Online Security Part 1
Hello. This post was inspired by a couple of interactions that I've had recently with family members who wished to do something that required some measure of privacy and security, but who also don't need to be given an entire handbook of online security best practices to read. This post shall hopefully function as a primer for those of you who wish to tighten up your online security practices, starting from square 0.
The entire point here is to make it harder to a) get into your private information and b) get something useful out of your private information should someone get in. Your entire goal here is just to make it harder than the next guy; the digital equivalent of locking your car when you park in public.
Q: But there's so much information/accounts/junk out there, how would anyone find me, or why would they bother to find me?
A: They're not looking for you. They have scripts and bots to do the sifting of interesting looking data, email addresses, password combinations to try. By this point all of our data is out there from the Equifax hack, the Adobe hack, the LinkedIn hack, and a thousand others that we never heard about.
(Probably) nobody is going to be targeting you directly, they just have computer scripts that trot around the internet and try the digital equivalent of walking through the mall parking lot looking for an unlocked car. Just don't be that car.
Step 1: Password manager
Q: What is a password manager?
A: Just what it sounds like. It is a system that stores your passwords and account names for you. They can also generate very strong passwords for you and store those. What this accomplishes is two fold:
- It prevents you from having to remember what password you used for this site or that site, and it can automatically fill the user and password fields on whatever it has stored. Just click a button in your browser to have the login fields populated when you want to log in to something. This alone is life-changing in a minor way.
- Since you don't have to keep the password in your head anymore, it prevents you from reusing the same or almost the same password on multiple sites. It generates strong and unique passwords for you.
We've all heard that we shouldn't reuse passwords but it's impossible not to do that if you're relying on your brain to store them. I personally used small variations of 3 different passwords on hundreds and hundreds of accounts over the last 10-12 years. I finally began using an honest to God password manager when I started this Platform.sh gig 2.5 years ago and have since added ~170 account logins to my password manager.
Only a dozen or so of these are sites I use regularly – work and banking stuff. The rest are random sites with which I've transacted some kind of business – the online printer for the kids schoolbooks that I used once so far, that cool wood stove that I bought online for my brother in law for their new house, etc. I may never do business with these outlets again, or maybe I will, but the point is that they don't have another copy of that same password I use everywhere else in their database*. If they get hacked, at most the Bad Guys get my email address (though I've gotten wide to that lately, too).
Q: So how does this work?
- You sign up for an account, may I recommend Bitwarden, and choose 1 strong master password that functions as the encryption key for everything that you store in the password manager. This really should be a strong thing that you'll be able to remember but that you haven't used anywhere else. This is the last password you'll need to remember ever, so take your time.
- You install the plugin for whatever browser you use. Look in the middle of the front page: https://bitwarden.com/ and click on the plugin for whatever browser you use. You'll need to login after you install it, but this will manage saving user/password combos on sites when you log in (it'll offer to save new ones for you) and will auto-fill the user/password field on sites that you've previously saved your credentials.
- Optional, but recommended: I think all of my family members are on iPhones at this point, so install the Bitwarden iPhone app as well. This will give you the same benefits on the phone, and integrates with your apps as well.
Q: Store my passwords in an online service, are you nuts?!
A: You're not actually storing anything on their servers except for encrypted gibberish. Actually, it's not even gibberish, it's binary bits. They don't even know what information of yours they're storing because all the encryption and decryption happens on your computer/phone/whatever before it gets sent to them. They're just storing encrypted blobs so if they ever got hacked, the payoff for the hackers would an encrypted pile of blobs. Useless, and safer than using the same password over and over.
Like I said at the top, all you're trying to do is make it harder then the next guy who isn't practicing good security and this is the first thing you should do.
Step 2: Never send sensitive information via email. Never.
But I'll just delete it from my “sent” box after I send it.
That doesn't mean that the recipient deleted it. That doesn't mean that the email service that you use deleted it. That doesn't mean that the email service you use has good security practices and there's not somebody watching the entire system for emails with the header “account information” or “credit card” or “wiring instructions”. I mean, the last one is possibly a little hyperbolic but I know for a fact that some of you are still on AOL for email. Can you count the number of times AOL has changed hands since you've had that address? Each of those acquiring companies has a vested interest in mining data out of AOL's user base and that means making copies of whatever might be useful some day. Do you trust all of them?
So what should I use?
Honestly: Apple Messages is actually end to end encrypted, which makes it as safe a communication method as anything you are likely to use. If you don't have an iPhone then just get one. They are the only big company out there right now that treats their users with respect with regards to their private information. When you and the recipient each delete the message, it's actually deleted, since whatever other data remains out there is encrypted and safe.
I'd recommend not using an email address that's tied to your internet provider or your job or some service that you used a long time or anything related to Google or Facebook or any other business whose model is not respecting your privacy. If you're looking for suggestions, I use a service called Fastmail that provides a lot of cool features and lets me use my own domain for email. I also pay for it, so I have an amount of trust that they'll still be in business 5 years from.
If you don't care about that but still want to have a portable email address (not tied to ISP or job) then I'd recommend ProtonMail.