Information security is important. Yet lots of folks do things that diminish or even eliminate their personal or professional information security. In this article, I detail numerous information security best practices and the rationales behind them.
Use Strong Passwords
Strong password design is tricky because people don’t understand the concept of entropy. So, rather than make specific suggestions about length or characters, or spend time emphasizing how you shouldn’t reuse passwords, I’m going to simply say: use LastPass.
LastPass is a browser extension which remembers passwords and other forms for you. It generates strong passwords for you and saves them for you securely. When it’s time to log into one of your LastPass-guarded sites, all you have to do is click the LastPass icon in the password box on that site (protecting you from keyloggers). In other words, it makes having strong passwords easy.
Tin Foil Hat Alternative: DIY Password Generator
Using LastPass is adequate for most people, but it isn’t open source. If you are a software developer and want to write your own password generator, here are some key considerations.
- Your password generation method should have adequate entropy.
- Your output (generated passwords) should conform to most sites’ password rules. If it doesn’t, you’ll end up manually modifying the output so that it does conform to said rules and you’ll have to remember the modifications.
- Your input should be some easy to remember attribute of the account the password is being generated for.
No Browser-Remembered Passwords
Do not let Google Chrome or any other browser remember your passwords. Anyone who knows basic HTML can reveal your remembered password by changing the login form’s “type” attribute from “password” to “text”. It takes five seconds and makes you vulnerable to anyone who has physical access to your device.
No Biometrics (Yet)
There are three very simple rules for email safety which will do more for you than most other items in this article.
- Don’t respond with important information, ever.
- Use browser-based email. Using Outlook or Thunderbird puts you at risk because nasty attachments come straight to your PC. If you use Gmail, Yahoo Mail, Hotmail, etc., you shift all that risk to Google/Yahoo/Microsoft’s servers instead. Just checking your email in a browser makes you far less likely to install a keylogger or some other nastiness.
- Check the “From” address. If that account deletion warning from your bank seems strange, who is the sender? If your bank is XBank and the “From” address is email@example.com, you’re probably safe to respond. If it’s firstname.lastname@example.org or email@example.com, then NO you don’t want to click that link.
Encrypt and Lock Your Devices
Encrypt + Lock = Good
Every device you own should be encrypted: your phone, your laptop, your desktop, your tablet, etc. It is trivially simple to remove the hard drive from a stolen device and plug it into another device. Did you think your files were protected by your log in password? Think again.
Encryption sounds difficult and scary, but it’s really not. Most Android phones and Apple phones and laptops have encryption options built into the operating system. You can encrypt your phone or MacBook from the settings menu. Windows devices aren’t much harder. Google “encrypt my xxxxx” to learn how to encrypt each of your devices.
That said, if you encrypt your devices but don’t lock them, you’re missing most of the benefits of encryption. What good is the encryption doing you if anyone can get into your files by just swiping up on your phone? Encryption and locking go hand in hand. Do both or reap the benefits of neither.
Tin Foil Hat Addendum: Hidden Volumes
If you’re in a situation in which you may be forced to decrypt your device, consider using a hidden volume. A hidden volume is a part of your hard drive which looks like empty space unless you decrypt the hard drive with the hidden volume password instead of the normal encryption password. Be careful though! Since the hidden volume looks like empty space even to the operating system (after you’ve decrypted the fake volume), it can easily be partially overwritten by saving files on the fake volume, and therefore irreparably corrupted.
Two-Factor Authentication (2FA)
Using 2FA means that an attacker will have to both have your password and some secondary means of authentication (ideally a physical device like a cell phone) to access your account. It adds a little bit of hassle to your life because it also means that you have to have access to that secondary means of authentication when you want to log in, but the trade-off is more than worth it.
Tin Foil Hat Warning: Backup Codes Awareness
Some sites offer to give you one or more “backup codes”, in case you lose access to the account. (That is, you forget your password, lose your cell phone for phone 2FA, get locked out of the email you set as the password recovery email, etc.) Backup codes are great, but you should be aware of what an attacker would get if they got your backup codes. It’s different for different sites. Here are some examples.
- Hotmail backup codes: let you reset the account password, change the recovery email, and access the account.
- Gmail backup codes: even after entering a backup code, Gmail will still ask for another method of authentication before letting you in. If you do not provide one, Google will “review your request”.
- Dropbox backup codes: can be used in place of a phone.
Let me first say as a website administrator, that security questions are the poor man’s 2FA. Security question answers are often easy to find in public records or elsewhere. If you must use them, use them with care.
Only You Should Know Your Answers
Try to select questions and answers which are not available in public records. Here are some bad questions.
- Where did you go to high school?
- What was your mother’s maiden name?
- What was the make and model of your first car?
For contrast, here are some
good arguably better questions.
- What was the name of your first pet?
- Where did you meet your significant other?
- What is your favorite food?
A great point about security questions, which was raised a few months back by journalist Brian Krebs: don’t answer personality (or other) quizzes online. You’re giving away information about yourself for free to potentially unscrupulous sources who may then try to use it to account-recovery or phish their way into your accounts.
No Repeat Questions
Another point to take into consideration is that phone service operators and website admins may have access to your answers in plain text. Therefore, you’ll want to vary your selection of questions across sites in order to minimize cross-site exposure by malevolent operators or site admins.
