Updated: 11 January 2021 - Changelog at bottom
Disclosure: No affiliate links below
If you know me at all, you'll know that I'm an advocate of strong security and online privacy, so I wanted to list a few things here that anyone could do to immediately improve their personal habits. They're presented in order of importance.
1). Improve Your Passwords
There is no question that everyone should use strong passwords. Every password you use should be non-dictionary-based, include random numbers, letters, and symbols, be at least 12 characters long, and never be duplicated across sites. To check all those boxes, I highly recommend a good password manager.
LastPass is an online password manager that stores all your passwords and generates difficult-to-crack, unique passwords for every site. LastPass is free, but they offer a premium version at $3/mo.
Included with the LastPass service is a security audit. They will notify you if any of your accounts appear in a known breach and give you an overall security rating that you can fix from their dashboard.
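To make those four requirements concrete, here is an added example (not from this post or from any password manager's code) that generates a password meeting them and checks an existing one against them, including reuse across a small constructed "vault" of site passwords. The word list is a constructed stand-in for the much larger dictionaries real managers use.

```python
import secrets
import string
from typing import Dict, List

# Constructed stand-in for a breached/dictionary word list; real managers check far larger lists.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "sunshine", "monkey", "qwerty"}

# Random characters are drawn from letters, digits and symbols, as the post's criteria require.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def password_problems(password: str, vault: Dict[str, str], site: str = "") -> List[str]:
    """Return the requirements the password fails; an empty list means it passes all of them.

    vault maps site name -> password; site is the account being checked (so it is not
    flagged as "reused" against itself).
    """
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    # Dictionary check: strip digits/symbols and lowercase so "Welcome123!!" still matches "welcome".
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if any(word in letters_only for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    # Uniqueness check: the same password on any other site is a reuse.
    reused = sorted(s for s, p in vault.items() if p == password and s != site)
    if reused:
        problems.append("reused on " + ", ".join(reused))
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password with the OS CSPRNG, retrying until every requirement holds."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_problems(candidate, {}):
            return candidate
```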
Bitwarden is an open source and free alternative to LastPass, but it requires a lot more micromanagement and responsibility than its competitors. 1Password is yet another option available for iDevice users, but their 2FA security (more on that later) wasn't as secure as I'd prefer.
I also recommend checking HaveIBeenPwned to see if your email addresses were involved in a recent security breach. They also include a service that notifies you when your email login has been compromised, so you don't need to be a regular visitor.
2). Two-Factor (2FA) Authentication
2FA is a term that gets thrown around quite a bit. It generally refers to requiring two of the following factors: "something you know" (a password or PIN), "something you have" (a physical key or phone), and "something you are" (a fingerprint or face scan). LastPass wrote an article explaining this in further detail here.
Strong passwords alone will help prevent successful brute force attacks, but in a situation where your password leaks, you'll want to have 2FA set up. Two-factor adds an extra step when logging into accounts like Gmail, Twitter, and LastPass, but it greatly decreases your chances of having your accounts "hacked."
YubiKeys are the industry's most popular second-factor solution, and I highly recommend you pick up a few for daily use and backup. Another popular alternative is the Google "TitanKey," but I don't recommend them due to their many security issues.
Additionally, 2FA can be used via an app on your phone, which satisfies "something you have." This isn't as secure as a physical YubiKey, but it is considerably better than a password alone. Authy (rated top 2FA app by Wirecutter) and Google Authenticator are the two most popular options. Authy is my personal recommendation, though, since it allows recovery in case your phone dies.
3). Encrypt Your Chat Messages
SMS is the worst messaging backend available. It's unencrypted, spoofable, and managed by your ISP. Do not use this as 2FA if there are other options available.
The highly popular Signal app is a perfect alternative to SMS. They provide end-to-end encryption, support disappearing messages, don't track user info, and keep encryption keys with the user (unlike iMessage). There are desktop apps as well as mobile apps for Android and iOS.
Here's a great comparison of current messaging services and the data they collect:
4). Use a Search Engine that Doesn't Track You
Everything you do online is tracked, and it's usually from the free apps you "can't live without."
My first suggestion for anyone looking for online privacy is, of course, to stop using Facebook and Instagram. Their Terms of Service are really heavy on the "you or your friends do it, we know about it and sell it." They are by far the number one concern among privacy experts and should be the first thing you stop doing.
Google also comes up in conversations about user privacy, usually from those defending their use of Facebook. Don't get me wrong though: Google collects a massive amount of user data to "make it universally accessible and useful," but if you don't want to be part of their big data efforts, there are plenty of great alternatives for finding things online.
DuckDuckGo is a privacy-based search engine that is a great place to start your migration away from Google. They don't collect or share any personal information as you use their service, but they do use Apple Maps as their default option. I've been using them for a few years now and strongly prefer their functionality over Google's - especially with image search.
5). Change Your Browser
Most users stick with whatever default crap comes on their new device. This is why Internet Explorer became the most popular browser in the world despite being riddled with security and privacy issues.
My current recommendation, for both mobile and desktop, is Firefox. It's incredibly fast, lightweight, and doesn't track your personal info. It also supports great extensions like uBlock Origin, LastPass, and EFF's Privacy Badger to keep you safe.
6). Start Using a Paper Shredder
Any mail that has personally identifiable information should never be thrown away in the trash. Once it leaves your home, anyone digging through the garbage could easily find and submit unused credit card applications, or even collect enough info to get into your personal accounts.
Short of setting your trash on fire or dousing it in acid, a paper shredder is your best bet. The AmazonBasics "15-Sheet" shredder can sit right next to your trash can and will make short work of any document you don't want getting in the wrong hands.
WARNING: Minor Technical Requirement
7). Install a PiHole
A PiHole sits between your device and the internet and blocks many trackers and ads automatically. All you need is a Raspberry Pi and a little technical know-how, and you could keep every device in your home free from trackers and advertisements.
The PiHole software is incredibly easy to install, free and open-source, essentially "set it and forget it", only costs ~$35 for the hardware (~$60 for full kits), and includes a detailed dashboard for monitoring your network activity. The only reason this isn't my #3 recommendation is the minor technical requirement to get it running.
Changelog
- 11 January 2021: Changed url to https://mcwain.net/privacy. Typo fixes. Added "Change Your Browser." Added "Install a PiHole."
- 23 November 2019: Added recommendation for paper shredder
- 14 October 2019: Added Authy as a better alternative to Google Authenticator