Note: please be aware that this post may contain affiliate links.
Although this page is part of the “Off-the-grid” series, the lessons it contains can be applied to any web service, whether private, public or governmental.
So you take my privacy seriously?
I imagine that every single cloud-based service out there will have on its website somewhere that it respects its users’ privacy/security.
Well, there are a number of things you can do to research services and get some indicators as to how seriously they actually take your security/privacy.
Are there any previous data breaches?
There are several sites that you can use to see if a prospective service has had a data breach before:
What’s the password policy?
You can tell a lot from a company by the password policy they have. For instance, if a company only requires a minimum of 6 characters for their passwords, there’s a good chance they don’t take security seriously.
For example, Hulu only requires 6 characters for a password (at the time of writing). That doesn’t give me confidence that their back-end code & database security is all it could be.
Companies should require at least 8 characters, with a mixture of:
- uppercase letters
- lowercase letters
- special characters
It would be even better if a system would run the [potential] password through HaveIBeenPwned to see if the password has been compromised as part of a security breach.
Take this example from Basecamp.com – after a security breach, they changed their password policy[1]. They no longer allow previously breached passwords to protect accounts. As they also use a sensible minimum password length, this is a good example of something all companies should be looking at.
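To show how the two checks above fit together (minimum length plus character mix, and a lookup against breached passwords), here is an added example that is not from the original post or from Basecamp or HaveIBeenPwned. It implements the client side of the HaveIBeenPwned Pwned Passwords range query: only the first five hex characters of the SHA-1 hash leave the client, and the matching is done locally on the returned suffixes. The `fake_range_api` function and its `CONSTRUCTED_BREACHED` list are constructed stand-ins for the real HTTPS endpoint so that the example runs offline; the real service returns the same `SUFFIX:COUNT` line format.

```python
import hashlib
import string

# Constructed breach list standing in for the real Pwned Passwords corpus.
CONSTRUCTED_BREACHED = ["password", "123456", "qwerty123", "letmein"]


def sha1_upper(pw: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def fake_range_api(prefix5: str) -> list:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix5}.

    Returns 'SUFFIX:COUNT' lines for every breached hash that shares the
    five-character prefix. Counts are constructed values.
    """
    lines = []
    for i, pw in enumerate(CONSTRUCTED_BREACHED):
        h = sha1_upper(pw)
        if h[:5] == prefix5:
            lines.append(f"{h[5:]}:{(i + 1) * 1000}")
    return lines


def is_breached(pw: str, range_api=fake_range_api) -> bool:
    """k-anonymity lookup: send the 5-char prefix, compare suffixes locally."""
    h = sha1_upper(pw)
    prefix, suffix = h[:5], h[5:]
    for line in range_api(prefix):
        hit_suffix, _count = line.split(":", 1)
        if hit_suffix == suffix:
            return True
    return False


def check_policy(pw: str, min_length: int = 8, range_api=fake_range_api) -> list:
    """Return the list of policy failures; an empty list means the password is accepted.

    The rules mirror the post: at least 8 characters, upper and lower case,
    a special character, and not present in a known breach.
    """
    failures = []
    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c in string.punctuation for c in pw):
        failures.append("no special character")
    if is_breached(pw, range_api):
        failures.append("appears in a known breach")
    return failures


if __name__ == "__main__":
    for candidate in ["password", "Hulu6!", "Tr0ub4dor&3"]:
        print(candidate, "->", check_policy(candidate) or "accepted")
```

Swapping `fake_range_api` for a function that performs the real HTTPS request keeps the rest of the code unchanged, which is the point of the k-anonymity design: the server never learns the full hash, let alone the password.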
Is the service free?
This one may be a bit generic & unfair, but I think it’s a good indicator. With commercial bodies, it should be clear how the company can afford to offer the service to you for free. Otherwise, you need to be asking yourself how they are making money off of you.
A good example: ProtonMail
If you’re wondering why my focus is on ProtonMail, why not read my off-the-grid article on email providers?
A bad example: free VPNs
Instead of giving you a single bad example, I’m going to give you a link to a page about free VPNs. It’s a really good article including several examples of how free services sell (or have sold) data and tracking information.
2 Factor Authentication (2FA)
Whenever possible you should enable 2-factor authentication on your accounts. As it happens, I’ve already done a video on 2-/multi-factor authentication. Although it’s aimed at Home Assistant users, it doesn’t matter if you use Home Assistant or not, as the lessons are universal.
My 2FA YouTube video: https://www.youtube.com/watch?v=9-RQTtKhIbM
What does 2FA/MFA do?
When you (or somebody else) logs into your account, they will need the correct username/email & password as usual. Assuming these are the correct credentials, you will then need to enter the second item of information.
The information is often a 4-8 digit code, sent via SMS, or provided by an app such as:
- Authy (offers backup & multi-device options)
- Lastpass authenticator
- Google Authenticator
- Microsoft Authenticator
- andOTP (open source, but maintenance is sketchy)
Try to choose wisely though. If you set up many sites in one app and later want to move to a different app, it can mean that you have to:
- go into each site/app/whateverTheCodeIsFor
- disable 2FA
- set it up in a new authenticator app
- re-enable it on the site again.
When you set up an account in your authenticator app, print the screen off, or take manual note of, the manual setup code (not the QR code). This can then be used to set up the account in the new app, and you shouldn’t need to disable/enable 2FA again.
This workaround comes with a few caveats, however:
- make sure you store these codes in a secure place, & not on any medium that you are protecting with 2FA
- try to test the manual code on a second authenticator app and try authenticating with that before you delete the code from the original app
- try to get into the habit of printing these codes off anyway, at least until you have set several backup/recovery options in the app or site.
For me, password managers are a big one, and something I would recommend everybody use.
They allow you to use a different password for each site you register with. Personally, I use Lastpass (affiliate link), and it has the following benefits (for me):
- complex passwords for each site
- unique passwords for each site
- It also works on Android apps…
- …as well as on my iPad mini
- private notes can be stored, for example:
  - Wifi passwords
  - GPG keys
  - Bank accounts
  - Look, it can store all sorts, & if the template you want isn’t available, you can create it yourself!
- Lastpass can check to see if I’m re-using any passwords, etc.
If you’re not going to use LastPass, that’s fine – but please use A password manager.
Further on down the line, I’ll be able to take a deep look at the various password managers and recommend what I think is the best solution.
The only reason I’m not recommending Keepass at this point is the lack of fingerprint support. I will install it later though and see if the rest of the features entice me to change from LastPass. Obviously, with the “off-the-grid” series, I’m trying to see if it’s worth switching to a local-only solution. So I’m looking forward to doing this one.
A small list of password managers
Can you think of any?
What about you? Can you think of any other basic privacy & security measures? Let me know in the comments and I’ll update the post.
[1] Protecting Basecamp from breached passwords