_assets | ||
.github | ||
LICENSE.md | ||
README.md |
Personal Security Checklist
A curated checklist of tips to protect your dgital security and privacy
Contents
Passwords
2 Factor Authentication
Browsing the Web
Email
Social Media
Networking
Mobile Phones
Personal Computer
Passwords
Most reported data breaches are caused by the use of weak, default or stolen passwords (according to this Verizon report). Massive amounts of private data have been, and will continue to be stolen because of this.
Use strong passwords, which can't be easily guessed or cracked. Length is more important than complexity (at least 12+ characters), although it's a good idea to get a variety of symbols. Ideally you should use a different and secure password to access each service you use. To securely manage all of these, a password manager is usually the best option. This guide gives a lot more detail about choosing and managing passwords.
Security | Priority | Details and Hints |
---|---|---|
Use a strong password | Recommended | Try to get a good mixture of upper and lower-case letters, numbers and symbols. Avoid names, places and dictionary words where possible, and aim to get a decent length (a minimum of 12+ characters is ideal). Have a look at HowSecureIsMyPassword.net and How Long will it take to Crack my Password to get an idea of what a strong password is. See this guide for more information. |
Don’t save your password in browsers | Recommended | Most modern browsers offer to save your credentials when you log into a site. Don’t allow this! As they are not always encrypted, hence can allow someone to gain easy access into your accounts. Also do not store passwords in a .txt file or any other unencrypted means. Ideally reputable use a password manager. |
Use different passwords for each account you have | Recommended | If your credentials for one site gets compromised, it can give hackers access to your other online accounts. So it is highly recommended not to reuse the same passwords. Again, the simplest way to manage having many different passwords, is to use a password manager. Have a look at LastPass, DashLane, KeePass or Robo Forms 8. |
Be cautious when logging in on someone else’s device | Recommended | When using someone else's machine, ensure that you're in a private session (like Incognito mode, Crt+Shift+N) so that nothing gets saved. Ideally you should avoid logging into your accounts on other peoples computer, since you can't be sure their system is clean. Be especially cautious of public machines, or when accessing any of your secure accounts (email, banking etc). |
Avoid password hints | Optional | Some sites allow you to set password hints. Using this feature makes it easier for hackers. |
Never answer online security questions truthfully | Optional | If a site asks security questions (such as place of birth, mother's maiden name or first car etc), don't provide real answers. It is a trivial task for hackers to find out this information. Instead, create a password inside your password manager to store your fictitious answer. |
Don’t use a 4-digit PIN to access your phone | Optional | Don’t use a short PIN to access your smartphone or computer. Instead, use a text password. Pins or numeric passphrases are much easier crack, (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a 4-character alpha-numeric code). |
Use an offline password manager | Advanced | Consider an offline password manager, encrypted by a strong password. If you work across two or more computers, this could be stored on an encrypted USB. KeePass is a strong choice. |
If possible, try to avoid biometric and hardware-based authentication | Advanced | Fingerprint sensors, face detection and voice recognition are all hackable. Where possible replace these with traditional strong passwords. |
2-Factor Authentication
This is a more secure method of logging in, where you supply not just your password, but also an additional code usually from a device that only you have access to.
2FA Apps: Authy (with encrypted sync), Google Authenticator, Microsoft Authenticator, FreeOTP (open souce), LastPassAuthenticator (synced with your LastPass), Duo and Authenticator Plus.
Security | Priority | Details and Hints |
---|---|---|
Enable 2FA on Security Critical Sites | Recommended | In account settings, enable 2-factor authentication. Ideally do this for all your accounts, but at a minimim for all security-scritical logins, (including your password manager, emails, finance and social sites). List of sites that support 2FA. |
Keep backup codes safe | Recommended | When you enable 2FA, you'll be given a few one-time codes to download, in case you ever lose access to your authenticator app or key. It's important to keep these safe, either encrypt them and store on a USB, or print them on paper and store them somewhere secure like a locked safe. Delete them from your computer once you've made a backup, incase your PC is compromised. |
Don't use SMS to recieve OTPs | Optional | Although SMS 2FA is certenly better than nothing, but there are many weaknesses in this system, ( such as SIM-swapping) (read more), therefore avoid enabling SMS OTPs, even as backups. |
Don't use your Password Manager to store 2FA tokens | Optional | One of the quickest approachs is to use the same system that stores your passwords, to also generate and fill OTP tokens, both LastPass and 1Password have this functionality. However if a malicious actor is able to gain access to this, they will have both your passwords, and your 2FA tokens, for all your online accounts. Instead use a seperate authenticator from your password manager. |
Consider a hardware 2FA Key | Optional | A physical 2FA key generates an OTP when inserted. Have a look at NitroKey (open source), YubiKey or Solo Key. You can also use it as a secondary method (in case your phone is lost or damaged). If this is your backup 2FA method, it should be kept somewhere secure, such as a locked safe, or if you use as physical key as your primary 2FA method, then keep it on you at all times. |
Browser and Search
Most modern web browsers support add-ons and extensions, these can access anything that you do online, avoid installing anything that may not be legitimate and check permissions first. Be aware that ever website that you interact with, including search engines will likely be keeping records of all your activity. Last year Kaspersky reported over a million data exploits caused by malicious sites.
