Security Checkup

Updating security and rotating passwords is always somewhere on my list of to-dos, but the recent repeal of internet privacy laws has added some extra motivation.

There are plenty of lists of security tools and blogs on best practices already, so this is just my journey to enhance security. Like religious redemption, it’s a journey and not a one-time fix…

First up, get educated. Security is a huge topic, and involves so many risks and solutions. For this round of security, I just want to do quick and free changes to everyday life to boost my online privacy. There’s a great article from Teen Vogue that sums it up perfectly:

To decide which app you need, assess your “threat model.” That’s security industry jargon for taking the time to consider who might be after you and what to do about it.

My priorities for this little checkup are to be generally more secure when online and limit the free data I give companies like Google and Facebook. Next up, I plan to do more to lock down security for myself and my devices but it will take a bit more effort to set up VPNs and research security tools. I’m starting my next checklist from this article for security pros.

Second, quick wins with built-in security. Update iOS, macOS, apps, and any other tools that might have a security patch. If there’s a new update available, you can always see what the update does in the “What’s new” dropdown in the Apple App Store. I particularly enjoy reading the update notes from Slack.

Third, change a few settings in things you use every day. My favorite browser is Google Chrome. It’s probably not the most secure browser out there, but it’s decent. There are a few steps to better protect privacy in Chrome. A few highlights of recommended settings:

  • never “remember” passwords and personal data
  • do not allow Chrome to predict URLs and page loading settings
  • block popups
  • do not allow location tracking
  • never send usage stats to Google
  • no automatic downloads
  • do not allow sites to use the microphone or camera
  • Bonus – I turn off JavaScript for all sites and allow it manually for individual websites – this is annoying, so it might not be best for everyone.

What’s next? Switch to Firefox or go all-in with a Tor browser. It’ll take work, so I’m saving that decision for next time.

Related: Add Chrome Extension IBA Opt-Out from Google

Related: Switch default search engines to DuckDuckGo.

Fourth, add a website tracker blocker. I recommend Privacy Badger from the EFF. I like PB because it’s free, has a browser extension, and I trust the source. I waited a bit to do this probably because the risks aren’t as apparent as account breaches, but it’s so dang easy to use.

Fifth, UPDATE AND MANAGE ALL PASSWORDS. Sorry for yelling but it’s super important. Plus, it’s something so obvious and yet I wasn’t doing a great job at it.

Before, I grouped my accounts into “levels” of importance or privacy, and each level had an increasingly strong password. Simple email-based signups, newsletters, EveryBlock, and so on were Level 1. Level 1 had very little data about me and wasn’t linked to payment info, so I used an easy password like Myname81. If Level 1 got hacked, it would be inconvenient. Levels 2-3 were for social media, PayPal and anything annoying and potentially damaging to lose. Level 4 and 4+ were banks and my core email. Again, this is not ideal password policy!

Rather than remember only 4 passwords, I now only remember 1! I use 1Password (paid version) for password management and backup info. I can upload info that shouldn’t be hanging around in email attachments, like passport numbers and backup codes, but are impossible to remember. Plus, 1Pass generates complex passwords and reminds me of any old or overlapping passwords.
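As an added illustration of the two checks described above (the “levels” anti-pattern of one password shared across sites, and a manager flagging old or overlapping passwords), here is a small vault audit in Python. This is example code, not 1Password’s own; the vault entries, the audit date and the 365-day age limit are constructed assumptions.

```python
"""Added example: a tiny password-vault audit that flags reused and
stale passwords and generates a replacement. Not 1Password's code; the
vault entries and audit date below are constructed sample data."""
import secrets
import string
from collections import defaultdict
from datetime import date

# Constructed sample vault: (site, password, date last changed).
# The first two entries share the old "Level 1" password on purpose.
SAMPLE_VAULT = [
    ("newsletter.example", "Myname81", date(2015, 3, 1)),
    ("everyblock.example", "Myname81", date(2014, 6, 12)),
    ("social.example", "Level2pass!", date(2016, 9, 30)),
    ("bank.example", "vT9#qL2m@Zr8!wXe", date(2017, 1, 15)),
]
AUDIT_DATE = date(2017, 4, 1)  # assumed "today" for the audit


def find_overlapping(vault):
    """Group sites that share the same password (the 'level' anti-pattern)."""
    by_password = defaultdict(list)
    for site, password, _ in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def find_stale(vault, today, max_age_days=365):
    """Return sites whose password is older than max_age_days."""
    return [site for site, _, changed in vault
            if (today - changed).days > max_age_days]


def generate_password(length=20):
    """Random password from the OS CSPRNG, guaranteed to mix character classes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    # Report which sites share a password, without echoing the password itself.
    for sites in find_overlapping(SAMPLE_VAULT).values():
        print(f"same password reused on {len(sites)} sites: {', '.join(sites)}")
    for site in find_stale(SAMPLE_VAULT, AUDIT_DATE):
        print(f"older than a year: {site}")
    print("suggested replacement:", generate_password())
```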

Warning, setting up and migrating to a password manager is tedious and a long process. I’m still finding sites and passwords I haven’t updated and I’ve been using it for 4 months now!

Related: use 2FA (two-factor authentication) or MFA (multi-factor authentication) everywhere it’s allowed. I prefer device-based codes, like Google Authenticator, but some sites only offer SMS-based 2FA. While I was using my silly password layer philosophy, I’m convinced 2FA kept me safe!

Sixth, get off of platforms that sell data. Venturing into the personal – political here. I don’t like the concept of how companies like Facebook and Uber are using my data, and what they plan to do with it. For me Facebook was a waste of time, and it led me to look at the firehose of updates from acquaintances rather than actually connecting with my friends in person or on a long catch-up call.

I deleted Uber. Not just my app, but my full account. Here’s how. There are so, so many accounts of how terrible it has been to women employees, drivers, and journalists since 2014. Enough.

I requested my user data and deactivated Facebook.

I’m still considering what I will tolerate online. I do use Chrome, even though Google makes a majority of their money from online ads, which they sell to companies that use tracking data and demographics. Part of that security journey I mentioned…

Again, these are just my recommendations. Each “threat model” will vary based on what you do online and what your priorities are. Mine are listed in order from the easy security patch downloads to the serious full-on project of updating and managing all your passwords.

Good luck out there.