Six security suggestions for regular people

crasch (53)in #security • 8 years ago (edited)

Who should read this?

Computer security is not something most people want to think about. It's boring, and complicated, and not really their thing. However, they see news reports of thieves stealing Yahoo's account database, and they think that they should do something to beef up their security. Maybe they have a Yahoo address, maybe their Mom does.

But when they try to look into it, they're overwhelmed by the complexity, and they give up.

This article was written for that person.

It consists of my recommendations that I think every average person should follow. They're not perfect, nor complete, and certainly not foolproof. But they will improve things quite a bit.

(My recommendations are not suited for someone with greater than average security or anonymity needs. If you're a political dissident, an online drug buyer, or a whistleblower, you need to do more work!)

Threats

The average person doesn't face threats from state level actors. IMO, the average person's biggest threats are:

phishing scams
malware / ransomware
identity theft and credit fraud

Given these threats--and the limited amount of time that the average person is willing to spend on computer security--what steps can non-experts take to improve their security the most?

Suggestions

Here are my top six recommendations. Note that I place heavy emphasis on ease of use, at the cost of reduced anonymity and security. I discuss some of those tradeoffs afterward.

Install and use Lastpass password manager on all your devices (computer, phone, tablet). (Edit: I now recommend Bitwarden: https://bitwarden.com/ )
Create and use a different password for each important website (Google, Facebook, bank, phone company).
Install and use the Signal app.
Tell the credit reporting agencies to put a freeze on your credit.
Instruct your phone providers to require a passcode to make changes to your account.
Never click a link in an unsolicited email. If you get such a request go to the website directly, and login from there.

Note that these are basic steps that will, at least at this writing, go a long way to improving your security.

However, computer security is not something that you can set and forget. Security threats and defenses evolve and change over time, and so should your approach. You should think of it like a garden, something that requires at least a little ongoing watchfulness and care.

If you don't have a security nerd friend to do the watching for you, Bruce Schneier's blog is a good blog to stay abreast of new developments.

Comments, questions, and suggestions are welcome. Please send them to [email protected].

A discussion of tradeoffs

Ideally, security software is open source. This allows neutral parties to vet the software for bugs or security vulnerabilities. Also, in an ideal world, software is peer-to-peer (p2p) and decentralized, which eliminates the security company as a single point of failure.

Lastpass is not open source at all. Most of Signal's code is open source, but relies on code that is closed source in order to function. It also requires having a phone number, which is difficult to acquire and use, if you wish to remain anonymous.

Both Lastpass and Signal's servers are wholly controlled by their respective developers. Neither company encourages competitors to interoperate with them.

However, to my knowledge, there are no programs with the same features that work as smoothly across so many platforms as Lastpass or Signal.

If you're committed to using only open source software, these would be my recommendations:

For instant messaging, Ricochet.im.

For VOIP, Linphone + Ostel.

For password management, Keeppass and its variants (See below).

However, note that all of the projects above are separate projects. The user interface will vary, as will the quality of code, and you will need to spend more effort syncing and backup.