Updates

Use a password manager

I use LastPass. 1Password is also very good.

It’s good to use a unique, random password for every site on which you have an account; a password manager helps you keep all of them straight (and it can generate new, high-quality, random passwords right in the sign-up form for many sites). If you reuse the same password at multiple sites, then when one of them has its password database breached and cracked, thieves have access to your password for multiple sites. If every site gets a different password, the damage is limited. And using randomly generated non-dictionary passwords makes your password for any individual site harder to break.

If you want an open-source solution, KeePass and the cross-platform KeePassX are pretty good.

Enable 2-factor authentication

Use 2-factor authentication (‘2-step verification’, as it is sometimes called; also known as 2FA) for crucial services. At a minimum, enable this for your primary email. It is supported by Gmail and several other providers. If your email provider does not support 2FA, I recommend changing your primary email to one that does. I would personally recommend Outlook.com for U.S. residents, as they support 2FA and also pledge not to data-mine your e-mails to serve you ads. Services you pay for are also often a good idea, such as Zoho or Microsoft Office 365. Fastmail has a good reputation, but it is based in Australia so I cannot recommend it to U.S. residents¹.

The basic idea of 2FA is that you need two things to log in: your password and something else, in most cases your smartphone. There are multiple ways that it can work. The method I like, supported by many Web services, is using a mobile phone app (Google Authenticator or Microsoft Authenticator; there is an equivalent app for iOS). Services that support the protocol used by these apps do not require your phone to have data access in order to log you in (they work based on time²), so you can log in even if your phone has no signal.

Your email is the ‘keys to the kingdom’ for a lot of the rest of your online life. If an attacker gets into it, not only can they rifle through your data and contact your friends, they can use it to take control of just about any other online account you might have, since so many of them have email-based password reset systems. Your email account needs to be guarded at least as securely as the account you think is the most sensitive (such as your online banking).

To turn this on, go to the security settings in the service’s account settings.

Most services will have some mechanism for you to regain access to your account should you lose your phone. Make sure you turn this on, keyed to a home phone or printing out a key and putting it in a bank vault.

Use secure passwords

While most of your passwords will be randomly generated and stored in your password manager, you still need passwords to log in to a few things: your computer, your password manager, and your phone. Since your password manager is storing all your other passwords, these passwords are particularly important. Their security is paramount — if someone can crack your LastPass password, they can get in to everything.

LastPass and most modern computer logins allow you to have long passwords. So for your LastPass password and computer login password, I recommend using a passphrase: a long, multi-word password rather than a single short but hopefully complicated string. Passphrases are both more secure and easier to remember, as XKCD observes.

To create a password that I have to memorize, I use the Diceware system to create a passphrase that is 7-10 words long. Diceware is a procedure for using ordinary 6-sided dice to randomly select words from a list. This has a few advantages:

• Lists of words are relatively easy to remember.

• The password is truly secure, in a mathematical sense. Even if someone knows that you created a 7-word Diceware passphrase, there are still \(6^{35}\) possibilities for that passphrase. A 10-word passphrase gives you \(2^{128}\) possibilities, which is as secure as the strong encryption protecting well-secured web sites. If you use a 10-word Diceware passphrase, then your password is unlikely to be the weakest link in the security of whatever it is protecting.

Many online services have unreasonably short limits on the maximum length of passwords, and require extra characters (length is more important than complexity in password strength, but this wisdom is not widely followed). However, for everything but your computer login and password manager passwords, your passwords will all be in the password manager, so you don’t have to worry about having memorable, secure, 12-character passwords. Just generate random secure passwords with 1Password or LastPass, and have a secure but memorable passphrase protecting that.

If your computer is on an older network that does not support long passwords, then you will need a traditional numbers-and-letters-and-symbols password that is as secure and memorable as you can make it. Do not attempt to create this password yourself; instead, use a password generator such as the one built in to LastPass. DiceWare also has a procedure for generating traditional passwords. The human brain is a profoundly terrible random number generator. Anything an attacker can learn about your thought processes in generating a password reduces the difficulty of guessing it; using a random (computerized or dice) process means your password is as unpredictable as possible.

Secure your phone

First, use a lock code on it. Swipe to unlock is convenient, but if your phone is a key piece of your security setup, you want it to be protected from theft and misuse. Android unlock patterns are better, but I recommend using a numeric unlock PIN or a password. Passwords are a bit annoying to type on a phone, so a PIN seems to me like a good balance of security and usability. Generate a random PIN using your password manager. If you use a 10-digit PIN, you can memorize it like a phone number.

