Super basic security advice

The actual bare minimum you can do to protect your data

Perplamps
6 min read · Dec 2, 2018

Insert generic hacker-in-hoodie-looming-over-laptop image here

Almost everyone is terrible at online security. That’s understandable, since a lot of it is very technical, not related to common sense, and advice about it that’s clear and reasonable to implement is hard to find.

The following are a few of the easier things you can do that can go a pretty long way in protecting yourself.

Use a password manager

Using the same password for different accounts is a really bad idea. If one website you signed up for gets hacked, the hackers are going to try to log into a bunch of other services you might use with the login info they stole in the hopes that you reused your credentials.

You can’t be expected to memorize a different password for every website you sign up for, which is where a password manager comes in.

Password managers are services that store all your usernames and passwords. This allows you to not have to memorize those passwords, which in turn lets you use different passwords for every service. They usually work as a web service with a browser extension along with a built-in password generator (which you should definitely use).
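To make the two jobs of a password manager concrete (generating a unique random password per site, and letting you check that you are not reusing one), here is a small added example in Python. It is not code from the article or from any password manager; the CSV export it audits is constructed here, and the column names (name, username, password) are an assumption about the export format.

```python
import csv
import io
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Characters a generator draws from: 52 letters + 10 digits + 32 punctuation = 94
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Pick every character with the OS cryptographic RNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing difficulty of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


# Constructed sample of a password-manager CSV export; none of these accounts are real.
SAMPLE_EXPORT = """name,username,password
shop.example,alice@example.com,Summer2018!
forum.example,alice,Summer2018!
bank.example,alice@example.com,k9$Vq2#pLm7@Xw3z
mail.example,alice@example.com,Summer2018!
"""


def find_reused_passwords(export_csv: str) -> Dict[str, List[str]]:
    """Group vault entries by password and return the ones used on more than one site.
    Each entry in the result is a password that should be rotated site by site."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        by_password[row["password"]].append(row["name"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw, f"(~{entropy_bits(len(pw), len(ALPHABET)):.0f} bits)")
    for password, sites in find_reused_passwords(SAMPLE_EXPORT).items():
        print("reused on", ", ".join(sites))
```

A 20-character password from this alphabet has about 131 bits of entropy, far beyond what any guessing attack can cover, which is why the generator matters more than any memorable scheme. The reuse audit is the same check a manager's built-in report does: one breached site should never unlock another.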

There’s not a perfect password manager to recommend, but I’d suggest BitWarden for most people.

Note that using a password manager service is a big security trade-off, as you’re trusting all your passwords to one place. That said, most security people agree it’s worth the risk.

Use multi-factor logins

There’s a lot more info about multi-factor logins and how to set them up at the EFF.

Some websites and services offer or require that you verify yourself through a code sent to your phone or email each time you log in. This is called a few different things, like phone/email verification, two/multi-factor authentication, or 2FA.

This adds a pretty hefty level of security to your accounts, so you should set it up where possible.

There are a couple caveats to this, though:

  • If you use your phone number to authenticate yourself, people can steal (“port”) your phone number and gain access to your accounts. You can add port-out protection through your phone service provider, but that’s still only as secure as the kid working at the phone kiosk at the mall. I believe Google’s Fi phone service will only port out your number to someone who knows your Google login info, so that’s the only service I’d truly trust on this issue.
  • If you use an authentication app like Google Authenticator or Authy, you can run into problems if you lose or break your phone. Make sure you understand how those apps work and securely store the backup codes they provide. The same goes for physical security keys like YubiKey and Titan.

Don’t give out your private information

The more websites and services you sign up for and put information in, the more you could be putting yourself at risk. It doesn’t take much for someone to steal your identity, so think twice before handing out your birthday, address, credit card details, or social security number to anyone. Even if you think it’s trusted and safe, it’s probably not.

For entering credit card information, I personally prefer to use PayPal since it’s the same sort of security trade-off as a password manager. Some banks let you create one-time credit card numbers, which is a really good idea. There are also services like Privacy.com that offer this, but I haven’t used them and I don’t know their track record, so I won’t explicitly recommend them.

Limiting the information you give out applies to in-person interactions as well, since any physical form you fill out will just be digitized and most likely stored insecurely for hackers to grab at their leisure.

Don’t install stuff

Everything you install on your computer or device is a huge risk. Each application you find could have been made to be malicious, could have been unknowingly modified to be malicious, or could have security holes in it that allow malicious things to get in later.

Some people think this doesn’t apply to software used by lots of people or made by big companies, but that couldn’t be further from the truth. Treat everything you invite on your device as a risk.

Obviously you’ll need to install software for various purposes over time, but wherever possible, just don’t. The more stuff you install, the greater your risk is.

Make sure to keep the software you do install (including your operating system) up to date, as updates often patch security vulnerabilities.

Don’t install anti-virus software

Most anti-virus software doesn’t work and is just a pointless expense that will cause you headaches. Just let Windows Defender do its thing on Windows (it’s built in).

This advice doesn’t mean your computer is safe without anti-virus software; it’s just that it’s not any less safe without it.

Don’t install browser extensions or add-ons

This could also fall under the “Don’t install stuff” advice, but I see a lot of people with a specific blind spot to the dangers of browser extensions. Most extensions have direct access to all the information you see and enter into your web browser, which makes them very dangerous.

Take the extra time to manually copy-paste stuff into Pinterest or Buffer or whatever and leave all those extensions off your browser bar.

The only extensions I install are my password manager, uBlock Origin, and Privacy Badger, because I believe the security benefits they provide outweigh the risks they introduce.

Don’t trust emails and phone calls

Email addresses and phone numbers can be faked. Don’t trust that the person or service calling you or emailing you is who they say they are.

Common scams involve but are definitely not limited to:

People in my family have fallen for scams like these at least twice that I know of, so I can personally recognize how prevalent and surprisingly convincing they can be.

A good way to avoid these sorts of scams is to use an alternate communication method to verify someone is who they say they are. If you’re not sure about an email from your boss or someone sending you an invoice, just give them a quick call to check it’s legit.

If you’re not sure someone on the phone is who they say they are, try to call them back through a publicly-listed phone number that you look up yourself. Even this isn’t foolproof and there are lots of tricks related to phone numbers and calls, so the safest thing to do is to never pick up calls from outside your contacts on your personal phone and never give out any info to people who call you.
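The “email addresses can be faked” point has a concrete side you can check yourself: the address shown in From is just text the sender typed, while the Reply-To, the Return-Path and the Authentication-Results line your mail server adds (SPF and DKIM results) are much harder to fake. Here is an added Python example, not code from the article, that reads those headers from a message and lists the mismatches. Both messages it parses are constructed here with example domains; an empty result means no indicator fired, not that a message is safe, which is why the call-back advice above still applies.

```python
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from typing import List

# Constructed headers for a suspicious "invoice from the boss" message (no real company or sender)
SUSPICIOUS_MESSAGE = """Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Your Boss" <boss@yourcompany.example>
Reply-To: invoices@yourcompany-billing.example
To: you@yourcompany.example
Subject: Urgent invoice

Please pay the attached invoice today.
"""

# Constructed headers for a message whose sender checks out
CLEAN_MESSAGE = """Return-Path: <boss@yourcompany.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=yourcompany.example; dkim=pass header.d=yourcompany.example
From: "Your Boss" <boss@yourcompany.example>
To: you@yourcompany.example
Subject: Lunch?

Free at noon?
"""


def sender_domain(header_value) -> str:
    """Domain part of the address in a From, Reply-To or Return-Path header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def spoofing_indicators(raw_message: str) -> List[str]:
    """Return plain-language reasons this message may not be from who it claims to be."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    findings: List[str] = []
    from_dom = sender_domain(msg["From"])
    reply_dom = sender_domain(msg["Reply-To"])
    bounce_dom = sender_domain(msg["Return-Path"])
    auth = str(msg["Authentication-Results"] or "").lower()

    # Replies silently going somewhere other than the displayed sender
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not the From domain {from_dom}")
    # Envelope sender (where bounces go) does not match the displayed sender
    if bounce_dom and bounce_dom != from_dom:
        findings.append(f"Return-Path (envelope sender) is {bounce_dom}, not {from_dom}")
    # Results recorded by the receiving mail server, not by the sender
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("receiving server reports SPF failure for the envelope sender")
    if "dkim=pass" not in auth:
        findings.append("no passing DKIM signature recorded by the receiving server")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, "->", spoofing_indicators(raw) or ["no indicators"])
```

Most mail clients let you view the raw message source, which is where these headers live; the same four checks are what a spam filter or mail gateway runs automatically, just without the explanations.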

Photo by Paweł Czerwiński

Security is tough. Nothing you do will protect you completely, but following the above advice will go pretty far.

Hopefully this article wasn’t too overwhelming or difficult to act on.

Keep in mind that things do change over time and information/advice does get outdated, so it’s not a bad idea to try to stay tuned in to tech and security news.

If you disagree with any of my points or have suggestions for other basic things that you think should have been included, please let me know in a comment.
