mirror of
https://github.com/Lissy93/personal-security-checklist.git
synced 2026-03-11 08:55:32 +00:00
Fix: typos and grammar
This commit is contained in:
parent
19b3348472
commit
2f0d20be42
1 changed files with 84 additions and 84 deletions
@ -4,180 +4,180 @@
|
|||
icon: password
|
||||
color: yellow
|
||||
intro: >-
|
||||
Most reported data breaches are caused by the use of weak, default or stolen passwords
|
||||
Most reported data breaches are caused by the use of weak, default, or stolen passwords
|
||||
(according to [this Verizon report](http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pdf)).
|
||||
Use long, strong and unique passwords, manage them in a secure password manager, enable
|
||||
2-factor authentication, keep on top of breaches and take care while logging into your accounts.
|
||||
Use long, strong, and unique passwords, manage them in a secure password manager, enable
|
||||
2-factor authentication, keep on top of breaches, and take care while logging into your accounts.
|
||||
checklist:
|
||||
- point: Use a Strong Password
|
||||
priority: Essential
|
||||
details: >-
|
||||
If your password is too short, or contains dictionary words, places or names- then it can be easily
|
||||
cracked through brute force, or guessed by someone. The easiest way to make a strong password, is by
|
||||
making it long (12+ characters)- consider using a 'passphrase', made up of many words. Alternatively,
|
||||
If your password is too short, or contains dictionary words, places, or names, then it can be easily
|
||||
cracked through brute force or guessed by someone. The easiest way to make a strong password is by
|
||||
making it long (12+ characters) — consider using a 'passphrase' made up of many words. Alternatively,
|
||||
use a password generator to create a long, strong random password. Have a play with
|
||||
[Security.org's How Secure Is My Password?](https://security.org/how-secure-is-my-password/), to get an idea of how quickly common
|
||||
passwords can be cracked. Read more about creating strong passwords:
|
||||
[securityinabox.org](https://securityinabox.org/en/passwords/passwords-and-2fa/)
|
||||
[securityinabox.org](https://securityinabox.org/en/passwords/passwords-and-2fa/).
|
||||
|
||||
- point: Don't reuse Passwords
|
||||
- point: Don't Reuse Passwords
|
||||
priority: Essential
|
||||
details: >-
|
||||
If someone was to reuse a password, and one site they had an account with suffered a leak, then a
|
||||
If someone were to reuse a password and one site they had an account with suffered a leak, then a
|
||||
criminal could easily gain unauthorized access to their other accounts. This is usually done through
|
||||
large-scale automated login requests, and it is called Credential Stuffing. Unfortunately this is all
|
||||
too common, but it's simple to protect against- use a different password for each of your online accounts
|
||||
large-scale automated login requests, and it is called Credential Stuffing. Unfortunately, this is all
|
||||
too common, but it's simple to protect against — use a different password for each of your online accounts.
|
||||
|
||||
- point: Use a Secure Password Manager
|
||||
priority: Essential
|
||||
details: >-
|
||||
For most people it is going to be near-impossible to remember hundreds of strong and unique passwords.
|
||||
A password manager is an application that generates, stores and auto-fills your login credentials for you.
|
||||
All your passwords will be encrypted against 1 master passwords (which you must remember, and it should be
|
||||
For most people, it is going to be near-impossible to remember hundreds of strong and unique passwords.
|
||||
A password manager is an application that generates, stores, and auto-fills your login credentials for you.
|
||||
All your passwords will be encrypted against 1 master password (which you must remember, and it should be
|
||||
very strong). Most password managers have browser extensions and mobile apps, so whatever device you are on,
|
||||
your passwords can be auto-filled. A good all-rounder is
|
||||
[Bitwarden](https://awesome-privacy.xyz/essentials/password-managers/bitwarden), or see
|
||||
[Recommended Password Managers](https://awesome-privacy.xyz/essentials/password-managers)
|
||||
[Recommended Password Managers](https://awesome-privacy.xyz/essentials/password-managers).
|
||||
|
||||
- point: Avoid sharing passwords
|
||||
- point: Avoid Sharing Passwords
|
||||
priority: Essential
|
||||
details: >-
|
||||
While there may be times that you need to share access to an account with another person, you should
|
||||
generally avoid doing this because it makes it easier for the account to become compromised. If you
|
||||
absolutely do need to share a password for example when working on a team with a shared account this
|
||||
absolutely do need to share a password — for example, when working on a team with a shared account — this
|
||||
should be done via features built into a password manager.
|
||||
|
||||
- point: Enable 2-Factor Authentication
|
||||
priority: Essential
|
||||
details: >-
|
||||
2FA is where you must provide both something you know (a password) and something you have (such as a
|
||||
code on your phone) to log in. This means that if anyone has got your password (e.g. through phishing,
|
||||
malware or a data breach), they will not be able to log into your account. It's easy to get started,
|
||||
code on your phone) to log in. This means that if anyone has your password (e.g., through phishing,
|
||||
malware, or a data breach), they will not be able to log into your account. It's easy to get started,
|
||||
download [an authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication)
|
||||
onto your phone, and then go to your account security settings and follow the steps to enable 2FA. Next
|
||||
time you log in on a new device, you will be prompted for the code that displays in the app on your phone
|
||||
(it works without internet, and the code usually changes every 30-seconds)
|
||||
time you log in on a new device, you will be prompted for the code that is displayed in the app on your phone
|
||||
(it works without internet, and the code usually changes every 30 seconds).
|
||||
|
||||
- point: Keep Backup Codes Safe
|
||||
priority: Essential
|
||||
details: >-
|
||||
When you enable multi-factor authentication, you will usually be given several codes that you can use if
|
||||
your 2FA method is lost, broken or unavailable. Keep these codes somewhere safe to prevent loss or
|
||||
unauthorized access. You should store these on paper or in a safe place on disk (e.g. in offline storage
|
||||
or in an encrypted file/drive). Don't store these in your Password Manager as 2FA sources and passwords
|
||||
and should be kept separately.
|
||||
your 2FA method is lost, broken, or unavailable. Keep these codes somewhere safe to prevent loss or
|
||||
unauthorized access. You should store these on paper or in a safe place on disk (e.g., in offline storage
|
||||
or an encrypted file/drive). Don't store these in your password manager as 2FA sources and passwords
|
||||
should be kept separately.
|
||||
|
||||
- point: Sign up for Breach Alerts
|
||||
- point: Sign Up for Breach Alerts
|
||||
priority: Optional
|
||||
details: >-
|
||||
After a website suffers a significant data breach, the leaked data often ends up on the internet. There
|
||||
are several websites that collect these leaked records, and allow you to search your email address to check
|
||||
if you are in any of their lists. [Firefox Monitor](https://monitor.firefox.com), [Have I been pwned](https://haveibeenpwned.com)
|
||||
After a website suffers a significant data breach, the leaked data often ends up on the internet. Several websites collect
|
||||
these leaked records and allow you to search your email address to check if you are in any of their lists.
|
||||
[Firefox Monitor](https://monitor.firefox.com), [Have I Been Pwned](https://haveibeenpwned.com),
|
||||
and [DeHashed](https://dehashed.com) allow you to sign up for monitoring, where they will notify you if your
|
||||
email address appears in any new data sets. It is useful to know as soon as possible when this happens, so
|
||||
email address appears in any new data sets. It is useful to know as soon as possible when this happens so
|
||||
that you can change your passwords for the affected accounts. [Have i been pwned](https://awesome-privacy.xyz/security-tools/online-tools/have-i-been-pwned) also has domain-wide
|
||||
notification, where you can receive alerts if any email addresses under your entire domain appear (useful if
|
||||
you use aliases for [anonymous forwarding](https://github.com/Lissy93/awesome-privacy#anonymous-mail-forwarding))
|
||||
you use aliases for [anonymous forwarding](https://github.com/Lissy93/awesome-privacy#anonymous-mail-forwarding)).
|
||||
|
||||
- point: Shield your Password/ PIN
|
||||
- point: Shield your Password/PIN
|
||||
priority: Optional
|
||||
details: >-
|
||||
When typing your password in public places, ensure you are not in direct line of site of a CCTV camera and
|
||||
that no one is able to see over your shoulder. Cover your password or pin code while you type, and do not
|
||||
reveal any plain text passwords on screen
|
||||
When typing your password in public places, ensure you are not in direct line of sight of a CCTV camera and
|
||||
that no one can see over your shoulder. Cover your password or pin code while you type, and do not
|
||||
reveal any plain text passwords on your screen.
|
||||
|
||||
- point: Update Critical Passwords Periodically
|
||||
priority: Optional
|
||||
details: >-
|
||||
Database leaks and breaches are common, and it is likely that several of your passwords are already somewhere
|
||||
Database leaks and breaches are common, and, likely, several of your passwords are already somewhere
|
||||
online. Occasionally updating passwords of security-critical accounts can help mitigate this. But providing
|
||||
that all your passwords are long, strong and unique, there is no need to do this too often- annually should be
|
||||
that all your passwords are long, strong, and unique, there is no need to do this too often — annually should be
|
||||
sufficient. Enforcing mandatory password changes within organisations is [no longer recommended](https://duo.com/decipher/microsoft-will-no-longer-recommend-forcing-periodic-password-changes),
|
||||
as it encourages colleagues to select weaker passwords
|
||||
as it encourages colleagues to select weaker passwords.
|
||||
|
||||
- point: Don’t save your password in browsers
|
||||
- point: Don’t Save your Password in Browsers
|
||||
priority: Optional
|
||||
details: >-
|
||||
Most modern browsers offer to save your credentials when you log into a site. Don’t allow this, as they are
|
||||
not always encrypted, hence could allow someone to gain access into your accounts. Instead use a dedicated
|
||||
password manager to store (and auto-fill) your passwords
|
||||
not always encrypted and could allow someone to gain access to your accounts. Instead, use a dedicated
|
||||
password manager to store (and auto-fill) your passwords.
|
||||
|
||||
- point: Avoid logging in on someone else’s device
|
||||
- point: Avoid Logging In on Someone Else’s Device
|
||||
priority: Optional
|
||||
details: >-
|
||||
Avoid logging on other people's computer, since you can't be sure their system is clean. Be especially cautious
|
||||
of public machines, as malware and tracking is more common here. Using someone else's device is especially
|
||||
Avoid logging in on other people's computers since you can't be sure their system is clean. Be especially cautious
|
||||
of public machines, as malware and tracking arr more common here. Using someone else's device is especially
|
||||
dangerous with critical accounts like online banking. When using someone else's machine, ensure that you're in a
|
||||
private/ incognito session (Use Ctrl+Shift+N/ Cmd+Shift+N). This will request browser to not save your credentials,
|
||||
cookies and browsing history.
|
||||
private/incognito session (Use Ctrl+Shift+N/ Cmd+Shift+N). This will request the browser to not save your credentials,
|
||||
cookies, and browsing history.
|
||||
|
||||
- point: Avoid password hints
|
||||
- point: Avoid Password Hints
|
||||
priority: Optional
|
||||
details: >-
|
||||
Some sites allow you to set password hints. Often it is very easy to guess answers. In cases where password hints
|
||||
are mandatory use random answers and record them in password manager (`Name of the first school: 6D-02-8B-!a-E8-8F-81`)
|
||||
Some sites allow you to set password hints. Often, it is very easy to guess answers. In cases where password hints
|
||||
are mandatory, use random answers and record them in your password manager (`Name of the first school: 6D-02-8B-!a-E8-8F-81`).
|
||||
|
||||
- point: Never answer online security questions truthfully
|
||||
- point: Never Answer Online Security Questions Truthfully
|
||||
priority: Optional
|
||||
details: >-
|
||||
If a site asks security questions (such as place of birth, mother's maiden name or first car etc), don't provide
|
||||
If a site asks security questions (such as place of birth, mother's maiden name, or first car, etc.), don't provide
|
||||
real answers. It is a trivial task for hackers to find out this information online or through social engineering.
|
||||
Instead, create a fictitious answer, and store it inside your password manager. Using real-words is better than
|
||||
random characters, [explained here](https://news.ycombinator.com/item?id=29244870)
|
||||
Instead, create a fictitious answer, and store it inside your password manager. Using real words is better than
|
||||
random characters, as [explained here](https://news.ycombinator.com/item?id=29244870).
|
||||
|
||||
- point: Don’t use a 4-digit PIN
|
||||
- point: Don’t Use a 4-digit PIN
|
||||
priority: Optional
|
||||
details: >-
|
||||
Don’t use a short PIN to access your smartphone or computer. Instead, use a text password or much longer pin.
|
||||
Numeric passphrases are easy crack, (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a
|
||||
4-character alpha-numeric code)
|
||||
Don’t use a short PIN to access your smartphone or computer. Instead, use a text password or a much longer PIN.
|
||||
Numeric passphrases are easy to crack (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a
|
||||
4-character alpha-numeric code).
|
||||
|
||||
- point: Avoid using SMS for 2FA
|
||||
- point: Avoid Using SMS for 2FA
|
||||
priority: Optional
|
||||
details: >-
|
||||
When enabling multi-factor authentication, opt for app-based codes or a hardware token, if supported. SMS is
|
||||
susceptible to a number of common threats, such as [SIM-swapping](https://www.maketecheasier.com/sim-card-hijacking)
|
||||
When enabling multi-factor authentication, opt for app-based codes or a hardware token if supported. SMS is
|
||||
susceptible to several common threats, such as [SIM-swapping](https://www.maketecheasier.com/sim-card-hijacking)
|
||||
and [interception](https://secure-voice.com/ss7_attacks). There's also no guarantee of how securely your phone
|
||||
number will be stored, or what else it will be used for. From a practical point of view, SMS will only work when
|
||||
you have signal, and can be slow. If a website or service requires the usage of a SMS number for recovery consider
|
||||
number will be stored or what else it will be used for. From a practical point of view, SMS will only work when
|
||||
you have a signal and can be slow. If a website or service requires the usage of an SMS number for recovery, consider
|
||||
purchasing a second pre-paid phone number only used for account recovery for these instances.
|
||||
|
||||
- point: Avoid using your PM to Generate OTPs
|
||||
- point: Avoid Using your PM to Generate OTPs
|
||||
priority: Advanced
|
||||
details: >-
|
||||
Many password managers are also able to generate 2FA codes. It is best not to use your primary password manager
|
||||
as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead use a
|
||||
dedicated [authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication) on your phone or laptop
|
||||
as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead, use a
|
||||
dedicated [authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication) on your phone or laptop.
|
||||
|
||||
- point: Avoid Face Unlock
|
||||
priority: Advanced
|
||||
details: >-
|
||||
Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot
|
||||
of your face with a stored hash. It may be very convenient, but there are numerous ways to [fool it](https://www.forbes.com/sites/jvchamary/2017/09/18/security-apple-face-id-iphone-x/)
|
||||
and gain access to the device, through digital photos and reconstructions from CCTV footage. Unlike your password-
|
||||
there are likely photos of your face on the internet, and videos recorded by surveillance cameras
|
||||
and gain access to the device through digital photos and reconstructions from CCTV footage. Unlike your password,
|
||||
there are likely photos of your face on the internet and videos recorded by surveillance cameras.
|
||||
|
||||
- point: Watch out for Keyloggers
|
||||
- point: Watch Out for Keyloggers
|
||||
priority: Advanced
|
||||
details: >-
|
||||
A hardware [keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) is a physical device planted between
|
||||
your keyboard and the USB port, which intercepts all key strokes, and sometimes relays data to a remote server.
|
||||
It gives a hacker access to everything typed, including passwords. The best way to stay protected, is just by
|
||||
your keyboard and the USB port, which intercepts all keystrokes and sometimes relays data to a remote server.
|
||||
It gives a hacker access to everything typed, including passwords. The best way to stay protected is just by
|
||||
checking your USB connection after your PC has been unattended. It is also possible for keyloggers to be planted
|
||||
inside the keyboard housing, so look for any signs that the case has been tampered with, and consider bringing your
|
||||
own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard or auto-filled by a password
|
||||
own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard, or auto-filled by a password
|
||||
manager can not be intercepted by a hardware keylogger.
|
||||
|
||||
- point: Consider a Hardware Token
|
||||
priority: Advanced
|
||||
details: >-
|
||||
A U2F/ FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service, in to
|
||||
verify your identity, instead of entering a OTP from your authenticator. [SoloKey](https://solokeys.com) and
|
||||
[NitroKey](https://www.nitrokey.com) are examples of such keys. They bring with them several security benefits,
|
||||
since the browser communicates directly with the device and cannot be fooled as to which host is requesting
|
||||
authentication, because the TLS certificate is checked. [This post](https://security.stackexchange.com/a/71704) is
|
||||
a good explanation of the security of using FIDO U2F tokens. Of course it is important to store the physical key
|
||||
somewhere safe, or keep it on your person. Some online accounts allow for several methods of 2FA to be enabled
|
||||
A U2F/FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service to
|
||||
verify your identity instead of entering a OTP from your authenticator. [SoloKey](https://solokeys.com) and
|
||||
[NitroKey](https://www.nitrokey.com) are examples of such keys. They bring with them several security benefits.
|
||||
Since the browser communicates directly with the device, it cannot be fooled as to which host is requesting
|
||||
authentication because the TLS certificate is checked. [This post](https://security.stackexchange.com/a/71704) is
|
||||
a good explanation of the security of using FIDO U2F tokens. Of course, it is important to store the physical key
|
||||
somewhere safe or keep it on your person. Some online accounts allow for several methods of 2FA to be enabled.
|
||||
|
||||
- point: Consider Offline Password Manager
|
||||
priority: Advanced
|
||||
|
|
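Review bot: the rewritten "Avoid Logging In on Someone Else's Device" entry introduces a new typo that the commit title promises to remove: "malware and tracking arr more common here" should read "malware and tracking are more common here". A few other spots in this hunk keep or add problems worth a follow-up: "instead of entering a OTP from your authenticator" (Consider a Hardware Token) should be "an OTP"; "(Use Ctrl+Shift+N/ Cmd+Shift+N)" still has the stray space after the slash that the title line "Shield your Password/PIN" removed; "Database leaks and breaches are common, and, likely, several of your passwords are already somewhere online" reads worse than the original "and it is likely that several of your passwords are already somewhere online"; "Numeric passphrases are easy to crack (A 4-digit pin has" capitalises inside the parenthesis, and "pin" is still lowercase while the title now says "PIN". The unchanged context line "[Have i been pwned](https://awesome-privacy.xyz/...)" is now inconsistent with the newly capitalised "[Have I Been Pwned]" a few lines above it.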
@ -186,19 +186,19 @@
|
|||
[KeePass](https://awesome-privacy.xyz/essentials/password-managers/keepass) is a popular choice, with lots of [plugins](https://[KeePass](https://awesome-privacy.xyz/essentials/password-managers/keepass).info/plugins.html) and
|
||||
community forks with additional compatibility and functionality. Popular clients include: [KeePassXC](https://keepassxc.org)
|
||||
(desktop), [KeePassDX](https://www.keepassdx.com) (Android) and [StrongBox](https://apps.apple.com/us/app/strongbox-password-safe/id897283731)
|
||||
(iOS). The drawback being that it may be slightly less convenient for some, and it will be up to you to back it up,
|
||||
and store it securely
|
||||
(iOS). The drawback being that it may be slightly less convenient for some, and it will be up to you to back it up
|
||||
and store it securely.
|
||||
|
||||
- point: Consider Unique Usernames
|
||||
priority: Advanced
|
||||
details: >-
|
||||
Having different passwords for each account is a good first step, but if you also use a unique username, email or
|
||||
Having different passwords for each account is a good first step, but if you also use a unique username, email, or
|
||||
phone number to log in, then it will be significantly harder for anyone trying to gain unauthorised access. The easiest
|
||||
method for multiple emails, is using auto-generated aliases for anonymous mail forwarding. This is where
|
||||
[anything]@yourdomain.com will arrive in your inbox, allowing you to use a different email for each account (see
|
||||
[Mail Alias Providers](https://github.com/Lissy93/awesome-privacy#mail-forwarding)). Usernames are easier,
|
||||
since you can use your password manager to generate, store and auto-fill these. Virtual phone numbers can be generated
|
||||
through your VOIP provider
|
||||
[Mail Alias Providers](https://github.com/Lissy93/awesome-privacy#mail-forwarding)). Usernames are easier
|
||||
since you can use your password manager to generate, store, and auto-fill these. Virtual phone numbers can be generated
|
||||
through your VOIP provider.
|
||||
softwareLinks:
|
||||
- title: Password Managers
|
||||
url: https://github.com/Lissy93/awesome-privacy#password-managers
|
||||
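Review bot: the unchanged context line at the top of this hunk carries a broken link that a typo-fix commit is the natural place to repair: `[plugins](https://[KeePass](https://awesome-privacy.xyz/essentials/password-managers/keepass).info/plugins.html)` has a markdown link pasted into the middle of a URL, leaving the surrounding fragments `https://` and `.info/plugins.html`; the target was evidently the KeePass plugins page, so the inner link should be dropped and the hostname restored. The retained sentence "The drawback being that it may be slightly less convenient for some, and it will be up to you to back it up and store it securely." is still a fragment; "The drawback is that ..." would make it a sentence.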