The Normal Person's Guide to Internet Security
This is a quick and dirty guide to basic internet security for the normal internet user. If you're engaging in nefarious activities online (e.g. torrenting content) this guide is insufficient. What follows are the seven things everyone can do to protect themselves on the internet.
TO BE COMPLETELY CLEAR: I am not an internet security expert. Follow this guide at your own risk. It's your own damn fault if you get pw3ned. Take this quiz to see if you can outsmart internet scammers.
tl;dr true internet security requires behavior change. This free guide will provide a “good enough” starting point for regular people using the internet in regular ways.
That said, here’s how to protect yourself on the internet in 20 minutes or less – or your money back.
1/ Enable Two-Factor Authentication
You know when you login to your bank, but then they send you a text message with a six-digit code? That’s two-factor authentication. It's annoying, but it’s the most important thing you can do to protect yourself on the internet.
Use two-factor authentication on the following services you use: Amazon, Apple, Dropbox, Facebook, Google, Instagram, Microsoft, Paypal, Slack, Twitter, Venmo, and WhatsApp. Don’t forget your bank and email accounts, too!
Check twofactorauth.org for a complete list of apps and services that support 2FA. Enable this for everything you use.
Use an authenticator app like Authy or Google Authenticator (both are free!) to make 2FA life easier. Now, instead of waiting for a text message, you use the app and punch in the six-digit code listed for your service.
2/ Use Strong Passwords
You already know what to do. Just do it. And, just because you're using two-factor authentication for everything doesn't mean you can skimp on your passwords.
Did I say password with an S? Yes. Use a unique password for every service you use – do not repeat your same password over and over. And, never use the password you’ve picked for your email account for any site.
Strong passwords are 12-14 characters in length and a mix of capital and lowercase letters, numbers, and punctuation. Don’t use the same password for every site or service. Change your passwords twice a year (I change mine when I go to the dentist). Don't keep a text file or email to yourself with all your passwords listed.
An easy way to create and remember a strong password is to combine a memorable sentence with some unique capitalization and punctuation to modify the sentence into a password.
For example, "I love to eat pizza in my pajamas in the morning!" could easily turn into the password: I<32epimpithm!.
Get it? I <3 2 e(at) p(izza) i(n) m(y) p(ajamas) i(n) t(he) m(orning) !
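To see why the rules above matter, this added example (not code from the guide) checks a password against the guide's own criteria (length, all four character classes), flags a password reused across services, and estimates brute-force time from the size of the search space. The guess rate of ten billion per second is an assumed figure for an offline attacker with a GPU, and the sample passwords are constructed.

```python
import string

# The four character classes the guide asks for.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def missing_classes(pw: str) -> list[str]:
    """Names of the character classes the password does not use."""
    return [name for name, chars in CLASSES.items() if not any(c in chars for c in pw)]


def meets_guide(pw: str, min_len: int = 12) -> bool:
    """True when the password is at least 12 characters and mixes all four classes."""
    return len(pw) >= min_len and not missing_classes(pw)


def brute_force_years(pw: str, guesses_per_second: float = 1e10) -> float:
    """Expected years to brute-force, assuming the attacker only has to try the
    character classes actually present and finds the password halfway through.
    (Assumed rate; a dictionary or leaked-password attack can be far faster.)"""
    present = [name for name in CLASSES if name not in missing_classes(pw)]
    alphabet = sum(len(CLASSES[name]) for name in present)
    expected_guesses = alphabet ** len(pw) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def reused_passwords(vault: dict[str, str]) -> list[list[str]]:
    """Groups of services that share one password (the guide says: never reuse)."""
    by_password: dict[str, list[str]] = {}
    for service, pw in vault.items():
        by_password.setdefault(pw, []).append(service)
    return [sorted(s) for s in by_password.values() if len(s) > 1]


if __name__ == "__main__":
    # Constructed sample vault: the guide's example password plus a reused weak one.
    vault = {"email": "I<32epimpithm!", "bank": "password1", "shop": "password1"}
    for service, pw in vault.items():
        print(service, meets_guide(pw), f"{brute_force_years(pw):.3g} years")
    print("reused across:", reused_passwords(vault))
```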
On your phone. Turn on your phone’s password protection and set it to always require a passcode. Use the fingerprint reader. Set notifications to not show on lock screen.
On your computer. Set a login password. Require a password immediately after waking from sleep and the screen saver. Lock your screen when you walk away from your computer. (One easy way to do this is to create a hot corner on your screen that immediately starts your screensaver.)
Use a Password Manager. Both 1Password and LastPass are good, multi-device options. Pick a very strong master password, but one that you can remember! If you forget your master password, then you're pretty much fucked.
For more on passwords, read Password Do’s and Don’ts from Krebs on Security.
3/ Install uBlock Origin
uBlock Origin is free and takes two seconds to install on your browser. Get it for Chrome and Firefox. The Safari installation is a little trickier – you'll have to do it manually. Follow the instructions here to download and install (it takes five total clicks).
uBlock Origin is an ad blocker that does exactly what you think it does: prevents ads from loading on web pages. This is great for several reasons: faster web browsing, less stuff to download, and it prettifies web sites. But the best reason is that it also blocks those sneaky trackers used to retarget the same ad over and over again.
4/ Install HTTPS Everywhere
HTTPS works by encrypting traffic between the websites you visit and the device you're using. Think of it as a way to protect yourself against inappropriate eavesdropping on your browsing habits.
HTTPS Everywhere from the Electronic Frontier Foundation is a free browser extension that will encrypt your communication with most major websites by loading the content over an HTTPS connection rather than a standard HTTP connection when possible. Get it here: EFF.org/https-everywhere
5/ Install Privacy Badger
Privacy Badger is similar to an ad blocker, but for preventing third-party cookies from recording your browsing habits. It's a free browser extension that blocks certain cookies and third-party content.
Install it for Chrome and Firefox here. Sorry Safari.
6/ Secure Your Messaging
Use a secure messaging service for your text messages or emails.
Prevent carriers or service providers from snooping on or exposing your text messages by using a mobile app that encrypts your messages. Some examples are Signal and WhatsApp, which both encrypt messages with other users by default. Both Signal and WhatsApp work on iOS, Android, and various desktop operating systems.
Secure email providers like ProtonMail and Tutanota encrypt their messages so that even the people running the service can't read them, even if they tried. Both are secure by default to other users of each service, and both offer options to secure email messages to other providers with a password so that only the intended recipient can read them. In addition to their websites, both ProtonMail and Tutanota offer mobile clients for iOS and Android.
7/ VPN (optional)
NOTE: This is seriously overkill for most normal users. If you're going to inquire about a VPN, you'll need to do a fair amount of personal research. Free VPNs will likely cause more harm than good!
VPN stands for Virtual Private Network and is a way of using the internet in a much more secure way. It works by encrypting your data (Private) and then routing your traffic through servers elsewhere in the world (Virtual Network) so no one can see what you are up to. If you use public wifi at a cafe, hotel, or airport, a VPN is essential.
Choose a VPN. A VPN you can trust costs money. Period. Most options will cost you $10 or less per month. I personally use Private Internet Access. It's barebones, but it's also $3.33/mo. Nord is another good choice, which looks to be more user friendly and costs $5.75/mo. You can also check out TorrentFreak's 2017 VPN Q&A to learn more about the different VPN services available.
Using your VPN. Some people leave their VPN on 24/7. Others only use it when they're doing something extra private (e.g. porn). If you're a normal person using the internet, I'd suggest this rule of thumb: if you're using the internet outside of your home, turn on your VPN. Note: if you're going to login to your bank or a financial institution, turn off your VPN – you'll likely get flagged and locked out of your account since you'll appear to be somewhere else in the world.
Check it's working. With your VPN connected, head over to ipleak.net and see where in the world you're connected.
- Have I Been Pwned?. Check if you have an account that has been compromised in a data breach and sign up for notifications for future data breaches your accounts have been involved in.
- How Secure Is My Password?. Test your current passwords to make sure they are strong and see how long it would take for a computer to crack your password.
- Surveillance Self-Defense. This site from the Electronic Frontier Foundation takes a much deeper dive into personal Internet privacy than this guide. It includes guides on choosing the right tools for your needs, choosing passwords, and developing good habits online.
The above isn't a comprehensive list – there's a lot more you could do – and there's no silver bullet when it comes to internet security. Nerds will point out that this guide falls woefully short in a lot of ways. They're right. It does.
Help me improve this. This guide lives on GitHub, which means anybody can request to edit the content. Do you know something smart that was left out? Make a pull request. github.com/mkiser/WTFJHT/
The point of this guide isn't to ensure absolute internet security and anonymity online – it's to help normal people use the internet a little more safely. If you want to take a few more actions to ensure you're more secure, check out Get Safe.
Let me know what you think @matt_kiser.