Best Practices for Improved Security and Privacy

From Jeremy Bryan Smith

Use Multi-Factor Authentication

Whenever possible, use multi-factor authentication. Most banks and high-profile web service providers (e.g. Google) offer multi-factor authentication mechanisms. Hardware-based multi-factor authentication is the strongest option (see YubiKey). For services that do not support multi-factor authentication natively, you can still use a hardware device that emits a static key as part of your password.

  • DO NOT use text messages (SMS) for receiving authentication codes. Texting is not, never was, and likely never will be a secure communication channel.

Changing Default Passwords

Never leave any default passwords unchanged. This includes, but is not limited to:

  • Routers
  • Modems
  • PINs for phone systems (voicemail, conferencing, etc.)
  • E-mail accounts
  • Any other web-based accounts

Never Use Your Social Security Number

Never use your real social security number as a password or security answer. It is illegal for any company to require you to give your social security number (with a few exceptions, such as credit and background checks). Any company requesting that information can ask for a PIN instead, but you'll have to contact them to set that up.

Never use ANI / Caller ID for Authentication

As of January 2020, I encountered a very prominent bank that would authenticate you based on the telephone number their system thinks you called from. This is NOT reliable and NOT secure. You'll have to test this out and hopefully you'll have a better experience explaining to the offending company why this is a problem and getting them to remove it.

Never Use Your Fingerprint(s) for Authentication

Under current US law, you can be forced to give up your fingerprints (and any other physical means of authentication, such as keys) to be used as evidence against you. If you use your fingerprints for authentication, anyone who can compel your fingerprint can also unlock whatever it protects.
Under current US law, you cannot be compelled to give up passwords, passphrases, or any other knowledge-based portion of authentication that exists only in your head.

Using Browser Profiles

To segregate your personal data from the wild west of the World Wide Web, use separate browser profiles, so that the cookies, history, and logins of general browsing stay isolated from your sensitive sessions.

Using Browser Extensions

There are many web browser extensions that can enhance your security and privacy when browsing the web. See my list of recommended Firefox Extensions for Security.

Browser Settings

Firefox

  • Show the full URL (including the http:// or https:// scheme)
    Set the following in about:config:
    browser.urlbar.trimURLs = false

Identifying Online Fraud/Scam Websites

Price too good to be true? It probably is. Web-based tools:

Browser plug-ins:

  • Trustpilot
  • Scamdoc
  • Web of Trust