I’ve been putting off writing this guide for a while (you can find the Italian version right here)… the objective is to give some basic instructions about things you can do to improve your security online and avoid getting your data stolen, or your password lost. And all for free (as much as possible)!
I won’t suggest you remove Windows from your computer entirely (though it would be a neat idea), but only easy stuff that can save your life.
This is the “State of the art” as of the end of 2023, but the future will bring new stuff, for sure.
But I don’t need it!
There’s unfortunately very little perception of how important it is to protect oneself online, and let’s just say that many websites go to a lot of effort to teach you that your passwords are worthless.
Nobody cares about your email? True, probably. But whoever has control of your email account can then easily change your passwords on institutions’ websites, subscribe to stuff you’ll then have to pay for (sometimes even canceling a subscription isn’t easy, or free) or even just DELETE everything, just for fun.
And believe me, it does happen. Because the online “ne’er-do-wells” often do it using automated programs that break stuff “at scale”: they are not necessarily targeting YOUR password… but maybe they stole the passwords of 10 thousand users at the same time, and barely noticed.
Are you really ready to lose your children’s/nephews’ photos forever?
The Basics: the Web Browser
The web browser is the main instrument you use to go online, so it makes sense to take some basic precautions.
At the moment, in 2023, Firefox. There are other options, yes, but they are either for specialists, or they’re ugly and broken (Internet Explorer, EDGE), or… it’s Chrome (and bear in mind, Brave, Vivaldi, and many others… are just Chrome in a trenchcoat with a fake nose. They MIGHT still support adBlockers, but… we’ll see). And well, Google’s browser in recent years has become very heavy… and very nosy.
This guide used to consider Chrome “a good second choice”, but Google is planning to completely break adBlockers starting June 2024 and… going online without an adBlocker is basically like unprotected sex. Big no-no.
And for the smartphone? Same, Firefox. On Android, Firefox even supports some extensions now, including uBlock Origin and Privacy Badger.
Basic browser settings
After installing the browser, create a Firefox account as it suggests, for a number of good reasons: your data will be encrypted at the source (locally) with your password, and kept safe remotely. Bookmarks, saved passwords (we’ll get back to this), extensions, even the list of open tabs (if you use more than one computer/cellphone it can be very handy). Not only that, but Firefox and the Mozilla Foundation recently seem to have upped their privacy and personal user security initiatives, including working to block the most invasive tracking cookies (for example, in Firefox each website has its own “cookie jar”, and they can’t go snooping around).
But, for now, some basic configuration (don’t worry, if you created your account as suggested above, you’ll need to do this only once).
Inside the browser, install (clicking the links below, or searching them in the dedicated settings page) the following extensions:
- uBlock Origin: it blocks annoying ads, speeds up navigation (sometimes a lot), makes many news sites actually readable. If you have never used an AdBlocker before, you’ll soon wonder how you could do without it. Not just that: in recent years, malicious ads have been the main way the worst malware (viruses, and other nasty stuff) reaches you, the user. Plus, the space wasted by the removed ads is often collapsed, making the actual site content easier to read.
- Privacy Badger: some of the tricks employed by Facebook, Amazon and other, even less savory types to keep track of your habits can escape uBlock… and be caught by Privacy Badger. Can’t hurt (you aren’t getting paid enough for the data they steal about you. Trust me).
- Facebook Container and Google Container: I won’t tell you “don’t use Facebook”, but at least you can force it to stay within its bounds (similar reasoning with Google). These (very unobtrusive) plugins enable you to only be logged in to Facebook in the actual Facebook tabs, and not everywhere else. Yep, maybe you didn’t know, but if you are logged into fb in one tab, they are able to track you on many, many other sites and know what you look at… again, Zuck isn’t paying you enough for this, by far. And not only that, but in OTHER tabs you get a tiny purple “fence” icon when part of a page (for example, an innocent looking button) is actually a Facebook tracker: it happens a lot.
- For the enterprising ones, there’s the Firefox Multi-Account Containers extension, which is basically the “generalized” version of these two plugins, allowing you to keep any site you prefer in its own “box” (like, for example, Twitter, or WhatsApp Web, or AliExpress).
