Basic Privacy & Security

Note: please be aware that this post may contain affiliate links.

Although this page is part of the “Off-the-grid” series, the lessons it contains can be applied to any web service, whether private, public or governmental.

So you take my privacy seriously?

I imagine that every single cloud-based service out there states somewhere on its website that it respects its users’ privacy/security.

Here’s the rub:
How do we sort out the liars?

Prof. A. Moody, Harry Potter & the Goblet of Fire

Well, there are a number of things you can do to research services and get some indicators as to how seriously they actually take your security/privacy.

Are there any previous data breaches

There are several sites that you can use to see if a prospective service has had a data breach before:

[Screenshot: the beginning of Wikipedia’s list of data breaches]

What’s the password policy

You can tell a lot about a company from its password policy. For instance, if a company only requires a minimum of 6 characters for passwords, there’s a good chance it doesn’t take security seriously.

For example, Hulu only requires 6 characters for a password (at the time of writing). That doesn’t give me confidence that their back-end code & database security is all it could be.

Screenshot showing Hulu registration form, requiring only 6 characters for their passwords

Companies should require at least 8 characters, with a mixture of:

  • uppercase letters
  • lowercase letters
  • numbers
  • special characters

It would be even better if a system would run the [potential] password through HaveIBeenPwned to see if the password has been compromised as part of a security breach.

Take this example from Basecamp.com: after a security breach, they changed their password policy [1]. They no longer allow previously breached passwords to protect accounts. As they also use a sensible minimum password length, this is a good example of something all companies should be looking at.
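As an added example (my own code, not from the original post, Basecamp or Have I Been Pwned), here is how the two checks above fit together: the complexity rules from the list, and a k-anonymity lookup against the Pwned Passwords range API, where only the first five hex characters of the SHA-1 hash leave the client. The range response below is constructed, and the `fetch_range` helper is the only part that needs network access.

```python
import hashlib
import re
import urllib.request  # used only by fetch_range(), which needs network access

MIN_LENGTH = 8
CLASSES = [  # one pattern per character class the policy asks for
    ("uppercase", re.compile(r"[A-Z]")),
    ("lowercase", re.compile(r"[a-z]")),
    ("digit", re.compile(r"[0-9]")),
    ("special", re.compile(r"[^A-Za-z0-9]")),
]

def policy_failures(password):
    """Return the complexity rules the password breaks; empty means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES:
        if not pattern.search(password):
            failures.append(f"no {name} character")
    return failures

def sha1_prefix_suffix(password):
    """Split the upper-case SHA-1 hex digest: 5-char prefix sent to HIBP, rest kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Fetch the HIBP range for a prefix; the full hash never leaves the client."""
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                                 headers={"User-Agent": "password-policy-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, range_body):
    """Look the password's suffix up in a range response ('SUFFIX:COUNT' per line)."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

# Constructed stand-in for a range response (not real HIBP data): the suffix of
# "Password1!" is listed as seen 42 times, next to one filler entry.
SAMPLE_RANGE_BODY = "\r\n".join([
    "00000000000000000000000000000000000:1",
    f"{sha1_prefix_suffix('Password1!')[1]}:42",
])
```

"Password1!" satisfies every complexity rule yet is flagged by the breach lookup, which is why the Basecamp approach goes beyond minimum length and character classes.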

[Screenshot from Basecamp: Screenshot_20191227_004957_basecamp.png]

Is the service free?

This one may be a bit generic and unfair, but I think it’s a good indicator. With commercial bodies, it should be clear how they can afford to offer the service to you for free. Otherwise, you need to ask yourself how they are making money off you.

A good example: ProtonMail

If you’re wondering why my focus is on ProtonMail, why not read my off-the-grid article on email providers?

ProtonMail is community software, funded by the community, and open source. We do not show ads or make money by abusing your privacy. Instead, we depend on your support to keep the service running. Revenue from paid accounts is used to further develop ProtonMail and support free users such as democracy activists and dissidents who need privacy but can’t necessarily afford it.

https://protonmail.com/pricing

A bad example: free VPNs

Instead of giving you a single bad example, I’m going to give you a link to a page about free VPNs. It’s a really good article including several examples of how free services sell (or have sold) data and tracking information.

Remember to come back if you leave

2 Factor Authentication (2FA)

Whenever possible you should enable 2-factor authentication on your accounts. As it happens, I’ve already done a video on 2-factor/multi-factor authentication. Although it’s aimed at Home Assistant users, it doesn’t matter whether you use Home Assistant or not, as the lessons are universal.

My 2FA YouTube video

https://www.youtube.com/watch?v=9-RQTtKhIbM

What does 2FA/MFA do?

When you (or somebody else) log into your account, the correct username/email and password are needed as usual. If those credentials are correct, a second item of information must then be entered.

The information is often a 4-8 digit code, sent via SMS, or provided by an app such as:

Try to choose wisely though. If you set up many sites in one app and later want to switch to a different app, it can mean that for every site you have to:

  1. go into each site/app/whateverTheCodeIsFor
  2. disable 2FA
  3. set it up in a new authenticator app
  4. re-enable it on the site again.

Multi-device workaround

When you set up an account in your authenticator app, print off, or make a manual note of, the manual setup code (not the QR code). This can then be used to set up the account in the new app, and you shouldn’t need to disable/re-enable 2FA again.

This workaround comes with a few caveats, however:

  1. make sure you store these codes in a secure place, & not on any medium that you are protecting with 2FA
  2. try to test the manual code on a second authenticator app and try authenticating with that before you delete the code from the original app
  3. try to get into the habit of printing these codes off anyway, at least until you have set several backup/recovery options in the app or site.
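To show why the manual setup code alone is enough to move an account between authenticator apps without the disable/re-enable steps listed earlier, here is an added TOTP example (my own code, not from the post or any authenticator app): the setup code is simply the shared secret in base32, so any app seeded with it derives the same codes. The RFC 6238 test key is used as a constructed setup code.

```python
import base64
import hashlib
import hmac
import struct
import time

def decode_setup_code(setup_code):
    """Turn the manual setup code (base32, often shown spaced/lowercase) into the raw secret."""
    cleaned = setup_code.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore the '=' padding apps usually omit
    return base64.b32decode(cleaned)

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(setup_code, unix_time=None, step=30, digits=6):
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(decode_setup_code(setup_code), unix_time // step, digits)

def verify(setup_code, submitted, unix_time, step=30, window=1):
    """Server side: accept the current step plus/minus `window` steps of clock drift."""
    secret = decode_setup_code(setup_code)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, unix_time // step + drift), submitted):
            return True
    return False

# Constructed example: the RFC 6238 test key "12345678901234567890" in base32, in the
# spaced form an authenticator app shows as its manual setup code.
SETUP_CODE = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

def two_apps_agree(unix_time):
    """Seed an 'old' and a 'new' app from the same setup code; they must produce the same code."""
    old_app = totp(SETUP_CODE, unix_time)
    new_app = totp(SETUP_CODE.lower().replace(" ", ""), unix_time)
    return old_app == new_app, old_app

if __name__ == "__main__":
    print("current code:", totp(SETUP_CODE))
```

Because the site only ever stored that secret, it cannot tell which app generated a code, which is also why the setup code must be kept as securely as the account itself.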

Password Managers

For me, password managers are a big one, and something I would recommend everybody use.

They allow you to use a different password for each site you register with. Personally, I use Lastpass (affiliate link), and it has the following benefits (for me):

  • complex passwords for each site
  • unique passwords for each site
  • It also works on Android apps…
  • …as well as on my iPad mini
  • private notes can be stored
    • Wifi passwords
    • GPG keys
    • Bank accounts
    • Look, it can store all sorts, & if the template you want isn’t available, you can create it yourself!
  • Lastpass can check to see if I’m re-using any passwords, etc.

If you’re not going to use LastPass, that’s fine – but please use A password manager.

Further on down the line, I’ll be able to take a deep look at the various password managers and recommend what I think is the best solution.

The only reason I’m not recommending KeePass at this point is the lack of fingerprint support. I will install it later though and see if the rest of the features entice me to change from LastPass. Obviously, with the “off-the-grid” series, I’m trying to see if it’s worth switching to a local-only solution, so I’m looking forward to doing this one.

A small list of password managers

Can you think of any?

What about you? Can you think of any other basic privacy & security measures? Let me know in the comments and I’ll update the post.

References

  1. Protecting Basecamp from breached passwords
    https://m.signalvnoise.com/protecting-basecamp-from-breached-passwords/

Credits

Grandadevans

I am a disabled veteran of 3 tours of Iraq and a tour of Afghanistan as part of the British Army. No longer able to work as I have to lie down on a sofa-bed in my living room 20-ish hours a day. I'm hoping to be able to make a living blogging about my Home Automation /Smart Home journey and maybe regain some dignity in life.
