follow an http:// link. More information about installing the extension can be found at https://www.eff.org/https-everywhere (EFF has since retired the extension in favour of the HTTPS-only mode now built into the major browsers, which you should turn on instead).
Another way to enhance your online privacy is to block trackers. Trackers are third-party scripts, cookies and similar identifiers embedded in many pages that follow you from site to site, and most of them ignore the “Do Not Track” setting in your browser (which is only a request, though you should enable it if you have not already). Trackers essentially allow websites to share information about you among themselves in order to produce more relevant and targeted advertisements. This is how a Google search for a specific pair of shoes can result in an Amazon advertisement on Facebook for those exact same shoes a few minutes later. One extension that can prevent this tracking is Privacy Badger, which blocks requests to third-party domains it detects tracking you across multiple sites, so their cookies are never set in your browser. More information about installing the extension can be found at https://www.eff.org/privacybadger
Additionally, you can install an ad blocker to prevent advertisements from even loading on the sites you browse. There are several good options available, visit your browser extension store to install one. My personal favorite is AdBlock, which you can find more information about installing at https://getadblock.com/
A VPN, or Virtual Private Network, is a service that redirects your device’s network traffic through an encrypted tunnel to a remote server run by the VPN provider. Essentially, this prevents your Internet Service Provider (and anyone else on your local network) from seeing which sites you visit, and prevents the sites you visit from learning your real IP address (which can be used to roughly locate you). Incognito Mode does neither of these things; it only stops your browser from keeping local history. The encrypted tunnel also stops an adversary on your network from reading your traffic, even when you visit an http:// website, which is useful when you connect to public WiFi at Starbucks or the airport. Bear in mind that a VPN moves trust rather than removing it: the provider can now see everything your ISP could have, so choose one whose logging policy you are willing to rely on, and remember that traffic is only protected as far as the VPN server, beyond which an http:// site is as exposed as before. Additionally, a VPN can get you access to content that is restricted by your geographic location, since sites see the VPN server’s IP address instead of yours. This can be useful when travelling abroad (watching BBC when you’re not in the UK, for example). A VPN offers several other benefits as well and is a worthwhile part of an online safety and privacy toolkit. More information about VPNs can be found by following the links below.
- Why You Need VPN
- What Is a VPN, and Why You Need One
- What is a VPN?
- How Does a VPN Work?
- VPN Connection Guide
- 7 Most Interesting Uses of a VPN
My personal pick for a VPN service is NordVPN based on reputation (no logging), pricing, and quality. There’s currently a deal for a subscription of $125 for 3 years which is one of the best deals I’ve seen on the market. You can get more information at https://nordvpn.com
There is no single magical and perfect solution to cybersecurity, but you can proactively take steps to protect your digital assets and your online privacy from being compromised. Additional tools to look into are data backups and full-disk encryption: backups so that a failed, lost or stolen device does not take your data with it, and disk encryption so that a lost or stolen device does not hand your data to whoever ends up with it.