Security
2025-01-26
A long time ago I wrote about using a Physical Security Key to log in to my computer. Since then I've learned a lot more about digital security and privacy, so I'll document those tips here.
A lot of people reuse a few memorized passwords for all their online accounts, which means if one of those websites gets hacked (and/or has poor security practices like not salting their password hashes) their other accounts could be compromised too. With so much of our lives, finances, and personal documents online this is a pretty big risk. The best way to avoid these situations is to do the following:
- Randomly generate a new long password for each account. Password managers have these built-in.
- Store those randomly generated passwords in a password manager such as Bitwarden or Proton Pass, Chrome / Firefox / Apple's built-in password managers, or notecards in a fireproof box.
- Set up two-factor authentication (2FA / MFA) on all sites that support it. Authenticator apps that rotate 6-digit codes every minute, "passkeys" stored on your phone's hardware-security module (HSM), or physical security keys like a YubiKey are all good options. Unfortunately many sites only support phone text or call 2FA, which isn't particularly secure against targeted attacks, but is better than nothing.
- Keep software up to date. Security flaws are being found and fixed all the time, most of them before they are exploited by bad actors, so keep your software updated on all devices.
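
Why reused passwords and unsalted hashes are a bad combination, and why a randomly generated password avoids the problem, shown as an added example (not part of the original post). The user names, passwords, common-password list and PBKDF2 iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two users who picked the same memorized password,
# and one who let a password manager generate theirs.
USERS = {
    "alice": "Summer2024!",
    "bob": "Summer2024!",
    "carol": secrets.token_urlsafe(24),  # random, about 192 bits
}
# Constructed stand-in for a list of commonly used passwords.
COMMON = ["123456", "password", "Summer2024!", "qwerty"]

def unsalted(password):
    """Poor practice: a fast hash with no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted(password, salt=None):
    """Per-user random salt plus a slow key-derivation function."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted(password, salt)[1], digest)

def recovered_by_lookup(stored_hashes):
    """Users whose unsalted hash appears in a table built once from COMMON."""
    table = {unsalted(p): p for p in COMMON}
    return sorted(u for u, h in stored_hashes.items() if h in table)

def demo():
    weak_db = {u: unsalted(p) for u, p in USERS.items()}
    strong_db = {u: salted(p) for u, p in USERS.items()}
    return {
        # Same password, no salt: identical rows, so one guess exposes both.
        "unsalted_rows_match": weak_db["alice"] == weak_db["bob"],
        "recovered": recovered_by_lookup(weak_db),
        # Same password, different salts: rows differ, no shared table works.
        "salted_rows_match": strong_db["alice"][1] == strong_db["bob"][1],
        "login_ok": verify(USERS["alice"], *strong_db["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```

Carol's generated password never shows up in the lookup, even in the unsalted database, because it is not in any list of common passwords.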
Now on to privacy. It's quite easy to find out people's personal information online if you have a few starting bits of info. To remove traces of yourself here are some tips I've found:
- Minimize social media use, and set as many privacy settings as possible to private or only people in your contacts. LinkedIn is especially bad because people put a good photo of themselves and lots of information about themselves publicly. Wedding registries and public Instagram posts are all also ways I've seen my generation give out lots of online info. Never post live photos from an outdoor location.
- Don't use the US Postal Service's Change Address or mail forwarding feature when you move. I've moved a lot, and I used to use this to ensure no important documents were sent to my previous addresses. Unfortunately the USPS isn't well funded, so it sells your address to spam mail companies, and it makes its way online, increasing both physical and digital spam. Now when I move I just make sure to directly update my address on all important accounts like my work, bank, investment, and insurance accounts.
- Remove yourself from WhitePages, FastPeopleSearch, and similar sites. They have online forms you can fill out to remove yourself. The researchers who developed software which uses smart glasses to look up people's info in public wrote this doc with more links.
- Freeze your credit at the 3 major credit institutions, following the instructions at usa.gov/credit-freeze. This prevents identity theft if your Social Security Number (SSN) is leaked.