Security

Privacy vs Security

The two aspects are related... but there is a difference. An example of this is your Google data: 

The chances of hackers breaching Google's servers (computers) to access your data are very small. Google also has some top security engineers, and some anti-hacking features, such as your phone pinging you whenever someone tries to log in to your account.

The chances of Google sharing your data with 3rd parties or the US government, or of an employee reading your emails, are very high (there are documented cases of this happening...).

So we could say that Google is secure, but not private.

This guide deals with Security only.


Securing your accounts

The best way to secure your accounts (Google, Amazon, eBay, Facebook etc.) is with a strong password, and Two Factor Authentication (2FA).

Passwords

The best way to achieve a strong password is to use a password manager. If you don't use one already, I can recommend Bitwarden - it's one of the few that are Open Source. This will allow you to have a unique password for every account. This is essential, because if Facebook ever gets hacked, the hackers would otherwise also get access to your Google, Amazon and eBay accounts.

You can let your password manager generate these unique passwords for you, which is fine. But you need to 1) ensure you will remember the password to your password manager and 2) ensure you back up the data from your password manager somewhere else, in case you DO forget your password OR the password manager somehow fails you. 

When it comes to backing up the data in your password manager, you should export it, unencrypted, to an encrypted storage of your choice (more on this later).

Bonus for the obsessive: Another way to generate unique passwords is to use some kind of algorithm to do so. For this, I recommend masterpassword, an offline 'calculator' that generates strong passwords. This way, you will still be able to find your passwords if you ever lose access to your password manager. Some argue this introduces an insecurity, but I argue that the risk of you losing access to your password manager is greater than the risk of a hacker reverse engineering the algorithm of masterpassword.

Bonus for the most zealous: Use KeePassX to store all your passwords securely offline. Some would argue this is the most secure, as it doesn't touch the internet. Just don't come to me if you lose them!

2FA

Your password is only 1 factor of authentication. That means 1 piece of information to get into your account - your password. It is better to add a second factor of authentication, hence 2FA. This means that even if a hacker gets your passwords, your accounts are still secure.

That second factor can be, in increasing preference:

1) A text message with a code sent to your phone (annoying and proven to be hackable, but better than nothing by far). Remove this option if you can use one of the others below.

2) A code generated on an app on your phone (such as Authy)

3) A hardware key (like YubiKey)

The best option is to have multiple - in case you lose your phone (option 2) or your hardware key (option 3).

For option 2 - I strongly recommend an application called Authy. It allows you to use multiple devices as your 2FA, and backs itself up. You can set it up on all of your phones, laptops, and tablets - and I recommend that you do. This makes it very unlikely you would lose access, and makes it more convenient. 

Some argue that this is not secure; again I argue that you are more likely to screw yourself over by losing your phone than a hacker breaking into AND cracking Authy's servers. However, even IF Authy was breached... the hacker would only have 1 factor of authentication (i.e. they still need your passwords!).

However, I also recommend getting a hardware key - the most common of which is the Yubikey. This is like a USB stick with a unique code inside that acts as your 2FA. Basically you go to each website and put in your Yubikey, then that website recognises the unique code in the Yubikey as you and accepts it as a 2FA method. Your Yubikey is useless to anyone else, as they still need your passwords. If you lose your Yubikey it is very unlikely anyone finding it would know it is yours anyhow; no personal information is stored on Yubikeys (unless you program it to).

You can use, and I recommend you do, more than 1 Yubikey (as a backup), or other hardware key. 

You can also, and I recommend you do, use BOTH the Yubikey AND Authy.

To add 2FA, look inside the 'accounts' or 'security' section of the website - you can usually add several 2FA methods.

This way, you can use either one of your Yubikeys OR Authy on one of your devices to login.


Securing your data

The way to secure your data is to use encryption.

Offline data: phone/tablet

Almost all phones (Android and iPhone) use full disk encryption by default. This means that anyone with physical access to your phone shouldn't be able to access your data without your password. If you have sensitive data on your phone, don't use face or fingerprint to unlock: you can easily be forced to unlock with these.

Offline data: laptop

Macbooks have FileVault (full disk encryption) enabled by default. Easy. Choose a strong password and you are done.

Linux users can easily set their computer to use full disk encryption, but it is optional (opt-in).

Windows users are the most at risk. There is some Microsoft encryption on SOME versions of Windows, called BitLocker. It's better to use more proven, Open Source, software.

Even with full disk encryption, it is better to store all your personal data in an encrypted volume(s). If you are not sure if some data is personal, encrypt it. As a minimum I would encrypt stuff like scans of passports, or other documents, backups from your password manager, backups of notes, etc. 

For offline data, the best choice is VeraCrypt or Cryptomator. If you use Macs, and use them exclusively, look into making sparse bundles - you don't need any additional tools - however sparse bundles can ONLY be opened on Macs.

VeraCrypt makes an 'encrypted volume'; basically it's like a virtual USB stick where you can add your files. You need to choose a good password for this; better still, a passphrase. The reason for this is that VeraCrypt is totally offline, so if someone got hold of the volume they could try to get inside as many times as they want - or run a script that tries 1000 passwords a minute until it works.
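An added example, not from the original post or from any of the tools named, showing why a passphrase is the right answer to an attacker who can try passwords against a copied file without limit. It generates passwords and passphrases the way a password manager does (with the `secrets` module, never `random`), computes their entropy, and converts that into the worst-case time at the rate quoted above (1000 guesses a minute) and at a much higher, assumed rate. The eight-word list is constructed for the demo; 7,776 is the size of the EFF-style word lists real generators ship.

```python
import math
import secrets
import string

# Constructed: a tiny word list for the demo. Real generators (Bitwarden, KeePassXC)
# ship EFF-style lists of 7,776 words; the entropy figures scale with list size.
SAMPLE_WORDS = ["fish", "cycle", "moon", "anchor", "violet", "granite", "saddle", "kettle"]
EFF_LIST_SIZE = 7776
# Letters, digits and punctuation: the 94 printable ASCII symbols
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(words, count: int = 6, separator: str = "-") -> str:
    """`count` words drawn uniformly with the CSPRNG-backed `secrets` module."""
    return separator.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """A random password of the kind a password manager generates for you."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` independent uniform picks from `choices_per_symbol`
    options. What makes a passphrase strong is not its length in characters but
    how many equally likely choices an attacker has to cover."""
    return symbols * math.log2(choices_per_symbol)


def worst_case_seconds(bits: float, guesses_per_minute: float = 1000) -> float:
    """Time for an offline attacker to try every possibility at the given rate.
    The expected time is half of this. Nothing rate-limits guesses against a
    file they have copied, so only the entropy protects you."""
    return (2.0 ** bits) * 60 / guesses_per_minute


def describe(label: str, bits: float, guesses_per_minute: float = 1000) -> str:
    years = worst_case_seconds(bits, guesses_per_minute) / (365.25 * 24 * 3600)
    return f"{label}: {bits:.1f} bits, {years:.3g} years at {guesses_per_minute:g} guesses/min"


if __name__ == "__main__":
    print("passphrase from the 8-word demo list:", generate_passphrase(SAMPLE_WORDS))
    print("random 20-character password:", generate_password())
    print(describe("6 words, 8-word list", entropy_bits(len(SAMPLE_WORDS), 6)))
    print(describe("6 words, 7,776-word list", entropy_bits(EFF_LIST_SIZE, 6)))
    print(describe("20 chars from 94 symbols", entropy_bits(len(PASSWORD_ALPHABET), 20)))
    # Assumed: a dedicated offline cracking rig guesses far faster than 1000/min
    fast = 1e9 * 60
    print(describe("6 words, 7,776-word list", entropy_bits(EFF_LIST_SIZE, 6), fast))
```

Two things the numbers show: six words from the demo's eight-word list is only 18 bits and falls in hours even at the 1000-a-minute rate, while six words from a proper list is about 77 bits and survives even the assumed billion-a-second rate for a very long time. The security comes from the random choice, not from the words being memorable, so pick the words with the generator and then memorise them, never the other way round.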

VeraCrypt has some advanced features. You can make hidden volumes, or set it to need a password PLUS a 'passfile' to get inside.

Offline data: USB sticks and USB hard drives

Same principle. Put encrypted volumes on here with VeraCrypt or Cryptomator. Mac users have the option to format drives with encryption turned on.

Online data

Online data refers to data that you either store exclusively online, or data that you store locally and 'sync' to the cloud.

This data is VERY vulnerable. Essentially your data is sitting on someone else's computer. Even if the online service of your choice promises to look after your data, you still have to trust them to keep that promise.

The best way to protect this data is to encrypt it yourself first - for this, use Cryptomator.

This way, you encrypt the data yourself, and sync/send the data online. To anyone else, the data is completely unusable. Of course, choose a strong password - or better yet a passphrase.

The difference between VeraCrypt and Cryptomator? Cryptomator is better at working with online storage, because the way it splits the 'encrypted volume' into chunks means that if you add a few files to a volume, it is only a small change. With VeraCrypt, if you add one document to a 5GB volume, ALL of that 5GB volume has changed... which means that if you sync with Google the whole thing has to be re-uploaded. Note: for Mac users, sparse bundles ALSO do the chunk thing, same as Cryptomator.
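An added example (mine, not Cryptomator's or VeraCrypt's code) that models the difference just described: a monolithic container that is re-encrypted as one blob on every write, against a vault that encrypts each file in fixed-size chunks and re-encrypts only the chunks that changed. The cipher is a stand-in (HMAC-SHA256 run in counter mode as a keystream) so the example needs only the standard library; the 1 KB chunk size, the file names and the random file contents are constructed for the demo. `sync_cost` reports how many bytes a sync client would have to re-upload after adding a small file, or after editing one byte of a large one.

```python
import hashlib
import hmac
import secrets

CHUNK = 1024      # constructed chunk size; real vault chunks are larger
NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode as a keystream, XORed with
    the data. Real tools use AES and authenticate every chunk; this just keeps
    the example dependency-free and is NOT a cipher to use for real data."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)        # fresh nonce on every encryption
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


class MonolithicContainer:
    """VeraCrypt-like model: the whole volume is one blob, re-encrypted on every write."""
    def __init__(self, key: bytes):
        self.key, self.files, self.blob = key, {}, encrypt(key, b"")

    def write(self, name: str, data: bytes) -> None:
        self.files[name] = data
        serial = b"".join(len(n).to_bytes(2, "big") + n.encode() + len(d).to_bytes(4, "big") + d
                          for n, d in sorted(self.files.items()))
        self.blob = encrypt(self.key, serial)

    def read(self, name: str) -> bytes:
        serial, pos = decrypt(self.key, self.blob), 0
        while pos < len(serial):
            nlen = int.from_bytes(serial[pos:pos + 2], "big"); pos += 2
            n = serial[pos:pos + nlen].decode(); pos += nlen
            dlen = int.from_bytes(serial[pos:pos + 4], "big"); pos += 4
            d = serial[pos:pos + dlen]; pos += dlen
            if n == name:
                return d
        raise KeyError(name)

    def stored(self) -> dict:
        return {"volume.hc": self.blob}


class ChunkedVault:
    """Cryptomator-like model: each file is stored as separately encrypted chunks;
    a write re-encrypts only chunks whose plaintext actually changed. Keeping the
    plaintext chunks in memory is a simulation shortcut for detecting changes."""
    def __init__(self, key: bytes):
        self.key, self.plain, self.cipher = key, {}, {}

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)] or [b""]
        for idx, chunk in enumerate(chunks):
            if self.plain.get((name, idx)) != chunk:
                self.plain[(name, idx)] = chunk
                self.cipher[(name, idx)] = encrypt(self.key, chunk)
        for k in [k for k in self.cipher if k[0] == name and k[1] >= len(chunks)]:
            del self.plain[k], self.cipher[k]          # file shrank: drop tail chunks

    def read(self, name: str) -> bytes:
        idxs = sorted(i for (n, i) in self.cipher if n == name)
        return b"".join(decrypt(self.key, self.cipher[(name, i)]) for i in idxs)

    def stored(self) -> dict:
        return dict(self.cipher)


def bytes_to_upload(before: dict, after: dict) -> int:
    """What a sync client re-uploads: every stored object that is new or whose bytes changed."""
    return sum(len(v) for k, v in after.items() if before.get(k) != v)


def sync_cost(scenario: str, existing_size: int = 4 * CHUNK, new_size: int = 100) -> dict:
    """Bytes re-uploaded by each model. scenario: "add" a small file next to an
    existing large one, or "edit" one byte of the large file. Data is constructed."""
    key, big = secrets.token_bytes(32), secrets.token_bytes(existing_size)
    costs = {}
    for label, store in (("monolithic", MonolithicContainer(key)), ("chunked", ChunkedVault(key))):
        store.write("passport-scan.bin", big)
        before = store.stored()
        if scenario == "add":
            expected = big
            store.write("note.txt", secrets.token_bytes(new_size))
        else:
            expected = bytes([big[0] ^ 0xFF]) + big[1:]
            store.write("passport-scan.bin", expected)
        assert store.read("passport-scan.bin") == expected   # both models still decrypt correctly
        costs[label] = bytes_to_upload(before, store.stored())
    return costs


if __name__ == "__main__":
    print("add a 100-byte file next to a 4 KB file:", sync_cost("add"))
    print("edit one byte of the 4 KB file:        ", sync_cost("edit"))
```

With the default sizes the chunked vault uploads 116 bytes for the new file and one 1,040-byte chunk for the edit, while the monolithic container uploads the entire re-encrypted blob both times; scale the 4 KB up to the 5GB volume above and the difference is the whole re-upload the text warns about. Note that the fresh nonce per encryption is what makes the monolithic blob change completely even when the plaintext barely did, so the cost is inherent to the design, not a sync-client bug.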

Once encrypted, your data can sit online and you don't need to worry (until quantum computers are a thing...) - just please use a unique, strong PASSPHRASE.

Why use VeraCrypt at all then? As we said, it has some unique features. I prefer it for storing data offline (such as on USB sticks).

My recommendation? Use BOTH Cryptomator AND VeraCrypt. Keep a Cryptomator volume on your computer, synced online (Dropbox, Google Backup and Sync, sync.com etc.) AND occasionally back up the data inside Cryptomator to a VeraCrypt volume on a USB stick you keep safe somewhere. If you lose your computer, you have an encrypted volume backed up online. If you also lose access to your online stuff, or somehow lose your password or otherwise screw up Cryptomator, you have a backup on a USB stick and can access it from any computer with VeraCrypt installed. If it doesn't exist in two places - it doesn't exist at all.



Bonus section: alternatives and advanced tips



Many password managers also allow you to put individual files in their locker. Not a bad option.

If you deal with online storage a lot, check out Cyberduck. It has Cryptomator built into it! This way you can store data online directly and keep it encrypted.

Nord, of VPN fame, have recently released NordLocker. It's very similar to Cryptomator - but it is new, untested, and closed source. I would not trust/rely on this too much.

To encrypt individual files, you can just use 7zip. It uses AES-256, which is fine. This is a good option for sending files to people, but is not good for your own data, as when it unzips it makes an unencrypted copy on your computer.

If you subscribe to the pro version of Standard Notes (and I recommend you do!) you can add encrypted files to notes AND you can use it for 2FA, similar to Authy.

If you do get a Yubikey, you can program the button as a keyboard to enter a long string of text. Why is this useful? You can add it to passwords to unlock your laptop, or applications inside your laptop, for super strong effect. E.g. you set the Yubikey to type 'fishcycletothemoon', then you set your laptop password to 'password1fishcycletothemoon' and you set Firefox to 'password2fishcycletothemoon' etc.

If you are REALLY advanced, you can use PGP to encrypt data too... this basically secures your data with a KEY (not a password)... but if you know PGP you probably don't need my help ;)

---END---

