Merge pull request #280 from raycadle/master

Fix typos and grammar; update software links
Alicia Sykes 2025-06-28 22:55:41 +01:00 committed by GitHub
commit cddd4046cf
GPG key ID: B5690EEEBB952194


@ -4,180 +4,180 @@
icon: password
color: yellow
intro: >-
Most reported data breaches are caused by the use of weak, default or stolen passwords
Most reported data breaches are caused by the use of weak, default, or stolen passwords
(according to [this Verizon report](http://www.verizonenterprise.com/resources/reports/rp_dbir-2016-executive-summary_xg_en.pdf)).
Use long, strong and unique passwords, manage them in a secure password manager, enable
2-factor authentication, keep on top of breaches and take care while logging into your accounts.
Use long, strong, and unique passwords, manage them in a secure password manager, enable
2-factor authentication, keep on top of breaches, and take care while logging into your accounts.
checklist:
- point: Use a Strong Password
priority: Essential
details: >-
If your password is too short, or contains dictionary words, places or names- then it can be easily
cracked through brute force, or guessed by someone. The easiest way to make a strong password, is by
making it long (12+ characters)- consider using a 'passphrase', made up of many words. Alternatively,
If your password is too short, or contains dictionary words, places, or names, then it can be easily
cracked through brute force or guessed by someone. The easiest way to make a strong password is by
making it long (12+ characters) — consider using a 'passphrase' made up of many words. Alternatively,
use a password generator to create a long, strong random password. Have a play with
[Security.org's How Secure Is My Password?](https://security.org/how-secure-is-my-password/), to get an idea of how quickly common
passwords can be cracked. Read more about creating strong passwords:
[securityinabox.org](https://securityinabox.org/en/passwords/passwords-and-2fa/)
[securityinabox.org](https://securityinabox.org/en/passwords/passwords-and-2fa/).
- point: Don't reuse Passwords
- point: Don't Reuse Passwords
priority: Essential
details: >-
If someone was to reuse a password, and one site they had an account with suffered a leak, then a
If someone were to reuse a password and one site they had an account with suffered a leak, then a
criminal could easily gain unauthorized access to their other accounts. This is usually done through
large-scale automated login requests, and it is called Credential Stuffing. Unfortunately this is all
too common, but it's simple to protect against- use a different password for each of your online accounts
large-scale automated login requests, and it is called Credential Stuffing. Unfortunately, this is all
too common, but it's simple to protect against use a different password for each of your online accounts.
- point: Use a Secure Password Manager
priority: Essential
details: >-
For most people it is going to be near-impossible to remember hundreds of strong and unique passwords.
A password manager is an application that generates, stores and auto-fills your login credentials for you.
All your passwords will be encrypted against 1 master passwords (which you must remember, and it should be
For most people, it is going to be near-impossible to remember hundreds of strong and unique passwords.
A password manager is an application that generates, stores, and auto-fills your login credentials for you.
All your passwords will be encrypted against 1 master password (which you must remember, and it should be
very strong). Most password managers have browser extensions and mobile apps, so whatever device you are on,
your passwords can be auto-filled. A good all-rounder is
[Bitwarden](https://awesome-privacy.xyz/essentials/password-managers/bitwarden), or see
[Recommended Password Managers](https://awesome-privacy.xyz/essentials/password-managers)
[Recommended Password Managers](https://awesome-privacy.xyz/essentials/password-managers).
- point: Avoid sharing passwords
- point: Avoid Sharing Passwords
priority: Essential
details: >-
While there may be times that you need to share access to an account with another person, you should
generally avoid doing this because it makes it easier for the account to become compromised. If you
absolutely do need to share a password for example when working on a team with a shared account this
absolutely do need to share a password for example, when working on a team with a shared account this
should be done via features built into a password manager.
- point: Enable 2-Factor Authentication
priority: Essential
details: >-
2FA is where you must provide both something you know (a password) and something you have (such as a
code on your phone) to log in. This means that if anyone has got your password (e.g. through phishing,
malware or a data breach), they will not be able to log into your account. It's easy to get started,
code on your phone) to log in. This means that if anyone has your password (e.g., through phishing,
malware, or a data breach), they will not be able to log into your account. It's easy to get started,
download [an authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication)
onto your phone, and then go to your account security settings and follow the steps to enable 2FA. Next
time you log in on a new device, you will be prompted for the code that displays in the app on your phone
(it works without internet, and the code usually changes every 30-seconds)
time you log in on a new device, you will be prompted for the code that is displayed in the app on your phone
(it works without internet, and the code usually changes every 30 seconds).
- point: Keep Backup Codes Safe
priority: Essential
details: >-
When you enable multi-factor authentication, you will usually be given several codes that you can use if
your 2FA method is lost, broken or unavailable. Keep these codes somewhere safe to prevent loss or
unauthorized access. You should store these on paper or in a safe place on disk (e.g. in offline storage
or in an encrypted file/drive). Don't store these in your Password Manager as 2FA sources and passwords
and should be kept separately.
your 2FA method is lost, broken, or unavailable. Keep these codes somewhere safe to prevent loss or
unauthorized access. You should store these on paper or in a safe place on disk (e.g., in offline storage
or an encrypted file/drive). Don't store these in your password manager as 2FA sources and passwords
should be kept separately.
- point: Sign up for Breach Alerts
- point: Sign Up for Breach Alerts
priority: Optional
details: >-
After a website suffers a significant data breach, the leaked data often ends up on the internet. There
are several websites that collect these leaked records, and allow you to search your email address to check
if you are in any of their lists. [Firefox Monitor](https://monitor.firefox.com), [Have I been pwned](https://haveibeenpwned.com)
After a website suffers a significant data breach, the leaked data often ends up on the internet. Several websites collect
these leaked records and allow you to search your email address to check if you are in any of their lists.
[Firefox Monitor](https://monitor.firefox.com), [Have I Been Pwned](https://haveibeenpwned.com),
and [DeHashed](https://dehashed.com) allow you to sign up for monitoring, where they will notify you if your
email address appears in any new data sets. It is useful to know as soon as possible when this happens, so
email address appears in any new data sets. It is useful to know as soon as possible when this happens so
that you can change your passwords for the affected accounts. [Have i been pwned](https://awesome-privacy.xyz/security-tools/online-tools/have-i-been-pwned) also has domain-wide
notification, where you can receive alerts if any email addresses under your entire domain appear (useful if
you use aliases for [anonymous forwarding](https://github.com/Lissy93/awesome-privacy#anonymous-mail-forwarding))
you use aliases for [anonymous forwarding](https://github.com/Lissy93/awesome-privacy#anonymous-mail-forwarding)).
- point: Shield your Password/ PIN
- point: Shield your Password/PIN
priority: Optional
details: >-
When typing your password in public places, ensure you are not in direct line of site of a CCTV camera and
that no one is able to see over your shoulder. Cover your password or pin code while you type, and do not
reveal any plain text passwords on screen
When typing your password in public places, ensure you are not in direct line of sight of a CCTV camera and
that no one can see over your shoulder. Cover your password or pin code while you type, and do not
reveal any plain text passwords on your screen.
- point: Update Critical Passwords Periodically
priority: Optional
details: >-
Database leaks and breaches are common, and it is likely that several of your passwords are already somewhere
Database leaks and breaches are common, and, likely, several of your passwords are already somewhere
online. Occasionally updating passwords of security-critical accounts can help mitigate this. But providing
that all your passwords are long, strong and unique, there is no need to do this too often- annually should be
that all your passwords are long, strong, and unique, there is no need to do this too often annually should be
sufficient. Enforcing mandatory password changes within organisations is [no longer recommended](https://duo.com/decipher/microsoft-will-no-longer-recommend-forcing-periodic-password-changes),
as it encourages colleagues to select weaker passwords
as it encourages colleagues to select weaker passwords.
- point: Dont save your password in browsers
- point: Dont Save your Password in Browsers
priority: Optional
details: >-
Most modern browsers offer to save your credentials when you log into a site. Dont allow this, as they are
not always encrypted, hence could allow someone to gain access into your accounts. Instead use a dedicated
password manager to store (and auto-fill) your passwords
not always encrypted and could allow someone to gain access to your accounts. Instead, use a dedicated
password manager to store (and auto-fill) your passwords.
- point: Avoid logging in on someone elses device
- point: Avoid Logging In on Someone Elses Device
priority: Optional
details: >-
Avoid logging on other people's computer, since you can't be sure their system is clean. Be especially cautious
of public machines, as malware and tracking is more common here. Using someone else's device is especially
Avoid logging in on other people's computers since you can't be sure their system is clean. Be especially cautious
of public machines, as malware and tracking arr more common here. Using someone else's device is especially
dangerous with critical accounts like online banking. When using someone else's machine, ensure that you're in a
private/ incognito session (Use Ctrl+Shift+N/ Cmd+Shift+N). This will request browser to not save your credentials,
cookies and browsing history.
private/incognito session (Use Ctrl+Shift+N/ Cmd+Shift+N). This will request the browser to not save your credentials,
cookies, and browsing history.
- point: Avoid password hints
- point: Avoid Password Hints
priority: Optional
details: >-
Some sites allow you to set password hints. Often it is very easy to guess answers. In cases where password hints
are mandatory use random answers and record them in password manager (`Name of the first school: 6D-02-8B-!a-E8-8F-81`)
Some sites allow you to set password hints. Often, it is very easy to guess answers. In cases where password hints
are mandatory, use random answers and record them in your password manager (`Name of the first school: 6D-02-8B-!a-E8-8F-81`).
- point: Never answer online security questions truthfully
- point: Never Answer Online Security Questions Truthfully
priority: Optional
details: >-
If a site asks security questions (such as place of birth, mother's maiden name or first car etc), don't provide
If a site asks security questions (such as place of birth, mother's maiden name, or first car, etc.), don't provide
real answers. It is a trivial task for hackers to find out this information online or through social engineering.
Instead, create a fictitious answer, and store it inside your password manager. Using real-words is better than
random characters, [explained here](https://news.ycombinator.com/item?id=29244870)
Instead, create a fictitious answer, and store it inside your password manager. Using real words is better than
random characters, as [explained here](https://news.ycombinator.com/item?id=29244870).
- point: Dont use a 4-digit PIN
- point: Dont Use a 4-digit PIN
priority: Optional
details: >-
Dont use a short PIN to access your smartphone or computer. Instead, use a text password or much longer pin.
Numeric passphrases are easy crack, (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a
4-character alpha-numeric code)
Dont use a short PIN to access your smartphone or computer. Instead, use a text password or a much longer PIN.
Numeric passphrases are easy to crack (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a
4-character alpha-numeric code).
- point: Avoid using SMS for 2FA
- point: Avoid Using SMS for 2FA
priority: Optional
details: >-
When enabling multi-factor authentication, opt for app-based codes or a hardware token, if supported. SMS is
susceptible to a number of common threats, such as [SIM-swapping](https://www.maketecheasier.com/sim-card-hijacking)
When enabling multi-factor authentication, opt for app-based codes or a hardware token if supported. SMS is
susceptible to several common threats, such as [SIM-swapping](https://www.maketecheasier.com/sim-card-hijacking)
and [interception](https://secure-voice.com/ss7_attacks). There's also no guarantee of how securely your phone
number will be stored, or what else it will be used for. From a practical point of view, SMS will only work when
you have signal, and can be slow. If a website or service requires the usage of a SMS number for recovery consider
number will be stored or what else it will be used for. From a practical point of view, SMS will only work when
you have a signal and can be slow. If a website or service requires the usage of an SMS number for recovery, consider
purchasing a second pre-paid phone number only used for account recovery for these instances.
- point: Avoid using your PM to Generate OTPs
- point: Avoid Using your PM to Generate OTPs
priority: Advanced
details: >-
Many password managers are also able to generate 2FA codes. It is best not to use your primary password manager
as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead use a
dedicated [authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication) on your phone or laptop
as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead, use a
dedicated [authenticator app](https://github.com/Lissy93/awesome-privacy#2-factor-authentication) on your phone or laptop.
- point: Avoid Face Unlock
priority: Advanced
details: >-
Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot
of your face with a stored hash. It may be very convenient, but there are numerous ways to [fool it](https://www.forbes.com/sites/jvchamary/2017/09/18/security-apple-face-id-iphone-x/)
and gain access to the device, through digital photos and reconstructions from CCTV footage. Unlike your password-
there are likely photos of your face on the internet, and videos recorded by surveillance cameras
and gain access to the device through digital photos and reconstructions from CCTV footage. Unlike your password,
there are likely photos of your face on the internet and videos recorded by surveillance cameras.
- point: Watch out for Keyloggers
- point: Watch Out for Keyloggers
priority: Advanced
details: >-
A hardware [keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) is a physical device planted between
your keyboard and the USB port, which intercepts all key strokes, and sometimes relays data to a remote server.
It gives a hacker access to everything typed, including passwords. The best way to stay protected, is just by
your keyboard and the USB port, which intercepts all keystrokes and sometimes relays data to a remote server.
It gives a hacker access to everything typed, including passwords. The best way to stay protected is just by
checking your USB connection after your PC has been unattended. It is also possible for keyloggers to be planted
inside the keyboard housing, so look for any signs that the case has been tampered with, and consider bringing your
own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard or auto-filled by a password
own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard, or auto-filled by a password
manager can not be intercepted by a hardware keylogger.
- point: Consider a Hardware Token
priority: Advanced
details: >-
A U2F/ FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service, in to
verify your identity, instead of entering a OTP from your authenticator. [SoloKey](https://solokeys.com) and
[NitroKey](https://www.nitrokey.com) are examples of such keys. They bring with them several security benefits,
since the browser communicates directly with the device and cannot be fooled as to which host is requesting
authentication, because the TLS certificate is checked. [This post](https://security.stackexchange.com/a/71704) is
a good explanation of the security of using FIDO U2F tokens. Of course it is important to store the physical key
somewhere safe, or keep it on your person. Some online accounts allow for several methods of 2FA to be enabled
A U2F/FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service to
verify your identity instead of entering a OTP from your authenticator. [SoloKey](https://solokeys.com) and
[NitroKey](https://www.nitrokey.com) are examples of such keys. They bring with them several security benefits.
Since the browser communicates directly with the device, it cannot be fooled as to which host is requesting
authentication because the TLS certificate is checked. [This post](https://security.stackexchange.com/a/71704) is
a good explanation of the security of using FIDO U2F tokens. Of course, it is important to store the physical key
somewhere safe or keep it on your person. Some online accounts allow for several methods of 2FA to be enabled.
- point: Consider Offline Password Manager
priority: Advanced
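Review bot: three of the rewritten sentences in this hunk now run two clauses together with no punctuation between them and read as run-ons: "it's simple to protect against use a different password for each of your online accounts" (Don't Reuse Passwords), "for example, when working on a team with a shared account this should be done via features built into a password manager" (Avoid Sharing Passwords), and "there is no need to do this too often annually should be sufficient" (Update Critical Passwords Periodically). A colon or semicolon restores each, e.g. "protect against: use a different password for each of your online accounts" and "too often; annually should be sufficient". Two further regressions: "malware and tracking arr more common here" under Avoid Logging In on Someone Else's Device introduces a typo ("are"), and the Update Critical Passwords rewrite "and, likely, several of your passwords are already somewhere online" reads worse than the line it replaces ("it is likely that several of your passwords are already somewhere online"). Smaller points: "a OTP" under Consider a Hardware Token should be "an OTP" in both the old and new lines, and splitting "since the browser communicates directly with the device and cannot be fooled" into "Since the browser communicates directly with the device, it cannot be fooled" leaves "it" reading as the device rather than the browser; keep the browser as the explicit subject of "cannot be fooled".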
@ -186,24 +186,24 @@
[KeePass](https://awesome-privacy.xyz/essentials/password-managers/keepass) is a popular choice, with lots of [plugins](https://[KeePass](https://awesome-privacy.xyz/essentials/password-managers/keepass).info/plugins.html) and
community forks with additional compatibility and functionality. Popular clients include: [KeePassXC](https://keepassxc.org)
(desktop), [KeePassDX](https://www.keepassdx.com) (Android) and [StrongBox](https://apps.apple.com/us/app/strongbox-password-safe/id897283731)
(iOS). The drawback being that it may be slightly less convenient for some, and it will be up to you to back it up,
and store it securely
(iOS). The drawback being that it may be slightly less convenient for some, and it will be up to you to back it up
and store it securely.
- point: Consider Unique Usernames
priority: Advanced
details: >-
Having different passwords for each account is a good first step, but if you also use a unique username, email or
Having different passwords for each account is a good first step, but if you also use a unique username, email, or
phone number to log in, then it will be significantly harder for anyone trying to gain unauthorised access. The easiest
method for multiple emails, is using auto-generated aliases for anonymous mail forwarding. This is where
[anything]@yourdomain.com will arrive in your inbox, allowing you to use a different email for each account (see
[Mail Alias Providers](https://github.com/Lissy93/awesome-privacy#mail-forwarding)). Usernames are easier,
since you can use your password manager to generate, store and auto-fill these. Virtual phone numbers can be generated
through your VOIP provider
[Mail Alias Providers](https://github.com/Lissy93/awesome-privacy#mail-forwarding)). Usernames are easier
since you can use your password manager to generate, store, and auto-fill these. Virtual phone numbers can be generated
through your VOIP provider.
softwareLinks:
- title: Password Managers
url: https://github.com/Lissy93/awesome-privacy#password-managers
url: https://awesome-privacy.xyz/essentials/password-managers
- title: 2-Factor Authentication
url: https://github.com/Lissy93/awesome-privacy#2-factor-authentication
url: https://awesome-privacy.xyz/essentials/2-factor-authentication
- title: Web Browsing
slug: web-browsing
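Review bot: the plugins link on the KeePass line is broken: `[plugins](https://[KeePass](https://awesome-privacy.xyz/essentials/password-managers/keepass).info/plugins.html)` has a markdown link nested inside the URL, which looks like a search-and-replace of "KeePass" that also hit the host name in `https://keepass.info/plugins.html`. That line appears here as unchanged context, but since this commit is updating software links it is the right place to repair it: the link target should be the plain `https://keepass.info/plugins.html`. Separately, the two softwareLinks entries are moved from the `github.com/Lissy93/awesome-privacy#...` anchors to `awesome-privacy.xyz`, while the body text earlier in the diff still points at the same resources via the GitHub anchors (the authenticator-app links under Enable 2-Factor Authentication and Avoid Using your PM to Generate OTPs, and the mail-forwarding links under Sign Up for Breach Alerts and Consider Unique Usernames); either update those in the same change or state in the commit message that only the softwareLinks block was migrated.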