Staying Safe Online: A Guide for Less-Technical People

Perhaps you’re worried about being doxxed, perhaps you’ve received some specific threats, maybe you just want to increase your security. No matter the reason, this article is for you! Below I will list a collection of good practices to keep you and your accounts safe online. I fully expect to update this post as things change in the future.

I have tried to put things in a logical order, with some later steps depending on earlier steps, and some things that may be considered “controversial” towards the end.

This post was last updated on Jan 2, 2020.


[Image: Anyone in a hoodie is NOT to be trusted.]

I recommend using a password manager such as LastPass to keep track of your passwords. While having your passwords stored in an app that uploads them somewhere increases your risk slightly, I feel that risk is outweighed by the benefit of using a different password for each service. For the passwords themselves, you can use random characters or a system such as Diceware to create long passphrases that are easier to remember. While the latter is slightly less secure, a password that can be remembered is one less password to store in a password manager.
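To make the “slightly less secure” comparison concrete, here is an added example (not from the original post) that measures the entropy of a Diceware passphrase against a random-character password and generates both with a cryptographically secure RNG. The eight-word list is a constructed stand-in for the real 7776-word Diceware list.

```python
import math
import secrets
import string

# Constructed stand-in for the real Diceware list (which has 6**5 = 7776 words,
# one word per roll of five six-sided dice).
SAMPLE_WORDLIST = ["cable", "modem", "router", "camera", "doorbell", "array", "phone", "key"]
DICEWARE_LIST_SIZE = 6 ** 5

# 94 printable ASCII characters: letters, digits and punctuation.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices_per_symbol, length):
    """Entropy of a secret made of `length` symbols, each drawn uniformly
    from `choices_per_symbol` options (symbols = words or characters)."""
    return length * math.log2(choices_per_symbol)


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest number of Diceware words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def diceware_passphrase(words, wordlist):
    """Pick words uniformly with `secrets` (never `random`, which is predictable)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def random_password(length, alphabet=PRINTABLE):
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(words=6, chars=12):
    """Return the entropy (bits) of a `words`-word Diceware passphrase and a
    `chars`-character random password so the two approaches can be compared."""
    return {
        "diceware_bits": round(entropy_bits(DICEWARE_LIST_SIZE, words), 2),
        "random_bits": round(entropy_bits(len(PRINTABLE), chars), 2),
    }


if __name__ == "__main__":
    print(compare())                      # six words vs. twelve random characters
    print(words_needed(80))               # words for roughly 80 bits
    print(diceware_passphrase(6, SAMPLE_WORDLIST))
    print(random_password(12))
```

Six Diceware words come within about one bit of a twelve-character random password, which is why the memorability trade-off is small when the words are chosen by dice or a CSPRNG rather than by hand.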

Change Default Passwords

  • Cable modems
  • Routers
  • Wireless access points
  • Disk arrays
  • Security cameras
  • Doorbells
  • Appliances
  • …and anything else I didn’t mention here. If it ships with a password, change that password!

Password Protect Your Phone

In short, an iPhone with a password set has its data encrypted and protected against all but perhaps nation-state level attackers. You should absolutely positively set a password on your iPhone, and share it with no one.

Android users, I’m sorry but I don’t have any experience with your platform. I do recommend setting a password on your phones, however.

Turn on Two-Factor Auth (2FA)

Here is how to turn on 2FA for your Gmail account.

You should NOT use SMS as the second factor, for reasons I will go into later in this article; instead, consider a software app and/or a hardware key for that purpose. Here are some suggestions:

Anything that supports the TOTP spec will work just fine. And don’t stop with just Gmail — do you use Twitter and Facebook? Turn on 2FA there, too!

Remove Cellphone Numbers From Your Accounts

Such an attack sounds rather complicated, but in reality the going rate for SIM Swapping is about $100 per number. Seriously, if you have a cellphone number on an account that you control, remove it ASAP.

If you have an account where a cellphone number is required, my recommendation would be to get a Google Voice number, install the Google Voice app on your phone, and turn off SMS forwarding of messages. When a text comes in to the Google Voice number, you will get an alert on your phone with the contents of the text. (You did enable 2FA for your Google Account, right?)

A benefit of this approach is that it also protects against your cellphone being stolen and the SIM put into a new phone to receive 2FA texts.

Put a PIN on Your Cellphone Account

Turn Off Sharing On Your Computer

[Image: “Oh dear god”]

Go into the “Sharing” control panel on your computer and turn off anything you’re not using. Even if you are using it, carefully consider whether it’s something you really need, and if you really really need it to be turned on 100% of the time. If it is something used infrequently, consider turning it on only as-needed and turning it off afterwards.

Set a Password in Telegram

Cover Your Laptop Cameras

Yes, I had a number of calls where I thought there was something wrong, and realized I had the camera covered — switching to tape reduced the number of those incidents to zero. :-)

Keep Your Software and Devices Up To Date

Run software updates regularly. 0-day attacks are a thing, and applying updates sooner rather than later limits your chances of getting hit with one.

Defense in Depth

The reason for that is Defense in Depth. That is an approach where you have multiple layers of security, so that if one layer is breached, an attacker still cannot get into your computer or your accounts. For example, Google says that successful phishing attacks against their employees dropped to zero after switching to hardware keys for 2FA.

Avoiding Phishing Attacks

If you click a link and suddenly get a login screen, stop and close that tab. Then create a new tab and type the site into the address bar or use a pre-existing bookmark to log in.

If you’re using a YubiKey, there is an extra layer of defense called Origin Binding. That binds a user login to a specific site, which means that only the legitimate site can authenticate with that key. While you may be fooled, the YubiKey will not be. :-)
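Here is an added, simplified model of origin binding (not code from the post or from Yubico) that shows why a relayed phishing page cannot reuse the key’s response. The real protocol uses per-site asymmetric keys; an HMAC over (origin, challenge) stands in for the device signature, and the origin names are constructed.

```python
import hashlib
import hmac
import secrets


class SecurityKey:
    """Hardware key stand-in: the secret never leaves the device."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)

    def sign(self, origin, challenge):
        # The BROWSER supplies `origin` from the page's real URL; the page itself
        # cannot change it. The response is bound to that origin plus the challenge.
        return hmac.new(self._secret, origin.encode() + b"|" + challenge, hashlib.sha256).digest()

    def verify(self, origin, challenge, signature):
        # Stands in for the public key the site stores at registration.
        return hmac.compare_digest(self.sign(origin, challenge), signature)


class RelyingParty:
    """The legitimate website. It only ever verifies against its OWN origin."""

    def __init__(self, origin):
        self.origin = origin
        self.registered = {}  # user -> verifier (the stored public key, in reality)

    def register(self, user, verifier):
        self.registered[user] = verifier

    def new_challenge(self):
        return secrets.token_bytes(32)

    def login(self, user, challenge, signature):
        return self.registered[user](self.origin, challenge, signature)


def demo():
    key = SecurityKey()
    site = RelyingParty("https://accounts.example.com")  # constructed origin
    site.register("alice", key.verify)
    challenge = site.new_challenge()

    # Normal login: the browser is on the real site, so it reports the real origin.
    legit = site.login("alice", challenge, key.sign(site.origin, challenge))

    # Phishing: a look-alike page relays the real challenge, but the browser still
    # hands the key the look-alike origin, so the relayed response fails at the real site.
    relayed = key.sign("https://accounts-example.com.evil.test", challenge)
    phished = site.login("alice", challenge, relayed)
    return legit, phished  # (True, False)


if __name__ == "__main__":
    print(demo())
```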

Freeze Your Credit Reports

The only time you will need to unfreeze your credit is for anything that requires a credit check, such as applying for a loan or getting a credit card. These events are so rare that the extra effort to (briefly) unfreeze your credit is worth the extra protection against identity theft that it provides.

Buy Google One, DropBox Plus, etc.

Same thing goes for your files in DropBox — their paid plans start at $9.99/mo which means that if something goes wrong, you are more likely to get a speedier resolution to your issue.

In a perfect world, neither of the above should be necessary. Sadly, we live in an imperfect world where leopards are confused with cheetahs daily.

[Image: Someone called him a cheetah and THEN hacked his Gmail account.]

Tor and VPNs

  • A government is interested in what you may be doing, or
  • You are visiting a website that tracks visitors, or
  • Someone is trying to trick you into revealing your IP address and/or location (which isn’t that difficult to set up)

In addition to getting your IP address, an adversary might attempt browser fingerprinting, which would let them track you even if you are using different IP addresses. The way to deal with this is by one of two approaches.

The first approach would be to download the Tor Browser. This browser routes your traffic through the Tor Network, so that your original IP address is hidden, and the browser itself is built so that all users look the same, making browser fingerprinting much less effective. This option is free.

The second approach would be to use a VPN for your connection and then use a hardened version of Firefox for your browsing sessions. This option will cost money, because you absolutely positively should not use a “free” VPN. It will also be faster than Tor, but requires a little more setup and is therefore slightly more error prone.

Again, unless you have a specific reason to believe that someone is trying to track you, Tor or a VPN is probably overkill. I’d rather see you do everything else in this blog post, and leave Tor/VPN usage for the very last thing.

Increase Your Social Media Presence

Say what you will about social media, sites like LinkedIn and YouTube, photo sharing sites like Flickr, etc. but one thing that those sites all have in common is this: they have a very high PageRank in Google. This means that if you create accounts on those sites, and use them semi-regularly, those are the websites that will show up when people Google for your real name. This is a good thing, because it means if someone tries using a link farm to spread lies or misinformation about you, they will have to work that much harder in order to bump you down from the top 5 results on Google for your real name.

The above approach is actually a simple form of reputation management, low-key as it may be.

But I understand that social media is not for everyone.

Additional Reading

About the author

And a disclosure: the Diceware app mentioned above was written by me, but the Diceware approach has been around since 1995.

Final Thoughts

If you have any thoughts on the topic of security, feel free to reach out or leave a comment!

(The original post is on my blog.)

Engineer. Staff at Anthrocon, Anthro New England, Midwest FurFest, Furry Migration, Eurofurence. AWS, Splunk, Docker, DMARC, White Mage, he/him
