My Security Best Practices

Security is all about the amount of risk you want to take on. We all have a line that we don’t cross in our physical and digital lives. In a world where there seems to be a new social media scandal weekly involving your personal information, I thought I’d lay out some of the services and security-first things I do to protect my data and “digital life”.

Password Manager (LastPass): I only know one password. While this password is long and confusing, it allows me to focus my mental energy on that one password. The rest of my passwords are anywhere from 20 to 45 characters. Side note: if you offer a login form for customers, please increase the allowed character limit. You’d be surprised how many services I run into that limit the password field to 16 characters.

Why do you need a password manager? Well, for starters it forces you to have a different password for every account. Most people use one password for all of their online accounts, from banking to social media.

Imagine this scenario — you use the same password for everything, and a random account you created years ago for some service gets breached. I’m a bad guy who comes across this information. I now know your email and password for this old abandoned service, and I’m going to try this email + password combo EVERYWHERE. If it works once, it’s all worth it. Especially if I get into your email account: I can then reset the passwords of all services tied to that email and lock you out. This is called credential stuffing, and automated attacks are running as we speak trying to exploit it.
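As an added illustration (not part of the original post), here is a defender-side check for the pattern described above: one source address trying a leaked email + password list against many different accounts in a short window, which looks nothing like a single user mistyping their password. The log format, usernames and IP addresses are constructed samples.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format: timestamp, result, user, source IP).
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice ip=203.0.113.7
2024-05-01T10:00:02 FAIL user=bob ip=203.0.113.7
2024-05-01T10:00:03 FAIL user=carol ip=203.0.113.7
2024-05-01T10:00:04 FAIL user=dave ip=203.0.113.7
2024-05-01T10:00:05 OK   user=erin ip=203.0.113.7
2024-05-01T10:00:06 FAIL user=frank ip=203.0.113.7
2024-05-01T10:01:00 FAIL user=alice ip=198.51.100.9
2024-05-01T10:01:30 FAIL user=alice ip=198.51.100.9
2024-05-01T10:02:00 OK   user=alice ip=198.51.100.9
"""

def parse_line(line):
    ts_str, result, user_field, ip_field = line.split()
    return {
        "ts": datetime.fromisoformat(ts_str),
        "ok": result == "OK",
        "user": user_field.split("=", 1)[1],
        "ip": ip_field.split("=", 1)[1],
    }

def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {ip: {"accounts": [...], "succeeded": [...]}} for every source IP that
    hit at least `min_distinct_users` different accounts inside one `window`.
    A single account retried from one IP (a forgotten password) is not flagged.
    The accounts listed under "succeeded" are the ones to reset and review first."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start, suspicious = 0, False
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window forward
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_distinct_users:
                suspicious = True
                break
        if suspicious:
            flagged[ip] = {
                "accounts": sorted({e["user"] for e in evs}),
                "succeeded": sorted({e["user"] for e in evs if e["ok"]}),
            }
    return flagged
```

The thresholds are illustrative; tune the window and account count to your own login volume, and remember a real campaign will spread attempts across many source addresses, so rate limiting by IP alone is not enough.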

While on the subject of credentials, make sure you use https://haveibeenpwned.com. This site aggregates credentials from all known breaches and will let you know whether your email was involved and which breach leaked it.

When iOS 12 came out there was an amazing feature added to completely remove the friction of filling in passwords. See the below video created by LastPass.

Feel free to sign up for LastPass here. Full disclosure: if you use my link I get a free month (so do you).

Two-Factor Auth (LastPass Authenticator): If a service offers a second factor to authenticate, definitely enable it. If your password becomes compromised, the login attempt still has to be approved by you, by accepting or declining the push notification.

I could explain how this works, but once again LastPass has a great video demonstrating it. I could make my own video on this, but I’m not willing to accept the risk of sharing my LastPass UI. <- See what I mean about risk acceptance?

VPN: There are a bunch of reasons you’d want to use a VPN. I use a VPN whenever I’m on an untrusted network, i.e. everywhere except my house. This gives me peace of mind knowing that anyone on the same network as me will be unable to see the contents of my traffic, since it is encrypted between my device and the VPN provider. I’m a huge privacy advocate, so I want to know that my IP, VPN IP, my location, the sites I visit and any communications I conduct while on the network are private. You’ll also want to make sure your VPN provider holds little to no logs (again, this is a matter of risk acceptance and is up to you).

Social Networking: This is a tough one; everyone has a different threshold for what they’re willing to put up with before they abandon or delete a service. Here’s what I’ve done, and it has worked out for me so far.

Facebook: I’ve deleted the app from my phone and have purged all the data except for photos I’m tagged in. I don’t align with the values of Facebook as it stands today, but my family and the groups I’m a part of only use Facebook, so I need to at least have an account.

Instagram: Private profile that I only allow people I know in real life to view. Like most people with kids, I love to share moments I have with my family and I want to make sure that only those I’ve approved can see it.

Twitter: Ugh, where do I start with you? I have an open account. I avoid discussing location-based things or anything involving the company I work for, and I try (but sometimes fail) to avoid posting anything political. Twitter is probably my most used social network, for the news alone. One thing I do recommend with Twitter is that you use a service to delete tweets after a certain amount of time.

Wrap up: As stated at the beginning, this is all subjective to your own experiences and risk tolerance. If you want to sign up for a service, just educate yourself on its privacy policy and be aware of the data it’s asking for. Be safe out there, fellow internet users…