A checklist for your digital health. Need more details? Check out the Reading List. We’ve marked the things you can do with a checkbox:
- Security practices change often. Read the history of this document.
- The longer the better. “Special” characters are not as important as length.
- Use a phrase of four or more unrelated words.
- If you start to type your four words into Google.com and it autocompletes the rest, they are not sufficiently random/unrelated. Use a phrase generator instead.
- Use a different password for every account. Yes, it’s painful, so…
- Use a password manager, like 1Password or LastPass.
- Don’t use real answers for “security questions” (e.g. your brother’s name). Those answers are often public or easily guessed, so knowledge-based verification is weak. Instead, use your password manager to generate and store a random phrase for each answer.
- Don’t share social media account passwords. Use your own account and delegate authorization (e.g. Tweetdeck or Hootsuite).
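An added example (not part of the original checklist) showing what a “phrase generator” does and why length beats “special” characters: it draws words with the operating system’s cryptographic random source and puts numbers on the entropy of each choice. The word list here is a small constructed one for an offline demo; a real generator uses a large published list such as the EFF long list (7776 words), and the figures that assume that size are labelled as such.

```python
"""Diceware-style passphrase generator (added example, not from the checklist)."""
import math
import secrets

# Constructed, deliberately tiny word list for the offline demo.
# A real generator should use a large published list (e.g. EFF long list, 7776 words).
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garnet", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umpire", "velvet", "walnut", "yonder",
]
EFF_LONG_LIST_SIZE = 7776  # assumption: size of the EFF long word list


def entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly (with replacement) from list_size words."""
    return word_count * math.log2(list_size)


def charset_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a length-character password drawn uniformly from charset_size symbols."""
    return length * math.log2(charset_size)


def generate_passphrase(words, count: int = 4, separator: str = " ") -> str:
    """Pick `count` unrelated words using the OS CSPRNG (secrets), never random.random().

    Rejects configurations that cannot give a reasonable passphrase.
    """
    if count < 4:
        raise ValueError("use at least four words")
    if len(words) < 2:
        raise ValueError("word list too small")
    return separator.join(secrets.choice(words) for _ in range(count))


def security_question_answer(words, count: int = 4) -> str:
    """A random phrase to store in the password manager instead of a real answer."""
    return generate_passphrase(words, count, separator="-")


def length_beats_symbols() -> bool:
    """Four EFF words (lowercase, no symbols) carry about as much entropy as
    eight characters drawn from all 95 printable ASCII symbols, and five words
    clearly exceed it. This is the 'length over special characters' point."""
    four_words = entropy_bits(EFF_LONG_LIST_SIZE, 4)      # ~51.7 bits
    five_words = entropy_bits(EFF_LONG_LIST_SIZE, 5)      # ~64.6 bits
    eight_symbols = charset_entropy_bits(95, 8)           # ~52.6 bits
    return five_words > eight_symbols and four_words > eight_symbols - 1


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(security_question_answer(SAMPLE_WORDS))
    print(f"4 EFF words: {entropy_bits(EFF_LONG_LIST_SIZE, 4):.1f} bits")
    print(f"8 printable-ASCII chars: {charset_entropy_bits(95, 8):.1f} bits")
```

Only `secrets` (or `os.urandom`) is acceptable for this job; `random` is seeded from predictable state and is not a cryptographic generator.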
- Sometimes referred to as two-factor authentication. Abbreviated as MFA or 2FA.
- Not the same thing as two-step verification, which may use two of the same kind of factor (e.g. a password plus a code emailed to you). Prefer true multi-factor if you have the choice.
- Something you know, something you have, something you are. Example: ATM card (have) + PIN (know).
- Biometric = something you are. Be wary of relying on it alone (fingerprints, facial recognition): unlike a password, you cannot change it if it is copied.
- “Something you have” can vary. In order of good, better, best:
- Set it up everywhere it is offered: Facebook, Google, Twitter, Slack, NGP/VAN (ActionID), your bank - see comprehensive list.
- Print out a sheet of backup recovery codes and keep that paper in a safe place. Treat it like your birth certificate or your car title.
- If your email account does not offer 2FA, change your email provider. Really.
- Run all software updates.
- Use a PIN of at least 6 digits to secure your phone. If your phone offers biometric (fingerprint) unlock, consider using a longer complex passcode (8+ characters) and the biometric for convenience.
- Autolock the screen in 2 minutes (or less) of inactivity.
- Install a 2FA TOTP app: Duo, Google Authenticator, or Authy
- Set up a customer account passcode with your mobile phone company. This helps them verify you when you speak with them or log in to your account online, and makes it harder for someone else to move your number to their own phone (a “SIM swap”) and intercept your text-message codes.
- Run all software updates.
- Turn on full-disk encryption.
- For Macs, this is System Preferences » Security & Privacy » FileVault.
- For Windows, it’s more complicated: BitLocker is built into Pro and Enterprise editions, and some Home machines offer “Device encryption” instead. See the linked article describing options.
- Make sure your screen locks when it sleeps or after two minutes (or less) of inactivity.
- Use an account password at least 10 characters long. Best is four or more unrelated words.
- Do not send sensitive information via unencrypted email.
- Always use HTTPS.
- Use an end-to-end encrypted service to send sensitive information. Examples include Keybase, WhatsApp and Signal.
- Treat constituent data as if it were your own. Shred VAN paper printouts after data entry. Store paper in a safe place.
- Getting a fraudulent email does not mean an account has been hacked.
- MFA/2FA and password manager are really important preventions.
- Be alert. If an email looks a little “off”, do not reply to it or click on any links. Pick up the phone and verify the sender out of band (verbally or by text message, using a number you already have rather than one from the email) before trusting it.
- Follow your incident response plan. Don’t have any? Time to write one.
- If you use Gmail, you can report an email as Phishing using the same menu you use to Reply or Forward.