How to Protect Your Digital Assets
This is a practical guide on how to protect yourself and your digital assets, including (but not limited to):
- secure communication (such as voice calls and messaging)
- protecting online accounts (Google, Facebook, Twitter)
- protecting personal data (documents, financial accounts)
- protecting mobile phones
- protecting personal computers
This guide is intentionally prescriptive and action. There may be endorsement certain products, but it is not necessarily comprehensive. In certain cases, there may be alternative methods or products which are more suitable for your needs. This is not a panacea for all your personal security problems, but rather a good starting point for anyone concerned about their personal digital privacy and security.
If you’d like to make a contribution, have questions, or want to leave feedback, please do so through GitHub
How to Read This Guide
It’s recommended you begin by familiarizing yourself with the core concepts, and then moving on to the relevant actionable topics. You should focus on the following priorities:
- Secure access to your mobile phones
- Secure access to your PCs
- Secure online account access
- Safe browsing
- Secure cloud storage
Passwords should be managed using a password manager. A password manager is a tool that stores passwords securely, and usually provides other useful features such as syncing across devices, backups, mobile apps, and more. Rather than remembering a password for each individual website or service you use, you should create very strong password to unlock your password manager, and then generate a new random password for each individual website or service that you use. You never need to memorize these passwords.
This has some important advantages over memorizing passwords, such as:
- if your password for a particular website or service becomes compromised, it will not affect other websites or services (since each password is unique)
- by not knowing your passwords, you are less likely to accidentally share your password
- password managers includes tools for notifying you when a password may have been compromised, so you can change it
Open Source Password Managers:
Commercial Source Password Managers:
2-factor Authentication (2FA)
2-factor authentication (referred to as 2FA) is a method of securely identifying yourself, whereby you use 2 pieces of secure information to prove you are who you are. In practice, you combine something you know with something you have. For example, you could combine a password with a special code (or one-time password) which is generated using a mathematical formula. This code may be provided by receiving an SMS message, a phone call, an email, or using a OTP app like Google Authenticator.
2FA is widely supported, but not yet implemented by all online services. If a service you use doesn’t support it, you should petition them to add 2FA support. Furthermore, you may want to consider whether or not a service properly supports 2FA before using their products. For example, you may want to choose a bank based on whether or not they support 2FA.
In this guide, it’s recommended that you use a hardware authentication device for 2FA. Specifically, you should consider using the YubiKey 4 or a similar device. The YubiKey will be referenced elsewhere in this document. Telephony based 2FA, including SMS and voice calls, is considered insecure and should be avoided. In order of preference, it’s recommended that you use:
- Hardware U2F or OTP device, such as a YubiKey 4
- Software-based OTP tool, such as Authy or Google Authenticator
- Trusted email account to receive OTP (preferably one which requires 2FA)
- SMS or voice call to receive OTP
Many services will offer SMS or voice calls as an account recovery method in case you cannot login. Phone-based recovery methods (SMS & voice) should be disabled, if possible.
Encryption, when applied to your data, is a method of making it difficult for unauthorized parties to intercept data and know what you’ve written, said, where you’ve been, or what you’ve done. It does not guarantee that others can’t intercept or read your data, but it can make it extremely difficult, if applied correctly. For example, you may want to encrypt your text messages or phone calls so nobody can snoop on them.
Many services advertise and include encryption, but very few of them are actually secure because they typically store the private keys as part of the service. This means that if that service itself becomes compromised, your data may not be safe. Most internet-based services operate this way.
This guide will discuss some options for safely encrypting data for certain applications, but there are far too many tools, services, and applications to discuss each one. There is a section on using GnuPG, a powerful encryption tool, and a kind of Swiss army knife for privacy.
- How to Secure Access to Your Mobile Devices
- How to Secure Access to Your PC
- How to Communicate Securely
- How to Secure Your Online Accounts
- How to Browse the Web Safely
- How to Store Data Securely Online
- How to Use Your YubiKey with GnuPG