Keep your files safe
We’ll get to passwords soon, don’t worry, but first let’s keep your most important files safe (and while we’re at it, we can simplify your life… a lot). You can use one of these services (or similar ones… but these ones I know):
- Dropbox. You probably already know it, it’s the oldest file cloud/sync service and works well. The free account has many limitations, and lately it has become pretty annoying, but it’s still a good option in terms of third-party support (they don’t have the best reputation regarding actually keeping your files private, though).
- pCloud. Very similar to Dropbox, with maybe fewer bells and whistles, but a lot more free space in the base account (10 Gigabytes are a lot, if you only keep documents, bills and such there), and the paid subscriptions are very reasonable (they even have “lifetime” options, if the idea of a monthly subscription irks you like it does me). Bonus: the company is Swiss based (its legal base is in the Zug canton) and so follows privacy laws that are markedly better than the US ones. And at account creation you can choose whether or not your files actually reside on US servers.
Now that you have a system that saves your files in the Cloud… remember to use it! In pCloud’s case, I suggest you create a “synced folder” so that the files remain available even if your network fails (like Dropbox does). Remember, this is NOT a backup (backups need to be made on different devices, and stay offline), but it’s better than nothing. And you can access those same files on your cellphone, or another computer.
Oh, sidenote: enable the backup of cell photos (on Dropbox, pCloud and/or Google Photos). Seriously. I lost track of how many times I’ve heard “eh, I had some nice photos but I switched phone/it broke down/it was stolen and now they’re lost forever”.
Same for phone/email Contacts: there is absolutely no reason in 2023 (or 2010, for that matter) for your contacts not to be synced! If we’re talking Android, on your PC go to Google Contacts and check that you can see them. If the answer is “no”, historically the culprit is Samsung (or whoever makes your cellphone) setting things wrong by default. Check how to enable sync, and check again. Another thing you’ll never have to worry about again.
Ok, here’s the juicy part. You know that reusing the same password, maybe even a simple one, on more than one website is a terrible idea, right? I know you do that. Oh, yes you do, don’t lie!
How to solve this? With a bit of initial work (I know, it’s a recurring theme) and a bit of self-discipline afterwards. First things first: do you save your passwords in Firefox, when it asks? Eh, not the best option, but you can do it, especially for less critical websites (and only if your PC and phone actually have a lock screen and a decent password, otherwise if one gets stolen or you lose it, some lucky guy is now logged into a lot of your personal accounts). But, if you enabled the sync in Firefox, again, you’ll never lose them. For riskier sites (like your email, online banking, the very Firefox account you use for sync!) I personally advise you not to let the browser save them (and to check the “never ask me again for this website” box). They should be encrypted and secure even on Mozilla’s servers, but… eeeh.
What you really need is a Password Manager. A program that archives and remembers (and generates!) passwords on your behalf.
KeepassXC (on PC)
There are several commercial password managers (Lastpass, 1Password) but I won’t suggest them for a couple of reasons: first, they’re not free (I promised free systems) and second… you have to put your trust in a company (a company that can and will screw up: LastPass had more than one data leak in one year. MAYBE no client data was stolen. This time. Buuut). Instead, you can download KeepassXC (or its ancestor Keepass) which is free, open source, and multi-platform (I’ve been using it for years on Linux).
I’ll tell you how I use it… if you are REALLY paranoid you’ll find my setup a bit too permissive (but if you’re really that paranoid, what are you doing here reading a guide for beginners?). Once installed, open the program, and let it create a new password archive.
When it asks where to save it, create a “keepassdb” folder in Dropbox or in a pCloud synced folder.
IMPORTANT: choose a good password. Better if it’s a passphrase with more than one word in it. Better yet if some parts aren’t words in any dictionary. The “correct horse battery staple” method from XKCD isn’t perfect but it’s better than the “BritneyRules1977” password you’re using now.
Now that your passwords archive is synced on the cloud, you’re really cooking with gas! Every time you need to register or log in on a new website, remember to open KeepassXC, create a new entry, be sure to write the correct username and use an automatically generated password. A super long password is perfect: I don’t even really read them. Go to the “new account” or the “reset password” page, paste this new password, and remember to save your archive (KeepassXC does it automatically when you click “OK” after creating or editing an entry. Handy).
From now on, when your browser asks for a username/password again, you can simply get it back from Keepass (and you need to remember only ONE password. The one to unlock Keepass).
Yes, my dear reader, I don’t actually know my password on 99% of the websites, and I don’t care. Keepass knows.
