How to Protect Your Digital Assets

https://protect-yourself.io/

This is a practical guide on how to protect yourself and your digital assets, including (but not limited to):

This guide is intentionally prescriptive and actionable. It may endorse certain products, but it is not necessarily comprehensive. In certain cases, there may be alternative methods or products which are more suitable for your needs. This is not a panacea for all your personal security problems, but rather a good starting point for anyone concerned about their personal digital privacy and security.

If you’d like to make a contribution, have questions, or want to leave feedback, please do so through GitHub.

How to Read This Guide

It’s recommended you begin by familiarizing yourself with the core concepts, and then moving on to the relevant actionable topics. You should focus on the following priorities:

  1. Secure access to your mobile phones
  2. Secure access to your PCs
  3. Secure online account access
  4. Safe browsing
  5. Secure cloud storage

Core Concepts

Password Management

Passwords should be managed using a password manager. A password manager is a tool that stores passwords securely, and usually provides other useful features such as syncing across devices, backups, mobile apps, and more. Rather than remembering a password for each individual website or service you use, you should create a very strong password to unlock your password manager, and then generate a new random password for each individual website or service that you use. You never need to memorize these passwords.

This has some important advantages over memorizing passwords, such as:

Open Source Password Managers:

Commercial Source Password Managers:

2-factor Authentication (2FA)

2-factor authentication (referred to as 2FA) is a method of securely identifying yourself, whereby you use 2 pieces of secure information to prove you are who you are. In practice, you combine something you know with something you have. For example, you could combine a password with a special code (or one-time password) which is generated using a mathematical formula. This code may be provided by receiving an SMS message, a phone call, an email, or using an OTP app like Google Authenticator.

2FA is widely supported, but not yet implemented by all online services. If a service you use doesn’t support it, you should petition them to add 2FA support. Furthermore, you may want to consider whether or not a service properly supports 2FA before using their products. For example, you may want to choose a bank based on whether or not they support 2FA.

In this guide, it’s recommended that you use a hardware authentication device for 2FA. Specifically, you should consider using the YubiKey 4 or a similar device. The YubiKey will be referenced elsewhere in this document. Telephony based 2FA, including SMS and voice calls, is considered insecure and should be avoided. In order of preference, it’s recommended that you use:

  1. Hardware U2F or OTP device, such as a YubiKey 4
  2. Software-based OTP tool, such as Authy or Google Authenticator
  3. Trusted email account to receive OTP (preferably one which requires 2FA)
  4. SMS or voice call to receive OTP

Many services will offer SMS or voice calls as an account recovery method in case you cannot login. Phone-based recovery methods (SMS & voice) should be disabled, if possible.

Encryption

Encryption, when applied to your data, is a method of making it difficult for unauthorized parties to intercept data and know what you’ve written, said, where you’ve been, or what you’ve done. It does not guarantee that others can’t intercept or read your data, but it can make it extremely difficult, if applied correctly. For example, you may want to encrypt your text messages or phone calls so nobody can snoop on them.

Many services advertise and include encryption, but very few of them are actually secure because they typically store the private keys as part of the service. This means that if that service itself becomes compromised, your data may not be safe. Most internet-based services operate this way.

This guide will discuss some options for safely encrypting data for certain applications, but there are far too many tools, services, and applications to discuss each one. There is a section on using GnuPG, a powerful encryption tool, and a kind of Swiss army knife for privacy.

Action