"Only the paranoid survive."
A master checklist to secure your online life.
This is a work in progress. Comments and feedback are much appreciated. If you have any suggestions, please submit a PR or tweet @adilmajid.
The whole document and each individual section begin with the simplest changes.
Note: I'm not affiliated with any products linked below, nor do I get any kind of commission/freebies/highfives for linking to them. They're just good products for the job that I have used.
Disclaimer: this is a list of good practices, but no guarantees, obviously.
- TLDR
- Lockdown
- How to secure your online accounts, phone, laptop, and finances.
- Control the data you've shared
- What to do about the data you've already shared.
- Go Pro
- Other Stuff
- Set up 2FA on all of your logins
- Set different passwords for all of your accounts. Use a password manager like 1Password, LastPass, or KeePass.
- Pay attention to whether a website uses http or https. Never type a password or other sensitive info into a website that only uses http.
- Update your Google settings to limit what Google tracks and update Facebook to limit what you share with others. (Jump to Google)(Jump to Facebook)
- Delete online accounts you don't need or use
Virtually every online service you use stores some of your personal information. It could be as basic as your name and email address. Or it could be highly personal, like your sexual orientation, your notes and documents, your credit card information, your messages… so on. This is information you want kept safe.
Many services are broadcast platforms, meaning you want to make sure nobody should be able to access these accounts other than you.
- Use a different password for every online service.
- Generate secure passwords using 1password Password Generator or LastPass Generate. A secure password is not necessarily composed of complicated combinations of special characters. These are difficult to remember. Instead, a long password (like an easy-to-remember phrase of 5 or more words) is more secure because it has more characters is harder to guess by brute force.
- Use a password manager like 1Password, LastPass or KeePass. Change the master password periodically.
- Set up two-factor authentication (2FA) on your accounts where its available. Twofactorauth.org has a full list of apps that support 2FA.
- Don’t use phone numbers for 2FA. See SIM Swap Attack Protection below.
- Set up login notifications on apps/services that allow it. If somebody does manage to compromise that account, you'll be notified and can take action to get it back.
- Keep your OS and apps updated
- Set a passcode / password of 6+ characters
- Disable TouchID / fingerprint unlock. If a federal agent wants to search your device, they are allowed to ask for your fingerprint, but not your passcode. (Update: this may no longer be necessary, but the decision is expected to be challenged. Better safe than sorry.)
- Restrict what someone can see/do with your phone from the lock screen (restrict access to lock screen widgets, notification privacy, Apple Pay/Android Pay/Samsung Pay)
- Disable location services for any app that doesn't really need it. Disable "always on" location services from all apps.
- Get rid of your Android and get an iPhone (not intentionally pretentious - it's hard to fully secure an Android device. And there are great iPhones at basically any price point these days. And Google doesn't get to vacuum up all your data.)
- Install a VPN (See more at in the Browse Securely section)[#browse-securely]
- Install a content blocker to prevent you from being tracked by advertisers
- Keep your OS and apps updated
- Turn on Firewall on your Mac (via System Preferences -> Security)
- Cover your computer webcam with a Post-it
- Set your laptop locks itself quickly if you are inactive
- Require password immediately once your computer goes to sleep
- Install Micro Snitch to monitor when your webcam and microphone are turned on
- Install Malwarebyte on your computer, and run it periodically to check for malware
- Set Mac lockscreen notifications to private
- Use Privacy.com when doing online transactions. Enable transaction notifications to be notified every time money is spent from those cards
- Disable paper bank statement mailings (they can be lost/stolen)
Whether you've been affected by the Equifax hack or not, take the following steps to secure your credit.
- Check your credit report. Make sure there are no unexpected hard pulls on your credit.
- Freeze your credit reports with all three agencies: Equifax, Experian, and Transunion.
- Sign up for Identity Theft Monitoring. There are a number of services offered that you can Google. I personally use Civic.
- Stop getting prescreened offers of credit. You can learn more about prescreened offers of credit here. The FTC recommends this service for opting-out, aptly named OptOutPrescreen.com.
- These guys have GARBAGE websites. So you'll probably need to get live phone support. Equifax: Call 888-202-4025 and select option 6. Experian: Call 714-830-7000, press 2 (the business line option), then ask for live help. TransUnion: 800-916-8800.
Most people don't think about this one, but it matters. Leaving personal information lying around is a liability.
- Consolidate external hard drives and USB thumbdrives so you have fewer things to keep track of.
- Consolidate notebooks and papers that could have sensitive info, shred the ones you don't need. Archive papers by scanning into (a secured) Evernote account if you don't need the physical copy.
- Wipe and/or destroy unused old computers, phones, tablets, hard drives, etc.
You have personal data in all of your accounts. Some of those accounts can broadcast information to the internet on your behalf (think Instagram, Twitter, or a blog). If you aren’t using an account, delete it. They’re a vulnerability.
- Delete accounts you no longer use.
- Use Have I Been Pwned or Firefox Monitor to see if any of your accounts have been compromised
- Secure your Skype account, if you need it. Delete it if you don't need Skype. Skype is a top offender for getting hacked.
- Delete your Yahoo account. If you need it for Flickr, set a long password, set up 2FA, and enable login notifications. Yahoo is another common offender
- Limit what Google tracks about you. See how
- Limit what Facebook tracks about you. See how
- Think carefully about new services you sign up for and the data you share with them.. Do you trust them with your data?