There’s a plugin for Firefox that will simplify your life even more, adding a small green Keepass icon in the username/password fields, to retrieve them “magically”. This is basically all the functionality from 1Password and LastPass, but for free. Just remember to add the website’s URL/address in the field in KeepassXC (and to enable this functionality: it’s all explained on the extension’s page).
Also useful, in general… keep your entries organized in little “folders” inside Keepass, and use the “download favicon” functionality: it updates the entry’s icon and makes it easier to browse your archive. And… explore the functionalities of KeepassXC: it’s a very handy program, with more useful stuff like “custom fields” that can hold other secrets besides the password (for example, a credit card PIN), or stuff you often need to copy (like a credit card expiration year, say).
Keepass (on the smartphone)
And now we’re getting to the “why did we save our passwords to the cloud anyway??”. Isn’t it insecure? Eh, not really, because we chose a really kickass password for Keepass (…and we did, right? Right?), so not even the Three Letter Agencies could open your .kdbx archive stolen from Dropbox. It’s that well encrypted.
On the other hand, your passwords archive is now always at your fingertips (including on-the-go updates!), and without paying for any subscription.
So, install Keepass2Android (there are alternatives, but I don’t really know them) and let it open the password archive from Dropbox. It will be cached locally (in its encrypted state) and then synced when you reopen the app, and after any modifications.
I’d show you my KeePass2Android all dolled up with custom icons for categories and entries… but Keepass inhibits screenshots for security reasons (exactly like bank apps). Bravo, KeePass2Android!
One fantastic functionality of Keepass2Android is the AutoFill: make sure it’s enabled in the app settings (Settings -> App -> AutoFill). When you need to insert some user/pass in an app or website, Android (or your keyboard software) should suggest “AutoFill with Keepass”, which opens the app and tries to understand which password you need.
Again, the first time it won’t, and you’ll have to select “Choose another entry” (or something like that), find the correct entry and tap it. Then tell the app to remember. The password db will be saved, and next time you’ll just need to tap “AutoFill” and it will pick the right one. For some apps it will even prefill it. Oh, and it also works from the phone’s web browser (you’ll need to long-press on the empty user/pass field for a couple of seconds, and sometimes tap the “three vertical dots” menu of the copy/paste popup: there’s the AutoFill option!).
Wait a minute, it doesn’t work with pCloud!
Yeah… the documentation is less than clear, but it does work, it’s just that you need to keep your password vault in a pretty specific path.
On the PC, directly inside the root of pCloudDrive, create an “Application” folder, and a “Keepass2Android” folder under that.
You’ll need to store your .kdbx file here. Now when you select pCloud from Keepass2Android you’ll be able to open it. Again, it’s best to set up a sync in pCloud for this folder, to somewhere on your PC, and point your PC’s KeepassXC there too. This way, any change will be propagated automagically.
Speaking of sync: in Keepass2Android I would advise you to turn on the “reload cached file every time you unlock” (or whatever it’s called), ensuring you also always have the updated file (if you modified it on the PC or another phone).
But what about iPhone/iPad?
You’ll be thrilled to learn that there are several Keepass compatible apps there, too. Keepassium seems a good option. The free version is featureful enough for basic use, and if you use it regularly I suppose buying it could make sense. iOS stuff just costs more (sometimes a lot more). I don’t have much experience on iOS, sorry.
Two Factor Authentication (2FA)
You thought I was done? Nah. But almost. And this is a very important topic.
Two factor authentication (from now on “2FA”) requires that to access an account you use something you know (the password) and something you have (a “token”, exactly like those doodahs the banks use, with a number that changes, or like SteamGuard for Steam).
This means that even if someone manages to steal your password, or to intercept it, or to guess it… they can’t enter anyway, because they don’t have your token! And, bear in mind, these are not hypothetical scenarios: personally from time to time I get emails telling me they tried to access my google or dropbox account from somewhere in the world… but I have 2FA enabled, so they really can’t without my token.
Now, using a physical token costs a pretty penny, and even banks are switching to software solutions: apps that perform the same function. One of the most common is the Google Authenticator, but it has many limitations… I suggest instead…
Install the andOTP app from the Play Store and enable 2FA on all websites that allow it… seriously, it’s one of the best ways to protect your accounts currently. Oh, and if possible never use SMS-based 2FA: first of all, if you don’t have cell coverage you’re screwed (for example if you are abroad, or in the middle of nowhere, or in some strongly shielded building), and secondly… it’s not that hard to intercept or misdirect SMS. It’s a pretty remote possibility, but it does exist.
