Personal Digital Security

A world of vulnerabilities

With news headlines frequently reporting the latest 0-day, data breach, or critical security vulnerability, it’s easy to feel overwhelmed and discouraged. While it is impossible to eliminate 100% of risk, there are a few (relatively) simple things you can do to reduce your risk in a meaningful way and help limit the blast radius if your password is compromised.

Starting with your personal threat model

Before you can decide what steps you should take to help secure your digital life, it can be helpful to think through what you consider to be your personal digital threat model. For context, here are just a few of the many ways you can be compromised in our modern digital world:

I want to emphasize that there are many other ways you can be compromised and this is not at all an exhaustive list. It is, however, the basis of what I’ll be attempting to address in this article for practicality.

Covering a few basics

✅ Use strong passwords (or passphrases!) and avoid reuse across systems.

Using a password manager makes this a lot easier. Personally, I use 1Password for most things these days, but there are other products on the market as well. Keep in mind that each solution has its own security tradeoffs and consider what best suits your risk tolerance and threat model.

✅ Enable Multi-Factor Authentication (MFA).

The first factor of authentication is usually a password (i.e., “something you know”). By adding a second factor of “something you have”, you can help reduce the risk of your account being breached in the event your password is compromised. Historically, this was often implemented by adding your phone number to your account and then sending you a one-time verification code via SMS that you enter in addition to your password when you log in. However, due to security concerns it is generally preferred to use an authenticator app or hardware key instead when supported. Personally, I use Google Authenticator for an app and prefer to use a YubiKey whenever a service supports it.

✅ Keep your software up-to-date.

After a 0-day is released, it will hopefully be patched quickly by the relevant vendors, but that doesn’t matter if you never install the security patch. Consider enabling automatic updates for anything that supports it. If you use Windows, consider checking the option to update other Microsoft software when Windows updates are installed.

👀 Review third-party apps & recent account access.

Your username and password may be the front door to your account, but don’t forget about the back and side entrances. Over the years, you’ve probably installed or authorized numerous third-party applications to access your accounts. Some of these types of applications are legit and useful, but others aren’t. Take a few minutes to review what services have access to your accounts. For most services, you can find this somewhere on the Account/Settings/Security pages.

While you’re reviewing applications authorized for each service, consider reviewing recent account access for suspicious activity if supported. Even if you don’t have reason to believe you’ve been compromised, it’s a good idea to review your account access to ensure things look legit. If supported, consider logging out of any devices you no longer use.

👀 Review browser extensions.

Browser extensions frequently have a high level of access to every site you visit so consider disabling or removing any you don’t need and ensure the ones you keep are legit.

Instead of clicking links in emails or articles that prompt you to log into your account, consider navigating to the site directly. (Another advantage of using a password manager is that some will autofill your credentials based on the site’s URL, helping to avoid entering credentials into fake/spoofed login forms.)

Additional Resources