For more browser security pointers, check out: Here’s How To Get Solid Browser Security.
Security | Priority | Details and Hints |
---|---|---|
Deactivate ActiveX | Recommended | ActiveX is barley used nowadays, but Microsoft browsers have it enabled by default. It acts as a middleware between Java and Flash applications and your PC. But it is commonly used for malicious sites to run scripts directly on your PC. See this article for more details. |
Disable Flash | Recommended | Adobe Flash has been around since the dawn of the internet, however it has been falling in popularity for a while. It brings with it many unpatched vulnerabilities (a few of which you can read about here). See this guide, on how to disable Flash player, or this guide for more details on how dangerous it can be. |
Block Trackers | Recommended | Consider installing a browser extension, such as Privacy Badger, to stop advertisers from tracking you in the background. |
Block scripts from bad origin | Recommended | Use an extension such as uBlock Origin, to block anything being loaded from an external or unverified origin. |
Force HTTPS only traffic | Recommended | Using an extension such as HTTPS Everywhere, wil force all sites to load securely. |
Only use trusted browser add-ons and extensions | Recommended | Both Firefox and Chrome web stores allow you to check what permissions/access rights an extension requires before you install it. Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while. Extensions are able to see, log or modify anything you do in the browser, and some innocent looking browser apps, have malitious intentions. |
Always keep your browser up-to-date | Recommended | Browser vulnerabilities are constantly being discovered and patched, so it’s important to keep it up to date, to avoid a zero-day exploit. You can see which browser version your using here, or follow this guide for instructions on how to update. |
Use a private search engine | Optional | Google tracks, logs and stores everything you do, but also displays biased results. Take a look at DuckDuckGo or StartPage. Neither store cookies or cache anything. Read more about Google Search Privacy. |
Consider a privacy browser | Optional | Google openly collects usage data on Chrome usage. There are several privacy browsers out there which minimise the amount of data collected. The most popular of which is Brave Browser, or Firefox. Others include Epic Browser Yandex, or Comodo. The most secure option is Tor Browser. |
Use DNS-over-HTTPS | Optional | Traditional DNS makes requests in plain text for everyone to see, it allows for eavesdropping and manipulation of DNS data by man-in-the-middle attacks. Whereas DNS-over-HTTPS performs DNS resolution via the HTTPS protocol, meaning data between the you and your DNS resolver is encrypted. You can follow this guide to enable in Firefox, for see CoudFlares 1.1.1.1 Docs. |
Disable WebRTC | Optional | WebRTC allows high-quality audio/ video communication and peer-to-peer file-sharing straight from the browser. However it can pose as a privacy leak, especially if you are using a proxy or VPN. In FireFox WebRTC can be disabled, by searching for, and disabling media.peerconnection.enabled in the settings. For other browsers, the WebRTC-Leak-Prevent extension can be installed. uBlockOrigin also allows WebRTC to be disabled. To learn more, check out this guide. |
Use Tor | Advanced | The Tor Project privides a browser that encrypts and routes your traffic through multiple nodes, keeping users safe from intercaption and tracking. The draw backs are speed and user experience, but it is the most secure browser option. |
Disable JavaScript | Advanced | Many modern web apps are JavaScript based, so disabling it will greatly decrease your browsing experience. But if you really want to go all out, then it will reduce your attack surface. Read more about the growing risk of JavaScript malware. |
Route all desktop traffic via Tor | Advanced | Whonix allows for fail-safe, automatic, and desktop-wide use of the Tor network. It's based on Debian, and runs in in a virtual machine. Straigt-forward to install on Windows, OSX or Linux. |
Emails
Nearly 50 years since the first email was sent, they’re still very much a big part of our day-to-day life, and will probably continue to be for the near future. So considering how much trust we put in them, it’s surprising how fundamentally insecure this infrastructure is. Email-related fraud is on the up, and without taking basic measures you could be at risk.
