A master checklist for securing your online life.
Online Security and Privacy for the Paranoid

A master checklist to secure your online life.

This is forever a work in progress. If you have any suggestions, please send a PR or tweet @adilmajid.

Note: I'm not affiliated with any products linked below, nor do I get any kind of commission/freebies/highfives for linking to them. They're just good products for the job that I have used.

TLDR

If you only do five things...

  • Set up 2FA on all of your logins
  • Set different passwords for all of your accounts. Use a password manager like 1Password, LastPass, or KeePass.
  • Pay attention to whether a website uses http or https. Never type a password or other sensitive info into a website that only uses http.
  • Update your Google settings to limit what Google tracks and update Facebook to limit what you share with others. (see below)
  • Install a VPN on your computer and phone (see reviews)

Beginner

Logins

  • Set up 2FA (two-factor authentication) on all of your accounts that support it. Twofactorauth.org has a full list of apps that support 2FA.
  • Set up login notifications on apps/services that allow it. If somebody does manage to compromise that account, you'll be notified and can take action to get it back.
  • Use different passwords for all of your accounts
  • Generate secure passwords (for example, with LastPass's password generator)
  • Use a password manager like 1Password, LastPass or KeePass. Change the master password periodically.
  • Update login information (or entirely delete the account) for compromised accounts
  • On services that allow it, check for active sessions, and delete any unused, forgotten, or unapproved sessions

Cleanup

  • Delete all of your unused and unnecessary accounts
  • Use Have I Been Pwned to see if any of your accounts have been compromised
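Have I Been Pwned also exposes a Pwned Passwords range API that lets you check a password without ever sending it: the client sends only the first 5 hex characters of the password's SHA-1 and matches the remaining 35 locally against the returned bucket. The following example is added here and is not part of this checklist; the range response is a constructed sample (the counts are made up) so it runs offline.

```python
"""k-anonymity password check in the style of HIBP's Pwned Passwords range API."""
import hashlib


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex into the 5-char prefix that is sent
    to the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(password: str, response_text: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times the password was seen in breaches, or 0 if its suffix is absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in response_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the body a client would fetch from
# https://api.pwnedpasswords.com/range/5BAA6 (the bucket for "password").
# The first suffix is the real SHA-1 tail of "password"; the counts are invented.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FDA:2
2A0B3C4D5E6F708192A3B4C5D6E7F8091A2:17
"""


def check_password_offline(password: str) -> int:
    """Wire the two steps together against the constructed bucket only;
    a real client would fetch /range/<prefix> for whatever prefix it computed."""
    prefix, _ = sha1_prefix_suffix(password)
    if prefix != "5BAA6":
        return 0
    return count_in_range_response(password, SAMPLE_RANGE_5BAA6)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", check_password_offline(pw))
```

A non-zero count means the password has appeared in a breach and should be retired everywhere it is used.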

Browsers

  • Pay attention to when a website is using https, and never type a password or other sensitive info into a site that doesn't use https
  • Use a browser plugin like uBlock Origin, Privacy Badger, or Ghostery to prevent third parties from tracking you
  • Switch away from Google Chrome and Microsoft Edge and use Firefox or Brave instead
  • Set cookies, history, etc. to delete after 30 days (or less!)

Banking

  • Use Privacy.com when doing online transactions. Enable transaction notifications to be notified every time money is spent from those cards
  • Disable paper bank statement mailings (they can be lost/stolen)

Phones

  • Keep your OS and apps updated
  • Set a passcode / password of 6+ characters
  • Disable TouchID / fingerprint unlock. If a federal agent wants to search your device, they are allowed to ask for your fingerprint, but not your passcode.
  • Restrict what someone can see/do with your phone from the lock screen (lock screen widgets, notification privacy, Apple Pay/Android Pay/Samsung Pay)
  • Disable location services for any app that doesn't really need it. Disable "always on" location services from all apps.
  • Get rid of your Android and get an iPhone (not intentionally pretentious - it's hard to fully secure an Android device. And there are great iPhones at basically any price point these days.)
  • Install a VPN
  • Install a content blocker to prevent you from being tracked by advertisers

SIM Swap Attack Protection

A SIM swap attack is when a hacker calls your cell provider and convinces them to transfer your phone number to them. They then use your number to gain access to your other accounts. (more info)

  • Set a pin on your SIM
  • Don't use SMS for two-factor authentication. Use Google Authenticator, Authy, or a USB-key instead.

Computers

  • Keep your OS and apps updated
  • Turn on Firewall on your Mac (via System Preferences -> Security)
  • Cover your computer webcam with a Post-it
  • Set a short screensaver time - 5 min or less - so your laptop locks itself once you're away
  • Require password immediately once your computer goes to sleep
  • Install Micro Snitch to monitor when your webcam and microphone are turned on
  • Install Malwarebytes on your computer, and run it periodically to check for malware
  • Set Mac lockscreen notifications to private
  • For the super-paranoid, not tied to Mac or Windows: consider using Qubes OS or Tails

Other

  • Secure your Skype account, if you need it. Delete it if you don't need Skype. (Good alternative is Google Duo, which saves some metadata but has encrypted calls.) Skype is a top offender for getting hacked.
  • Delete your Yahoo account. If you need it for Flickr, set a long password, set up 2FA, and enable login notifications. Yahoo is another common offender.
  • Set strict privacy options on Facebook (see below). They have a lot of your info, so it's important to protect it.
  • Set strict privacy options on Google (see below). Same as FB, they know a looooot about you.
  • Don't buy knockoff smart home appliances. This includes security cameras.
  • Get rid of your Amazon Alexa and Google Home. They're listening.

Advanced

Secure Browsing

Secure Communication

  • Use encrypted communication methods - Signal, ProtonMail
  • Make sure that any device or app you store sensitive info in is encrypted (Evernote, Day One, etc.). You can generally find out from their marketing site or FAQ, and if it's not there, contact their support team.

Secure Your Offline Life

  • Consolidate external hard drives and USB thumbdrives so you have fewer things to keep track of.
  • Consolidate notebooks and papers that could have sensitive info, shred the ones you don't need. Archive papers by scanning into (a secured) Evernote account if you don't need the physical copy.
  • Wipe unused old computers, phones, tablets, hard drives, etc.

Google

Secure Login

  • Set up 2FA
  • Set up login notifications
  • Review your active sessions and end sessions you don't recognize
  • Review what apps have access to your data via Google login

Reclaim Your Data

  • Clear search history
  • Disable search history
  • Clear location history
  • Disable maps and location history
  • Check Google+ for what data Google has made public, set anything you don't like to private

Beast Mode

  • Switch to DuckDuckGo as your main search engine. (You can set it as default for Safari, Chrome, Firefox, and iOS Safari now)

Facebook

Secure Login

  • Set up 2FA
  • Set up login notifications
  • Review your active sessions and end sessions you don't recognize
  • Review what apps have access to your data via Facebook login

Reclaim Your Data

  • Set up "Approve Posts on Your Timeline". This allows you to approve posts on your Timeline and photos/statuses you're tagged in.
  • Remove excess info on your profile. Go through your "About" section — most of these are set to public or Friends. Limit them as you see fit, and remove excess info.
  • Limit past posts to "Friends", make sure these aren't public
  • Go through each of your Profile Pictures and set them to Friends or stricter. Profile Pictures are Public by default.
  • Go through each of your Cover Photos and set them to Friends or stricter. Your current Cover Photo will always be Public, but older ones can be restricted to Friends.
  • Go through old photos and clean up! If necessary, ask friends to take down ones you no longer want online.
  • Use Dataselfie to see how machine learning algorithms map your personality

Credit

Whether you've been affected by the Equifax hack or not, take the following steps to secure your credit.

  • Freeze your credit reports with all three agencies: Equifax, Experian, and Transunion.
  • Sign up for Identity Theft Monitoring. There are a number of services offered that you can Google. I personally use Civic.
  • Stop getting prescreened offers of credit. You can learn more about prescreened offers of credit here. The FTC recommends this service for opting-out, aptly named OptOutPrescreen.com.
  • These guys have GARBAGE websites. So you'll probably need to get live phone support. Equifax: Call 888-202-4025 and select option 6. Experian: Call 714-830-7000, press 2 (the business line option), then ask for live help. TransUnion: 800-916-8800.

Crypto

  • Don't keep your coins on an exchange. Always make sure you control your private key.
  • Use a paper wallet or hardware wallet like Ledger Nano S or Trezor.
  • MetaMask users: be aware of these risks: 6 Ways a Site Can Attack your MetaMask