sts10

As 2019 approaches, I thought I'd write a new, updated version of my casual security guide from 2016. Same disclaimers apply: I am still not an expert. I'm writing this mostly to have something to send to friends and family who ask me questions about this stuff. Note: I reference a lot of work by Martin Shelton, a researcher at Google. Also, this is a work in progress!

Level 1: Enable 2-factor authentication (at the very least, on your email)

Turning on two-factor authentication (2FA) for an online account means that whenever you log into the account, a code will be sent to your phone that you’ll have to enter after entering your correct password. The idea here is that even if someone gets ahold of your password, they would also need your phone to get this code.

You should set up 2-factor authentication for all of your online accounts that support it. Here's a general guide, and here are some how-to guides from some popular services: GMail, Twitter, Facebook, Dropbox, GitHub and a list of other services. If you enable 2-factor for only one account, do it on your email.

Note: There are different ways to receive/present this 2nd factor code. Not all of them are equally secure.

More on Security Keys

As mentioned above, you can also use a physical piece of hardware called a security key as your second factor.

Compared to SMS or TOTP (Google Authenticator), a security key is a more secure second factor, since you physically need the key to log in on a new computer. It also resists phishing better than the alternatives: the key only answers for the website it was registered with, so a look-alike site cannot collect a usable response the way it can collect a typed-in code.

One such example of a security key is a YubiKey. Facebook, Twitter, and Google all support using a YubiKey as a second factor. Once you purchase a YubiKey, you can follow these guides from Google, Facebook, Twitter. (Here's an alternate Google guide from Yubico if you need.)

What happens if you lose your phone/security key?

Most services give you back-up codes when you enable 2-factor for just this reason (here's more info on GMail backup codes). In a pinch, you can use these codes as your 2nd factor.

Store these somewhere safe, like on a piece of paper you keep somewhere secure. Once you use a backup code to log in, you can choose to temporarily disable two-factor authentication until you get your phone back or get a new one.

Level 2: Check which devices and third-party applications have access to your accounts

It's important to periodically check the devices you're currently logged into an account with. Here's how to...

This is something you'd want to do after you log in to one of these accounts on a hotel or friend's computer, or, say, after a breakup. Change your password to these accounts as well (see below for more on passwords).

It's also very important to periodically review which third-party applications have access to your accounts. This is because some of these applications may well have permission to read your otherwise private information or even post on your behalf. You should only keep the access permissions that are absolutely necessary. Remove any apps you don't recognize or that look sketchy. BuzzFeed has a good article on this if you want to learn more.

Google/GMail users should also periodically complete Google's “Security Checkup” and “Privacy Checkup”.

Level 3: Use better passwords

You should use long, randomly generated passwords for every account, but even more important is that you should never reuse passwords (even if you give them small variations). This is because services get breached and passwords leak all the time, and someone could simply try your password from the leaked service for your other services (you can see which services you use that have been breached at haveibeenpwned.com).

What does a good password look like? Vy<{t/W~Ee.5}k(D[Bm(N and uncoiled armful polymer appeasing shredder recast are both examples of strong passwords. StarWars13... not so much.

Since our goal is to not reuse any passwords, we're going to have tens if not hundreds of long passwords to remember. The easiest way to handle this problem is to use a password manager, which is software that stores all of your passwords within a password “vault.”

As long as you choose a good manager (see below) and make the password to open this vault very strong, you'll likely be more secure overall.

One way to create a strong, but memorable password is to generate a passphrase using dice (more info on diceware passphrases). This process will create a passphrase like “rubdown cytoplasm sculptor kindred unsubtle roamer”, which should be easy for you to memorize, but very hard for anyone else to guess (this invaluable xkcd comic explains the concept well).
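To show what the dice are doing and why six words is "very hard to guess", here is an added example (not from the original guide) that builds a diceware passphrase from a CSPRNG-driven five-dice roll and compares its entropy with the random-character password above. The wordlist is a constructed placeholder; a real one, such as the EFF list, has a memorable word behind each five-digit key.

```python
import math
import secrets

DICE_WORDS = 6 ** 5  # a diceware list has one word per five-dice roll: 7776 entries


def dice_key(index: int) -> str:
    """Map a list position 0..7775 to its five-dice key: 0 -> '11111', 7775 -> '66666'."""
    digits = []
    for _ in range(5):
        index, d = divmod(index, 6)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


# Constructed placeholder list so the example runs offline; substitute a
# published diceware list (same key format) for real use.
PLACEHOLDER_LIST = {dice_key(i): f"word{i:04d}" for i in range(DICE_WORDS)}


def roll_five_dice() -> str:
    """Five fair dice from the OS CSPRNG, never random.random() (predictable)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def make_passphrase(wordlist: dict, words: int = 6) -> str:
    """Roll, look up, repeat: the 'rubdown cytoplasm sculptor ...' style passphrase."""
    return " ".join(wordlist[roll_five_dice()] for _ in range(words))


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy in `length` independent uniform picks from `choices` options.
    Only valid for genuinely random picks: 'StarWars13' is a human-chosen pattern,
    so this formula overstates it and crackers try such patterns first."""
    return length * math.log2(choices)


def equivalent_random_length(bits: float, alphabet: int = 94) -> int:
    """Characters of random printable ASCII (94 symbols) needed to match `bits`."""
    return math.ceil(bits / math.log2(alphabet))


if __name__ == "__main__":
    print(make_passphrase(PLACEHOLDER_LIST))
    print(f"6 diceware words: {entropy_bits(DICE_WORDS, 6):.1f} bits")      # 77.5
    print(f"21 random chars:  {entropy_bits(94, 21):.1f} bits")             # 137.6
    print(f"6 words ~= {equivalent_random_length(entropy_bits(DICE_WORDS, 6))} random chars")
```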

Password manager recommendations

Easiest to use: LastPass is an easy-to-use online password manager that has a free option. Here's a beginner's guide to LastPass by Shelton.

A solid, paid option: 1Password is another popular option, though it costs a fee, paid either monthly or yearly ($36). Here's a guide to getting started with 1Password from the same author.

More secure: KeePassXC is a free, “offline” password manager, meaning that your encrypted passwords only live on your computer — think of it as Excel For Passwords. I've got three guides for you on KeePassXC: Shelton's, the Electronic Frontier Foundation's, and mine.

Once you have a manager you like, and a strong vault password, go through each of your online accounts and reset your password to a unique, long, and random password.

You can read more about creating and storing strong passwords from the EFF.

Level 4: General tips

Don't get phished

Basically don't click on sketchy looking links, especially in your email. One apparently common trick is to send you an email (“Fraud alert” it might say) with a link to go log into an account, like your bank account. It may look like your bank's website, but it could be faked to steal your password. To avoid this, just open your browser and type in your bank's website and log in there.

Here are some examples of phishing emails. Don't click anywhere inside of emails like this!

Here's the EFF's guide to avoid phishing attacks and one from Security in a Box. If you see a suspicious-looking URL and want to check if it's safe, Google has a service for that.

Think you've got a hang of it? Try this phishing quiz from Google.

Keep your apps and operating systems up-to-date

It may be annoying to keep everything up-to-date, but it's often important for security. Hackers are constantly looking for vulnerabilities in software, and software companies are constantly “patching,” or updating their software to prevent this. But you only get the benefit of these patches if you click that sometimes-annoying “Update” button, rather than continuously put it off till tomorrow.

Your browser

For desktop, Firefox is generally thought of as more privacy-respecting than Google Chrome, but they're both good choices. Personally I use both: Chrome when I need to be logged in under my real name (email, banking, most social networking, etc.), Firefox for everything else.

On your iPhone, you can use Firefox's iOS app or Firefox Focus, which blocks more trackers and some ads. Alternatively/additionally you can add a privacy-protecting add-on to Safari, like Better. Personally I've been using Brave, though I'm keeping an eye on some concerning business practices.

For bumping up your browser security/privacy, I'd recommend the following extensions:

If you want to make your Firefox installation more privacy-respecting, you can follow these steps and, to further disrupt sites that try to track your browsing habits, install the Multi-Account Containers add-on and/or the Cookie AutoDelete add-on. You can also change Firefox's default search engine from Google to DuckDuckGo.

If you want to browse more anonymously, consider using the Tor Browser. However there are some important things to note about the Tor Browser, which Shelton summarizes nicely:

Tor Browser encrypts your traffic and bounces your secured connection within the Tor network before connecting to the Web from a remote location... It is important to note that network eavesdroppers can still tell that you’re using Tor — they just can’t tell what you’re doing within Tor. If you’re looking for real anonymity, avoid sharing personal information in websites you access through Tor Browser.

Another good resource, Tor's official overview, adds: to stay anonymous while using the Tor Browser, “[d]on't provide your name or other revealing information in web forms.” In other words, you probably don't want to log in to Facebook.

More secure texting/voice calls/instant messaging

Apple's iMessage is pretty secure for everyday use, but if you want to step it up a notch (or you have any Android users in your group text), consider using Signal or Wire, which both use “end-to-end” encryption.

As mentioned above, periodically review which devices you're logged in on. Both services also support disappearing messages. Here's a beginner's guide to Signal and one for Wire.

Private note-taking

I use Standard Notes for taking notes (rather than Evernote or other alternatives).

Guides I cited or recommend

See Something Say Something

I’m low-key terrified that there is misinformation above. If you see something wrong or misleading here, or you have suggestions, feel free to ping me on Twitter or Mastodon, or send me an encrypted message using one of the services listed here.

I recently started using a text editor called Vim. For the uninitiated, Vim is a lightweight text editor often used for writing code. It comes pre-loaded on some if not all remote servers. Since it’s designed to be used without a mouse, there are tons of keyboard shortcuts to learn. This part isn’t a huge deal—for now just know that Vim is a text editor, like Notepad or Sublime Text or Word. (And note that I am still pretty shitty at using it.)

Like most programs, Vim has a bunch of preferences you can set however you like. If you’re like me, when you download a new program like TweetDeck or Slack or Adium or whatever, sooner rather than later you go into the program’s preferences and see what things you can tweak to your taste. It’s usually a series of GUI tabs, checkboxes, and drop-down menus. Here’s the “General” panel of my Adium settings:

[screenshot: the “General” panel of the Adium settings]

However, since you can run Vim without a graphical interface, users set their preferences and settings in a text file called “vimrc”. Necessarily, this text needs to be written in a certain way, so it’s technically code. But let’s not freak out. What does that look like? Well, here is a portion of my vimrc file (Note that lines that begin with a double quotation mark are comments, not read by Vim, only us humans.)

" set font for gui vim
set guifont=DejaVu\ Sans\ Mono:h17
" for color scheme
colorscheme mustard
set background=dark
" turn syntax highlighting on
syntax on
" show (partial) commands as you type them; sc is short for showcmd
set sc
" set tab as 4 spaces
set tabstop=4
set shiftwidth=4
set expandtab
" auto indent
set autoindent
" turn on the wildmenu cuz everyone says to
set wildmenu
" search characters as they're entered
set incsearch
" have vim re-load files when they're changed outside of vim
set autoread

So let’s take an example: set tabstop=4 means that I want my tabs to be equal to 4 spaces. I could change that to 2, or I could remove the line from my vimrc file altogether and Vim would fall back to the default tab size (which is 8 I think?). The important thing to note is that it’s just text. You, reader, could copy and paste that code block into your vimrc file and once you restarted Vim you’d be using my settings. Thus I’m calling it “text-file preferences,” a phrase I made up today.

Now, depending on your experiences, this may seem like a confusing and unnecessary disadvantage over the graphical preferences menus that more “normal” programs like Adium have. But I argue that having your user preferences stored in a text file like this is incredibly powerful.

Why This Is Good

There are two reasons I think it’s very powerful. The first is that your setup becomes extremely portable. When I set up Vim on my work computer, all I had to do was copy and paste my vimrc file into the appropriate location and boom, all my settings were good to go. If I had needed to manually enter all of these settings into a graphical interface, it would have taken much longer.

With all of my preferences in a text file, I could have hundreds of settings set just how I like them and it would take me the same amount of time to transfer them to a new environment as if I had only 2 settings specified. In this way text-file preferences make it easy for application makers to offer more options for power users without confusing newbies (assuming they have sensible defaults). Also, backing up your preferences is as easy as saving a text file.

The second, and far more important, reason that text-file preferences are awesome is that they make sharing settings very easy. If you Google “vimrc example” you’ll find tons of example vimrc files from Vim users. I picked up a bunch of tips for my personal vimrc file, learning new settings I didn’t know about or alternate ways of changing defaults that I didn’t like, from poking around in the settings of other users. Sample vimrc files can be advertised as optimized for a specific task, style, or programming language. Thus these settings and customizations can be debated in the public forum of the internet, helping everyone find a set of preferences that best suits them.

NOTE: This second argument is a bit inflated because developers (of which almost all Vim users are, from what I can tell) are comfortable with the philosophy of open sourcing code and have working knowledge of Git and GitHub (an insanely powerful system). But perhaps the general population of computer users will start to move in that direction. Certainly they are always gaining more ways of publishing and sharing text publicly.

Additionally, Vim’s color settings and custom keyboard shortcuts (called mappings) are stored as text, so these additional customizations benefit in the same way.

This is Just For Power Users. And Isn’t The Power User Dead?

Obviously the bulk of the benefits of text-file preferences I’ve described really only apply to power users. Maybe some of you never dive into the GUI preferences menus of your applications, or never use keyboard shortcuts, let alone have a desire to add custom ones. Hell, maybe you think good programs should only need a handful of setting options. My now-colleague Charlie Warzel declared the power user dead way back in October of 2013, with the formidable thesis that for large, established companies like Facebook and Twitter, the eyeballs of a new user are just as valuable as those of a power user. Perhaps I am a strange outlier, overly influenced by my dabbling as a programmer.

But!

I have faith that as more and more people become more computer literate and, more importantly, become even a bit more comfortable with “code,” they will begin to care about seemingly small things like granular customizations and portability of their user settings. And as a response, app developers will both feel more comfortable, and eventually NEED, to offer users more options and customizations.

Of course developers could offer users both a graphical menu for their settings AND a text file option, assuming the graphical interface allows users to easily import and export their settings.

Naturally the next step here would be allowing third-party plugins for applications, of which I’ve already added 3 to Vim. But that’s a battle for another day.