Security & Privacy Checklist


Here’s a list of 9 steps that everyone can take to ensure a basic level of security and privacy online. Following these suggestions will reduce the risk of online accounts and data being compromised.

1. Do you use a password manager to store your passwords?

Password reuse is a serious problem, but it's not your fault. It's difficult to remember a distinct password for every site you sign up to, and humans are also poor at inventing passwords that machines will struggle to crack. Password managers like 1Password or LastPass solve both problems: they generate a long random password for each site and remember it for you, so one breached site does not expose your other accounts. Protect the manager itself with a strong master passphrase and 2FA.
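As an added illustration (not part of the original checklist, and not the code of any password manager), the following Python shows what a manager does on your behalf: it draws each character from the operating system's CSPRNG and quantifies the result in bits of entropy, the number an attacker's guessing budget is measured against. The character set, the lengths compared and the guess rate are assumptions for the example.

```python
import math
import secrets
import string

# Character set a generator typically draws from (assumption for the example): 94 symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly from `alphabet` using the OS CSPRNG.

    secrets.choice() is the right tool; random.choice() is a Mersenne Twister
    whose internal state can be recovered from a few hundred outputs.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline attacker, who on average tries half the keyspace."""
    return 2.0 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    # Assumed offline guess rate against a fast hash on a GPU rig; adjust to your threat model.
    rate = 1e11
    # A typical human-chosen password: 8 lowercase letters, about 37.6 bits
    human_bits = entropy_bits(8, 26)
    # A manager-generated password: 20 characters over 94 symbols, about 131 bits
    manager_bits = entropy_bits(20, len(ALPHABET))
    print(f"human:   {human_bits:.1f} bits, ~{expected_crack_seconds(human_bits, rate):.1e} s to crack")
    print(f"manager: {manager_bits:.1f} bits, ~{expected_crack_seconds(manager_bits, rate):.1e} s to crack")
    print("generated:", generate_password())
```

The crack-time figure assumes the site hashed the password with a fast hash that leaked in a breach; the point is the gap of roughly 90 bits between what a person picks and what a manager picks, which no amount of hardware closes.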

2. Do you use two-factor authentication (2FA) for all important accounts?

Without 2FA, your password is your only form of authentication: if it is stolen, phished or cracked, attackers have access to your account and can impersonate you. All important accounts (email, banking, social media, and the password manager itself) should be protected with a second factor, such as a physical security key (e.g. a YubiKey) or an authenticator app. Avoid SMS codes where possible, since they can be intercepted by SIM swapping. Store the backup codes somewhere safe (for example in your password manager), because without them losing the second factor locks you out of your own account.

3. Do you keep your software updated?

Apple, Microsoft, Google, Facebook and other software makers periodically release bug fixes and security updates. When an update fixes security vulnerabilities it is important to install it promptly: the change log often names the publicly known vulnerabilities that were patched, and that public knowledge gives attackers an advantage when targeting users who are still running the outdated version. Enable automatic updates wherever the device or application supports them.

4. Do you use the HTTPS Everywhere browser extension (or similar) to ensure all traffic is HTTPS-only?

Websites are served over either HTTP or HTTPS. The latter encrypts every request and response between your browser and the site, so an attacker on the network (on public Wi-Fi, or at your ISP) cannot read or tamper with the contents of the page. It does not hide which sites you connect to, only what you exchange with them. Unfortunately, many websites that offer HTTPS make it awkward to use (e.g. by defaulting to HTTP). Extensions like HTTPS Everywhere rewrite requests to HTTPS where possible and can optionally block all plain-HTTP requests, though that mode may prevent access to some websites. The EFF has since retired HTTPS Everywhere because the major browsers now ship an equivalent built-in HTTPS-only mode (e.g. HTTPS-Only Mode in Firefox); turn that on instead.
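To make the mechanism concrete, here is an added Python example (not from the original page and not the extension's own code) of the two pieces an HTTPS-only setup relies on: rewriting an http:// URL to https://, which is what the extension's rules do, and parsing the Strict-Transport-Security header (HSTS, RFC 6797) with which a site tells the browser to keep using HTTPS on its own. The sample header values and the one-year threshold are assumptions for the example.

```python
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 365 * 24 * 3600   # assumed minimum max-age for a policy to be worth much


def upgrade_to_https(url: str) -> str:
    """Rewrite an http:// URL to https://. An explicit :80 is dropped so the
    request goes to the default HTTPS port; other schemes are left untouched."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    netloc = parts.netloc
    if netloc.endswith(":80"):
        netloc = netloc[:-3]
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def parse_hsts(header: str) -> dict:
    """Parse 'max-age=<seconds>[; includeSubDomains][; preload]' (RFC 6797).
    Directive names are case-insensitive; unknown directives are ignored."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                pass   # malformed max-age: browsers treat the header as absent
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def hsts_is_effective(header: str, min_age: int = ONE_YEAR) -> bool:
    """A policy only protects future visits if max-age is long and it covers
    subdomains (otherwise an attacker can downgrade http://www.example.com).
    max-age=0 is how a site withdraws HSTS, so it must fail this check."""
    policy = parse_hsts(header)
    return (policy["max_age"] is not None
            and policy["max_age"] >= min_age
            and policy["include_subdomains"])


if __name__ == "__main__":
    # Constructed sample values, as a well-configured site would send them
    print(upgrade_to_https("http://example.com:80/login?next=/#top"))
    print(parse_hsts("max-age=63072000; includeSubDomains; preload"))
    print(hsts_is_effective("max-age=300"))   # too short to protect the next visit
```

The first visit is the weak spot: HSTS is only learned from an HTTPS response, so a site that never sent it (or sent `max-age=0`) gives the browser nothing to enforce, which is exactly the gap the extension's rewrite rules and the browsers' HTTPS-only modes close from the client side.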

5. Do you only use chat apps that have end-to-end encryption (E2EE)?

Most online chat apps (e.g. Facebook Messenger) do not use E2EE by default. Messages you send are stored with your service provider, and even if they are encrypted at rest, the provider holds the key. The provider can therefore read and edit your messages, and if it suffers a particularly nasty breach or receives a warrant, your messages could be leaked. Use Signal or WhatsApp (both use the Signal protocol) so that only you and your recipient hold the keys. E2EE protects message content, not metadata: the provider still sees who talks to whom and when, and cloud backups of your chats may not be end-to-end encrypted unless you turn that on.

6. Do you use a secure VPN?

If it's legal to do so, you should be using a secure VPN. Without one, your ISP (e.g. Comcast or BT) knows which websites you visit, and for sites not served over HTTPS it can also see what you do on them (with HTTPS it still sees the domain names, via DNS and the TLS handshake, but not the content). In 2017, U.S. lawmakers repealed FCC privacy rules, leaving ISPs free to sell your browsing history. Imagine your health insurer getting hold of your medical search history! Keep in mind that a VPN only moves this visibility from your ISP to the VPN provider, so choose one you trust; it is not anonymity.

7. Do you use a browser extension to block ads or user tracking scripts?

Advertisers and other third parties track which sites you visit and which pages you look at, typically through scripts, pixels and cookies embedded in the pages you load. This helps them sell products, and the resulting profile can also mean you are shown a higher price for a product than others. You can stop most of this with a browser extension like Privacy Badger, which blocks third-party domains it observes tracking you across multiple sites.
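To show how such an extension decides what to block, here is an added Python example (not from the page and not Privacy Badger's own code) of the heuristic Privacy Badger documents: a third-party domain seen setting cookies on three or more distinct first-party sites is treated as a tracker and blocked, while first-party content and cookie-less CDNs are left alone. The request log is constructed for the example, and the two-label "registrable domain" shortcut stands in for the Public Suffix List a real implementation would use.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed request log: (page URL, embedded request URL, did the response set a cookie?)
SAMPLE_REQUESTS = [
    ("https://news.example/article", "https://tracker.example/pixel.gif",  True),
    ("https://shop.example/cart",    "https://tracker.example/pixel.gif",  True),
    ("https://blog.example/post",    "https://tracker.example/js/t.js",    True),
    ("https://news.example/article", "https://cdn.example/lib.js",         False),
    ("https://shop.example/cart",    "https://cdn.example/lib.js",         False),
    ("https://blog.example/post",    "https://cdn.example/lib.js",         False),
    ("https://news.example/article", "https://ads.example/beacon",         True),
    ("https://shop.example/cart",    "https://ads.example/beacon",         True),
    ("https://news.example/article", "https://static.news.example/app.js", True),
]


def registrable_domain(host: str) -> str:
    """Simplification: the last two labels (news.example for static.news.example).
    Real blockers consult the Public Suffix List so suffixes like co.uk work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_url: str, request_url: str) -> bool:
    """A request is third-party when its site differs from the page's site."""
    page_host = urlsplit(page_url).hostname or ""
    req_host = urlsplit(request_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(req_host)


class TrackerDetector:
    """Learns trackers from observed traffic instead of a static blocklist."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        # third-party domain -> set of first-party sites on which it set a cookie
        self.sites_tracked = defaultdict(set)

    def observe(self, page_url: str, request_url: str, sets_cookie: bool) -> None:
        if not sets_cookie or not is_third_party(page_url, request_url):
            return   # first-party content and cookie-less CDNs are not tracking
        third = registrable_domain(urlsplit(request_url).hostname or "")
        first = registrable_domain(urlsplit(page_url).hostname or "")
        self.sites_tracked[third].add(first)

    def trackers(self) -> list:
        return sorted(d for d, sites in self.sites_tracked.items()
                      if len(sites) >= self.threshold)

    def should_block(self, page_url: str, request_url: str) -> bool:
        domain = registrable_domain(urlsplit(request_url).hostname or "")
        return is_third_party(page_url, request_url) and domain in self.trackers()


def detect_trackers(log=None, threshold: int = 3) -> list:
    """Replay a request log through the detector; defaults to the constructed sample."""
    detector = TrackerDetector(threshold)
    for page, request, sets_cookie in (SAMPLE_REQUESTS if log is None else log):
        detector.observe(page, request, sets_cookie)
    return detector.trackers()


if __name__ == "__main__":
    print(detect_trackers())   # tracker.example: cookies on three different sites
```

Note what the heuristic does not catch: a tracker seen on only two sites, or one that fingerprints without cookies, slips through, which is why real extensions add fingerprinting heuristics and a seed list on top of this rule.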

8. What search engine do you use?

Search engines like Google or Bing store large amounts of personal information and your search history (by default). They use it to determine your interests (very accurately) and show ads you are likely to click on, and they may be required to hand it over to authorities. If you're not comfortable with this, change your default search engine to one that doesn't track you, like DuckDuckGo or Startpage.

9. Can you unlock your devices using your fingerprint?

The U.S. (and other countries) are forcing people to unlock their devices more frequently, typically at the border, where no warrant is needed. I suggest not crossing a border with devices containing sensitive information, but this might not always be possible. Locking your device with a passcode instead of your fingerprint increases its security: a finger can simply be pressed to the sensor, whereas a passcode is something you know and must choose to reveal. If you keep biometric unlock for convenience, learn your phone's lockdown shortcut (e.g. holding the side and a volume button on an iPhone, or the Lockdown entry in Android's power menu), which disables biometrics until the passcode is entered. Additionally, if your fingerprint data is ever compromised (e.g. in a breach), you cannot change it like you can change a password.

Disclaimer: I do not guarantee these steps will protect you from attackers, especially sophisticated or determined ones.
