digitalsafety.tips safe, secure, private

Welcome to digitalsafety.tips, a guidebook aimed at simple solutions to keep people safe, secure, and private in the digital world.

You can scroll through the site or click here for a quick summary.


Browse safely

Chrome and Safari are two of the safest browsers.


Chrome Desktop Add-Ons

These add-ons for Chrome can be useful for a better desktop browsing experience. Chrome can be used across all platforms, whereas Safari is only available on Apple products.

uBlock Origin
Cookie AutoDelete

Note that using any browser on iOS/iPadOS results in using the underlying WebKit browser engine from Apple that powers Safari. The only real advantage to using Chrome on those devices would be to sync bookmarks if you use Chrome elsewhere. If you are in the Apple ecosystem, it would make more sense to just stick with Safari.

Browser setup

Switch the search engine to duckduckgo in the browser settings (both Chrome and Safari).


If you’re not on a Chromebook, or don’t want data to be synced with Google, you may want to uncheck ‘allow Chrome sign-in.’




Block most ads and trackers

AdGuard DNS is a service that keeps you safer and reduces intrusive ads by filtering at the DNS level, so it works for every app on the device, not just the browser.

Android

On Android, you’ll want to go to settings and search for: Private DNS. Add dns.adguard.com to the “Private DNS provider hostname” field. Switch airplane mode on and then back off in order to reset the DNS. That’s it! You’re successfully blocking ads everywhere you go.

iOS/iPadOS

You’ll want to install the AdGuard DNS app, following their instructions for setup.

All other systems (Mac, Windows, ChromeOS, etc.)

Most other systems should be using the uBlock Origin extension in Chrome as discussed above (it can also be used in Microsoft’s Edge browser).

Another option is to use the AdGuard DNS app if you use Safari or another desktop browser that doesn’t support uBlock Origin.




Keep conversations yours

Signal Messenger for Mobile and Desktop


Signal is a fun and peer-reviewed messaging app that allows you to connect in a way that respects you. Signal is non-profit and supports video/audio calls, messaging, Giphy, and group chats. It’s available on iOS, Android, macOS desktop, Windows desktop, and Linux desktop. Make your conversations with people just between you and them, not between you and a company that sees you as a product.




Use passwords wisely

Every account should have its own unique password because it is dangerous to reuse the same password or a variant of the same password across sites. It’s unlikely that most people will remember a unique string of characters for every login, so it’s recommended to use a password manager to store passwords securely.

A password manager generates new passwords for you, and stores them until you need them. All you need to remember is one passphrase that protects all the other ones. As long as the password manager has a strong passphrase and a second-factor code to unlock it, the passwords will stay safe.


Create passphrases


A passphrase is usually longer and more memorable than a shorter but harder-to-remember password. You’ll need a master passphrase for your password manager, which is best created with the Diceware method. This method involves rolling physical dice to randomly select 6 to 7 words from a word list. You simply string these words together as one word and create a mnemonic to remember it.

Despite what you may have heard from other sources, the math behind this method is sound since “a six-word passphrase would take 3,505 years, on average, at a trillion guesses a second.”1

For now, we’ll create two passphrases this way: one for your password manager and one for your home computer. Passphrases are mainly good at securing top level information like your computer login, password managers, or keys. For all your accounts (email, bank, social media, etc.), you’ll want to use passwords generated with a password manager.

  1. Go to EFF’s diceware list
  2. Roll a die 5 times (or you can roll 5 dice once) and write down the numbers in groups of five on a piece of paper.
  3. Do this 6 times. Believe it or not, this is the basis for your first passphrase which will protect your password manager.
  4. Once you have done this, find the corresponding words in the word list and write them next to the numbers.
  5. Create a mnemonic story with the words.
  6. Write down the 6 generated words on a piece of paper that will fit in your wallet.
  7. This is your master passphrase for your password manager.
  8. Do not use it anywhere else.
  9. Repeat this process to create the second passphrase for your computer login.
  10. Shred the paper that you’ve carried with you after you’ve sufficiently memorized both passphrases. With a good mnemonic story, it shouldn’t take longer than a week.
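The procedure above, and the “3,505 years at a trillion guesses a second” figure from the previous section, as an added worked example (this is not code from digitalsafety.tips or the EFF). It generalizes the arithmetic to any word-list size, word count and guessing rate. The six-entry word list is constructed for the example; the real EFF list has 7,776 words keyed "11111" through "66666", and the function names (roll_key, passphrase, entropy_bits, average_crack_years) are my own.

```python
import math
import secrets

# Constructed stand-in for a few entries of a Diceware-style word list.
# The real EFF list has 7776 entries keyed "11111".."66666"; the handful
# here (and the words themselves) are made up so the example runs offline.
SAMPLE_WORDLIST = {
    "11111": "abacus",
    "23414": "cement",
    "35621": "granola",
    "42163": "lantern",
    "53355": "pumpkin",
    "64546": "thistle",
}

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per five-dice outcome


def roll_key(rolls=None, rng=secrets.randbelow):
    """Return one five-digit Diceware key such as "42163".

    By default each digit comes from secrets.randbelow (a cryptographically
    secure source). A fixed sequence of rolls can be passed instead, which
    mirrors the physical-dice procedure and makes the function testable.
    """
    if rolls is None:
        rolls = [rng(6) + 1 for _ in range(5)]
    rolls = list(rolls)
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls, each 1..6")
    return "".join(str(r) for r in rolls)


def passphrase(wordlist, n_words=6, rolls=None, sep=""):
    """Build an n-word passphrase from a {key: word} list.

    `rolls` is an optional flat list of die results (5 per word); when it is
    omitted the rolls are generated with the secure RNG.
    """
    words = []
    for i in range(n_words):
        chunk = None if rolls is None else rolls[5 * i:5 * i + 5]
        key = roll_key(chunk)
        if key not in wordlist:
            raise KeyError(f"no word for key {key}")
        words.append(wordlist[key])
    return sep.join(words)


def entropy_bits(choices_per_symbol, n_symbols):
    """Entropy of n independent, uniformly chosen symbols (words or characters)."""
    return n_symbols * math.log2(choices_per_symbol)


def average_crack_years(choices_per_symbol, n_symbols, guesses_per_second=1e12):
    """Average brute-force time: half the keyspace, at the given guess rate."""
    keyspace = choices_per_symbol ** n_symbols
    seconds = keyspace / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Six words from the full EFF list: about 77.5 bits, ~3,505 years on average
    print(round(entropy_bits(DICEWARE_LIST_SIZE, 6), 1), "bits")
    print(round(average_crack_years(DICEWARE_LIST_SIZE, 6)), "years at 1e12 guesses/s")
    # Seven words adds another ~12.9 bits, i.e. 7776x the work
    print(round(average_crack_years(DICEWARE_LIST_SIZE, 7)), "years for seven words")
    # A 20-character password drawn from 94 printable ASCII characters, for comparison
    print(round(entropy_bits(94, 20), 1), "bits for a 20-char generated password")
```

The security of the scheme rests entirely on the dice (or a secure RNG) choosing uniformly; picking words you like from the list defeats the arithmetic, which is why the steps above say to take whatever the rolls give you.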

Bitwarden password manager


Bitwarden is a password manager that has undergone security audits, encrypts your passwords without being able to access them, is open source, free, and multi-platform. You can even securely share passwords with others. If you’re technically apt, you can even host your own server. I recommend using the app on mobile and the browser plugin on desktop.




Passwords aren’t enough. Use 2FA.

Security is strongest in layers, with passwords being only the first layer in the system. Most people carry a phone, which can easily be used as a second layer of security. 2FA (two-factor authentication) usually works by entering a code from your phone after using your password to log in, so that someone who only has your password still cannot get into the account.


There are three main types of authentication:

- Text message or phone call: get an automated text or phone call and enter the code you read or hear.
- App on your phone: copy the time-based code from an app on your phone.
- A security key such as a YubiKey: press a button on the device or tap the device to your phone.


Prefer security keys over apps, prefer apps over text message authentication. Text message based 2FA is better than not having any at all.

Note that security questions don’t count as a second factor. The answers to security questions are very easy to guess or find out about a person, and are extremely risky to use in place of the above methods. If you must use a security question, I recommend using a random string of characters as the answer to the question. Then save it in your password manager.
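How the “time-based code from an app on your phone” is produced, as an added example that is not code from digitalsafety.tips or from any of the apps named on this page. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, plus the kind of server-side check a site performs when you type the code in. The secret is the RFC test-vector key "12345678901234567890"; everything else (function names, the one-step skew window) is my own choice.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test-vector secret (20 ASCII bytes), used here only
# so the output can be checked against the published vectors.
EXAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226), HMAC-SHA1."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second counter.

    The phone app and the server each compute this from the same shared
    secret; no network is needed, only a reasonably accurate clock.
    """
    return hotp(secret, int(for_time // step), digits)


def decode_base32_secret(text: str) -> bytes:
    """Decode the Base32 secret shown (or encoded in the QR code) at enrolment.

    Apps commonly display it in lowercase with spaces and without padding,
    so all three are tolerated here.
    """
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, submitted: str, now: float = None,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step or `window` steps either
    side to absorb clock skew, and compare in constant time."""
    now = time.time() if now is None else now
    counter = int(now // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # Same key as the app would hold after scanning the enrolment QR code
    key = decode_base32_secret("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    code = totp(key, time.time())
    print("current code:", code)
    print("accepted:", verify_totp(key, code))
```

The shared secret is what the Aegis and Tofu backups mentioned further down actually preserve: with it, any device can regenerate the codes, which is why those backups must be encrypted.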

Security Keys

“Even highly-targeted users like politicians and activists don’t fully appreciate the scourge of phishing, and many aren’t familiar with an emerging form of two-factor authentication known as “Security Keys” that we hope can stop it in its tracks … phishing is the silent killer, and relying on a password alone is a recipe for disaster. 🔐” -Mark Risher’s Phishing and Security Keys

Security keys are the future of authentication. App-based or text-message-based codes are now considered legacy authentication. We are moving to an era in which security keys are the main path to both authentication and passwordless systems. A few larger services such as Google, Microsoft, Dropbox, GitHub, Facebook, and Twitter currently support security keys. DongleAuth is a site that shows which current services work with security keys.


The security key I currently recommend is the YubiKey 5 NFC.

There are a variety of types to fit your needs. Most likely you’ll want the YubiKey 5 series, which supports the newest standards. If you have a newer MacBook, Chromebook, or 2020 iPad Pro, make sure to get a USB-C compatible YubiKey.

You’ll want two of them (one is a backup).

2FA Apps

Aegis for Android


Important: Aegis can back up your 2FA keys to wherever you like. It is highly recommended to keep consistent, encrypted backups of your 2FA keys.


Tofu for iOS


Important: 2FA keys are stored in your iPhone’s secure keychain, so only encrypted iTunes/iCloud backups will include a backup of these keys. If you restore your device from an iTunes/iCloud backup, the app and all keys will be restored as well.

Go to https://twofactorauth.org/ to see some sites that support app based 2FA. Most banks, social media networks, and email providers have 2FA.





Sign up for haveibeenpwned


Created by security expert Troy Hunt, “Have I Been Pwned?” is a service that keeps track of data breaches. Pronounced “pone,” pwn is internet slang for “to own” or to conquer and gain ownership. Enter your email at the site to see if any of your accounts have been breached. If anything has been breached in the past, don’t panic. Go to the website that was breached and change your password there. Be sure to subscribe to get notified of further breaches right away. Do this for each email address you use.




A Note on Email.

Email is fundamentally a non-private protocol; you should use Signal Messenger to keep your conversations private.

Encrypting email is asking for a calamity. Recommending email encryption to at-risk users is malpractice. Anyone who tells you it’s secure to communicate over PGP-encrypted email is putting their weird preferences ahead of your safety.

-Latacora

This is not to say that email is insecure. Security and privacy are facets of digital safety rather than a simple binary decision. This is why I advocate that most people should use Gmail and activate Google’s Advanced Protection Program. Email security is important. We sign up for most accounts with an email address which means that all reset-password-links are sent to that email address. If someone has access to your email or successfully phishes your email, it could be game over for the rest of your accounts. As far as mainstream email providers go, Google has by far the best security with its Advanced Protection Program.

If you object to using Google’s services, Tutanota supports using security keys and may be a reasonable alternative.

And what about phishing?

“Phishing is when a scammer uses fraudulent emails or texts, or copycat websites to get you to share valuable personal information – such as account numbers, Social Security numbers, or your login IDs and passwords. Scammers use your information to steal your money or your identity or both. Scammers also use phishing emails to get access to your computer or network then they install programs like ransomware that can lock you out of important files on your computer. Phishing scammers lure their targets into a false sense of security by spoofing the familiar, trusted logos of established, legitimate companies. Or they pretend to be a friend or family member.” -Federal Trade Commission

For more on phishing, check out this comic from The Intercept.




Security Mindset

In general:

Verifying who people are and what they are doing is essential when dealing with tech support, financial institutions, or businesses. This process helps you avoid social engineering. In general, don’t allow people to remotely access your computer unless your workplace has this set up to begin with.

Additionally, avoid using "smart" appliances or home assistants (Amazon's Alexa, Google Home, etc.). These are set up to listen in constantly, using the information from your everyday life as a means for profit.




“Consider each piece of data you create and what would happen if you lost it, or if it leaked to the public at large. Make backups accordingly.” -Security Researcher Alec Muffett

The cloud is not a bad place to store some types of data. It depends on what you want to do and who you trust. Apple seems fairly reasonable and iCloud may be a good resource for storing family photos or other files. However, this is all about who you trust. New solutions are in development to keep data secure in a zero-knowledge way (where the cloud provider can’t see your data even if they wanted to). You may also want to use a tool like Syncthing to sync folders and files on your own terms. If you want to use tools like Google Drive or Dropbox: that’s fine, just remember that someone else may have access to that information.

Keep backups. If you’ve decided to keep everything in the cloud for backups, it’s still recommended to have an offline backup on an external drive to increase redundancy (in information integrity, redundancy is a good thing). Store this someplace safe, and make sure the backup is encrypted.

Safe ways to backup your data to external media:

Mainstream cloud storage providers:

Cloud backup providers that support zero-knowledge backups (where the provider can’t see your data) by default:




Update. Update now! Turn on auto-updates.

Updating is the digital hygiene equivalent to flossing your teeth. It can be annoying to take a few seconds or minutes to update and restart your devices, but just do it. Vulnerabilities in the code need to be flossed out. There are people actively looking for non-updated software in order to hack it.


Google Play and Android

To automatically update apps on your Android device:

Open the Google Play Store app. Tap Menu and then Settings. Tap Auto-update apps. Select an option:
- Auto-update apps at any time to update apps using either Wi-Fi or mobile data.
- Auto-update apps over Wi-Fi only to update apps only when connected to Wi-Fi.

For the Android System

You’ll get notifications when updates are available for you.

Apple iOS

For the iOS system:

With iOS 12, you can have your iOS device update automatically. To turn on automatic updates, go to Settings > General > Software Update > Automatic Updates. Your iOS device will automatically update to the latest version of iOS. Some updates might need to be installed manually.

For apps on your iPhone:

Tap Settings > [your name] > iTunes & App Store. Turn on the content that you want to automatically download.

Apple MacOS

To automatically download updates in the future, choose Apple menu > System Preferences, click App Store, then select “Download newly available updates in the background.” Your Mac will notify you when updates are ready to install.

-Apple Support

Microsoft Windows

For Windows 10 app store

  1. Select the Start screen, then select Microsoft Store.
  2. In Microsoft Store at the upper right, select the account menu (the three dots) and then select Settings.
  3. Under App updates, set Update apps automatically to On.

For Windows 8.1 and Windows RT 8.1 app store

  1. On the Start screen, select Store to open the Store.
  2. Swipe in from the right edge of the screen, and then tap Settings. (If you’re using a mouse, point to the lower-right corner of the screen, move the mouse pointer up, and then click Settings.)
  3. Tap or click App updates.
  4. Make sure Automatically update my apps is set to Yes.

-Windows Support

For the Windows operating system

Windows Update automatically offers updates to eligible devices. To double check that your device is up to date, open Settings > Update & Security > Windows Update to see your update status.




“Stop using, even erase, delete or destroy, any software or devices which are past their end-of-life, end-of-support, or for which you can no longer obtain software updates. Make sure to save any data that you want or need.” -Security Researcher Alec Muffett

Every week there are dozens of new security vulnerabilities reported that need to be patched. Most devices are patched monthly. Devices are complicated and require constant adjustments to code for each specific device that is made. Sometimes there are even issues with the way the hardware is structured on the device. Eventually, devices aren’t supported anymore and need to be replaced. Devices without security updates are dangerous and should not be used.




Keep your devices on lock

Please keep a passcode on your phone! Today, most modern phones (both Android and iOS) automatically encrypt your data so you can be sure that if you lose your device or if someone steals it, no one else can have access to it.

You’ll want to keep your phone locked with a numeric passcode that is 10 digits or longer:


On Windows, BitLocker can be activated to encrypt your hard drive.

Apple computers also have FileVault, which protects the data on your Mac. Go into the settings and activate it.

ChromeOS is encrypted by default.

Android devices that were released with Android 10 and later require encryption by default. You can also verify this by searching for “encryption” in the settings.

iOS and iPadOS devices are encrypted as long as there is a passcode in place.




Stay informed

This Week in Security Newsletter

From Zack Whittaker, Security Editor at TechCrunch, the This Week in Security newsletter gives you a weekly overview of the week’s security stories.


EFF

“The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world. Founded in 1990, EFF champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development. We work to ensure that rights and freedoms are enhanced and protected as our use of technology grows.”

The EFF has stories out almost every day about your rights online. Follow them and consider joining to support online freedom.



Motherboard

Motherboard reports on all sorts of tech issues. They have robust security coverage.





“The real protection comes when we recognize that privacy is a team sport” -EFF

Get close friends and family on Signal, tell them about being able to block ads, and show them how to make secure passphrases. This way we can help everyone be safe, secure, and private.




Other tools

These tools are in addition to the basic tools that I recommend above. You may or may not have a use case for them.

Mobile/Desktop: Communicate securely with Wire messenger

Wire, which uses a protocol similar to Signal’s, is made by a commercial company and allows secure communication with others. It’s free for personal use. You can also use it for your business with their paid plans.




Mobile/Desktop: Keep your searches and perusing anonymous with Tor

The Tor Browser is an amazing tool that allows you to browse the web anonymously. It routes your traffic through servers operated by volunteers all over the world, encrypting it in layers like an onion. It does this across three relays so that no single server can connect the requester of the data with the data itself. If you would like to be anonymous on the web, the Tor Browser is your ticket.

“Tor protects the network communications. It separates where you are from where you are going on the Internet. What content and data you transmit over Tor is controlled by you. If you log in to Google or Facebook via Tor, the local ISP or network provider doesn’t know you are visiting Google or Facebook. Google and Facebook don’t know where you are in the world. However, since you have logged into their sites, they know who you are. If you don’t want to share information, you are in control.” -Tor Project FAQ




FAQ

What kind of phone should I get?

According to security researcher Daniel Micay, the best option you can have in your hand right now is an Apple iPhone or a current-generation Google Pixel with its security features intact.

What kind of computer should I get?

Choices: iPad Pro, Pixelbook Go Chromebook, MacBook Air, or a PC that can run Windows 10 S.

iPad Pro

Apple has gone to great lengths to protect their users’ privacy and security. An iPad Pro paired with the Magic Keyboard is a great choice for the user who wants a solid, long-lasting, all-around well-performing device. Additionally, Apple is currently in the process of switching its whole Mac lineup to the same or similar chips that are in the iPad Pros. This means native app support for Microsoft Word and other mainstream desktop apps on iPad. The current-generation iPad Pros are ahead of MacBooks in terms of security. The iPad Pro (2020) paired with the Magic Keyboard is the current front-runner for digital safety.

Pixelbook Go Chromebook

ChromeOS is developed first by the open-source team behind Chromium. Google then adds in their stuff to make ChromeOS. Modern Chromebooks like the Pixelbook Go are also able to run Android apps natively. If you’re a developer, you can also run a Linux shell and have access to SSH. For an in-depth view of how the Chromium team is approaching security, read this page.

MacBook Air

The MacBook Air is the jack-of-all-trades machine in this set of choices. It has a good balance of computing power, traditional desktop computing, and Apple’s signature dedication to privacy. It’s not as advanced on the security front as the 2020 iPad Pro, but if you’re technically literate, you may find Apple’s T2 security chip interesting. Additionally, if you think you want to get into programming or like to run shell commands, this is most likely the right choice for you.

PC that runs Windows 10 S

Windows 10 in S mode is a version of Windows 10 that’s streamlined for security and performance, while providing a familiar Windows experience. To increase security, it allows only apps from the Microsoft Store, and requires Microsoft Edge for safe browsing. -Windows 10 S FAQ

For more, visit the Windows 10 S page.

If you are a non-techie, feel free to ignore this blurb. Before fellow privacy nerds freak out, I will just say: I agree with you in principle; it would be better for all things to have source code published and code developed in an open, democratic way (and copyleft or Creative Commons). I get it. But the Linux kernel and distro security management (I’m looking at you, Debian) are light-years behind macOS, AOSP, or Windows. I used to believe that Linux was more secure. That was what the community told me, at least. It wasn’t until I started digging that I found problems. This piece in the Washington Post details the issue pretty well. I don’t believe you can have privacy (one of the three aspects of digital safety) without security. Voyeurs would have their way without locks on doors. Privacy can’t be had without security. Secrets leak without proper security management.

In general, the assumption that open source software is any more secure or even private in practice is totally wrong and not based on reality.

-Daniel Micay

Why should I care about privacy? I don’t have anything to hide.

I found that these two quotes best sum up the issue:

Over the last 16 months, as I’ve debated this issue around the world, every single time somebody has said to me, “I don’t really worry about invasions of privacy because I don’t have anything to hide.” I always say the same thing to them. I get out a pen, I write down my email address. I say, “Here’s my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you’re doing online, read what I want to read and publish whatever I find interesting. After all, if you’re not a bad person, if you’re doing nothing wrong, you should have nothing to hide.” Not a single person has taken me up on that offer.
- Glenn Greenwald, “Why privacy matters” (TED Talk)

and

Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.
- Edward Snowden on Reddit

For more:

Should I use a VPN?

You can use a commercial VPN if you want, but remember: “A VPN is an ISP.”

Privacy and anonymity researcher Sarah Jamie Lewis points out that using a virtual private network (VPN) doesn’t keep you anonymous. Rather, you are taking the burden of potential surveillance away from your current Internet service provider (ISP) and moving it to another party, the VPN provider. This doesn’t mean “don’t use a VPN.” It means treat your VPN just like an ISP. If you need anonymity, use the Tor Browser.


What kind of router should I get?

Most consumer routers are horribly outdated and riddled with bugs. In 2018, the U.S. government advised that U.S. citizens reset their routers after the Russian government attacked and successfully subverted hundreds of thousands of routers throughout the world. Most consumer routers never get updated. These are actually small computers that need regular updates to patch security issues and bugs.

pfSense router and firewall with a wireless access point

pfSense is an open-source operating system that specializes as a firewall, router, gateway, and more. Netgate makes pfSense appliances that I recommend.


In addition to the router, you’ll need a wireless access point for Wi-Fi. Pick up a wireless access point, like one made by Ubiquiti, and you should be set.

How do I securely attend a peaceful protest?

Disable biometrics temporarily

You’ll want to temporarily disable unlocking your mobile device with a fingerprint or face. This will instead require you to enter your passcode the next time you need to unlock your device. Remember that you don’t need to unlock your device to use the camera. To do this:

On iOS

Press and hold the side button and either volume button for 2 seconds.

After the sliders appear, press the side button to immediately lock iPhone.

iPhone locks automatically if you don’t touch the screen for a minute or so.

The next time you unlock iPhone with your passcode, Face ID is enabled again.

On Android devices

Open the settings and search for “lockdown” and enable the toggle. The option for lockdown mode will then show up when you hold down the power button from the main menu of your phone or the lock screen.

Always film encounters with law enforcement

Smartphones have been instrumental in exposing police brutality and corruption. You have the right to film police in the United States.

10 Rules for Dealing with Police

Useful video presenting possibly life-saving and rights-preserving rules for peacefully interacting with law enforcement.

Black Lives Matter

Resources I’ve found helpful:




Summary


Steps:

  1. Use Chrome or Safari for your browser
  2. Block most ads and trackers with NextDNS or AdGuard DNS
  3. Communicate securely with Signal Messenger
  4. Use a password manager like Bitwarden with a strong passphrase
  5. Get a YubiKey security key and turn on two-factor authentication for your accounts
  6. Get alerted to accounts that are compromised in a data breach by signing up for Have I Been Pwned
  7. Email isn’t private, but it can be secure if you use Gmail with the Advanced Protection Program
  8. Maintain a security mindset and avoid common scams and phishing
  9. “Consider each piece of data you create and what would happen if you lost it, or if it leaked to the public at large. Make backups accordingly.” -Security Researcher Alec Muffett
  10. Turn on auto-updates for your systems and apps
  11. “Stop using, even erase, delete or destroy, any software or devices which are past their end-of-life, end-of-support, or for which you can no longer obtain software updates. Make sure to save any data that you want or need.” -Security Researcher Alec Muffett
  12. Passcode-lock your devices; turn on encryption
  13. Keep yourself informed
  14. There may be other tools that can help keep you safe: here are a few

FAQ

  1. What kind of phone should I get?
  2. What kind of computer should I get?
  3. Why should I care about privacy? I don’t have anything to hide.
  4. Should I use a VPN?
  5. What kind of router should I get?
  6. How do I securely attend a peaceful protest?

About

This site is aimed at the layperson and is intended to get privacy- and security-preserving tech into the hands of as many people as possible. Therefore, it may not meet your needs if you require a higher level of anonymity or have a complex threat model. If your needs are greater than this project, please check out the following:

Contact

I’m Grant. For many years I’ve spent a large number of hours learning more about technology, security, Linux, and network infrastructure.

My handle is @increasingawareness. I’m not currently on any social media platforms.

Wire messenger - @increasingawareness
XMPP - gmj@conversations.im
Email - digitalsafety@tuta.io

Contribute

If you feel that anything on this site needs to be changed, redacted, or added, please feel free to open an issue or submit a pull request on Github.

Credits


Original content of this site is published into the public domain under Creative Commons Zero (CC0). This creator is dedicated to the free exchange of ideas, art, and science.

Additionally, the end-user retains all liability of using the services listed here and will not hold liable digitalsafety.tips or its creators.

Logos and screenshots used under fair-use. This site will comply with DMCA notices or takedown messages. Please contact the site by emailing digitalsafety@tuta.io