The Personal Security Checklist (github.com/lissy93)
253 points by mcrump on April 4, 2022 | 112 comments



> You could store [2fa backup codes] in your password manager

Aaand we're down to single-factor authentication: your password from your password manager plus your backup codes from your password manager.

I do recommend a password manager, but not to keep would-be-two factors in one vault.

Also the very first item in the guide makes a blanket statement about dictionary words being really crackable. I forgave that one for simplification reasons (reality: passphrases are equally secure if you use enough random words, just like using a password with enough random characters), but I've now read the recommendation for 3 points and 2 are bad and mediocre advice.


> Aaand we're down to single-factor authentication

We're not, not really. The only single password that can unlock 2FA is that for the password manager, but most phishing attacks I'm aware of target the specific services, not password managers, since it's usually way easier to fake a banking login. Good password managers will have dedicated apps, so entering that password on some janky website is not something victims will be used to, plus there should be something 2FA-ish as well (biometrics on an iPhone etc.), so that particular password should be considerably harder to get ahold of than most. That doesn't protect against a fully compromised device, but that's not something 2FA is very effective against anyway. I'd say it's good enough for now.

Perfect shouldn't be the enemy of the good; security is always a trade-off between less-than-perfect alternatives, and the obvious alternative for lots of people will be a .txt on their Desktop or in their Dropbox or even an email to themselves, or no 2FA at all. I've been told that no attacker would find one person's password list since they disguised it as an email draft, who'd think to look there? Putting backup codes in one's primary 1Password vault doesn't fare that badly against those.

> I do recommend a password manager, but not to keep would-be-two factors in one vault.

A separate vault means another password, where do you keep that? It'll be needed very infrequently, so it's easy to forget, especially under stress. Also, you'll want to make sure you have it when you're seven timezones away and just lost your phone, since vacation is prime phone-losing time and also a time when you might have to get at your emails really urgently, e.g. for travel documents; that's also a situation where printing out backup codes on paper might bite you if they stay behind at home. I'm not even sure how I'd set this up, afaik 1Password (Cloud) and LastPass don't support vault-level passwords.

This is a surprisingly little-discussed problem outside of corporate. And when it is discussed, many knowledgeable people view personal security through a corporate security lens, which isn't very practical, making this an IMO pretty underserved niche. I've discussed this with lots of people and I'm still not aware of any silver bullet solution, but the recommendation from TFA seems like a decent compromise for a sizable cohort, especially younger people who aren't comfortable with paper documents and/or are highly mobile.


> We're not, not really.

We are, by definition, down to single factor if you store the codes in the password vault. The argument wasn't that therefore the system is weak, it is just that the point of having a second/third factor is to add something that isn't already present in an attack against a system.

One example would be that you leave your desk momentarily with your password vault unlocked and someone decides to quickly use your account to login to some system. Single point of failure. If you had the codes on a cellphone instead, firstly there is more of a chance that you would have taken your phone with you but even if you didn't, that "attack" now needs to access your phone as well.

Not all attacks are strangers and not all are malicious, just somebody elevating their privileges via your status is an attack in the broadest sense, even if they did it for respectable reasons.


> We are, by definition down to single factor if you store the codes in the password vault.

Agreed, I should have worded that differently, that was just asking for someone to nitpick. But I don't think that detracts from my wider point.

> One example would be that you leave your desk momentarily with your password vault unlocked and someone decides to quickly use your account to login to some system.

TFA is talking about personal security, which I read as "private life security", not "workplace security for a software engineer on their work laptop in a semi-public space". That would be a much more high-value target with a very different threat landscape that warrants more effort to be spent on security (supported by security teams, on paid time, and having above-average security expertise).


I keep multiple password manager "vaults" (with Keepass) for multiple services. All of them have long passwords. Every morning, I will recall the passwords in my head to make sure I remember them, and on a schedule I'll log into the rarely used vaults just to ensure that access is working properly. The same goes for the passwords that I keep in memory as well (for email etc. where I may need to use a public computer in an emergency without my password manager or personal device available), bank PIN, important phone numbers, and so on.

The idea is to recall the passwords so often (many times daily to start, then daily when it's stuck in your mind) so that you can do it in any circumstance while under stress. Of course this doesn't excuse the need for a secure backup of those crucial passwords somewhere, but at least the chance of forgetting them is next to none.


> Of course this doesn't excuse the need for a secure backup of those crucial passwords somewhere

Sounds like you need a password manager manager!


Yeah I use Keepass to store those as well.


> but not to keep would-be-two factors in one vault.

So where? Having them physically spread around my house? In my PO box? Each has been cracked before, or they are lost all the time (even by a simple fire).

What can an average person do better than remember one strong password?


Yes, stored at your house is fine for most people. There's a big security jump between "needing your password" and "needing your password plus having to steal something from your house."

There's also a big jump between "stealing something from your house" and "stealing something from your house plus figuring out your password."


That makes it impossible to get into your email if you use your phone on vacation, though.


A decent tradeoff for that case is to use your phone as the "something you have," with backup codes stored somewhere reasonably secure.


My recommendation for keeping second factor key material would be on a supported smartphone and make backups of that device (I use termux and restic but anything goes here, so long as your desktop can't get at the data). The app isolation makes it a lot harder to get at data compared to when malware makes it onto your desktop. Most people also don't have full control of their phone from their desktop and vice versa, making them independent devices where the compromise of one doesn't compromise the other - even if you have photo sync and remote wipe, you usually can't simply get app data.

I looked into different apps for a family member (I don't have a secure phone myself because I use the hardware longer than there are updates, so I don't use this personally) and the winner at the time, this was 2017 or so, was Keepass2Android. This is considering both usability and security, but mainly security - I'd probably not be able to teach my grandparents how to use this.

An alternative specifically for codes that you should never need is indeed something like a bank vault, or using Shamir's Secret Sharing Scheme to split it up and give one part to a friend in addition to your own share.


But then, once a phone gets lost, how do you recover those second factor keys? Or do you mean to have an encrypted backup but the "active usage" is on another device? If so I agree and do the same.


I keep my recovery keys encrypted with a different password on my desktop. You could also export the 2FA codes from some apps.


Where do you keep that password? Rarely-used ones are easy to forget after all.


I love this comment and this thread. It is literally what happens in my head every time I need to sign up to a new site (having an existential security crisis). Good to see I'm not the only one!


Yeah it's definitely a valid concern, though the considerations for different solutions are a bit too elaborate for me to type out on mobile atm. Some ideas

- regularly testing backups also ensures you still have the key material

- Shamir's Secret Sharing Scheme, in combination with putting it on paper or multiple devices or...

- bank/company vault

- hardware security token

- give the master keys to the company's master (some tech director) and make it someone else's problem, if you want to be evil :)


I thought we were discussing personal (i.e. non-work) security? At least that's what TFA appears to be about. Besides, Shamir's Secret Sharing can be outright dangerous even for companies, I really wouldn't recommend that to any private person.


> What can an average person do better than remember one strong password?

Use as 2FA a physical U2F device which is itself protected by an HSM and a PIN and erases itself after 3 failed attempts (which, granted, comes with its own problems if you lose it / forget your PIN / have it stolen).

It's kinda a big fraud that Yubikeys have been "sold" as the be-all / end-all of 2FA when they are, themselves, not protected by a PIN (for cost reasons and cost reasons alone: there's no way on earth a PIN-less Yubikey is better than a U2F device protected by an HSM+PIN, but that costs way more to build). And here you'll get the ultimate argument: "you have to understand the threat model" / "this is not the threat model a Yubikey defends you against" etc. Oh really? Then why do we now have Yubikeys protected by fingerprints? Did the threat model change or what?


Threat is not the only factor. The control (entering a PIN) has a cost (it's tiresome) and only a certain risk reduction value (if they can steal my key, they can probably steal my PIN).


Despite its shortcomings, I value the attempt to generate this list and thank the author for it. Moreover, it's on Github so issues and pull-requests can be created, and the list can be improved.

Even though a lot of the advice will be sound for pretty much all time, unless this kind of list is maintained in this way it would grow very stale very quickly.


Yeah, I would expect a smug, persnickety dismissal from HN folks. But it's largely GOOD advice and we need more of this kind of thing going around.

When trying to find advice for personal cyber security by googling around, you get a wild range of material ranging from simplistic listicles, to paranoiac rantings, to BS marketing slick from entities trying to sell stuff. It's hard to find solid advice with actual reasoning behind it.

Would a normal person (who is not a target for nation-state actors) be in very good shape, cyber-security-wise, if they followed the "recommended" advice in that checklist? I say yes-- even if they put their 2FA backup codes in their password manager!


A typical password manager is two factors: something you have (the password database) and something you know (the master password).


By that logic the password itself is two-factor, because you need the database password as well as the database file to obtain the target password. I definitely see where you're coming from, but I'm not sure why you'd still bother setting up 2FA with backup codes then if you already consider the password itself 2FA?

A higher security level, which isn't needed for everyone indeed, would be to have these two things (where you have your password database unlocked, usually multiple times a day, and the second factor secret codes) in independent locations. This can also be two VMs if you keep the host encrypted and very secure for example. I assumed people with 2FA wanted to achieve a bit higher security level than all eggs in one basket. (None of these things beat a wrench attack of course.)


A typical password manager is BitWarden or LastPass which is on the cloud and only requires your master password.


Precisely because of that I use a different solution: Dropbox + KeePassXC. If someone wants to access my passwords, they first have to get into my Dropbox account, then get the password to the KeePass file. At this point that level of security is good enough for me.

Edit: typos.


If cloud-based password managers are set up without using a keyfile or something similar, then I agree, they're single factor. I suggest refraining from using such password managers for this reason.


You can set up LastPass and 1Password Cloud with second factors like USB security keys


That's just not true, most pw managers allow setting up MFA.


My LastPass requires master password + yubikey


> statement about dictionary words being really crackable

Every time I see this statement I immediately think: which dictionary? There are more languages than the usual suspects (eg English, Spanish, French, Italian, German, Mandarin) and L1/L2 speakers of those make up a sizable portion of internet users. Are Welsh/Hungarian/Slovak dictionary words really as easily crackable as English ones? If you have a dictionary for those, yes, otherwise I suspect no.


If the hash is weak enough that you can afford massive wordlists like crackstation [1], then yes, those words will be in the list.

[1] https://crackstation.net/crackstation-wordlist-password-crac...


So, yes.


Individual words then are easily crackable.

But, take 3 long dictionary words chained together...easier to remember and more secure than a shorter randomly generated string.

E.g. postcriptaluminumengagement vs kug45l2wx

Or are there also dictionaries that contain combos of words?! (Would be rather a large dictionary).


> E.g. postcriptaluminumengagement vs kug45l2wx

If you pick from a dictionary of 250,000 words, that is around 18 bits. So three randomly chosen words strung together give you around 54 bits. On the other hand, an alphanumeric character is around 6 bits, so 9 of them strung together is about 54 bits.

Assuming your dictionary was 250,000 words, both of the passwords you posted were about the same quality (until you posted them - now they're again about the same quality, but much less).

> Or are there also dictionaries that contain combos of words?!

Your software just concatenates words and other well known sequences (123, zxcvbn).

Check out the great password entropy checker called zxcvbn:

https://github.com/dropbox/zxcvbn

https://dropbox.tech/security/zxcvbn-realistic-password-stre...

https://www.bennish.net/password-strength-checker/

(Note: don't enter production passwords into random websites, needless to say...)


3 words is not enough usually, but it technically depends on the dictionary size. Since the formula is dictsize^numwords, adding a word to your phrases is a lot better than adding a thousand words to your dictionary (also because of diminishing returns above ~5 thousand words).

Iirc 6 words is a good size for most dictionaries or 7 words for diceware, but I might be off by one so please look around. I remember posting it on the security stackexchange site (I'm currently on mobile, not logged in or I'd look it up in my user) and I'm not the only one who's done this calculation. It also depends on what security level you need (e.g. should it prevent offline brute force or only online brute force).
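The entropy arithmetic in the two comments above (about 18 bits per word from a 250,000-word dictionary, about 6 bits per alphanumeric character, dictsize^numwords, and the 6-word / 7-word sizes), worked through as an added example that is not part of the thread. The 250,000-word and Diceware sizes come from the comments; the 90-bit target and the guess rates are hypothetical round numbers chosen for illustration.

```python
import math

# Alphabet sizes: the first two are taken from the thread, the third is a-z, A-Z, 0-9.
DICTIONARY_WORDS = 250_000   # dictionary size assumed in the comment above
DICEWARE_WORDS = 7776        # 6**5, the size of a standard Diceware list
ALNUM_CHARS = 62

# Hypothetical guess rates, labelled as such: a throttled online login
# versus an offline attack against a weak (fast) hash.
ONLINE_GUESSES_PER_S = 1e3
OFFLINE_GUESSES_PER_S = 1e10


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy contributed by one symbol chosen uniformly from the alphabet."""
    return math.log2(alphabet_size)


def phrase_bits(dict_size: int, num_words: int) -> float:
    """Entropy of num_words words chosen uniformly and independently.

    This is log2(dict_size ** num_words), i.e. the dictsize^numwords formula
    from the thread, expressed in bits.
    """
    return num_words * bits_per_symbol(dict_size)


def words_needed(dict_size: int, target_bits: float) -> int:
    """Smallest number of random words from dict_size that reaches target_bits."""
    return math.ceil(target_bits / bits_per_symbol(dict_size))


def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a secret of the given entropy: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second


def compare_schemes() -> dict:
    """Reproduce the comparisons made in the thread and return them for inspection."""
    return {
        # 3 words from 250k vs 9 alphanumerics: both land near 54 bits
        "three_words_bits": phrase_bits(DICTIONARY_WORDS, 3),
        "nine_alnum_bits": 9 * bits_per_symbol(ALNUM_CHARS),
        # adding one word beats adding a thousand words to the dictionary
        "four_words_bits": phrase_bits(DICTIONARY_WORDS, 4),
        "three_words_bigger_dict_bits": phrase_bits(DICTIONARY_WORDS + 1000, 3),
        # word counts needed for a hypothetical 90-bit target
        "words_for_90_bits_dictionary": words_needed(DICTIONARY_WORDS, 90),
        "words_for_90_bits_diceware": words_needed(DICEWARE_WORDS, 90),
        # why online-only and offline thresholds differ so much (54-bit secret)
        "online_days_54_bits": expected_guess_seconds(54, ONLINE_GUESSES_PER_S) / 86400,
        "offline_days_54_bits": expected_guess_seconds(54, OFFLINE_GUESSES_PER_S) / 86400,
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name:32s} {value:,.2f}")
```

Running the block shows the two example passwords from the thread at roughly equal strength (about 54 bits each), and that the hypothetical 90-bit target yields exactly the 6-word and 7-word sizes the comment recalls.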


Why are you assuming the adversary knows what dictionary is being used?


Because there are only so many words in the world and an English person isn't going to use a Dutch dictionary. At that point it's going to be harder to remember than just random characters of the same entropy.


Gone are the days of huge generic dictionaries, a small tailored dictionary with a proper ruleset will pick off 3 word phrases with ease.


Exactly. I don't have to speak any of the languages on wikipedia to use wikipedia as dictionary for cracking. You can have every quote from every book, every place name, every wikipedia article, every song lyric, and a cheap GPU can buzz through it all ... fast.

Kind of breathtaking that we have that power now, and kind of terrifying.


This is exactly what I did for a research project in school: download Wikipedia, extract all combinations of iirc 2-5 words, do a few transformations like adding a lowercase variant and space-less variant, and run that set against the LinkedIn sha1 password dump. Quite effective for cracking passphrases that weren't randomly chosen words but an existing phrase.


> Aaand we're down to single-factor authentication

Not necessarily: if your password manager requires more than one factor to access, then there's still no way to access the service with only one factor.

This might be standard MFA to login to your password vault, or in the case of 1Password, the vault's encryption key _basically_ serves as a second factor, so long as you never save it digitally (and print it instead).


Someone else posted the same remark 4 hours before you, one comment down. To not repeat the same conversation, please refer to there: https://news.ycombinator.com/item?id=30904892


Agreed. The second factor is merely a protection to login on untrusted browsers. And you probably don’t install your password manager there.


> Aaand we're down to single-factor authentication: your password from your password manager plus your backup codes from your password manager.

Couldn't you store your 2FA codes and passwords and backups (theoretically everything) in a password manager (ex. bitwarden), encrypted, salted, hashed and all of that with a strong and complicated password AND hardware 2FA (ex. yubikey) and be better off than separating it out? All of your data is extremely secure, can be managed in one place, and you aren't gonna lose your 2FA codes if your phone randomly breaks. I think for the average user this strategy is the best middle ground for security and simplicity


Does it matter if you have two factors in your vault, but secure the vault itself with two factors?

I secure my vault with 2 factors, therefore any attacker would

1. have to access my vault in the first place
2. find the first factor
3. find the second factor

Technically accessing the vault+password itself would already be a two factor scheme.



I'm glad I saw this, it looks like an excellent resource.

However, I can't help but feel a bit of despair while looking at it. There is so much stuff to do / know about, that it's incredibly far beyond what the average person could understand, let alone follow. Most people won't get close.

I'm capable of doing everything described (and I follow a good chunk of it), but I have hundreds of accounts. The sheer effort required to thoroughly roll out these protections for just myself (let alone my less-technical-than-myself technical family) across such a large digital surface area makes it seem an insurmountable task.

Maybe what I need is a service that can automatically audit my networks / devices / accounts and give me security health scores, give me 1-click paths to enable protections, or even auto-fix security gaps. But that sounds like dropping an enterprise security blanket on my digital life, and any system capable of taking care of this for me is another single point of failure whose compromise would be catastrophic. Convenience and security must be inversely correlated.


It's better to start late than never. You probably have only a handful of high-value accounts. Emails, hosting, domain names, utility providers, social media.

Then you can focus on anyone who has your private data. E-shops and such that store your address. Realistically those can be pretty damaging if they get breached - even if your password doesn't leak in plain text, your name and address would be up for grabs.

But think about adopting the habit of gradually building up your discipline and addressing old issues as you revisit old accounts.


This so much. It's good it's all in one place, but come on, it's a checklist of four whole screens.

I would prefer a minimal checklist instead: what measures give you the most (security) bang per buck (effort spent)?


This doesn’t talk about real world adversaries, only hypothetical countermeasures. It would be more useful to know how I’m likely to be attacked, not how to protect against every threat the author could possibly think of.

For example, I want to know where the villains actually go when they want to dox someone. Then I can dox myself and do something about it. I have no idea where to start and wouldn’t want to pay money to criminals to get it.


Assuming you are a US citizen, you likely have no need to worry about FVEY [1] targeting you unless a judge has been convinced you are a very bad person and issues a warrant.

You do have to protect against cyber-criminals and potentially other nation state actors like Russia, China, Iran and North Korea. These groups do not control infrastructure (like FVEY) and have a harder time targeting you. BTW, this is why FVEY are so determined to keep China out of 5G networks (they don't want to share).

To gain access to your things, these attackers typically rely on phishing emails and social engineering attacks. They try to convince your bank or cellular provider, etc. that they are you and then do bad things with, or to, your accounts.

The best protection against this is 2FA (Yubikeys and TOTP) and process isolation. Run a reasonably secure operating system (such as Qubes) to isolate your digital life. Be sure to do your online banking in a qube of its own separate from your email qube and your random web browsing qube. And avoid phone or email based 2FA when you can.

That's about it. If you do that, you'll probably be fine.

[1] - https://en.wikipedia.org/wiki/Five_Eyes


> Assuming you are a US citizen, you likely have no need to worry about FVEY [1] targeting you unless a judge has been convinced you are a very bad person and issues a warrant.

IIRC part of the snowden leaks was that US intelligence agencies used data gathered about US citizens by GCHQ (and the other five eyes members) and occasionally asked for more targeted gathering. I don't think it's as easy or straightforward as you make it out to be.


This. Browser based password saving is only a threat if device theft is a concern. The GitHub repo clearly doesn't understand threat models or convenience-to-risk ratios.


This is a great instinct and I recommend everyone do this.

There's a ton of resources on this, unfortunately subject to this predictable effect where spam proliferation easily overwhelms your ability to discover useful resources in a reasonable time period.

Michael Bazzell has a book on OSINT (and a blog/podcast) which I can recommend for an initial dive. Good starting point for action would be his data broker checklist.


The real villains will have access via gov agencies to make emergency data requests to tech companies.

Maltego can also be used to pivot on any info you already have to collect more. I'd say the best you can reasonably do is to use this to find your trails and remove them or worst case obfuscate it with noise.


> The real villains will have access via gov agencies to make emergency data requests to tech companies.

The real villains are those entities which are not you. Survival of the fittest.


Also good: "The SaaS CTO Security Checklist [Redux]" https://github.com/vikrum/SecurityChecklists

"The Personal Infosec & Security Checklist" https://www.goldfiglabs.com/guide/personal-infosec-security-...

"The DevOps Security Checklist Redux" https://www.goldfiglabs.com/guide/devops-security-checklist/

... Years ago, I helped develop a checklist app for a hospital (in Python and JS at the time).

TIL checklists usually are justified, and may be the only process for collaboratively improving process controls that a healthy organization handling feedback has established; who gets to send PRs to the checklist, and what criteria should be applied such that evidence-based variations of process are objectively tested?

"Post-surgical deaths in Scotland drop by a third, attributed to a checklist" (2019) https://news.ycombinator.com/item?id=19684376


The flaw with this list is that it treats all risks as equally likely and does not distinguish between various threat landscapes.

Few people are high value enough to merit the effort required to capture a face from CCTV, generate a mask from the image, get physical access to their device, and use the mask to unlock. So for almost everyone, faceid is fine.


More common associated risk: Police detain you and point your phone at your face to unlock it (or unlock your access to some other resource).

That is not a very high-tech or high-effort attack and could be relevant if you're concerned about the police.

Someone might say that this concern is useless because the police can also coerce you to unlock your phone via a different method, but that depends on the law and culture in your particular environment (I guess ranging from "extremely unlikely" to "almost certain" depending on where you are).

Edit: I don't mean to disagree with your overall point that understanding the threat landscape and threat model is very important, just to say that there is a very simple and plausible threat to which the precaution you used as an example can be relevant.


If you press and hold both the lock button + the volume up button long enough to open the power-off screen, it will disable faceID (on iPhone) until you enter your passcode again.

Handy to know and easy enough to do discreetly in a pinch.


I know I've posted this a lot of times, so I'm sounding like a broken record, but you won't get a chance to do it. When the government came for me they pointed a loaded gun at my head. There was no way I could have moved my hands to start fannying around with my phone. I refused to cooperate when they threatened me, but they soon realized a new tactic and threatened my wife. You're probably tougher than you think. You might be able to take a spanner to your knee caps, but if the government puts a gun to your spouse or children (or even your dog), what are you going to do then? Certainly in the USA at least, I don't think the police are committing any misconduct by telling you they are going to take your wife outside and shoot her in the face if you don't give up your fifth amendment privilege.


Clicking the side button five times will do the same


Pressing the power button five times in quick succession does the same - another handy trick.


On my phone pressing the power button five times quickly starts a 10 second timer and then it auto-calls emergency services and I'm pretty sure this is the default.


I always feel that this should be promoted more. Simple but effective in sticky situations…


Definitely a good threat I hadn't considered. I imagine from someone who is less educated about technology in general, having a list of "example threats" that those items might protect against would be beneficial to help offer some more incentive to follow this list other than just "Good Security".


I agree, it very much depends on who is targeting you. If it's the police on the street or at your home, say in russia or another third world country, then they can just lock you up or go as far as torture to get access. If they want to access your phone they will. But someone random on the internet trying to get your google photos? Completely different.


Definitely agree with you, there's no need to waste resources on protecting against threats that would never target you - like attempting to capture your face from CCTV and spending real money and resources to get a mask and then stealing your device... etc like you noted.

The author does have face unlock listed as "Advanced" priority. The wording is a bit weird but I take it to mean, only someone who has "very advanced" security concerns would need to follow that recommendation.

If I were going to recommend this to a friend/family member I would just tell them to stick to the basic priority items and not worry about the higher pieces.


>Few people are high value enough to merit the effort required to capture a face from CCTV, generate a mask from the image, get physical access to their device, and use the mask to unlock. So for almost everyone, faceid is fine.

I feel like this point misses the first point you made, about things being a lot more circumstantial and nuanced. It all depends on what you have to hide and on what device. Someone may need to go to the level of effort you mentioned to access someone's iPhone, while someone else may need to just print out a mugshot and hold it in front of a laptop webcam to unlock their computer.

Edit: I'll also second schoen's point about someone forcefully holding your own face up to the device.


I don't see the flaw as there is obvious "recommended", "optional", "advanced".

The list is a "personal security checklist", so it also gives some context from which you can infer the "threat landscape", which I understand would be the average Joe, not a journalist, not a CEO, not a drug dealer, just a normal employee having one bank account, buying stuff online and going on vacations in his own country.

If you want to implement everything that is "optional" in your life it will be security larping.


You are missing the legal distinction: forcing a password from someone is illegal because of the right to remain silent.

But detaining someone and scanning their face is 100% allowed.


Your point only underscores my point. The list doesn’t discuss your threat, so in my initial assessment of the list, I didn’t think of it.


Check out the beautiful start page by the same author: https://github.com/Lissy93/dashy


Just set this up yesterday for my selfhosted services, it's a pleasure to use!


There's an obvious tradeoff having an authenticator (2FA/OTP) separate from your secure password manager. If you lose the device with credentials, you're screwed. It's really easy to lose access to a device (and usually without advance notice).

Or you can override the 2FA, and then you're back to hoping the verification procedure of overriding 2FA is stronger than a dedicated attacker. A password manager managing 10 OTP accounts means 10 attempts at social engineering to bypass the OTP.

I realize having everything on the password manager goes against the "a thing you know plus a thing you have" security policy, but I imagine you'd have much more grief linking every account to a device (a smartphone, usually) you expect can (more likely: will) fail in the next 0 to 6 years.

On the flip side, if you decide to make the thing you have a biometric feature, there's the downside that this thing can never be changed but could possibly be spoofed. In twenty years, you'll still have the same fingerprints, and you even have the same fingerprints, iris, face, etc. when you're unconscious.

Maybe the best strategy is a hardware key with printed backup code? Then you really need to hide the printout somewhere only you know, where it won't get destroyed, where it can be accessed relatively quickly without a complicated lockout, where it won't get accidentally discovered by the HVAC repairman, and where you won't forget after 0 to 6 years. Solving this location riddle seems the most impossible of all...


> Maybe the best strategy is a hardware key with printed backup code?

Or register more than one (preferably three) hardware key. It sidesteps all of these issues. They are very resilient and act as backups.


But then where do you put the hardware keys?

Presumably you would need to obtain all three keys every time you register a new user account on a website.


You still need to store one backup key somewhere safe, and then it's no longer something you have but something you hope stays where you left it.


Tip #1 should be: determine your threat model.

Who are you, and why should hackers care about hacking you? Who is doing the hacking? Is it a 3-letter organization or other nation-state adversary? Is it a corporate actor trying to commit corporate espionage? Someone trying to steal your identity?

I am less valuable to hack than Vitalik Buterin, who in turn is less valuable to hack than President Biden.


I don't have a threat model. I just have typical data (financial, family, hobbies, etc) and want a reasonable level of protection against all threats (snoops, thieves, scammers, police, govt, etc). So I just use standard best practices: encryption, backups, password manager, 2FA, software updating, blockers in the browser, firewalls, VPN, etc. No need to identify specific threats, I don't have any. No need to list out all my data.


I don't understand why anyone recommends disabling javascript. If you're making that much of a sacrifice in user experience, you might as well uninstall your web browser.


For most sites I use, JS detracts from the "user experience". I just want to read an article, not deal with accept-cookie popups or ads or menus etc.

Even on interactive sites such as my bank accounts, I'd rather have a plainer page that just worked in all browsers and worked in a simple way, than have some UI-designer's work of art with fancy coding and unique effects etc.


Just make the switch to w3m. No Js interpreter, no problem


because malicious JS abounds!

and it is going to get worse with the advent of WASM rollouts.


A checklist is pointless when there are 300+ items...

Really needs to be extremely short, like 10 items tops. Then sublists for specific situations.


This list is specific and parochial of course. Rudimentary thematic analysis of the list reveals common patterns fairly well known to security people:

- Less is more.

- Convenience works for you, and adversaries.

- If it's old, maintain it.

- Never tell the truth.

- Keep moving.

- Don't underestimate the enemy.

- Have a plan B.

In the literature these have fancy names like Dolev-Yao, minimal attack surface etc. Interestingly they also correspond to the five-S principles (shape, shine, speed, spacing, silhouette) of stealth and camouflage and many foundations of guerrilla craft: maximal mobility, carrying minimal gear, least contact and taciturn communication, knowing the environment, maintaining your equipment.


Great list! Could you expand on the items a bit?


> Great list! Could you expand on the items a bit?

That would be funny, as the list is an attempt to reduce things.

Perhaps you mean - can we elaborate on the principles of reduction somewhat?

Maybe. I am wondering. The problem with pithy lists is that, in the limit, they end up as a collection of mutually-contradictory idioms, like; "Many hands make light work" but "Too many cooks spoil the broth".

Security is already a mess of theories in tension - "If in doubt don't." versus "Fortune favours the brave"

Perhaps we could make a more focused list for our readers, for innovative developers, with items like:

"Secure yourself before attempting to secure others."

"Don't assume you know what people want"

But I fear it would not be gladly received.


With respect to password managers, it doesn't mention Apple's iCloud Keychain. Any reason why?


You can't use it with Chrome, so you're locked into Safari forever.


Apple released their iCloud Passwords extension [1] for Chrome last November.

I actually moved away from Chrome to Safari when I migrated over to my new m1. It's actually pretty good. The one caveat is Google's Advanced Protection Program only works with Chrome. The article doesn't cover that as well.

[1] https://loginlockdown.com/reviews/icloud-keychain/


Looking at the other items it seems that the author prefers open source / cross-platform software / services where possible.


Good question: CEOs, executives, members of parliaments, journalists, researchers at industrial labs, those working in defense/military/aerospace, etc are at elevated risk of being hacked by governments and hacking companies such as NSO.

Are there guidelines how should these individuals protect themselves against such powerful adversaries?

Like if you work for the German or Chinese government in an important capacity, or lead a major company there, it’s a question whether you should use an iPhone (given that it’s a black box made by a US company), cloud services, etc.

How about if both sides are within the same country? For example, is a Google executive using an iPhone at risk of being spied on by Apple?


If you haven't seen it, Brian Lovin also has a fantastic, in-depth security checklist on his website that links to many more valuable resources: https://brianlovin.com/security

It's aimed more at "the minimum any person should do", so isn't as wide-ranging as the OP and a bit more practical to share with family & friends who might not be as technical.


I think this is just for information security, right?

It doesn't cover personal physical safety. Things like: pay attention to your surroundings, lock your doors, etc.


This is covered under "Secure Perimeter" and "Stay Alert"


Is there a list issued by eff.org, nist or a similar organization, that is maintained and updated?


> This guide is an overview of digital security considerations specific to journalists covering protests. For EFF’s comprehensive guide to digital security, including advice for activists and protesters, visit ssd.eff.org. Legal advice in this post is specific to the United States.

https://www.eff.org/nb/deeplinks/2020/06/digital-security-ad...

Also:

SURVEILLANCE SELF-DEFENSE: TIPS, TOOLS AND HOW-TOS FOR SAFER ONLINE COMMUNICATIONS -- A PROJECT OF THE ELECTRONIC FRONTIER FOUNDATION

https://ssd.eff.org


Thank you. I will look at the sites.


I would love a list like this which is geared towards more advanced users (and software developers who deal with a lot of sensitive data) and describes threat models more comprehensively.


For software developers working for a corporate: Use your corp laptop and phone only for corp work. Don't do any personal stuff on it, including browsing the general web.

Just this alone reduces the risks significantly.


Add to that "don't be smarter than your IT department", even if you know how to do something on your own.

Remember that if you get compromised because you did something your IT dept should do, or at least sign off on, it will be your fault and you may face real consequences.


> Keep Email Address Private - Recommended

Why?

> Use Plaintext - Optional

But this one is optional, why?


This list should define the priority levels they're using.

I think it goes: Basic, Recommended, Optional, Advanced (in increasing effort|security|paranoia).


Shouldn't a checklist contain... checkboxes?


While I always prize people who invest time and share the results of their work with the community, I found that list a bit of a collection of common things, some not really good beliefs, etc., so my two cents' little contribution:

- two-factor auth, depending on the secondary factor, might be a vulnerability itself: suppose you use Google Authenticator on your Android "phone"; what if a deliberate third-party action DOSes your phone (not functioning anymore, locked, etc., no matter the reason)? You are cut out of other available/working services because of the OTP SPOF, so at least choose recovery roads for the cases where the OTP can't be used, and test them regularly;

- a "secure password manager" is something whose code you read and understand entirely; it is also only as secure as the environment it lives on. For instance, on Android/iOS/other proprietary OSes you can't trust any password manager, not because of the managers themselves but because you can't trust the environment you are in; the only option is using only community-born and community-developed FLOSS [1], which is limited by the hw+firmware layer underneath on nearly all modern common hw;

- breach alerts are generally good BUT also a potential privacy issue; following the news on the services you use is the good way (and hard, not by nature but because most services do not offer a simple, very-low-traffic RSS feed/ML alerts with just the critical info) BUT remember you give personal info, public but still personal, to a third party which may be honest and/or may itself be breached just to munge data from it;

- safe backups are backups you restore regularly and that are stored offline. The offsite backup is for physical safety (earthquake, thief at home, etc.) BUT it's not really "safe" since it is not really under your control (unless you are big enough to have geographically distributed personal infra);

- for emails, having many is ok, as long as you give some to your contacts so they can know and trust that it's still you writing from another address, but the main point is the mails themselves: they are personal, you need to have them, which means syncing/downloading your maildirs locally in an automated fashion and USING them locally with an MUA (or, if you really need one, a personally hosted WebMUA), because emails matter not only in terms of "current capacity to read and send" but also for searching through your maildirs, perhaps through all at once if they are many, having your MUA work with them rather than n different WebMails from different providers etc., AND having mailbox portability, which means having personal domain names so as to be able to switch from one hosting partner to another without changing address. Also a personal mail domain typically allows many aliases, which are useful to give to services from retail to NL etc. so as to be able to detach easily and to know where the spam came from (i.e. if a spam mail arrives at my ebay065 mail alias that means someone from ebay got my mail); oh, BTW, there is no "secure email provider" (unless you are yourself the provider), just different services you can choose to trust or not, without much data to decide;

- for chat, I laugh a bit because if the author talks about chat on smartphones it does not matter how open or safe they are; they are on a surveillance-capitalism platform, so NONE can be trusted for privacy, even one you write yourself;

- "use a VPN", in the sense of commercial VPN providers, is VERY BAD ADVICE: my ISP can spoof my connection, but it's a company from my country, subject to laws I know; I can have a local dispute handled with my local lawyer etc. A third-party VPN service based in the British Virgin Islands, Cayman or you-name-it remote -stan is essentially protected by the impossibility, in practice, of suing it, so it's the opposite of safety: you voluntarily give 100% of your network usage, perhaps with a unique account for multiple devices, to a third party, renouncing your local laws' protection. VPNs have ONLY a safety purpose: connecting LANs across the internet, which means if you have a home server and you want to route all your traffic through a VPN it is safe; otherwise it might just be a means to circumvent geoblocking, NOTHING for safety nor privacy. Oh, BTW, forcing a LAN-wide VPN, especially through a commercial router, is again not a good idea but at minimum a SPOF.

- for a safe LAN avoid wireless altogether, or at least limit it to not-easy-to-connect-via-wires devices (smartphones) AND to ephemeral connections (guests at home etc.).

- for desktops: IMVHO do NOT USE any antivirus; simply use OSes that do not have "try-to-execute and fall back thereafter". Antiviruses, especially proprietary ones, are extremely invasive and untrusted beasts. Backups MUST BE for all data, not "just for the important ones", because a restore MUST BE a full restore, from the system/configs to the data. Partial backups are good recipes for disasters.

[1] which means code that many third parties with different interests, scattered around the world, have seen from the start, when the codebase was small enough to be really understood as a whole.
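The OTP single-point-of-failure point above rests on one fact worth making concrete: a TOTP authenticator holds nothing but a shared seed and a clock, so any device that has the seed is a full "recovery road", and the recovery can be tested offline. The following is an added illustration for this thread, not code from the checklist repository or from the commenter. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library, decodes the base32 seed form used in enrolment QR codes, and checks a code produced by a second device while tolerating one time step of clock skew. The base32 seed in the demo is a constructed value, not a real enrolment secret.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP from the shared seed, plus a cross-device check.
Added illustration for the thread; not code from the checklist repo."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> N decimal digits."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def seed_from_base32(seed: str) -> bytes:
    """Authenticator apps / otpauth URIs carry the seed as (often unpadded) base32.
    Re-pad to a multiple of 8 characters and decode to the raw HMAC key."""
    s = seed.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def code_matches(secret: bytes, candidate: str, unix_time: int, step: int = 30,
                 digits: int = 6, window: int = 1) -> bool:
    """Verify a code from another device, allowing +/- `window` steps of clock skew.
    compare_digest keeps the comparison constant-time so the check itself
    does not leak which digits were right."""
    base = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed seed for illustration only; a real one comes from the enrolment QR code.
    seed = seed_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    print("primary device code :", totp(seed, now))
    # Simulate a backup device whose clock is one step behind the primary.
    backup_code = totp(seed, now - 30)
    print("backup code accepted:", code_matches(seed, backup_code, now))
```

Practical use of this: when enrolling, scan the same QR code on a second device (or keep the base32 seed offline) and run the two devices' codes through `code_matches` once in a while; if they ever stop agreeing you have found the clock-drift or lost-seed problem before it locks you out.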


My beef with all of these checklists: do you expect me to spend my whole life managing my security?


You could spend 20 minutes reading the list, and come up with 2 or 3 things you want to do right away.

A lot of security things are one-and-done: install uBlock Origin browser extension, enable VPN, enable software auto-update. Then they just work in the background after that.

Given that my entire net worth is accessible through my internet-accessible bank accounts, yes, I'm willing to spend SOME effort managing my security.


> Don't reuse Passwords

Nice in theory, and perhaps in practice if one uses a password manager that's unified across devices.

In my opinion, password managers are a ticking time bomb. With maybe the exception of something like Firefox's built in password management, it's only a matter of time before these for-profit password managers are subject to significant exploits or data leaks.

With strong 2FA, the necessity of not reusing passwords is much less relevant and hardly warrants forcing users to reset their password while disallowing use of previous passwords. If a user enables strong 2FA, they should be allowed to keep the same password indefinitely.


KeePassXC is the exception to this. It is open source, and doesn't rely on another service (you can just put the file in Dropbox or something). Anybody who is serious about security should be using it.


pass/gopass is basically the same.