Second, turn on device encryption. This provides some protection should your phone be stolen or misplaced. Encryption also requires a PIN code or password, forcing the answer to the first part of this tip. On Android, you can turn on encryption in the Security section of the settings.

On Windows Phone, there is unfortunately no user interface to enable encryption. However, encryption can be enabled by a business e-mail server. If you have an Office 365 Business account that includes Exchange (either Business Essentials or Business Premium), you can go in to the Exchange admin settings in the admin portal and set up device policies; one available setting in the policy is to require devices to be encrypted. If you then add this Exchange account to your phone, it will encrypt itself.

Third, if your phone offers a ‘find my device’ feature with a remote reset capability, make sure that is enabled³. If you lose your phone, being able to initiate a remote wipe is useful. Google, Apple, and Windows all have such a service, I believe. If you use Android, I recommend using Google’s service, not your phone manufacturer’s or wireless provider’s.

Do not let others use your phone.

Keep your software up to date

Set your operating systems to automatically install updates, and on Windows, to check for updates for other Microsoft programs. Both Chrome and Firefox take care of updating themselves (just make sure you shut them down from time to time to install the updates). If you use Windows, when Windows 10 is released later this year, make sure that you upgrade to it within the first year (upgrades will be free for Windows 7 and 8 users for the first year, and once you have 10 they will be free forever). If you are still running Windows XP, upgrade to Windows 7 now, and upgrade Vista as soon as you can. Out of date software, particularly talking to the Internet, is the easiest way to get malware (viruses, trojans, things that lock up all your data unless you send BitCoin, you know the drill).

Don’t install Flash

Do not install the Flash player, and if you have it, uninstall it. Also, do not install the Java plugin; if you must have Java installed, make sure that the plugin is disabled (in Firefox, go to Add-ons → Plugins).

If you need to browse sites that use Flash, use Google Chrome, which includes a version of the Flash player that runs in a sandbox to protect your computer and receives security updates as a part of Chrome’s automatic updates. I personally use Firefox as my primary browser, and open a site in Chrome if it requires Flash and I want to use it badly enough. It is a little annoying, but the Flash and Java plugins both have long histories of security vulnerabilities and are the other easiest way to get a malware infection. Modern versions of Firefox help this quite a bit by asking before using a plugin on each site, but not even having the plugin means you won’t accidentally click ‘yes I want malware’.

If you are a web developer, for the love of your users, drop Flash from your toolbox. To deploy a new site with Flash in 2015 is professionally irresponsible.

Use an ad blocker

Use an ad blocker in your web browser. I use uBlock Origin myself.

I do not like to recommend this, because good sites rely on advertising revenue to support their operations. However, advertising is a significant means of distributing malware (the ad will have bad code that exploits a security vulnerability in the Flash plugin, or your browser, and infects your computer). It’s possible to do some more targeted blocking, but it takes skill and expertise to assess risks and keeping your computer clean is more important than seeing ads. Until the web advertising industry devises effective solutions for stopping malware propagation, this is the world we live in⁴. You can configure the block lists that uBlock subscribes to; if you want to allow advertising generally but turn off known trackers and known malware sites, turn off ‘EasyList’, turn on ‘EasyPrivacy’, and turn on things in the Malware Domains list. This will reduce your risk, but not be effective against new malware delivered via advertising that hasn’t made the lists yet. Do make sure that your lists are set to auto-update.

Don’t keep data you don’t need

Yes, Google encourages you to keep every e-mail you ever received, and there have been times when I’ve deleted an e-mail only to want it back. But data is risky: if someone does break in to your e-mail, for example, the data there could help them launch additional identity attacks. It could also provide them with the information needed to attack your friends and family. For example, old contact information (addresses, phone numbers, etc.) are one of the ways that credit bureaus verify your identity; if that information can be lifted from your e-mail, it can be used to significant ill effect. The best defense against abuse of data is not having data to abuse.

Developers: there is a feature I would like. A mechanism to automatically delete all e-mail conversations that have had no activity in 90 days and have not been explicitly marked for retention. I like threaded e-mail, so as long as some mail is relevant I’d like to keep the whole conversation, but auto-expiring mail on a conversation basis seems like a very useful way to approach the problem. Users, I’m sorry, but I don’t know of any software that does this yet.

Closing Thoughts

I hope this is helpful. If you are likely to be explicitly targeted (you’re Edward Snowden, or a journalist, or a dissident or activist), it is by no means sufficient. But I hope that it provides some help to ordinary users.

[2FA]: two-factor authentication [OATH]: Open authentication [TOTP]: Time-based One-Time Password [NSA]: National Security Agency *[U.S.]: United States