Updated: 22 March 2022 - Changelog at bottom
Disclosure: No affiliate links below
If you know me at all, you'll know that I'm an advocate of strong security and online privacy, so I wanted to list a few things here that anyone could do to immediately improve their personal habits. They're presented in order of importance.
1). Improve Your Passwords
There is no question that everyone should use strong passwords. Every password you use should be non-dictionary based, include random numbers, letters, and symbols, be at least 12 characters long, and never duplicated across sites. To check all those boxes, I highly recommend a good password manager.
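Those four rules are exactly what a password manager enforces when it generates a credential. As an added example (not code from the post or from KeePass), here is a small generator drawn from the OS random source plus a checker that reports which of the rules a password violates; the dictionary and symbol set are constructed stand-ins.

```python
import secrets
import string

# Policy from the post: at least 12 characters, a mix of letters, digits and
# symbols, no dictionary words, and never reused across sites.
MIN_LENGTH = 12
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed stand-in for a real wordlist; a manager ships a full dictionary.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey"}


def check_password(pw: str, already_used: set[str]) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbols")
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if pw in already_used:
        problems.append("reused from another site")
    return problems


def generate_password(length: int = 20) -> str:
    """Draw characters from the CSPRNG (secrets) until the policy is satisfied."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, set()):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, check_password(pw, set()))
    print(check_password("Welcome2022!!", set()))
```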
KeePass allows you to store all your passwords (encrypted), quickly auto-type them into desktop applications, and use a browser extension to log into websites. KeePass is open-source and allows you to have 100% control over your saved database file. There are also mobile apps, like KeePassDX, that you can use on the go.
I also recommend subscribing (free) to HaveIBeenPwned to see if your email addresses were involved in a recent security breach. They also include a service that notifies you when your email login has been compromised, so you don't need to be a regular visitor.
2). Two-Factor (2FA) Authentication
2FA is a term that gets thrown around quite a bit. It generally refers to having two of the following security layers defined by "something you know" (password or PIN), "something you have" (a physical key or phone), and "something you are" (fingerprint or face scan). LastPass wrote an article explaining this in further detail here.
Strong passwords alone will help prevent successful brute force attacks, but in a situation where your password leaks, you'll want to have 2FA set up. Two-factor adds an extra step when logging into accounts like Gmail, Twitter, and LastPass, but it greatly decreases your chances of having your accounts "hacked."
YubiKeys are the industry's most popular second factor solution and I highly recommend you pick up a few for daily use and backup. Another popular alternative is the Google "TitanKey," but I don't recommend them due to their many security issues.
Additionally, 2FA can be used via an app on your phone - which satisfies "something you have." This isn't as secure as a physical YubiKey, but is considerably better than a password alone. Aegis is an open-source app that generates time-based tokens from a secret stored on your phone, and its database can be backed up. Your 2FA data is 100% in your control.
3). Encrypt Your Chat Messages
SMS is the worst messaging backend available. It's unencrypted, spoofable, and managed by your ISP. Do not use this as 2FA if there are other options available.
The highly popular Signal app is a perfect alternative to SMS. They provide end-to-end encryption, support disappearing messages, don't track user info, and keep encryption keys with the user (unlike iMessage). There are desktop apps as well as mobile apps for Android and iOS.
Here's a great comparison of current messaging services and the data they collect:
4). Use a Search Engine that Doesn't Track You
Everything you do online is tracked, and it's usually from the free apps you "can't live without."
My first suggestion for anyone looking for online privacy is of course, to stop using Facebook and Instagram. Their Terms of Service are really heavy on the "you or your friends do it, we know about it and sell it." They are by far the number one concern among privacy experts and should be the first thing you stop doing.
Google also comes up in conversations about user privacy - usually from those defending their use of Facebook. Don't get me wrong though. Google collects a massive amount of user data to "make it universally accessible and useful"; but if you don't want to be part of their big data efforts, there are plenty of great alternatives to find things online.
DuckDuckGo is a privacy-based search engine that is a great place to start your migration away from Google. They don't collect or share any personal information as you use their service, but they do use Apple Maps as their default option. Note: They recently stated they filter results they have decided are "misinformation." This was enough for me to stop using them, but perhaps you don't find this move as critical.
In any case, I recently stopped using DuckDuckGo and instead use my own search.mcwain.net solution. It pulls results from Google, strips all ads and trackers, has no logs, and replaces common sites with their alternative front-ends. I'm not suggesting you use it, but be aware there are options that don't monitor everything you do.
5). Change Your Browser
Most users stick with whatever default crap comes on their new device. This is why Internet Explorer became the #1 most popular browser in the world, despite being covered with security and privacy issues.
My current recommendation, for both mobile and desktop, is Firefox. It's incredibly fast, lightweight, and doesn't track your personal info. They also allow great extensions like uBlock Origin, LastPass, NoScript, and EFF's Privacy Badger to keep you safe(r). It's not perfect, but it's the best in the market at this time.
6). Start Using a Paper Shredder
Any mail that has personally identifiable information should never be thrown away in the trash. Once it leaves your home, anyone who digs through garbage could easily find and fill out unused credit card applications, or even collect enough info to get into your personal accounts.
Short of setting your trash on fire or dousing it in acid, a paper shredder is your best bet. The AmazonBasics "15-Sheet" shredder can sit right next to your trash can and will make short work of any document you don't want getting in the wrong hands.
WARNING: Minor Technical Requirement
7). Install a PiHole
A PiHole sits between your device and the internet and blocks many trackers and ads automatically. All you need is a Raspberry Pi and a little technical know-how, and you could keep every device in your home free from trackers and advertisements.
The PiHole software is incredibly easy to install, free and open-source, is essentially "set it and forget it", only costs ~$35 for the hardware (~$60 for full kits), and includes a detailed dashboard for monitoring your network activity. The only reason this isn't my #3 recommendation is because of the minor technical requirement to get running.
Ideally, you'd set up a VPN tied with WireShark, so you can have control over your network requests no matter where you go. For that, there's a project called "WireHole" that'll get you set up fast.
Changelog
- 22 March 2022: Replaced LastPass with KeePass, replaced Authy with Aegis, added Wirehole (VPN) to Pi-Hole, added NoScript to FF extensions, and updated Search Engine section.
- 11 January 2021: Changed url to https://mcwain.net/privacy. Typo fixes. Added "Change Your Browser." Added "Install a PiHole."
- 23 November 2019: Added recommendation for paper shredder
- 14 October 2019: Added Authy as a better alternative to Google Authenticator