Updated: 23 November 2019 - Changelog at bottom
Disclosure: No affiliate links below
If you know me at all, you'll know that I'm an advocate of strong security and online privacy, so I wanted to list a few things here that anyone could do to immediately improve general security practices.
Improve Your Passwords
There is no question that everyone should use strong passwords. Every password you use should be non-dictionary based, include random numbers, letters, and symbols, be at least 12 characters long, and never duplicated across sites. To check all those boxes, I highly recommend a good password manager.
LastPass is an online password manager that stores all your passwords and generates difficult-to-crack, unique passwords for every site. LastPass is free, but they offer a premium version at $3/mo.
Also included with their service is a security audit: they notify you if any of your accounts show up in a known breach, flag weak and reused passwords, and give you an overall security score. LastPass also offers an option to automatically change your passwords on many popular sites.
I also recommend checking HaveIBeenPwned to see whether your email addresses appear in any known data breach. They also offer a free notification service that emails you when your address shows up in a newly loaded breach, so you don't need to be a regular visitor. If an address does turn up, change the password on that account and anywhere else you reused it.
Two-Factor Authentication, or "2FA" for short, is a term that gets thrown around quite a bit. It means requiring two of three distinct kinds of proof to log in: "something you know" (a password), "something you have" (a hardware key or your phone), and "something you are" (a fingerprint). Two passwords are not two factors. LastPass recently wrote a post explaining this in further detail here.
Strong passwords alone will help prevent successful brute-force attacks, but in a situation where your password leaks (through a breach or a phishing page), you'll want to have 2FA set up. Two-factor adds an additional step when logging into accounts like Gmail, Twitter, and LastPass, but it greatly decreases your chances of having your accounts "hacked," because the attacker needs the second factor too.
YubiKeys are the industry's most popular second-factor solution and I highly recommend you pick up a few for daily use and backup; if you register only one key and lose it, you lock yourself out. Google also provides a hardware key called the Titan Security Key that can be picked up at the Google Store.
Alternatively, 2FA can be had through an app on your phone (something you have) that generates a six-digit code every 30 seconds. This isn't as secure as a physical YubiKey: a phishing site can ask you for the code and relay it to the real site within those 30 seconds, whereas a YubiKey signs a challenge tied to the site's real domain and won't answer for an impostor. It is still considerably better than a password alone. Authy (rated top 2FA app by Wirecutter) and Google Authenticator are the two most popular options, but Authy is my personal recommendation. Authy allows recovery from backups in case your phone dies, where Google Authenticator does not.
Encrypt Your Chat Messages
SMS is the worst messaging backend available. It's carried in the clear by your mobile carrier, trivially spoofable, and hijackable by anyone who talks your carrier into moving your number to a new SIM, which is also why SMS makes a poor second factor.
The highly popular Signal app is a perfect alternative. It provides end-to-end encryption by default, supports disappearing messages, and retains almost no information about its users. There are desktop apps as well as mobile apps for Android and iOS.
WhatsApp, Facebook Messenger's "Secret Conversations", and Skype's "Private Conversations" also use the Signal Protocol (from Open Whisper Systems, the team behind Signal), which provides proper end-to-end encryption. Note that in Messenger and Skype it is opt-in per conversation rather than the default, and end-to-end encryption protects the message contents, not the record of who you talked to and when. Most other communication apps do not encrypt end to end at all.
Use a Search Engine that Doesn't Track You
Everything you do online is tracked, and the tracking usually comes from the free apps you "can't live without."
My first suggestion for anyone looking for online privacy is, of course, to stop using Facebook and Instagram. Their Terms of Service are heavy on the "if you or your friends do it, we know about it and monetize it" clauses. They are by far the number one concern among privacy experts and should be the first thing you stop using.
Google also comes up in conversations about user privacy, usually from people defending their use of Facebook. Don't get me wrong: Google collects a massive amount of user data to "make it universally accessible and useful," but if you don't want to be part of their big-data efforts, there are plenty of great alternatives for finding things online.
DuckDuckGo is a privacy-based search engine that is a great place to start your migration away from Google Search. They don't collect or share any personal information as you use their service, but they do use Apple Maps as their default option. I've been using them for a few months now and strongly prefer their functionality over Google's - especially with image search.
Start Using a Paper Shredder
Any mail that has personally identifiable information should never be thrown away in the trash. Once it leaves your home, anyone who digs through the garbage can fill out those pre-approved credit card offers in your name or collect enough details (account numbers, birth date, the last four of your SSN) to talk their way into your personal accounts.
Short of setting your trash on fire or dousing it in acid, a paper shredder is your best bet. Get a cross-cut or micro-cut model rather than a strip-cut one; strips can be reassembled with patience. The AmazonBasics 15-sheet shredder can sit right next to your trash can and will make short work of any document you don't want getting into the wrong hands.
Changelog
- 23 November 2019: Added recommendation for paper shredder
- 14 October 2019: Added Authy as a better alternative to Google Authenticator