Tin Foil Hat Alternative: Don’t Know Your Own Answers
Some sites and services do not let you pick good questions. If you are a software developer, you can write a security answer generator for security question answers. The input would be the question itself, and the output, ideally, is a human-readable phrase, since some services have operators who will ask you the answers to your security questions over the phone in order to authenticate you.
Protection From Yourself: Single Points of Failure
This is a category that people often fail to consider completely. If your important stuff (read: bitcoin wallet, family photos, work documents) is on your laptop and you drop your laptop into the sea, your important stuff is now gone. You have failed to protect yourself from yourself.
You want to prevent the existence of any single point of failure in your setup. Any one account or device should be able to go without the whole system collapsing or being seriously damaged.
Any important files should be stored redundantly. You get some level of automatic redundancy from using services like Dropbox, Google Drive, or OneDrive, but with those services, there are a few points to keep in mind.
- They might go away at any time. (Remember Google Reader? — yes I’m still bitter, so what?)
- You sacrifice privacy by using them. This might be fine, or it might not, depending on what you’re storing.
Regardless, for an extra layer of redundancy, you should have backups of very important files on multiple external media.
If any of your email/other accounts gets hijacked or you forget the password, you should be able to recover from it. This means that account recovery options on those accounts should be well explored and considered. You should leave yourself a bread crumb trail to get out of the lost accounts woods. And you should do full tests of those breadcrumb trails. Pretend like you actually got locked out of that important account and try to get back in.
Your Monkey Brain
Don’t create a system which is too hard for you to use. Twenty five character passwords are super secure (at present), but if you’re not going to be able to remember them, don’t use them. You also need to protect yourself from your own monkey brain’s inadequacy. It’s not a hard drive. It just forgets stuff sometimes.
Also worth mentioning in this section are some self-defeating platitudes about security that you sometimes hear.
- “No one would come after me.” You’re probably right that no other individual person is targeting you. The energy spent in targeting an individual is usually not worth the payoff. But it won’t be a person targeting you and you alone. It will be an algorithm targeting everyone with a wide net, and pulling in the suckers.
- “Security is too hard and it’s just too much effort.” This essentially amounts to, “I can’t secure everything, so I’m going to secure nothing.” Grab the low-hanging fruit! Do the easy stuff instead of doing nothing at all. Incremental improvement for the win.
20th Century Security Techniques
Our world is increasingly digital, but a handful of older security practices bear mentioning here.
Carrying cash or debit means that if you lose your wallet, get robbed, or get scammed, you’ve denied yourself the motherload of consumer protections built into almost every credit card. If you need to carry cash, carry just a little bit or put low withdrawal limits on your debit/bank card.
Your social security number is effectively public information. If you think that it provides any level of account security, take a moment and think about the multitude of entities to whom you have provided it. That’s all I’m going to say about that.
Take a lesson from Battlestar Galactica: if it’s not digital, a hacker can’t touch it. You might want to keep some things offline: in your desk or a safe. Of course, if it’s not digital, it’s also not encrypted.
Tin Foil Hat Credit Firewall: Freeze Your Credit
Equifax, TransUnion, and Experian all offer free credit un/freezing service. If you’re not planning on buying a car or a house, signing a new apartment contract, or opening new credit cards, what reason do you have not to freeze all three (and Innovis and ChexSystems while you’re at it)? If you are planning on doing something which involves credit checks, you can always temporarily unfreeze the relevant credit bureau.
If you think that putting files in the Recycle Bin is the same as deleting… well, you’re probably not reading this article. But even actually-deleted files can be recovered. I once bought a laptop from a guy on Craigslist. The very first thing I did with it was undelete all of his files and look at his stuff.
You might be asking, “isn’t this overkill if I’m encrypting my entire drive?” It is, but you don’t always have the option of encrypting the entire drive. For instance, you might be on a work computer.
Be Careful With Installers
After email, installers are the best way to get keylogged or otherwise hijacked. Even installers from some reputable companies will come loaded with crapware.
- Whenever given the option, choose “Custom Install” and pay attention to what you’re clicking “Next” to.
- Where you download something from matters. The same software might be wrapped in spyware when downloaded from one site and clean from another.
- The more you get into the weeds with random third party programs, the more you put yourself at risk.
If you’re tech savvy enough, sandboxing and monitoring the installation is a good route when dealing with unknown new programs. For everyone else, just be cautious.
Reduce Your Digital Footprint
Whether or not you care about Big Brother or Big Data having all of your personal information, you probably don’t want random third parties having it. That means
- downloading old emails and data via services like Google Takeout,
- archiving it if it’s important to you,
- and then deleting it from website X if you’re not actively using it.
Even if website X is trustworthy, when they get compromised, you can bet that Random Blackhat and friends are not.
Tin Foil Hat Defense: Hiding Your Browsing
If you care about your ISP seeing all of your activity, you’ll want to hide it from them by using a VPN and Tor together. There are two ways to do this, Tor over VPN and VPN over Tor, and the differences and trade-offs are beyond the scope of this article. Regardless, if you don’t like targeted ads or are in a politically sensitive situation, masking your browsing activity is something you’ll want to do. Switching your computer’s name server to CloudFlare will also help in this respect as (at time of writing) they are the only DNS provider to use DNS over HTTPS.
Don’t use cloaking sites or free proxies! They may not all be bad, but trusting random strangers with the entirety of your web traffic is even worse than trusting your ISP.
We’ve covered lots in this article, but there is plenty more good material out there. Here’s some of it!