If a hacker gets access to your emails, it provides a gateway for your other accounts to be compromised, therefore email security is paramount for your digital safety.
It's strongly advised not to use non-encrypted email, but if you follow these guides for simple steps to improve security: Yahoo, Gmail, Outlook and AOL. The easiset way to stay protected, it to use a secure mail provider, such as ProtonMail.
Security | Priority | Details and Hints |
---|---|---|
Have more than one email address | Recommended | Keeping your important and safety-critical messages separate from trivial subscriptions such as newsletters, is a very good idea. Be sure to use different passwords. This will also make recovering a compromised account after an email breach easier. |
Keep security in mind when logging into emails | Recommended | Your email account is one of the most important to protect with a secure password. Only sync your emails with your phone, if it is secured (encrypted with password). Don’t allow your browser to save your email password. Prevent man-in-the-middle attacks by only logging in on a secured browser. |
Always be wary of phishing and scams | Recommended | If you get an email from someone you don’t recognize, don’t reply, don’t click on any links, and absolutely don’t download an attachment. Keep an eye out for senders pretending to be someone else, such as your bank, email provider or utility company. Check the domain, read it, ensure it’s addressed directly to you, and still don’t give them any personal details. Check out this guide, on how to spot phishing emails. |
Don’t share sensitive information over email | Optional | Emails are very very easily intercepted. Also you can’t know how secure your recipients environment is. Don’t share anything personal, such as bank details, passwords, confidential information over email. Ideally, don’t use email as a primary method of communication. |
Don’t connect third-party apps to your email account | Optional | If you give a third-party app (like Unroll.me) full access to your inbox, this makes you vulnerable to cyber attacks. The app can be compromised and, as a consequence, cyber criminals would gain unhindered access to all your emails and their contents. |
Consider switching to a more secure email provider | Optional | Email providers such as ProtonMail, CounterMail, HushMail (for business users) or MailFence allow for end-to-end encryption, full privacy as well as more security-focused features. See this guide for a details of the inner workings of these services. |
Social Media
Security | Priority | Details and Hints |
---|---|---|
Check your privacy settings | Recommended | Most social networks allow you to control your privacy settings. Ensure that your profile can only be viewed by people who you are in your friends list, and you know personally. |
Only put info on social media that you wouldn’t mind being public | Recommended | Even with tightened security settings, don’t put anything online that you wouldn’t want to be seen by anyone other than your friends. Don’t rely solely on social networks security. |
Don’t give social networking apps permissions they don’t need | Recommended | By default many of the popular social networking apps, will ask for permission to access your contacts, your call log, your location, your messaging history etc.. If they don’t need this access, don’t grant it. |
Revoke access for apps your no longer using | Recommended | Instructions: Facebook, Twitter, LinkedIn, Instagram. |
Remove metadata before uploading media | Optional | Most smartphones and some cameras automatically attach a comprehensive set of additional data to each photograph., This usually includes things like time, date, location, camera model, user etc. Remove this data before uploading. See this guide for more info. |
Don’t have any social media accounts | Advanced | It may seem a bit extreme, but if your serious about data privacy and security, stay away from entering information on any social media platform. |
Networking
This section covers how you connect your devices to the internet, including configuring your router and setting up a VPN.
A Virtual Private Network (VPN) protects your IP, and allows you to more securely connect to the internet. Use it when connecting to public WiFi or to restrict your ISP from seeing all sites you've visited. Note, VPNs are not a perfect solution, and it is important to select a reputable provider, to entrust your data with. Tor provides greater anonimity.