- Be careful when granting Location permissions to apps on your phone. Google and Facebook apps, for instance, keep a horrifyingly detailed log of your location history.
- Be careful when granting Contacts access to apps on your phone. Are they going to sync your contacts to their server? (FYI: Facebook Messenger does! And is super shady about it.)
- Use Signal or WhatsApp for end-to-end encrypted messaging
- Use Sync.com or MEGA for end-to-end encrypted file storage
- Use Standard Notes for end-to-end encrypted note-taking
- Use Day One for end-to-end encrypted journaling
- Use Keybase for end-to-end encrypted chat and file-sharing. Also good for publicly verifable online identity verification
- Install Little Snitch to monitor outgoing connections (basically a reverse Firewall). Your computer sends a lot of dat in the background that you might not know about. With Little Snitch you can see when and where information from your computer is being sent
- Use ProtonMail for encrypted email
- Use DuckDuckGo as your search engine. They're great, they don't track you, and they're profitable, so no need to worry about them shutting down one day
- Use Tor for web browsing. The more people use it the better the network is
- For the super-paranoid, not tied to Mac or Windows: consider using QUBES OS or Tails OS
- Use a browser plugin like uBlock Origin, privacy badger, and ghostery to prevent third parties from tracking you
- Install a VPN client on your computer. Check out PCWorld's reviews of popular VPN clients. My favorite is Mullvad. They don't require any personal info to sign up (like your name or email address) and you can pay in cash or crypto, so they can't identify you via payment info either.
- Install a VPN client on your phone (Encrypt.me and Tunnelbear are pretty good). I prefer Mullvad here as well.
- Don't use unsecured wifi networks without a VPN
- Use Panopticlick to test whether your browser setup is safe against tracking
- Use DNS Leak Test to test whether your VPN setup is working
- Switch away from Google Chrome and Microsoft Edge and use Firefox, Safari, or Brave instead
- Use Firefox Focus, DuckDuckGo Browser, or Brave Browser on iOS
- Set cookies, history, etc. to delete after 30 days (or less!)
- Delete Facebook and Google. This is obviously easier said than done. But Facebook and Google are the worst offenders against individual privacy. They vacuum personal data like a surveillance state. They are dishonest about data leaks. And Facebook's business model forces it to deliberately work against your best interests.
- Support companies that protect your data. This can mean paying for their service, donating, or just spreading the word.
- Follow the Electronic Frontier Foundation. And donate! They do great work.
- Don’t use phone numbers for 2FA. See SIM Swap Attack Protection below.
- Do a regular security audit. Regularly change passwords for your most important accounts—email, banking, social media, etc. Check for active logged-in sessions that you don’t recognize.
- Make sure that any device or app you store sensitive info in supports end-to-end encryption, or at least encryption at rest. You can generally find out from their marketing site or FAQ, and if its not there, then contact their support team.
- Don't buy knockoff smart home appliances. This includes security cameras.
- Get rid of your Amazon Alexa and Google Home. (Go to (Google MyActivity)[myactivity.google.com] for a good scare.)
Google accounts store some of our most personal information—emails, photos, docs, location history. If you use Gmail for email, then your Google account is the portal through which other accounts can be compromised (if someone gets control of your Gmail, they can use "Forgot Password" on other sites and lock you out of everything). Securing it is high-leverage use of time.
- Set up 2FA
- Set up login notifications
- Review your active sessions and end sessions you don't recognize
- Review what apps have access to your data via Google login
Go to Google MyActivity and...
- Clear search history
- Disable search history
- Clear location history
- Disable maps and location history
- Switch to DuckDuckGo as your main search engine. (You can set it as default for Brave, Safari, Chrome, Firefox, and iOS Safari now)
- Switch to Brave Browser as your browser instead of Chrome.
Facebook may be the only account that is as valuable as your Google account. Below are some Facebook-specific features to help to lock it down.
- Set up 2FA
- Set up login notifications
- Review your active sessions and end sessions you don't recognize
- Review what apps have access to your data via Facebook login
- Set up "Approve Posts on Your Timeline". This allows you to approve posts on your Timeline and photos/statuses you're tagged in.
- Remove excess info on your profile. Go through your "About" section — most of these are set to public or Friends. Limit them as you see fit, and remove excess info.
- Limit past posts to "Friends", make sure these aren't public
- Go through each of your Profile Pictures and set them to Friends or stricter. Profile Pictures are Public by default.
- Go through each of your Cover Photos and set them to Friends or stricter. Your current Cover Photo will always be Public, but older ones can be restricted to Friends.
- Go through old photos and clean up! If necessary, ask friends to take down ones you no longer want online.
- Use Dataselfie to see how machine learning algorithms map your personality
- Don't keep your coins on an exchange. Always make sure you control your private key.
- Use a paper wallet or hardware wallet like Ledger Nano S or Trezor.
- MetaMask users: be aware of these risks: 6 Ways a Site Can Attack your MetaMask
A SIM swap attack is when a hacker calls your cell provider and convinced them to transfer your phone number to them. They then use your number to gain access to your other accounts. More Info
- Set a pin on your SIM
- Don't use SMS for two-factor authentication. Use Google Authenticator, Authy, or a USB-key instead.