Let me begin by stating that there is no such thing as perfect security. At least not anymore. The period from around 1780–1850 was the only time in human history when we had what could be considered perfect security. This ended in 1851 when A.C. Hobbs picked what was then considered an un-pickable lock.
But I’m not here to talk with you about lock picking.
Who are you protecting yourself against?
Security doesn’t exist in a vacuum. Unless you know who you are protecting yourself from, you won’t be able to choose the appropriate countermeasures. A good example of this is your choice in how you secure an iPad. When securing an iPad you can choose to allow unlocking with a password or a thumbprint. Your decision here hinges on whether you are protecting yourself from a 3-letter government agency or from someone sitting behind you on the bus lifting your password as you type it in.
I personally believe that biometric unlocks like thumbprints are poor choices for security, but chances are that the guy behind you on the bus won’t have a copy of your thumbprint, nor will he be able to compel you to unlock the device against your will. So in the case of protecting yourself from the guy on the bus, your thumbprint is probably a decent choice. If however you want protection from a 3-letter government agency, or just law enforcement in general, you should use a password. There is established legal precedent that the government can compel you to unlock a device that is secured with biometrics like a fingerprint, but the 5th amendment protects you from having to disclose the unlock password.
The lesson here is to stop and think about who you are protecting yourself from. Are there people actively targeting you? Does where you live or your standard routine expose you to attacks of opportunity like a pick-pocket on the subway or someone snatching your backpack on the bus? Do you live a pleasantly boring and safe existence in an area with near zero crime? Are all of your threats likely to be the passive kind, such as having your credentials leaked by any one of the hundreds of organizations that hold your information poorly secured?
Now that we have set up a framework to think about these things, here is my take on best practices for securing your digital life.
My personal threat model
I take the following things into consideration to establish my personal threat model.
- I have personal crypto-asset holdings.
- I maintain a number of open source software projects that people use to interact with crypto-assets. Thus I’m not just protecting my assets, but also by proxy all of the people who use and trust my software.
- I am in a sufficiently public position to be individually targeted.
- I choose to take above average measures to mitigate against passive threats (like Target getting their customer database hacked).
So with these things in mind, I have established the following security practices.
- Always use a password manager for everything. I use 1Password but there are lots of choices both paid and free (open source).
- I don’t actually know my master password. Instead I only know half of it. The other half comes from a YubiKey4. I have this blog post to credit for that password scheme.
- Never fill in recovery questions with real answers. This data is almost always publicly available. Instead use a randomly generated answer that is stored in your password manager (don’t forget to store what question the answer pertains to).
- Never use services that require you to input your credentials for another service. If a site is asking for your username and password to another site it’s probably a bad idea.
Crypto Asset Security
- Use a hardware wallet. I recommend and use the Ledger Nano S.
- Separate your funds between cold and hot storage. Cold storage is where the bulk of your funds live. Hot storage is what you regularly unlock when you need to send transactions. You should very rarely access your cold storage.
- Don’t keep your funds on an exchange. Coinbase might be the only acceptable exception to this, but you should still know that you are exposing yourself both to the risk of them botching their security and to the risk of having your assets seized or frozen arbitrarily.
- Treat any funds or tokens that aren’t secured with multi-signature or a hardware wallet as you would cash in your wallet. Most people don’t risk walking around with $10,000 in their wallets.
- Use separate accounts for all-the-things. Use a different account for every type of token you own.
- Make sure you have backups of every one of your private keys. Your password manager is good for this.
- Always send a test transaction before sending a big one. Even if you’re really sure.
- Never ever ever ever ever ever ever ever ever type in an address by hand.
- If you’re one of the many non-technical people and you aren’t sure if what you’re doing is safe, ask someone who knows more than you.
This one is complex. If the Black Phone by Silent Circle were compatible with my cell phone provider I would be using it. Since I’m not currently willing to accept the overhead of rooting my phone and ensuring that I truly own it, I instead choose to treat my cell phone as a largely untrusted device. In addition to this, I use Google Voice, which doesn’t allow me to switch to an iPhone.
- iPhone is currently likely to be more secure than Android.
- If you are using Android, assume that your carrier has full access to your device.
- Don’t load your password manager vault/keychain on your phone.
- Keep your phone authenticated with the bare minimum set of accounts.
- Install an ad-blocker. I recommend uBlock Origin.
- Install Privacy Badger.
- Install HTTPS Everywhere.
- Chrome and Firefox are likely similar in security. I prefer Firefox.
- Use private browsing mode liberally.
- Don’t allow your browser to store passwords. I am not entirely up to date on the current state of affairs but historically this has been an insecure option (and you should already be using a password manager).
- Use a VPN. It’s much easier to trust a single VPN provider than every coffee shop and public hotspot you connect to.
- Check what jurisdiction your VPN provider is in. Avoid providers who are in the United States. I use and recommend IPredator.
- For added security, set up your home router to send all of your traffic over the VPN as well. Flashrouters is a nice lazy option for this, as they will sell you a router running DD-WRT pre-configured for your VPN provider.
- Never plug a device that you don’t own into your computer, such as a USB key, or to charge someone’s phone.
- Get a USB condom for cases where you do need to plug something in to charge.
- Be paranoid, especially if being compromised means significant financial losses.
- Never log into anything that matters on a device you don’t own. Don’t use public computers or your friend’s laptop to check your email.
- Facebook Messenger is scary. It asks for or requires permissions that no chat app should need. It’s been reported to turn on your microphone while you are typing. Consider just not using Facebook because it’s evil and terrible.
- Don’t share passwords with your significant other, or anyone for that matter. My wife was upset for a long time that I refused to share any of my passwords with her. It took a while to get her to understand that I was not hiding things, but rather that her grasp of digital security was not sufficient and that by sharing a password with her I expose myself to her incidentally leaking that information. If you must share logins, use a separate vault in your password manager.
- People are probably always going to be your weakest link. Be aware that social engineering is often trivial and your phone company is probably the weakest link in your security. Burner phones are not very expensive.
Security and usability are often a trade-off. If you want a high level of security you will also likely have to accept a higher amount of general overhead in your day-to-day computer interactions, as well as a certain level of inconvenience at times. Refusing to plug a USB device into your laptop to transfer a PowerPoint presentation might be inconvenient, but will that inconvenience matter when your crypto accounts are suddenly empty?