Security | Priority | Details and Hints |
---|---|---|
Use a VPN | Recommended | Use a reputable, paid-for VPN. Choose one which does not keep and logs and preferably is not based under a 5-eyes jurisdiction. See That One Privacy Site for a detailed comparison. As of 2020, NordVPN and SurfShark are both good all-rounders (for speed, simplicity and security), and Mullvad, OVPN and DoubleHop are excelland for security. |
Don’t use a default router password | Recommended | Change your router password- here is a guide as to how. |
Use WPA2 | Recommended | WPA and WEP make it very easy for a hacker to gain access to your router. Use a WPA2 password instead. Ensure it is strong: 12+ alpha-numeric characters, avoiding dictionary words. |
Keep router firmware up-to-date | Recommended | Manufacturers release firmware updates that fix security vulnerabilities, implement new standards and sometimes add features/ improve the performance your router. It's important to have the latest firmware installed, to avoid a malicious actor exploiting an un-patched vulnerability. You can usually update your router by navigating to 192.168.0.1 or 192.168.1.1 in your browser, entering the credentials on the sticker on the back of you of your router (not your WiFi password!), and following the on-screen instructions. Or follow a guide from your routers manufacturer: Asus, D-Link, Linksys (older models), NetGear and TP-Link. Newer Linksys and Netgear routers update automatically, as does Google's router. |
Configure your router to use VPN | Optional | If you set your VPN up on your router, then data from all devices on your home network is encrypted as it leaves the LAN. Again, it's important to select a secure VPN provider, as they will see what your ISP previously had been logging. Follow a guide from your router manufacturer or VPN provider, or see this article to get started. Note that depending on your internet connection, and VPN provider, this could slow down your internet. |
Stay protected from DNS Leaks | Optional | A DNS leak is the act of monitoring, storing and filtering your DNS traffic at ISP level. To prevent this you can either use a DNS server provided by your VPN, or use CloudFlares DNS (set nameservers to 1.1.1.1 ), or maintain your own DNS server. You can check your protection, by running a DNS Leak Test, or run nslookup whoami.akamai.net in your terminal. Read more about preventing DNA Leaks. |
Use a secure VPN Protocol | Optional | OpenVPN is widley used, and currently considered a secure tunneling protocol, it's also open source, lightweight and effiecient. L2TP can be good, but only when configured correctly, whereas it's much harder to go wrong with OpenVPN. Don't use PPTP, which is now legacy, and not considered secure, and avoid SSTP (proprietary, owned by Microsoft and due to lack of transparency, could be vulnrable to exploits). IKEv2 and WireGuard (experimental) are also good options. |
Ideally hide your SSID | Optional | An SSID (or Service Set Identifier) is simply your network name. If it is not visible, it is much less likely to be targeted. You can usually hide it after logging into your router admin panel, see here for more details. |
Avoid the free router from your ISP | Optional | Typically they’re manufactured cheaply in bulk in China, and firmware updates which fix crucial security flaws aren’t released regularly. Consider an open source based router, such as Turris MOX |
Use the Tor Network | Advanced | VPNs have their weaknesses, since the provider knows your real details, whereas Tor is anonymous. For optimum security, route all your internet traffic through tthe Tor network. On Linux you can use TorSocks and Privoxy, for Windows you can use Whonix, and on OSX follow thsese instructions. Finally, you can use OnionPi to use Tor for all your connected devices, by configuring a Raspberry Pi to be a Tor Hotspot |
Kill unused process and services on your router | Advanced | Services like Telnet and SSH (Secure Shell) that provide command-line access to devices should never be exposed to the internet and should also be disabled on the local network unless they're actually needed. In general, any service that’s not used should be disabled to reduce attack surface. |
Mobile Devices
Most smart phone apps will run in the background, collecting and logging data, making network requests and ultimately creating a clear picture of you you are, just from your data. This is a big problem from both a security and privacy perspective.
Even non-smart phones, (and even when the screen is off) are constantly connecting to the nearest cell phone towers, (it does this by broadcasting it's IMEI and MEID number). The towers then relay this information, along with any communications, to your mobile carrier, who will store these records indefinitely. The movements of your phone are the movements of you as a person, so all phone proximity and data records can always be linked directly back to you. So whenever your phone is on, there is a record of your presence at that place, being created and maintained by companies.
SMS texting and traditional phone calls are not secure, so it's imprortant to avoid using that to send or recieve anything secure (such as log in codes, OTPs or any personal details). Instead use encrypted messaging, like Signal whenever you can. Be wary of who you share your phone number with.
