Digital Security 101

Post-election, there has been an explosion in the discussion around the increasingly urgent need for people to secure their digital lives.

Digital Security 101
Two YubiKeys sit on a wood desk.

Post-election, there has been an explosion in the discussion around the increasingly urgent need for people to secure their digital lives. Honestly, it was already a critical topic -- but I think a lot of people who may have "trusted" the Obama admin have been forced to rethink or confront the realities of the modern surveillance state and what that could mean under a Trump admin.

But just to say it right now, these basic tips won't protect you if you're targeted. There's something called "threat modeling", which is really important to security, but is also complex and sometimes a bit much for people new to digital security who just want to protect themselves quickly and easily. If you're being targeted by a state actor (whether it's the US gov or a foreign gov), then these basic steps won't be enough. But if you just want to improve your every-day privacy and security from website hacks and dragnet surveillance, then these basic steps are a good place to start.

Use a password manager

This, above all else, is my major recommendation to people looking to improve their digital security. You're not going to remember all 200+ website logins you have, and you especially aren't going to remember unique passwords for each one. Even better, password managers can help you generate truly random, long, strong passwords for each website. And both 1Password and LastPass have built-in tools to help audit your existing logins for data breaches, duplicates, and overall password strength.

You can also sync your password manager across devices (there are lots of ways to do this), so that you can access your passwords securely across computers and even on your mobile phone. I'm personally a fan of 1Password, but there are lots of other options, including LastPass and KeePassX.

Use long & unique passwords

While password managers make it easy to generate and "remember" long and unique passwords, you might be wondering why it's so important. Here's the thing... data breaches will happen. If you haven't been caught in one yet (Target, OPM, Tumblr, Adobe...), I promise you will be in the next 5 years. Probably even the next year. In fact, you can check to see if your email address has appearened in any of a number of public data breaches thanks to the site Have I been pwned?.

So what does this have to do with your passwords? Unique passwords for every login you have ensures that when one of them is exposed, all of your other logins aren't exposed with it.

To explain why password length & complexity matters, I recommend checking out the excellent XKCD: Password Strength comic.

Turn on 2-factor authentication (2FA) everywhere

The idea behind 2FA is that to login to sites, you need two things:

  • something you know (your password)
  • something you have (email, sms, authenticator app on your phone, special USB key)

With data breaches becoming increasingly common, just knowing your password doesn't ensure that it's really YOU logging into a website account. But by pairing it with something you physically have access to as well, it improves the chances it is actually you logging into the account.

So how do you turn it on? And where can you turn it on? Not everyone has it yet, but wherever it is available, you should turn it on. Thankfully, there's a great guide for how to do that for a lot of sites. Check out Turn It On.

You can also take a look at this Two Factor Auth (2FA) site for a pretty comprehensive list of who does and does not have 2FA enabled... and makes it really easy to ask them on Twitter or Facebook to add 2FA if they don't have it yet.

Some quick notes, though:

  • SMS is better than nothing, but it's still widely insecure - if you can, use an authenticator app
  • Email is better than SMS, but again, better if you can use an authenticator app
  • In the world of authenticator apps, my two favorite are Authy and more recently AuthenticatorPlus - both offer backup/recovery options
  • Keep your authenticator configs and backup codes safe - treat them like your password

Secure messaging - use Signal

I've been using Signal for awhile. It's easy to use, it's open source so that it can be independently audited, and it's easy to exchange encrypted messages with others who use it.

Usability. It's something often missing in security.

Is Signal perfect? No. And yes, it's better if you have a more advanced understanding (checking people's identity keys, etc.). But it's better than a lot of other options out there, and without getting into the complexities of threat modeling, it's a good start.

Yes, there are other chat apps out there, a lot of them boasting encryption, but I like Signal for both it's openness and usability.

Be aware of the data you expose to social media and apps

This is really critical, and I don't think it's something people think about enough. Whatever you put on the internet -- Facebook, Twitter, Reddit, even your email and IM conversations (unless you take advanced steps to secure them and know what you're doing) -- is something to be potentially exposed to the internet, whether it's your government, foreign governments, or bad hackers. The same goes for unecrypted phone calls and SMS these days.

Likewise, be mindful of the apps you install on your computer and your phone, and what kind of data you might be exposing to them by installing them. Yeah, some of them might be malware, but even for perfectly "safe" apps there are concerns about your data -- look at Uber tracking riders after they're dropped off, for example.

Keep that in mind, and try to choose wisely.