I think the most basic security advice I could give is:
- Have a strong password on the email address you use for all your important things like finances and signing up for accounts.
- Keep your phone or computer software up to date (implying automatic updates where available).
- Migrate to a password manager and use a different strong password than your email address.
The password manager, I know, is a big ask, but I think that really protects you against the most vulnerable attack vectors.
Also, I guess that the three most important things and the three most basic things someone can do to improve their security can be different, so I’m interested in hearing different takes on this.
I think that the 3 most important things would be to:
- Use a password manager and do it properly
- Use 2FA and again, do it properly
- Keep your software and hardware up to date.
The first 2 rules are (in my humble opinion) the basic requirements to stop the most popular kind of attackers.
The 3rd option is to avoid all kinds of issues related to mass scale attacks and potential data loss.
I think the three most important things to do would be:
- Use an offline password manager [make your passwords using the diceware method or a long random string]
- Use encrypted messaging/phone calls [Signal, Matrix, etc]
- Disable unused radios via toggles or, even better, a Faraday bag.
It’s hard to pick only three, but I would say these go a long way.
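An added worked example for the diceware-or-long-random-string advice above, not code from any poster: it generates both kinds of secret with the OS CSPRNG and computes their entropy so the two can be compared on equal terms. The 36-word list is a constructed stand-in for a real diceware list (the EFF large list has 7776 = 6^5 words, one per five-dice roll); the generator works with any list, and the entropy figures are computed from whatever list size is passed in.

```python
import math
import secrets
import string

# Constructed 36-word stand-in for a real diceware list; swap in a full list for real use.
SAMPLE_WORDLIST = [
    "acorn", "badge", "cabin", "dairy", "eagle", "fable", "gavel", "habit", "igloo",
    "jelly", "kayak", "lemon", "mango", "nylon", "olive", "panda", "quill", "radar",
    "sable", "tulip", "umbra", "valve", "wagon", "xenon", "yacht", "zebra", "amber",
    "bison", "cider", "daisy", "ember", "flint", "gecko", "haven", "ivory", "joker",
]
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def diceware_passphrase(n_words: int, wordlist=SAMPLE_WORDLIST, sep: str = " ") -> str:
    """secrets.choice draws uniformly from the OS CSPRNG, the same distribution as
    physical dice indexing the list. Never use random.choice for secrets."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def random_string(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniform random string over `alphabet`, also from the CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(symbols: int, pool_size: int) -> float:
    """Entropy of `symbols` independent uniform picks from a pool of `pool_size`."""
    return symbols * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole space at the given guess rate (attacker's worst case)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    print(diceware_passphrase(6))
    print(random_string(16))
    for label, bits in [
        ("6 words, 7776-word list", entropy_bits(6, 7776)),
        ("16 random printable chars", entropy_bits(16, len(PRINTABLE))),
        ("6 words, 36-word sample list", entropy_bits(6, len(SAMPLE_WORDLIST))),
    ]:
        years = years_to_exhaust(bits, 1e10)  # 1e10 guesses/s: an assumed offline-cracking rate
        print(f"{label}: {bits:.1f} bits, {years:.2e} years to exhaust at 1e10 guesses/s")
```

Six words from a 7776-word list give about 77.5 bits, a 16-character random printable string about 104.9 bits; the passphrase is the one a person can actually type from memory for the master password, the random string is what the manager should generate for everything else.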
Take back control of your data.
Zero trust model.
Don’t rely on reactive security practices.
These are ~3 things you should absolutely be doing.
1. Better passwords:
- go change them all, seriously, right now!
- use strong/non-unique passwords
- never mix or reuse them across services/accounts
- use a password manager (@jas_framework: offline is better)
- avoid sharing passwords and use something that notifies you of breaches (but don’t rely solely on reactive security)
- enable 2FA/MFA, possibly use hardware keys/tokens
- backup everything just in case
- update your OS with security updates and employ active IDS/IPS (it’s not as hard as it sounds)
- disable and/or avoid telemetry from your OS, browser and IoT devices
- don’t use browser storage for sensitive info including passwords
2. Better browsing:
- block ads at the host level (Pi-hole, DNSSEC/DNSCrypt, /etc/hosts)
- uBlock Origin, LibRedirect, Smart Referrer
- ensure website integrity (in Tor, you can verify a site’s /mirrors.txt)
- use a private search engine (SearXNG, DuckDuckGo)
- don’t use unnecessary extensions (cf. https://github.com/arkenfox/user.js/wiki/4.1-Extensions) - useless bullshit
- use HTTPS (default in your regular browser usually)
- DNS over HTTPS (DoH)
- containerized and/or in-between sessions, sanitize browsing (again, Arkenfox/user.js)
- minimize your footprint/fingerprint (Firefox FRP)
- plain-text emails only, question all attachments from all sources
3. Practice your OPSEC:
- don’t log in on another person’s device and use privacy shields if you can
- avoid password hints or use answers that have nothing to do with them (confuse the enemy :))
- don’t use a 4-digit pin for your devices, use a strong password
- minimize or eliminate the SMS 2FA for services to avoid SIM swaps
- avoid using your password manager for OTP
- avoid face and biometric unlocks
- never reuse usernames
- use a mail forwarding service to combat spam (and further confuse the enemy)
- everything else here should be considered: personal security checklist
There’s a lot that someone can do to increase their digital privacy and security. I think the key is to target your audience with the actions that they most likely will understand and implement on their own. Even baby steps are better than doing nothing for most people. Just using a legit password manager, changing their passwords to longer/more complex ones, and using 2FA/MFA will do a lot for most people.
That’s my thought process as well, but it’s interesting to see that the general consensus seems to be that a stronger password manager is maybe the first thing to get a handle on.
Agree…that goes hand in hand with the gazillion studies that show just how bad people are with making and reusing crappy passwords over and over. Toss in that most people use the same email for years and it makes for a mess.
I think this might be too advanced for an average person to try, but it’s good insights nonetheless! I wasn’t aware that some organizations might want to track whether someone is starting to become more private, which could create a desire to pay more attention to that person.
#1 Use a good password manager. Bitwarden is pretty much best of breed for normal folks.
#2 Use Signal and get your friends to use it instead of regular phone SMS where possible.
#3 Move to ProtonMail. They even have a convenient tool that pulls all your stuff from Gmail or whatever. Once there, set up some alias emails and use those for those random email-demanding things that have no business knowing your main email (or true name) and/or are likely to spam you.