Security | Priority | Details and Hints |
---|---|---|
Turn of connectivity features that aren’t being used | Recommended | When you're not using WiFi, Bluetooth, NFC or anything else, turn those features off. These are commonly used to easily hack individuals. |
Uninstall apps that you don’t need | Recommended | Don’t have apps that your not using on your phone, as they can be collecting data in the background. Don’t install apps from non-legitimate sources, or apps with few reviews. |
Don’t grant apps permissions that they don’t need | Recommended | If an app doesn’t need access to your camera, don’t grant it access. Same with any features of your phone, be wary about what each app has access to. |
Monitor Trackers | Optional | A tracker is a piece of software meant to collect data about you or your usages. εxodus, is a great service, which lets you search for any app, by it's name, and see which trackers are embeded in it. They also have an app, which shows trackers and permissions for all your installed apps. |
Install a Firewall | Optional | To prevent applications from leaking privacy-sensitive data, you can install a firewall app. This will make it easier to see and control which apps are making network requests in the background, and allow you to block specific apps from roaming when the screen is turned off. For Android, check out NetGuard, and for iOS there is LockDown, both of which are open source. Alternatively there is NoRootFirewall Android, XPrivacy Android (root required), Fyde iOS and Guardian Firewall iOS. |
Use secure, privacy-respecting apps | Optional | Mainstream apps have a reputation for not respecting the privacy of their users, and they're usually closed-source meaning vulnrabilities can be hidden. Prism-Break maintains a list of better alternatives, see Android and iOS. |
Don’t use SMS - Use E2E encrypted messaging apps | Optional | iMessage is secure. For non-Apple users Signal is the most secure option. As of late 2016 WhatsApp is also end-to-end-encrypted using the Signal protocol. Keep in mind that although the transmission may be secured, messages can still be read if your, or your recipients' devices have been compromised. |
Use a secure email provider | Optional | Most email providers completely invade your privacy intercepting both messages sent and received. ProtonMail is a secure email provider, that is open source and offers end-to-end encryption. There are alternative secure mail providers (such as CounterMail, HushMail and MailFence)- but ProtonMail has both a clear interface and strong security record. |
Avoid using your real phone number when signing up for an account or service | Optional | Where possible, avoid giving out your real phone number while creating accounts online. You can create phone numbers using services such as Google Voice or Skype. For temporary usage you can use a service like iNumbr that generates a phone number that forwards messages and calls to your main number. |
Consider running a custom ROM if you have an Android device | Advanced | Your default OS tracks information about your usage, and app data, constantly. Consider a security-focused custom ROM, such as Lineage or CopperheadOS. |
Personal Computers
Although Windows and OS X are easy to use and convenient, they both are far from secure. Your OS provides the interface between hardware and your applications, so if compromised can have detrimental effects.
Security | Priority | Details and Hints |
---|---|---|
Keep your OS up-to-date | Recommended | Microsoft, Apple and Google release regular OS updates, which fix security risks. Always keep your device updated. |
Consider Switching to Linux | Optional | Linux is considerably more secure than both OSX and Windows. Some distros are still more secure than others, so it’s worth choosing the right one to get a balance between security and convenience. |
Avoid PC Apps that are not secure | Optional | Mainstream apps have a reputation for not respecting the privacy of their users, and they're usually closed-source meaning vulnrabilities can be hidden. See here for compiled list of secure PC apps for Windows, OSX and Linux. |
Use a Security-Focused Distro | Advanced | QubeOS is based on “security by compartmentalization”, where each app is sandboxed. Whonix is based on Tor, so 100% of your traffic will go through the onion router. Tails is a has no persistent memory, and is ideal if you don’t want to leave a trace on the device your booting from. Subgraph is an “adversary resistant computing platform”, but also surprisingly easy to use |
Password protect your BIOS and drives | Advanced | A BIOS or UEFI password helps to make an inexperienced hackers life a bit harder if they get a hold of your PC or hard drive, here is a guide on how to do it. |
Canary Tokens | Advanced | Network breaches happen, but the longer it takes for you to find out about it, the more damage is done. A canary token is like a hacker honeypot, something that looks appealing to them once they've gained access to your system. When they open the file, unknowingly to them, a script is run which will not only alert you of the breach, but also grab some of the hackers system details. CanaryTokens.org and BlueCloudDrive are excellent sites, that you can use to generate your tokens. Then just leave them somewhere prominent on your system. Learn more about canary tokens, or see this guide for details on how to create them yourself. |
Notes
Thank you for taking the time to browse this list, I hope the content here was useful. If you have any feedback, feel free to email me at alicia@as93.net.
Contributions are welcome, and would be much appreciated - to suggest an edit you can open an issue, or upload changes by opening a PR. There are some contributing guidelins in CONTRIBUTING.md
.
I owe a lot of thanks others who've conducted research, written papers, developed software all in the interest of privacy and security. Full attributions and referenses found in ATTRIBUTIONS.md
.
Disclaimer: This is not an exhaustive list, and aims only to be taken as guide.
© Alicia Sykes 2020, Licensed under Creative Commons, CC BY 4.0. See LICENSE.md