Procedure is always the same: the website shows you a QR-Code, you open andOTP, click Add (the little “+” icon in the bottom right), choose “Scan QR Code” and point your phone at the screen. Choose a name and an icon (to recognize it later)… and now insert the generated number, or sometimes 2 in a row, to confirm it really worked. And Bob’s your uncle.
Oh, I was almost forgetting… yes, you should set a PIN to unlock andOTP, and yes, you really have to do it. Just recently I was reading about some phone malware that reads the codes from the Google Authenticator… and it can do that because the app by Google doesn’t have any lock! Same if your phone is stolen/misplaced.
But… what if I lock myself out?
Valid concern! It can happen, and it’s absolutely something you should plan for.
In case you lost one password, you can generally use the reset process, you already knew that… but to be able to reset your password you need to be able to access your email. That’s why your email password is as important, security wise, as your online banking credentials. And that’s why I think you should always enable 2FA on your email. If you don’t have access to your email you risk locking yourself out from many other places… and on the other hand, if someone gains access to your email, they can steal every one of those accounts without you even noticing. If your email provider doesn’t support 2FA… change email provider. Yesterday.
Your Emergency Box
Also consider the option of creating your computing equivalent of the first-aid box with essential medical emergency tools, to keep safe somewhere (maybe you have a small safe at home? Or even at the bottom of your socks drawer… better than nothing!). Generally speaking, one USB key is enough… the important thing is that you use it very sparingly, that you never leave it connected to a PC, and that its contents NEVER go online anywhere.
On it I suggest putting:
- A copy of your .kdbx database from Keepass. Won’t be super up-to-date (and you’ll need to copy it again from time to time) but better than nothing.
- A text file with those 3-4 passwords you don’t keep in KeePass, if any (like, say, the Keepass archive’s password itself!). Honestly, doing this and keeping it in the same place as the file irks me even in the “emergency kit” because if you lose it, or it gets stolen… no bueno. Think about it.
- A copy of the recovery codes for all 2FA accounts. Every time you set up a new 2FA, the service will show 10 numbers and tell you to save them. Those numbers are exactly as critical as your clear-text passwords. Save them in Keepass (did you notice? There’s a “File Attachments” button in the Advanced tab. There you go). But also store them in a file safely somewhere… or print a paper copy and keep it with your USB key. If your andOTP phone breaks, this is the only way to enter those services again. Or, almost.
- A backup from andOTP. This is one of the best features in andOTP: it can create a backup of all its settings and password protect it. Again, you don’t want to lose these.
- Some basic documents, like a scan of your ID and passport.
I mean, not really, but as I said this is a basic guide: each of the chapters could be done more extensively, or more securely, or more handily.
Generally speaking, in privacy and online security you need to decide how paranoid you want to be. Beyond a certain point, if it becomes hard or a hassle, you then risk forgetting to do this stuff at all.
- Email: gmail is handy, I know, and it’s free… and it’s also relatively secure (Google’s 2FA policies are good), but it’s still a service paid for by selling your aggregated data to advertisers. And of course Google can read all your emails, or even give them to authorities (with or without a court order) without telling you. A better alternative is ProtonMail, a provider of end-to-end encrypted email (which means they literally can’t open your email archive, even if they wanted to) based in Switzerland.
- VPN: when you connect to a wifi that’s not your home one, especially in public places (ESPECIALLY in airports) all your private communications go through systems you don’t know anything about, and there could be some jolly fellow trying to intercept them with various methods. If you use a VPN (an encrypted connection to a known server, basically) you reduce your risks a lot. Careful not to install random VPNs from shady providers, or we’re back to square one. Again, ProtonVPN is a good option, made by the same company as ProtonMail, and it does have a free option.
- GPG/PGP: these are well established (and ironclad) encryption systems, and they’re relatively complex to use, but for example if you use ProtonMail then you also have a GPG keypair. With the public half you can, for example, encrypt your andOTP backup with a bombproof system by installing OpenKeychain on Android.
- Tor and some special browsers: there are many options in this area; generally speaking they’re made to make your browsing a lot harder to intercept. With projects like Tor Browser it’s also become pretty accessible even to non-techies.