This guide is a straightforward primer covering the basics of protecting your online life. Our aim is to give you simple, practical measures you can take immediately to make your life more private and secure by default and to explain what these measures do in easy-to-understand ways. Each of these steps will make you more secure and they don't have to be done all at once; any one of them is worthwhile on its own. However, if we have done our job, you should be able to sit down with this guide and your devices after lunch on Sunday and be better protected by the time you go to bed.
This guide is written by Bex Fortin and Eli Morris-Heft. Bex is a software developer; they've spent most of the last ten years writing enterprise software. Eli has also spent the last ten-plus years writing software, and has done IT for volunteer organizations. Both of us are tech hobbyists and maintain a keen interest in securing and protecting our digital lives.
We'd like to acknowledge and thank Billy, Garrett, Harold, Kristin, and Sonia for being our beta readers. This guide is easier to read and follow, addresses more use cases, and is generally better in all ways thanks to their suggestions and insight.
This guide is designed for people who are familiar with how to use their computers, phones, and tablets but aren't necessarily super tech-savvy. For the most part, we'll be installing or uninstalling software and changing settings, so if you're comfortable doing that, you'll have no problem following along. When we can't give exact instructions for your situation, the specifics should be easily searchable on the internet, so you should also be comfortable doing that.
We're also going to assume that it's 2021 or sometime thereabouts and that you live in the United States, at least when talking about some of the legal privacy concerns or scenarios you might encounter. Regardless of where you live, our advice will make your online life more private and secure, even if your level of need for it is different.
Lastly, the recommendations in this guide are good baselines for security and represent what we feel is a balance between security and convenience. However, we also want to point interested readers toward next steps they can take if they have the time and interest. Sections marked with One Step Further will talk about extra projects you can do to continue securing your online presence beyond our baseline steps. Likewise, sections labeled Paranoia Alert! will discuss strategies that you can take to trade off some convenience for a little more security. Both sections are totally optional and you should feel comfortable skipping them if you want to.
If you are a security professional or a techie with strong opinions, this guide isn't for you. If you run Linux on the desktop, this guide might be helpful, but we'll be focusing on Windows and macOS users, so you're on your own for specific instructions. We also do not recommend this guide as an inspiration for corporate IT policies, though it may be useful to help you formulate your Bring-Your-Own-Device policies, especially if you have many employees working remotely.
Also, if you are a journalist, politician, or anyone else whose profession or public profile makes you a specific target for hacking, or if you want personalized recommendations for your digital life, this guide is not going to be enough for you. Our recommendations are a good baseline, and you should at least be doing what we recommend here, but you should also seek out a professional to help secure your online life.
Finally, this guide is intended for everyday security. If you are taking part in an activity like a protest or a strike and need increased security or privacy because of it, there are plenty of other guides out there that are aimed at those particular use cases. Use this guide as a baseline, and then follow those guides' recommendations.
First, when it comes to terminology, we've prioritized "widely understood" over "technically correct". For example, when you change your wi-fi password, you're modifying your wi-fi access point, but since everyone calls it a router, we will too. If we need to make a distinction in a certain context, we'll call it out and explain the differences.
Next, our views are our own and do not represent the views of our employers, associates, roommates, and so on. Our recommendations of specific products or services are based on our own personal experience, and we have received no compensation in any form for mentioning them. This includes 1Password, which — for the sake of disclosure — employs one of the authors of this guide; our experience with 1Password predates that employment and we have received no extra compensation for recommending it here.
Lastly, we are not responsible for any harm that comes to you, your devices, your data, or any other aspect of your life because of or in spite of you following our recommendations. Do your research and ask the techie in your life to review this guide if you are nervous about it. We vouch only that these practices work for us, and that (with the exception of a One Step Further or Paranoia Alert! section here and there) we use them in our daily lives.
Okay, that probably took a whole hour out of our afternoon, and we've got a lot to cover. Let's get going!
Before we talk about how to secure your devices — and by that, we mean your computer, tablet, and phone — it's worth pointing out some good habits that will make sure all your hard work is worth it. Everyone who uses technology and the internet will benefit from adopting these practices.
If something seems off, listen to that instinct! If a friend sends you an email asking you to buy a bunch of gift cards and send them the codes, or a customer service agent asks you to email them the password to your account, be suspicious and try to verify the request some other way (like by calling or texting your friend or calling the customer service line). If you're calling customer service, don't use the phone number in the email you just got; go to the company's website instead and look for their "Contact Us" page.
Scammers will often send emails that appear to be from official sources (like your bank or a store you shop at) but whose links take you to a site they control and ask you to log in. Sending those emails is called phishing, and it's a common way for scammers to collect passwords and other sensitive info. If you're not sure if an email is a phishing attempt, don't click the link in the email; instead, open a new tab in your browser and type in the company's URL by hand, or search for the company and go to their website that way.
Many sites will send you an email when you log in or change your password. Don't ignore these! They are an important way to keep an eye on your online security.
If you get a notification that you've logged in but you didn't actually log in recently, go change your password to the account. (This will be easy if you're using a password manager, which we'll talk about later.) On many sites, you can also see your login history and what devices you're currently logged in on. Check them every so often, and if what you see doesn't track with what you expect, log out of your devices and change your password.
Also, don't just click through error messages. Most of them contain instructions on what to do to fix the error or where to go for more information. Even if they don't, putting the error message into a search will usually lead to useful information about it. (This is what your techie friend is doing when they run into something they can't fix. Now you know the secret!)
When it comes to your digital life, it's best to try to keep some sort of division between home and work. To a lesser extent, this can also apply to other parts of your life, like if you work with volunteer organizations. That said, it can be tricky to completely separate these areas, since most of us only have one phone.
Ideally, if your work involves a computer, your employer provides you with one. If so, use it only for work-related things. Whether they choose to or not, your employer has the ability to monitor everything that happens on the computer they provided for you. (You may have even signed an acknowledgment of this — check your employee handbook.) Avoid signing into your personal email, your social media accounts, or even your password manager on your work computer. Doing so allows your employer to see your personal life and, depending on how draconian your company's IT setup is, this may even allow them to discover your passwords.
If you need to sign up for an online service in order to do your job (like Dropbox or Office 365), use your work email address instead of your personal email address, and don't reuse your personal account for work. One possible exception to this is your employer's HR software, since you may need to access it to request a sick day from home or to access personal records like your W-2 after leaving your employer.
Doing personal work or side projects on a device owned by your company may give the company a claim on the intellectual property rights for that work. Similarly, doing company work on a personal device makes it much more murky as to where each party's rights begin and end. However, this guide is about security, not copyright law, and the authors are not lawyers, so we're just going to leave it at: as much as you can, keep work on company-owned machines, and keep personal stuff on personal machines.
Sometimes, you don't have access to an employer-provided device. If you work for yourself or if you only have a work-issued device (or if you are unexpectedly working from home), it can be hard to create the kind of separation we recommend above. In that case, do as much as you can to delineate your work from your personal life. Consider making a separate user account on your computer that is work-only, and be vigilant about when you're accessing work resources or on a work VPN versus when you're using the device for personal use.
Ideally, if your work requires a mobile device, your employer should provide one for you (and that may be an option if you ask). If that's the case, you're all set! Keep your work life only on the company-provided device, and keep your personal life on the device you own.
However, this isn't the reality for most of us. We often put our work email and calendar on our personal phone, whether for convenience or necessity. Be aware, though, that if you log into your phone with your corporate account, your employer may have more control over your phone than you expect. In some cases, your company may even have the ability to lock or remotely wipe your entire phone! Unfortunately, there aren't a lot of ways to avoid this except just not logging into your corporate account on your phone. (By the way, Google Calendar has a "secret address" link that allows you to view your work calendar from your device without logging into the account.)
On Android, there is a feature called Work Profile that separates your work apps and data from your personal apps and data and only allows your employer to have control over the work side. You may need to work with your IT department to enable it, but it's a much more secure way for both you and them to operate. Sadly, there is no equivalent feature on iOS.
More and more IT departments these days have created Bring-Your-Own-Device (BYOD) policies that apply to employees using a personal phone, tablet, or computer for work purposes. If your employer has one, read it so you understand what you're getting into if you decide to log into a corporate account on your personal device.
Throughout this guide, we recommend various services and recommend against using others. While the specific services we recommend are based on our experience and evaluations, you'll notice a thread that runs through the ones we advise against: they are often from companies that do not specialize in that service.
For example, we recommend using Firefox and not using Chrome. Why? Firefox is made by Mozilla, and Mozilla's main business is making browsers. Chrome is made by Google, and Google's main business is selling ads.
We also recommend using a dedicated password manager and not using the one built into your browser. Why? Because password managers like 1Password and Bitwarden are built by companies that are focused on making the best password manager they can, whereas the password storage in your browser is built by a team that's focused on making a good browser.
This isn't to say that Chrome is a badly-made browser or that the password manager in Firefox is insecure. But given the choice, we think it's wiser to use services made by specialists rather than ones made as a side gig. When a company is focused on a single kind of product, their knowledge of the field will be deeper, and they will often fix bugs and security issues faster. We also think there's less of a chance that the service will go away without warning — we've seen Google and others unexpectedly disable services outside their main lines of business enough times to be wary.
This also means we often recommend a service that is paid over one that's free. Free is an attractive feature in a service, no doubt, but every service costs money to run. If it's free to you, ask yourself: who's paying for it? Oftentimes, if you're not the customer, your data is the product, and that's exactly what we're trying to protect you from in this guide.
Having long, strong passwords that are unique for each service is one of the best things you can do to level up the security of your online presence. Moreover, if you get your password game in shape, it'll be easier to do many of the other things in this guide. For those reasons, we're going to talk about passwords and other things related to signing into services first.
Your passwords should be resistant to two main attacks: someone guessing your password by chance (a brute force attack) and someone reusing a password of yours they got from somewhere else (known as credential stuffing). Protecting against both of these attacks is easy: brute force attacks are foiled by long, random passwords, and credential stuffing just doesn't work if you use a different password for every site.
It's hard to remember a long, random, distinct password for every site though, and that's why you should use a password manager. We'll cover this in the next section.
If you need to create a password that won't go in your password manager for some reason (like the main password for your password manager), pick the longest password you can remember (or that the site will allow). A good way to create a long, memorable password is to make up a sentence. Sentences are longer than passwords, make it easy to add numbers and punctuation if needed, and are easier for you to remember than a long string of random numbers, letters, and symbols.
We strongly advise against password creation schemes, like using variations on the same password for each new site (for example, p@ssw0RdGoogle123 for Google and p@ssw0RdPaypal123 for PayPal, etc.). Schemes like this make it hard for you to change that password if you need to, and you'll be more vulnerable to credential stuffing. Always make your passwords unrelated to the site they're for and to each other.
Whatever your password strategy is, it's a good idea to make provisions for someone else being able to access your accounts in case of emergency or death. One option is to put important passwords and other account information in a physical lockbox or fire safe and give a friend or loved one a way to access its contents if necessary. Some password managers have features to allow emergency access to some or all of the passwords in your account.
Sign up for a password manager, use it to store all your passwords, and make sure all your passwords are unique and randomly generated. We use and recommend 1Password, and we also trust Bitwarden and KeePass. 1 However, do not use the password-saving functionality in your browser, which doesn't work the same way a password manager does.
A password manager stores all of your passwords behind a single main password, encrypted so that no one can access your passwords without your main password, even if they steal your laptop or hack the company that makes the password manager. Password managers also have built-in password generators, which make it easy to change your existing passwords to something long and random, or create a good, unique password to a new account.
You don't have to start by putting every one of your passwords in immediately. Add your passwords to your password manager as you log into things (this is a lot easier if you use your password manager's browser extension) and, after a few weeks, the majority of your passwords will have been added.
Some password managers will alert you if you have the same password for multiple sites, or if your username was found in a breach. If you get these alerts, change your password for those sites to something new and randomly-generated.
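The reuse alerts described above, and the weakness of the site-name schemes warned about earlier, can both be checked mechanically. This added example (not from the original guide or from any password manager's code) audits a constructed vault export; the tuple layout and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed vault export: (site, username, password). Not real credentials.
SAMPLE_VAULT = [
    ("google.com", "sam@example.com", "p@ssw0RdGoogle123"),
    ("paypal.com", "sam@example.com", "p@ssw0RdPaypal123"),
    ("forum.example", "sam", "correct horse battery staple"),
    ("shop.example", "sam", "correct horse battery staple"),
    ("bank.example", "sam", "vT9#qLm2xRz!8KpWd4Yh"),
]


def site_keyword(site):
    """'accounts.google.com' -> 'google'.

    Simplification: takes the label left of the last dot, so multi-part
    suffixes such as .co.uk are not handled.
    """
    labels = site.lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def skeleton(site, password):
    """The password with the site's own name cut out, ignoring case."""
    return re.sub(re.escape(site_keyword(site)), "", password, flags=re.IGNORECASE)


def audit(vault):
    """Return groups of sites that share a password or a password scheme."""
    exact = defaultdict(list)    # identical password -> sites
    derived = defaultdict(list)  # same skeleton once the site name is removed -> sites
    for site, _user, password in vault:
        exact[password].append(site)
        stripped = skeleton(site, password)
        if stripped != password:  # the site name appears inside the password
            derived[stripped].append(site)
    return {
        # One breach exposes every site in a "reused" group (credential stuffing).
        "reused": sorted(sorted(sites) for sites in exact.values() if len(sites) > 1),
        # A "scheme" group means one leaked password reveals the pattern for the rest.
        "scheme": sorted(sorted(sites) for sites in derived.values() if len(sites) > 1),
    }


if __name__ == "__main__":
    for kind, groups in audit(SAMPLE_VAULT).items():
        for group in groups:
            print(f"{kind}: change the passwords for {', '.join(group)}")
```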
There are a few passwords you should memorize and maybe even keep out of your password manager. For example, you should always know the password to your main email address and the passwords to log in to your devices.
Two-factor authentication (sometimes called Multi-Factor Authentication, or MFA) provides an extra layer of security when you log in, and you should turn it on for every service that offers it. 2
Each factor in two-factor authentication is a different way to prove you're you. Typically, factors fall into three types: something you know (like a password or the answer to a security question), something you have (like a phone or a key), and something you are (like a fingerprint or a retina scan). Using more than one factor makes it harder for someone else to pretend to be you.
If you have an ATM card, you're already using 2FA: the card is something you have, and your PIN is something you know. If your house has an alarm, that's 2FA too: you have your key, and you know your alarm code. In fact, something you know plus something you have is the most common form of 2FA. For online accounts, the thing you know will be your password, and the thing you have will be your phone, where, after logging in with your username and password, you'll be asked to enter a code either from an authenticator app or from a text message that the service sends you.
The system used by authenticator apps for 2FA is a standard, so any of the major authenticator apps will be compatible with it: Google Authenticator (Android, iOS), Microsoft Authenticator, Authy, and Aegis (which gets a bonus point for being open source) will all work exactly the same way. Pick one and use it for all of your 2FA-enabled services. 1Password and LastPass build a 2FA app right into their password managers, so if you're already using one of them, you don't need an extra app. Because the system for 2FA apps is a standard, even if a service specifically says it uses (for example) Google Authenticator, you can use any one of these apps and it'll work just fine.
When setting up 2FA, if you are given the choice between using an authenticator app or receiving text messages, we recommend using the authenticator app.3 If the service can only send text messages, that's fine too. The authenticator app strategy is slightly more secure, but not enough that we're going to make a big deal out of it.
When you set up 2FA, you'll be shown a QR code to scan into your authenticator app, and then asked to enter the code your app shows you to confirm that it's set up right. You'll also get a list of recovery codes to download. You won't be able to access your recovery codes again later, so keep them safe and in a place where you can get to them without needing to log into an account that might require a recovery code. Storing printed copies in a safe is another good option.
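The standard behind authenticator apps is TOTP (RFC 6238), and the QR code usually encodes an `otpauth://` URI carrying the shared secret. This added example (not from the original guide) parses a constructed URI and computes codes the way any compliant app or server would, checked against the RFC's published test values; the function names and sample account are assumptions.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Constructed enrollment URI. The secret is the RFC 6238 test key, not a real account's.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()
SAMPLE_URI = f"otpauth://totp/Example:alice@example.com?secret={SAMPLE_SECRET}&issuer=Example"


def parse_otpauth(uri):
    """Parse the URI an enrollment QR code encodes, applying the usual defaults."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    params = {key: values[0] for key, values in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("enrollment URI has no secret")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm}")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": params["secret"],
        "algorithm": algorithm,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def decode_secret(secret):
    """Base32 secrets are often shown lowercase, spaced and without padding."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key, counter, digits, algorithm):
    """RFC 4226: HMAC the counter, then dynamically truncate to `digits` digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = digest[-1] & 0x0F
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(enrollment, unix_time, digits=None):
    """RFC 6238: the HOTP counter is the number of periods since the Unix epoch."""
    counter = int(unix_time) // enrollment["period"]
    return hotp(decode_secret(enrollment["secret"]), counter,
                digits or enrollment["digits"], enrollment["algorithm"])


def verify(enrollment, submitted, unix_time, window=1):
    """Server-side check that tolerates `window` periods of clock drift either way."""
    key = decode_secret(enrollment["secret"])
    current = int(unix_time) // enrollment["period"]
    matched = False
    for counter in range(max(0, current - window), current + window + 1):
        expected = hotp(key, counter, enrollment["digits"], enrollment["algorithm"])
        # Constant-time comparison; keep looping so timing does not reveal which step matched.
        matched |= hmac.compare_digest(expected, submitted)
    return matched


if __name__ == "__main__":
    import time
    enrollment = parse_otpauth(SAMPLE_URI)
    print(enrollment["label"], totp(enrollment, time.time()))
```

Anyone who holds the secret from the QR code can generate valid codes, which is why the enrollment screen and the recovery codes deserve the same care as a password.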
A YubiKey is a hardware security token that is a more secure version of the system that uses authenticator apps. (There are other hardware security token manufacturers, but YubiKey is the big one.) If you work in a sensitive industry like journalism, consider getting a YubiKey to use for your second factor. However, be aware that support for hardware security tokens is not as widespread as for authenticator apps or SMS-based 2FA.
Hardware security tokens also have the drawback that there's no way to replace a lost token, and some models — though not YubiKeys — have expiration dates. If you lose yours (or it expires) and you don't have the recovery codes, you'll lose all your access and cannot get it back. Because of this, we recommend buying two tokens in your first order, setting them both up, and putting one in a secure location as a backup. In any case, if you're thinking about using hardware tokens, get familiar with how they work and read up before diving in.
Single Sign-On is a way to use your account on one site to log into a different site. For example, if a site offers you a choice to "Log in with Facebook" or "Log in with Google", you're using SSO provided by Facebook or Google. It's also common for workplaces to use SSO internally, but that's different and we'll cover that case below.
Let's say you want to log into Etsy through your Google account. When you first click "Log in with Google", Etsy will redirect you to Google (the SSO provider), where you'll log into your Google account and tell Google that it's okay for Etsy to use your account. Once you've given your approval, Google creates a token for Etsy to access your account with, and sends you back to Etsy. When you log into Etsy in the future, it can use the token to access your account and get your info instead of storing a username, password, and other profile data on Etsy's own servers.
On the surface, this seems like a good idea. After all, if some site doesn't even have a username and password for you, how could you be affected by a breach? In reality, though, you have now linked the fate of the two accounts together and possibly allowed access to your account with the SSO provider in the event of the site having a breach — and because SSO providers like Google and Facebook tend to know a lot about you, this can be a big deal. Therefore, as a rule, we recommend creating an account on the site you want to log into rather than using SSO.
However, some websites or apps only allow login via SSO, or you might decide to use SSO for convenience in some circumstances. In this case your initial login will include a step where the site asks for certain types of information from your SSO provider. You'll have to authorize the release of that information before you can continue to log in. This is similar to your phone telling you what permissions an app will use before you download it. Don't just click through this! Ask yourself if it makes sense for the website to be collecting that information. If you don't want to release the information, abort your login.
It's a good idea to go through your account at your various SSO providers every so often and look at the tokens that are still authorized. If you see a service you no longer use or do not recognize, remove the token for that service.
As noted above, your workplace may use SSO for signing into services provided by your company. In that case, our advice is exactly the opposite: use SSO for as much as you can. The difference here is that your company controls the SSO provider and your IT department has done the work to ensure it's acting how they want it to, so consolidating your logins under a single account controlled by the company makes sense. In many cases, if your IT department has configured everything correctly, the only way to get into your corporate accounts will be via SSO.
For these steps, you'll be logging into your router and changing some settings. If you're not sure how to do that, consult your router's manual, which you should be able to download from the support section on the manufacturer's website.
Your wi-fi network should be secured with WPA3 or WPA2 (AES, not TKIP) security and a good password. (If your router has both 2.4GHz and 5GHz networks, it's okay to use the same password for both.) A sentence works well as a password for your wi-fi; it's long, easy to share with guests, and difficult to guess. If your router does not support WPA2 encryption, buy a new router — WPA2 has been mandatory on all new wi-fi devices since 2006, and wi-fi passwords on networks using WEP and WPA (the precursors to WPA2/3) are crackable in minutes with common hardware.
You'll need to log into your router's admin panel to make these changes. (You can find out how to do this in your router's manual.) If you didn't change the password for the admin panel from the default when you were first setting up the router, now is a good time to change it. Don't make it the same password as the wi-fi password.
While you're changing settings, turn off Wi-Fi Protected Setup (WPS) and Universal Plug and Play (UPnP). WPS is a feature that is meant to allow devices to automatically join wi-fi networks, and UPnP is a protocol that allows some devices (such as game consoles) to make themselves contactable from outside your network without any setup. However, both have security flaws that are hard to fix and defend against, so it's safer to just not allow your network to use them in the first place.
Check to see if there's a new version of your router's firmware and install it. These updates usually include security and bug fixes. Installing new firmware incorrectly can brick your router, so make sure you read the manual's instructions before you start. If you take this step, remember to periodically check for updates in the future as well.
DNS is the phonebook of the internet. When you text your friend, your phone looks up their phone number in its contact list and sends your message to that number, not the person's name. Similarly, when you put a URL in your browser's address bar, your computer actually needs an IP address to connect to, so it asks a DNS server to look up the IP address for that URL. The URL is like your friend's name, and the IP address is like their phone number. If your DNS server logs your activity (and many ISPs' DNS servers do), it has a pretty good record of every website you've visited.
You can change your DNS server in your router's settings, which will change it for every device using your network. There are a bunch of privacy-focused DNS servers out there, and you can see a list at https://www.privacytools.io/providers/dns/. We recommend Cloudflare for reliability (and because the IP addresses are easy to remember: 1.1.1.1 and 1.0.0.1), but any of the options on that list are good.
Pi-hole is DNS software that you install on a small computer called a Raspberry Pi (or any other server you have lying around) and hook up to your network. It acts as your network's DNS server and blocks DNS requests to common tracking domains, effectively blocking tracking for any computer on your network — which has the nice side effect of blocking a lot of ads too. Pi-hole also lets you use DNS over HTTPS, which protects your DNS inquiries from being eavesdropped on. With a premade kit, a little research, and a weekend, setting up a Pi-hole is a good project for anyone looking to boost their techie skills and the privacy of their network.
When you make a DNS request, the request is sent unencrypted and could be eavesdropped on by third parties. You can protect against this by using DNS over HTTPS (DoH), DNS over TLS (DoT), or DNSCrypt. While support for DoH is coming soon to Windows 10 and macOS 14, you can use it now if you have a Pi-hole or if you browse with Firefox (as is our recommendation — see below).
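To make the eavesdropping point concrete, this added example (not from the original guide) builds a standard RFC 1035 query, shows what an on-path observer reads from it, and then wraps the same bytes the way DoH (RFC 8484) does. The resolver URL `https://dns.example/dns-query` is a placeholder and the function names are assumptions.

```python
import base64
import struct
from urllib.parse import parse_qs, urlparse


def build_query(hostname, qtype=1, txid=0):
    """Build an RFC 1035 wire-format query (qtype 1 = A record, class IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    qname = b""
    for label in hostname.rstrip(".").encode("ascii").split(b"."):
        if not 0 < len(label) <= 63:
            raise ValueError("each DNS label must be 1 to 63 bytes")
        qname += bytes([len(label)]) + label  # length-prefixed, otherwise plain ASCII
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def observed_name(packet):
    """What anyone on the path can read from a classic UDP port 53 query."""
    position, labels = 12, []  # the question starts right after the 12-byte header
    while packet[position] != 0:
        length = packet[position]
        if length & 0xC0:
            raise ValueError("compression pointers do not occur in a question name")
        labels.append(packet[position + 1:position + 1 + length].decode("ascii"))
        position += 1 + length
    qtype, _qclass = struct.unpack(">HH", packet[position + 1:position + 5])
    return ".".join(labels), qtype


def doh_get_url(resolver_url, packet):
    """RFC 8484 GET form: the identical bytes, base64url-encoded without padding."""
    encoded = base64.urlsafe_b64encode(packet).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def doh_payload(url):
    """Reverse the encoding; possible for anyone who can see the URL."""
    encoded = parse_qs(urlparse(url).query)["dns"][0]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


if __name__ == "__main__":
    query = build_query("www.example.com")
    print("bytes on the wire:", query)
    print("observer reads:   ", observed_name(query))
    print("DoH request:      ", doh_get_url("https://dns.example/dns-query", query))
```

The base64url step is encoding, not encryption: the privacy gain comes from the HTTPS connection carrying the request, and the resolver at the other end still sees every name you look up.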
For most people's personal use cases, we don't recommend a VPN as a way to step up your privacy or security. You can read why at Privacy Tools' article about VPNs, but the gist of it is that most web browsing is already protected from prying eyes by HTTPS (which we'll talk about later in the guide) and our other recommendations take care of most of the other concerns. In our opinion, using a VPN for privacy is like wearing a poncho over your rain jacket in stormy weather.
However, if you do decide you need a VPN, do your research, look for independently audited providers, and above all, avoid free VPN providers. Free VPN providers make money by logging your actions and selling those logs. Remember: if you're not the customer, you're the product.
Your employer might provide a VPN as a way for remote employees to access resources on their local network — that's a different use case than what we're talking about here. Your employer's VPN won't magically make your connection more private or secure, and in fact, you should keep in mind that (depending on how it's set up) all your online activity while using it will be visible to them while you're connected to the VPN. Basically, it's about the same as connecting from your office network.
This section is about securing your Windows or macOS computer. Some of this will also apply to computers running Linux or Chrome OS, but we'll be focusing on the big two here.
The easiest thing you can do to make your computer more secure is to make sure that all the user accounts on your computer have a password. This is one of the few passwords that you'll have to remember; most password managers can't help you log in. You should do this even if the computer never leaves your home, especially since this password can also be used to encrypt your data — see below.
While you're setting up your account's password, have a look at what other accounts are on your computer: if there are any accounts you don't remember setting up, or if the "guest account" option is on, consider whether you still need them, and disable or delete them if you do not. If anyone else regularly uses your computer, make them an account of their own.
You should also set the computer to go to screensaver or to sleep after a short period of inactivity — say, 5-10 minutes — and get in the habit of locking the computer whenever you stand up or walk away. On Windows, locking is easy: just hit Windows + L. On the Mac, you can hit Control + Shift + power button4 or set a hot corner in the Screen Saver preferences. If you have a Mac with a Touch Bar, you should add a lock button to the Touch Bar instead and use that.
Microsoft and Apple put out updates for Windows and macOS frequently, and those updates often contain fixes for security holes in the operating system. Although that update popup never really comes at a good time, it's also very important that you keep your operating system up to date. Don't go longer than a week without installing those updates!
This advice is specifically for updates to the same version of the OS you're currently running. It's usually okay to wait to upgrade your OS to a whole new version for quite a while.
In days of yore, it was necessary to have malware scanners installed on your computer to detect and remove malware that found its way onto your system. However, these days, both Windows and macOS have built-in malware scanners, so no additional anti-malware software is needed. This one's a freebie — no work needed on your part! On Windows, this scanner is called Windows Defender; on the Mac it's called XProtect. Both work automatically under the hood, scanning away while you use your computer.
It's worth noting that third party anti-malware software can sometimes get in the way of the built-in scanner and cause false positives. If you have Norton Antivirus or something else installed on your computer, we recommend uninstalling it and depending on the built-in scanners instead.
Consider your data backup situation — what is your plan in case your computer crashes or gets water spilled on it? A good backup situation needs to be more than "I move data to an external disk every once in a while"; it needs to happen on a regular basis and, preferably, automatically. It's also best if the backups are offsite, so a cloud backup service is a good choice. We have used Carbonite and Backblaze for offsite backup, and recommend them. If you're on macOS, iCloud offers a remote backup service, which is convenient but we're not wild about it — we think it's a better choice to use a service that exclusively focuses on backups.
When you set up your online backup, be sure to use the option to encrypt your files before they leave your computer.
If you want to go further, the best advice for backups is called the "3-2-1 strategy": 3 copies of your data, in 2 devices, with 1 offsite. In general, this means you'd have the data stored on your computer, your convenient onsite backup drive, and an offsite, automatic backup.
What's the point of locking your computer down with passwords if someone can remove your hard disk and connect it to their own computer? Both Windows and macOS have built-in tools to encrypt your hard drive so a password[5] is needed to read the disk. On Windows, this functionality is called BitLocker; on macOS, it's called FileVault. Both are easy to enable and configure. Be sure to write the recovery key down and store it someplace safe, preferably printed or written on paper, just in case you forget the password and need to unlock the disk!
Now let's look at your Android or iOS mobile devices. If you're using a device with some other OS, the same principles apply, but the details may be different.
You'll be shocked to learn that our first recommendation is to add a password to your device! As usual, longer is better, but especially on phones, passwords can be difficult to type. Both Android and iOS have the ability to configure numeric passcodes of any length you choose so you get the security of a longer code with the ease of entry of fewer, larger buttons. On Android, this is the "PIN" screen lock. (We don't recommend using the "Pattern" unlock, as it's too easy for someone to learn your code by looking over your shoulder.[6]) On iOS, you'll need to choose the "Custom Alphanumeric Code" option when setting a new passcode. This will let you set a passcode using both letters and numbers, but if you only use numbers for your code, iOS will present the numeric keypad when you want to unlock your device instead of the full keyboard.
Biometric authentication (via fingerprint, face, or iris recognition) can be very convenient! But there may be a legal difference between these methods of unlocking your device and a passcode or password. In the United States of America, the Fifth Amendment to the Constitution protects you from being forced to reveal self-incriminating information. Most jurisdictions in the US consider forcing you to reveal your passcode to be self-incrimination, but allow forcing you to operate a biometric unlock. The analogy is, broadly, that if you were searched and a key to a safe was found, the authorities can use the key to unlock it; if that safe required a combination to unlock, they cannot force you to tell them the combination.[7]
Note also, though, that the absence of biometric unlock can't prevent authorities from trying to break into your device or holding you in jail until you reveal the passcode. Because of this, the authors of this guide recommend using passwords over biometric methods wherever possible. It is worth reiterating, though, that the authors are not lawyers and this is not legal advice; if this may be an issue for you, please consult your own legal professional. Also, laws and the interpretations thereof change; this is current case law as of January 2021.
Phones are usually pre-set to call themselves "Jane's Phone" or something similar, based on how you first set them up. That name is then broadcast over Bluetooth and, if it's an iOS device, AirDrop, where other people's devices can see it. There's no need for strangers to find out your name just because they're nearby, so go into Bluetooth and AirDrop settings and change your phone's name to something less identifiable.
You should also make sure your phone's Bluetooth isn't scanning by default (so that it won't broadcast its name) and, if it's an iOS device, set AirDrop to "contacts only" or "receiving off".
Use Signal for personal messaging when at all possible. Of all the messaging apps out there, Signal is the only one that has provable (open source[8], tested) encryption and also isn't run by a big company with a central key repository that can let governments read your messages.
None of the alternatives live up to this standard. SMS text messages are totally unencrypted. iMessage is encrypted, but Apple controls the encryption keys and you have no way to know who can access them. Google's Hangouts messages are not encrypted before they leave your device. WhatsApp is owned by Facebook. Telegram uses home-grown, unproven encryption. (For more information about this, check out Privacy Tools' page on messaging apps.)
We also advise you to try to get your friends and family to use Signal as well. If you and the person you're talking to are using Signal, then your messages will be encrypted. If you're on Android and set Signal as your default text message app, and the person you're talking to isn't on Signal, your messages are sent as normal, unencrypted text messages.
We should note from a privacy perspective that, like a lot of messaging apps, if someone already has your phone number in their contacts, you may automatically show up if they install Signal. We're not worried about the way Signal has implemented this, but rather it may be jarring to know that someone can find you on Signal just because they have your phone number. Fortunately, Signal's block feature also works quite well, and they are also actively working on a way for people to have Signal accounts that aren't attached to a phone number.
Keep your device up to date! Like your laptop and desktop, and for the same reasons, you should install updates within a week of them showing up. In addition, make sure you update your applications regularly as well. Usually this happens automatically, but it's worth it to go into the Play Store (on Android) or the App Store (on iOS) every so often just to make sure.
Look through all the apps on your device. If you're done using an app for a while, uninstall it. There's no need to have excess apps cluttering up your settings screens and sharing options, and the fewer apps you have, the fewer avenues for vulnerabilities your device has. Both Apple's App Store and Google's Play Store remember what apps you've downloaded and purchased, as well as any in-app purchases you've made, so if you want to reinstall them later, you'll be right back where you were.
As you install and use apps on your device, they'll ask for various permissions. Don't just click through these — think about each one and see if it makes sense! If it doesn't seem like something the app needs, deny it.
Use these examples, taken from real-world apps, to help you think about what kind of access you want to give someone else's app on your phone: A map app probably needs location access, but why would it need to record from the microphone? Do you want to give that fitness app access to your contacts, or would you rather manually add the friends that get to see your gains? That camera app you just downloaded needs access to the camera, sure; should it have access to your location or address book?
You can set these permissions based on how you intend to use each app, and you can always change them later if you want to use a feature that does require that permission. It's also a good idea to occasionally review what permissions you have given to various apps to make sure they still make sense.
Similarly to application permissions, you should occasionally look at what Bluetooth devices are paired with your phone and remove any you don't use anymore or don't recognize. You're probably going to do this while you're waiting at the DMV or something, so go ahead and prune your wi-fi network list while you're at it.
Yep, if your car is reasonably recent, it counts as a device. Many modern cars can connect to your phone via Bluetooth and have built-in GPS-enabled computers. Some of them even have built-in cellular internet or the ability to run apps on your phone. Their software also gets updated infrequently (if ever) and so can't nimbly patch security vulnerabilities like computers, phones, and tablets can.
Because of this, there isn't a lot you can do at the Half-Day Security level other than be aware of what's going on in your car. Do what you can to make sure the car only has access to the data on your phone you want it to, and if you sell your car, delete your personal data (including contacts, texts, GPS history, and stored GPS locations) first.
If you're using a rental car, it's much the same: remember to remove your phone and its associated data from the car before you drop it back off. You don't know who's going to get the car after you, and you don't know how much data the car has stored from your phone. (Even better, don't connect your phone to a rental car via Bluetooth if you can help it.)
The "Internet of Things" is a catch-all term for devices in your house that connect to the internet (and probably don't need to). The variety of these devices is vast, including smart thermostats, color-changing lightbulbs, smart speakers, refrigerators with web browsers, and even miniature home-surveillance drones.
Their potential for security vulnerabilities is also vast, so every one of them needs to earn their place in your home. Few of these devices are made with privacy or security in mind, and even fewer will ever get updates if a bug is found. Since these devices are often controllable over the internet, that means that a vulnerability can expose your home network to the entire world.
Many of these IoT devices also have vague or confusing privacy controls, if any exist at all. And many of these device manufacturers are new, small companies whose business plan is explicitly to get bought by a larger company like Google, Amazon, or Microsoft, at which point any previous guarantees about your data privacy go out the window.
Basically, you should consider each of these devices to be a tiny computer you don't have control over and can't update, hanging out on the same network your laptop and phone are on. Therefore, our blanket recommendation is: avoid buying smart devices.
We know that this is a hard line to take, and it pulls hard for the security side of the security/convenience tradeoff. However, if a smart device makes a big quality-of-life difference for you, or if you've already got some in your home you're not willing to part with, then we've got a backup recommendation for you: do your research. Figure out what data the device collects and sends back to its manufacturer, and what policies that manufacturer makes about the data. Also be sure to install updates promptly and keep an eye out for changing data policies or company acquisitions. We also encourage you to implement the Three Dumb Routers setup described in the One Step Further section below. If you're going to have smart devices in your home, we'd rather you go about it as securely as possible.
If you absolutely want to have smart devices all over your home, you can mitigate the risk with a network configuration called the Three Dumb Routers network, which creates a Trusted Devices network and an IoT Devices network.[9] The Trusted Devices network hosts your computers, phones, tablets, printers, and so on. The IoT Devices network is where you put your internet-connected fridges, smart TVs, color-changing light bulbs, smart speakers, and so on.
[Image: layout of the Three Dumb Routers system.]
Because of the way routers work, it's difficult for a device on the IoT Devices network to see devices on the Trusted Devices network, so they have limited ability to cause problems. And because IoT devices are generally designed to be controlled from anywhere, you generally have no problem doing so from the Trusted Devices network.
If you want to set it up, here's how you do it. Connect your first router directly to the internet via your modem. This router will provide internet to the two other routers in this setup, each of which will broadcast a different wi-fi network. No other devices will connect to it, so you can turn its wi-fi off. Next, connect your second router to the first and use it as your Trusted Devices network. Last, connect your third router to the first and use it as your IoT Devices network. Make sure its wi-fi name and password are different from the Trusted Devices network.
If you have a smart speaker, throw it out.
Smart speakers like Alexa and Google Home sit in your house and can listen to everything you and your family say, then send those recordings back to Amazon and Google, where you have no control over who can listen to them or give them to someone else. Even with the privacy policies that accompany these devices, even with the quality-of-life improvement, even with the Three Dumb Routers approach, we think the potential tradeoffs are too high. We just don't think it's possible to confidently and securely host a smart speaker in your house — so don't.
Much like our recommendation for Internet of Things devices in general, the recommendation is to not buy a smart TV (though it's getting harder and harder to do this). Failing that, turn off the smart TV features and avoid connecting the TV to the internet at all if you can. Some smart TVs continually send fingerprints of the screen video back to the manufacturer,[10] so they can track you and send you ads. Much like smart speakers, the potential tradeoffs are too great to chance.
If the TV requires an internet connection to set up (and you aren't using the Three Dumb Routers setup), use an Ethernet cable or temporarily change the password on your WiFi before connecting your TV to it. (Don't forget to change it back!) Then, once it's set up, turn the internet connection on your TV off.
Set-top boxes like Roku, Chromecast, or Apple TV and game consoles like an Xbox or PlayStation are generally more trustworthy than the smart TV itself, or at least mean you don't have to throw the whole TV out if you decide later that you don't want the privacy risk.
If you want to watch YouTube and Netflix and all that good stuff on your TV without using a smart TV's features, you can set up a small computer (such as an Intel NUC or a Raspberry Pi) running a well-secured Linux home theater PC (HTPC) distro. Do note that this is quite the rabbit hole, as there are a lot of options available in this space.
Home security devices include security systems, motion detectors, doorbell cameras, and more. Our advice from the top of the section goes double here: if you must get one of these things, make extra sure you do your research. Pay attention to what each device manufacturer's policies say about the ownership, use, and retention of your data. You are inviting these devices into your home and trusting them to keep your family and belongings secure on your behalf, so make sure you know what they're doing.
There are a lot of new IoT-based security systems out there, but we have no opinions about any specific one. That's because neither of us has one of these systems, and we don't think they're a good investment. Instead, our recommendation is to have an expert set up a traditional keypad-based system for you. These days, even traditional systems are accessible via app, so you can still access them anywhere in the world. Traditional systems are also backed by phone lines, not the internet, so they will stay accessible if the internet goes down.
If you decide to put cameras in your house, be extra cautious. Know where the footage is being stored, and store it on-premises or somewhere you control if possible. Some systems have privacy zones that you can set on each camera so that they don't record parts of their field of view — if you have a driveway camera that happens to be able to see into your front room window, for example.
The Amazon Ring doorbell merits a special mention here. Ring has a program where local police departments can access footage from your doorbell camera through a request to Ring. And while users are supposed to be given a choice of whether to let police use the footage, courts can order Ring to release footage without your consent. Though it's possible to opt out of the program entirely, Ring doesn't make it easy. What's more, it's not clear whether a court order can still compel Ring to hand over your footage even if you've opted out. We don't like this. The data that your devices collect should belong to you, and you should get to decide who sees it.
Use Firefox as your primary browser. Unlike Google Chrome, it's not made by an advertising company that makes money from your data, and unlike the Safari or Edge browsers, it's not the default browser on your computer, so it's less integrated into the operating system update cycle and feature set. Instead, Firefox is made by Mozilla, a not-for-profit organization that has a track record of fighting for an open, private web. Moreover, Firefox is built to protect your privacy as you browse by default, and it has a thriving extension ecosystem with extensions that can help extend its privacy-preserving powers.
Firefox is available on Windows, macOS, iOS, and Android (as well as others). Install it and make sure it's your default browser on all your devices.
Here are a few extensions that we recommend you install to prevent tracking and preserve your privacy:
- Privacy Badger is a browser extension that blocks trackers. It is made by the Electronic Frontier Foundation, an organization that champions digital privacy rights.
- HTTPS Everywhere, also by the EFF, makes sure that, if possible, you are always visiting websites via secure HTTP (HTTPS), which prevents other devices on your network from seeing your traffic.
- Facebook Container isolates any Facebook activity in your browser (including Instagram) from the rest of your browsing so Facebook is less able to track you across the internet.
- ClearURLs removes tracking information and redirects from URLs you might copy or click on.
You'll note that none of these extensions are ad blockers (though a couple of them might block ads as a side effect). There is nothing inherently anti-privacy about ads, and while most website ads out there do include trackers, not all do. By blocking trackers instead of ads, you deny malicious advertisers your data and reward sites that go the extra mile to use ads that don't track you.
Optionally, if you have an iPhone, you can use Firefox Focus to block trackers while you browse. Firefox Focus is a Content Blocker that integrates with Safari and apps' built-in web views to help block trackers.
Instead of using Google for your web searches, use DuckDuckGo. Google collects your search history and uses it to power their advertising business, and they don't need any more of your data than they already have. DuckDuckGo doesn't collect any more information from you than they need to.
You can switch your browser's default search engine in the browser settings.
If you get a message from your bank or a retailer with a link to your account or an invoice, don't click the link — especially if the message was unexpected. Instead, open a new tab and navigate to the site yourself to log in.
By making a habit of this, you'll avoid phishing attacks, which is when well-crafted emails or text messages trick you into clicking a link that takes you to a website that looks just like your bank's or retailer's site but collects your username and password for an attacker instead. Some of these messages are very good and can even fool experts, but if you make a habit of signing in manually by default, you'll insulate yourself against this whole class of attacks.
Whenever you're about to put in sensitive information like a password, credit card number, social security number, etc., check the URL of the page you're about to type it into and make sure it's correct. The most important thing to look at is the domain (the part that usually ends in ".com") and make sure it is what you expect for the company or service that the page claims to be. Some modern browsers will highlight the domain to make this easier for you.
Another thing to check for is that the site is using HTTPS. Though some browsers will show a padlock or put "Secure" next to the URL when a site is using HTTPS, the best way to check for HTTPS is to look for "https://" at the start of the URL — though you may need to click the address bar to make the browser display it. This is extra important if you clicked on the link in an email or text message. (Because let's be real: you know you're not supposed to click links in emails or text messages, but you're going to anyway. So do what you can to keep it rare and be extra cautious when you do so.)
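The two checks above (the right domain, and HTTPS) can be written out as code, which also shows why the domain has to be read from the right-hand end of the host name. This is an added example, not part of the original guide; the function name `check_link` and the `bank.example`, `account-verify.test` and `login.test` addresses are constructed for illustration.

```python
from urllib.parse import urlsplit


def check_link(url, expected_domain):
    """Return a list of reasons not to type a password into `url`.

    An empty list means the address passes both checks from the text:
    it uses HTTPS and its host belongs to `expected_domain`.
    """
    problems = []
    parts = urlsplit(url.strip())

    if parts.scheme != "https":
        problems.append("not https")

    # .hostname drops any "user@" prefix and ":port" suffix and lowercases
    # the rest, leaving only the name the browser actually connects to.
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    if not host:
        problems.append("no host")
        return problems

    if parts.username is not None:
        # Everything before "@" is a login name, not part of the site name.
        problems.append("text before @ is not the site")

    if not host.isascii() or any(
        label.startswith("xn--") for label in host.split(".")
    ):
        problems.append("non-ASCII look-alike characters possible")

    # Read the name from the right: the host must be the expected domain
    # itself, or end with "." followed by the expected domain.
    if host != expected and not host.endswith("." + expected):
        problems.append("domain is " + host + ", expected " + expected)

    return problems


# Constructed sample addresses (reserved .example/.test names, not real sites).
SAMPLES = [
    "https://www.bank.example/login",                  # fine
    "http://www.bank.example/login",                   # right site, no HTTPS
    "https://bank.example.account-verify.test/login",  # real domain is at the end
    "https://bank.example@login.test/",                # host is what follows "@"
    "https://notbank.example/",                        # ends in the name, no dot
    "https://b\u0430nk.example/",                      # Cyrillic "a" look-alike
]

if __name__ == "__main__":
    for sample in SAMPLES:
        found = check_link(sample, "bank.example")
        print(sample, "->", "looks right" if not found else "; ".join(found))
```
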
Consider using multiple browsers and/or Firefox's Browser Containers extension. The ways that web trackers (including Google and Facebook) track you are restricted to the browser, so if you visit Facebook in Edge and then go to a site with a Facebook tracker in Firefox, it's harder to link those sessions together. Having multiple browsers also allows you to install different extensions; one author uses their password manager in Firefox only, so they can't accidentally log into websites in other browsers. If you want to go overkill on the paranoia, don't install your password manager's browser extension in your default browser. That way, when you click a link in an email, you'll have to think for a moment before logging in, since you'll need to open your password manager app.
Browser Containers provide much of this benefit within Firefox itself and also allow you to log into multiple accounts at the same site at the same time. However, neither of these strategies is perfect, as both browsers and all containers will be coming from the same IP address. Some linking may still be possible.
Security breaches that leak credentials and personal information are more frequent than most of us realize, and even leaks from sites you have never visited can contain your personal information, due to tracking and sharing data. If you never have, it's worth checking if your email address or common usernames have been found in a breach. (They almost certainly have.)
The best way to do this is to use Have I Been Pwned, a site run by well-known security researcher Troy Hunt that is a reliable source of information about breaches. Go to HIBP and search for your email address and usernames. You'll get a list of breaches that your email address or username was found in; for each service listed, sign in and change your password (which will be super easy because you have a password manager, right?), and check the recent activity to make sure it all looks legitimate.
Consider using multiple email addresses for different sites. If you use a "public" email in general on the web, use a "private" email to log into your bank or other secure sites. This way if someone tries to guess your bank account credentials based on information from another site, they are even less likely to be correct.
The smaller your online footprint is, the more protected you are. If you have multiple services that are doing roughly the same thing, decide if you could get away with consolidating them. For example, Dropbox and Google Drive are both ways to store and share files in the cloud. If you have both a Dropbox account and a Google Drive account, do you need both, or could your needs be fulfilled by just one?
Before you delete an account, remember to export your data from the account so that it's not lost to the abyss of the internet forever. It's also a good idea to look up the service's data retention policies — your account data might not be deleted until a while after you've deleted your account, up to several months. This isn't necessarily bad, as it means you could reactivate that account in the meantime, but it's a good thing to know.
After you've narrowed down the online services you need, check your privacy settings on each one and make sure that you're comfortable with how they're set. Many services offer options to turn off tracking or personalized ads, but they're deep in the settings and can be tough to find.
If a service offers a "privacy checkup" or something similar, start there but don't trust that it will cover everything. Always explore the settings yourself. For social media sites, review who can see what information about you and your posts, and who can comment on or share your posts.
Sometimes, in order to use an app, it'll ask you to sign into a social media account via SSO so it can use data from that account. For example, a site might want access to your Spotify account so it can make snarky comments about your listening history, or an app on Facebook might want access to your profile so it can show you what you'll look like when you're 90. As part of your privacy checkup, look at what apps you've connected to your services (usually under a "connected apps" heading) and if you don't need them anymore, delete them. Even better, once that app is done making fun of your most-listened playlists, revoke its access immediately.
We hope you found our recommendations helpful! Our goal is to make you feel more secure, and make sure you know how to safeguard your data. We think everyone should have some basic internet privacy literacy, and hope that this guide was a step in that direction for you.
If there's something we missed, you have a question, or think this document needs an update, you can contact us at half‑day‑security‑[email protected].
Footnotes
- We used to recommend LastPass, but after their November 2022 data leak and, maybe more importantly, their public announcements around the breach, we have removed that recommendation. Our current recommendation is to export your data from LastPass and pick a new password manager, and if you were using LastPass, to consider changing important passwords.
- If you prefer to listen to audio explanations, Tom Merritt has a 9 minute podcast episode about Multi-Factor Authentication.
- Google also has a two-factor authentication system where, if you have an Android phone, it will pop up a screen on your phone asking if you're signing in. This only works for Google apps, but it's also a valid choice if you want to use it. Apple has a similar system that pops up a code on iOS devices and Macs when you sign into Apple services.
- On older Macs or external keyboards, use the Eject button; on Mac laptops with a Touch Bar, use the Touch ID button at the top right.
- The OS's disk encryption is usually configured to use account login passwords, so there's no need to remember another password.
- See, e.g.:
  - Court rules against man who was forced to fingerprint-unlock his phone
  - Virginia judge: Police can demand a suspect unlock a phone with a fingerprint
  - Federal, state court rulings on whether biometrics protected by Fifth Amendment get murky
- "Open source" means that the source code for the program is available for anyone to see. This is especially good for security-related apps because it means that even people outside the company that made the app can check to make sure it's not doing anything unexpected.
- See, e.g.:
- See, e.g.:
  - Smart TVs like Samsung, LG and Roku are tracking everything we watch
  - Some Smart TVs Watch What You Watch
  - In Defense of Dumb TVs.