General Password Hygiene
- Never share your password, passphrase, or passcode with anyone, no matter how nicely they ask or how close you are to them (family and partners included).
- No two passwords should ever be the same, even for accounts you consider “throw away”.
- To manage most passwords, use a password manager. 1Password and LastPass are two we recommend. LastPass has some useful features, but 1Password’s design is far better.
- For the few passwords you must remember (OS X login, your password manager, etc.), use a long passphrase: at least four words chosen at random (by dice or a generator, not by you, since words you think of yourself are far more predictable), plus a few digits, symbols, spaces, and capitals. A good example is copy, indicate 48 Trap bright. If you want to be extra safe, add more symbols, numbers, and capital letters, like Copy indicate 48 Trap (#) bright. Just don’t make it so inconvenient that you later get frustrated and change it to something too simple.
- For passwords stored in a password manager, generate them at the maximum length the site allows and include numbers and symbols. For example, =pXFR>9qEzP%7PaQR6r9Z)R76LcWKztAa3;pD9BRpmB6sXu8,pWT=sy%b&pbV]xe. Since the password manager fills them in for you, a long random password is just as convenient as a short one, and every extra character multiplies the space an attacker has to search, so it is exponentially stronger.
- Passwords and passphrases should not be built from known phrases. For example, Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1. is a bad password even though it has varying capitalization, punctuation, spaces, and excellent length. That password was cracked in minutes because it is a well-known line from the H.P. Lovecraft short story The Call of Cthulhu. Avoid all known phrases (quotations, lyrics, fiction): assume any such phrase is already on, or will soon be on, a password cracker’s word list, and that tacking a digit or punctuation onto the end does not save it.
- Do not store the 1Password file in Dropbox or any other online service unless you have enabled 2-step authentication for that service and your 1Password file has a very strong master password. The safest thing to do is to just make a local backup in case your computer is damaged or lost, but we understand that syncing to multiple devices is very handy.
- Do not store any passwords in a Google Doc or other online service, even if you have enabled 2-step authentication. Again, use a password manager to secure your passwords.
- Enable 2-factor authentication (2FA) every place that supports it.
- Never use SMS-based 2FA unless it is the only option, since text messages can be intercepted or redirected to an attacker’s phone (for example by SIM swapping). Whenever possible, use an app that generates the one-time passwords.
- Here are some setup guides for a few sites: Apple, Facebook, Twitter, Dropbox, GitHub, LastPass, Box, Gmail, Yahoo, GoDaddy, LinkedIn, Dreamhost, Namecheap, PayPal, and Microsoft/Live.com.
- For a more comprehensive list of sites supporting 2-factor authentication, see Two Factor Auth List, and enable 2-factor authentication on every single one that you use.
- For a self-hosted WordPress site you can use the Google Authenticator or Duo Security plugin.
- Do not store your 2-factor recovery codes online or in your password manager. Print them and put them in a safe place in your house instead.
- Ensure you are using strong passwords everywhere, even on accounts not directly connected to your P2.
- Review your Gmail filters and application passwords for anything you don’t recognize. Now is a good time to remove any of these you aren’t actively using and configure suspicious login activity notifications to be sent to you via SMS.
- Set a system passphrase (at least four random words, and a few numbers/symbols) on your computer — even if it is a desktop and you live by yourself. Make sure the password is required to wake from sleep or from the screen saver.
- Never leave your laptop unlocked and unattended. Always lock the screen before you walk away. Have the screensaver turn on in 15 minutes or less. You can configure a shortcut to enable the screen saver, which you should do whenever you get up from your computer.
- Encrypt your hard drive. Use FileVault on OS X, and BitLocker or VeraCrypt on Windows. VeraCrypt may show the error “Windows not installed on the drive from which it boots”; in that case follow this tutorial, How to Remove the Windows “System Reserved” Partition. The easier route is to get Windows 10 Pro, if you don’t already have it, and use BitLocker. Microsoft Surface devices and some other brands are encrypted by default. On Linux, full-disk encryption is usually offered during installation; if you have already installed without it, you will probably need to reinstall.
- Make sure your backups are encrypted. Here’s how on OS X Time Machine.
- Install and run anti-virus software with the latest virus definitions. Microsoft Security Essentials is good for Windows 7 (it’s built into Windows 8 and up under the name Windows Defender) and for OS X we recommend Avira, ClamXAV, or Sophos (in that order). All are free! (If you have trouble with proxy connections after installing Sophos, try this workaround.)
- Turn on your firewall.
- Consider running an outbound-connection monitor (a “reverse firewall”) like Little Snitch. It is noisy at first, but quiets down as you build up your rules.
- After you have set up two-factor for your Apple account you should turn on Find My Mac to allow your device to be remotely locked and wiped if the need ever arises.
- Make sure your home router’s firmware is current and that you aren’t using the default admin password. Also review any port-forwarding rules to make sure each one is needed and expected, and remove anything you aren’t currently using. Upgrading router firmware may wipe your connection settings, so have them written down to avoid downtime. (We have seen hacked routers; a compromised router can capture or redirect all of your traffic.)
- Be careful with wireless keyboards and mice; they have a history of vulnerabilities such as keystroke sniffing and injection. Check that your devices encrypt the wireless link (Bluetooth with secure pairing, or a proprietary protocol that actually uses AES) and have no known vulnerabilities. To be extra safe, avoid using them anywhere an attacker could intercept the signal discreetly, like a coffee shop, co-working space, or conference.
- If you plan to co-work, or work in public spaces, we recommend a privacy screen as a best practice to prevent others from seeing sensitive information on your screen.
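As an added example (not from the original guide), the following Python script puts numbers behind the passphrase and generated-password advice above and the warning against known phrases: it draws words and characters from the operating system’s CSPRNG via the secrets module, estimates the entropy of each style, and rejects candidates built on a known phrase such as the Lovecraft line. The word list and the known-phrase list are constructed stand-ins; a real generator should use a large published list such as the EFF long word list (7,776 words), and the entropy figures scale with that list’s size.

```python
"""Passphrase/password generation with entropy estimates and a known-phrase check."""
import math
import re
import secrets
import string

# Constructed, deliberately short sample word list (a real generator would use
# something like the EFF long list of 7,776 words; entropy scales with its size).
WORDLIST = [
    "copy", "indicate", "trap", "bright", "anchor", "velvet", "glacier", "puzzle",
    "orbit", "lantern", "meadow", "saddle", "quartz", "harbor", "tunnel", "feather",
]

SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.<>?"  # 25 symbols
PASSWORD_ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 87 characters

# Constructed stand-in for a cracker's phrase list (quotations, lyrics, fiction).
# The Cthulhu line is the guide's own example of a phrase that was cracked.
KNOWN_PHRASES = [
    "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn",
    "to be or not to be",
    "correct horse battery staple",
]

_rng = secrets.SystemRandom()  # CSPRNG-backed; never use random.Random for secrets


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` independent uniform draws from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 64) -> str:
    """Password for a password manager: uniform random draws from the full alphabet."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def generate_passphrase(wordlist, n_words=4, n_digits=2, n_symbols=1) -> str:
    """Memorable passphrase: random words plus a few digits/symbols, one word capitalised."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    i = secrets.randbelow(n_words)          # which word gets the capital letter
    words[i] = words[i].capitalize()
    tokens = (words
              + [secrets.choice(string.digits) for _ in range(n_digits)]
              + [secrets.choice(SYMBOLS) for _ in range(n_symbols)])
    _rng.shuffle(tokens)                    # random position for digits/symbols
    return " ".join(tokens)


def passphrase_entropy_bits(wordlist_size, n_words=4, n_digits=2, n_symbols=1) -> float:
    """Lower bound: counts the word, digit, symbol and capital-position choices, not the shuffle."""
    return (entropy_bits(wordlist_size, n_words)
            + entropy_bits(10, n_digits)
            + entropy_bits(len(SYMBOLS), n_symbols)
            + math.log2(n_words))


def _normalise(text: str) -> str:
    """Drop case, punctuation and spacing so “...fhtagn1.” still matches the known line."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def is_known_phrase(candidate: str, known=KNOWN_PHRASES) -> bool:
    """True if the candidate is built on a phrase a cracker's list would contain."""
    norm = _normalise(candidate)
    return any(_normalise(p) in norm for p in known)


if __name__ == "__main__":
    print("manager password:", generate_password(64),
          f"(~{entropy_bits(len(PASSWORD_ALPHABET), 64):.0f} bits)")
    print("passphrase:", generate_passphrase(WORDLIST),
          f"(~{passphrase_entropy_bits(len(WORDLIST)):.0f} bits with this toy list,"
          f" ~{passphrase_entropy_bits(7776):.0f} bits with a 7,776-word list)")
    for cand in ["Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1.",
                 "copy, indicate 48 Trap bright."]:
        print(repr(cand), "-> known phrase, reject" if is_known_phrase(cand) else "-> ok")
```

The numbers make the guide’s trade-off concrete: a 64-character password from an 87-symbol alphabet carries about 412 bits, far beyond anything an attacker can search, while a four-word passphrase from a 7,776-word list with two digits and a symbol carries about 65 bits, which is adequate for the handful of secrets you must type by hand. The normalising check is the reason capitalisation and punctuation do not rescue a known phrase: cracker rule sets apply those same transformations to every entry in their lists.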
Phones and Tablets
- For unlocking your device, either use fingerprint login, an 8-digit PIN, or a strong password. Don’t use a pattern.
- If on Android, encrypt your device. iOS turns on “Data Protection” automatically when you set a passcode, which isn’t great but is better than nothing.
- You can use Google Authenticator, Duo Security, Authy or FreeOTP (which is FOSS) to scan your two-factor codes.
- SMS is very insecure, so use a messaging app with end-to-end encryption instead, and encourage your contacts to as well.
- Add a PIN to your cell carrier account to protect against SIM swapping.
- Use iCloud’s Find My iPhone on iOS. On Android, use Google’s Android Device Manager and its app, Cerberus anti-theft, or Lookout.
- Consider scanning your two-factor codes into two devices, like a phone and a tablet.
- iOS: Having it erase your device after 10 passcode fails is up to you, but we generally don’t recommend it as sometimes pockets or kids can set this off.
- iOS: Encrypt your to-computer backups.