This is a post written by Chris Torgalson, a former developer here at Raised Eyebrow. Editing it has been on my to-do list for ages and I've just finally gotten around to it. He can't post it now that he's gone but I wanted to make sure to give credit where it's due!
In the age of identity theft, phone hacking scandals and personal data being compromised, it’s no wonder that one of the more common questions we get from clients is how best to protect themselves (and their websites) online.
You can do a fair amount yourself in this area if you’re willing to get your hands dirty. The more of these suggestions you can implement, the safer you’ll be. We recognize that a lot of the following might be over the heads of those who don’t have dedicated IT support, but even doing one or two will go a long way towards improving your digital security.
1. Keep your OS, browser(s) and website software up to date
None of the other steps here will be effective if the software you use is vulnerable.
Unless there’s a compelling reason not to, allow your OS and browser software to auto-update regularly.
If your website is built on a content management system (CMS), make sure both the core software and any add-ons are up to date. Be sure to apply any security patches released in a timely manner.
2. Encrypt your hard drive(s)
This should protect your data if your computer / tablet / phone is lost or stolen.
Most operating systems (notably excluding iOS) include the option to turn on full-disk encryption. It is especially important to use this where possible on devices that use flash memory for storage (this includes phones and e.g. many new Apple laptops).
3. Use good passwords / passphrases
This makes your passwords harder to guess.
The most important factor in passwords is randomness. An insufficiently random password can be guessed (password crackers are currently able to test many millions of passwords per second). There are many online password generators, and most password managers (see #5) include password generation tools.
A good password is at least sixteen characters long and contains some mix of upper and lower case characters, numerals, punctuation and spaces. Longer is always better.
A good passphrase should contain four or more randomly chosen words (note: this means actually random, according to a scheme such as Diceware, not words you picked yourself). Again, longer is better.
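To make the "randomness" point concrete, here is an added example (not part of the original post) that generates a Diceware-style passphrase and a 16-character password with a cryptographic random source, and works out how many bits of entropy each has and how long an attacker guessing at an assumed ten million tries per second would need to exhaust the space. The word list inside is a small constructed sample, not a real Diceware list; the 7776-word list size and the guessing rate are stated assumptions.

```python
import math
import secrets
import string

# Constructed sample of a Diceware-style word list, used only so the
# generator runs offline; a real Diceware list has 6**5 = 7776 words.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gable", "harbor",
    "ivory", "juniper", "kettle", "lumen", "marble", "nectar", "orbit", "pebble",
]
DICEWARE_LIST_SIZE = 7776        # size of the standard Diceware list (6**5)
PRINTABLE_ASCII = 95             # upper, lower, digits, punctuation and space
ASSUMED_GUESS_RATE = 10_000_000  # assumption: "many millions" of guesses/s


def entropy_bits(choices, count):
    """Bits of entropy in `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def worst_case_crack_seconds(bits, guesses_per_second=ASSUMED_GUESS_RATE):
    """Seconds needed to try every candidate at the given guessing rate."""
    return 2.0 ** bits / guesses_per_second


def generate_passphrase(words, count=4):
    """Pick `count` words with a CSPRNG (secrets), never the `random` module."""
    return " ".join(secrets.choice(words) for _ in range(count))


def generate_password(length=16):
    """Random password over the 95 printable ASCII characters, space included."""
    alphabet = string.ascii_letters + string.digits + string.punctuation + " "
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes():
    """Entropy of the two schemes the post recommends next to a common weak one."""
    return {
        "4 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 4),
        "16 printable chars": entropy_bits(PRINTABLE_ASCII, 16),
        "8 lowercase letters": entropy_bits(26, 8),
    }


if __name__ == "__main__":
    print("passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("password:  ", generate_password())
    for name, bits in compare_schemes().items():
        years = worst_case_crack_seconds(bits) / (365 * 24 * 3600)
        print(f"{name}: {bits:.1f} bits, ~{years:.2g} years to exhaust")
```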
4. Never reuse any password for any reason
This means if a password is revealed, only one login/account is at risk.
If a login or account that uses a given password is compromised, every other account or login using the same password is at risk. Using only unique, high-quality passwords mitigates this risk.
5. Use a password manager
This facilitates using many unique, highly random passwords.
If you’re using good-quality, unique passwords and/or passphrases, then you will probably be unable to remember some or all of them. The solution to this is to use a password manager such as LastPass, which we use here at Raised Eyebrow.
With the exception of Safari on Mac OS 10.9+, you should never use a web browser’s password manager as these typically incorporate no security or very weak security.
6. Do not share passwords (or other highly sensitive information) via unencrypted email
Email is an inherently insecure form of communication.
Instead, use the telephone or, for long and complex information (such as passwords) use a service such as Noteshred, another favourite tool of the Raised Eyebrow team.
7. Encrypt your email communications
This will prevent your email from being read by anyone but the intended recipient(s).
This is probably the most difficult of all of the suggestions in this document, as it’s quite possible that none of your correspondents use encrypted email. Find out more about GPG email encryption.
8. Make it difficult for users not on the same network to eavesdrop on your data
These steps probably will not reliably protect you from malicious users on the same network, e.g. users sharing a coffee shop wireless connection (this depends to some extent on how the network is set up).
- never connect to (wireless) networks using WEP security (if your home network uses WEP security, change it to WPA2 as soon as possible)
- always prefer (wireless) networks that use WPA2 security
9. Use private networks / private connections
These steps can help to prevent anyone from eavesdropping on your connections.
- make sure your home wireless does not use WEP security
- make sure your home wireless password is long and difficult to guess (if it's not, you're at risk of malicious users joining your network and eavesdropping on your network traffic)
- never, never, never connect to a webmail service via a non-SSL connection (your email account can likely be used to change many website logins, including your own Drupal or WordPress site)
- make certain your desktop email program uses a secure connection (contact your network administrator for help with this)
- when away from trusted networks (i.e. in hotels, coffee shops, or at conferences), consider setting up a private WPA2 network using your phone (use a good password!). You can connect to this network using your computer (note that this requires you to have a cellular data plan, and so may be expensive if you're transferring large amounts of data, or when roaming).
- alternatively (or in addition), consider connecting to the internet via a VPN service or through a VPN set up by your network administrators. Please note:
  - a VPN should protect you from eavesdropping by users on the same network, but your communications are not protected outside the network, so use SSL connections whenever possible. Using a VPN alone, your communications may be anonymous; they are not private.
- alternatively (or in addition), consider using Tor. But note:
  - Tor may slow down already-slow connections
  - As with a VPN, Tor protects your communications until they reach the public internet, so SSL connections should still be used whenever possible. Using Tor alone, your communications may be anonymous; they are not private.
  - Tor must be installed and correctly configured, and this is difficult on Android devices and impossible on iOS devices
10. Enable two-factor authentication on your Gmail or Yahoo email account (and everywhere else you can)
This prevents access to your account(s) if your password is compromised.
This will be difficult for many users, so be sure to read and understand the directions and risks before attempting it. The benefit is that simply capturing your password will not be sufficient for a malicious user to gain access to your email account.
NOTE: Anyone who has reason to believe they are the specific target of any kind of hostile surveillance should not rely on these steps alone, especially if they may be at personal risk if their communications are compromised.