“I have nothing to hide” is not a valid excuse for being reckless.
If you are neither a millionaire, nor a public figure, nor an international criminal, it is indeed possible that no hacker targets you personally, but that does not protect you.
Hackers target the masses: data breaches, ransomware and phishing campaigns hit millions of people at a time. The likelihood that you will be a victim one day is thus very high [1].
No one is safe from being targeted by a rejected lover, a jealous competitor or a curious friend; it happens every day, to tens of thousands of people.
My goal is to give you a few simple rules so that you can avoid, for example, the following:
These recommendations are in no way a means of escaping the NSA or any other governmental or para-governmental organization [2].
I am neither a hacker nor a computer engineer, but like you, I spend my life on the Internet. The recommendations I am making are not very complex to apply; they are mostly a matter of common sense and good practices. I have tried to be as little paranoid or conspiratorial as possible.
This guide is necessarily imperfect. Some will find it too light, and many will find it too complex. In my opinion, this is the bare minimum.
[1]: It is also very likely that one of your accounts has already been hacked. By entering your email on this site, you may well discover that your data has already been compromised.
[2]: If you seriously want to escape NSA-type organizations, you should at least: banish the use of all social networks, use no cloud storage services, connect to the Internet via the Tor network, create proxy chains, take an interest in cryptography, etc.
Any Internet Service Provider (ISP) can spy on you and record your activity.
You can, a priori, more or less trust your connection at home, at the office, or through your mobile operator, but public Wi-Fi connections are really very risky. And even if the cybercafé, the airport, or the hotel does not spy on you directly, it is often possible for a hacker to monitor your activity on these open networks, and therefore retrieve your confidential information.
If you must use public connections (cybercafés, airports, hotels, etc.), you must use a VPN on your computer, but also on all your mobile devices.
A VPN is a system that encrypts and hides your activity on the Internet. Thus, neither a hacker nor the provider of your Internet connection can know what you are doing.
Ideally, you would use a VPN all the time, even at home.
Be careful, however: the VPN provider itself could record your personal information. It is therefore essential to use a trusted, paid VPN [3].
Here is a selection of a few VPNs:
[3]: Because “if it is free, you're the product.”
Generate complex passwords of 9 characters minimum
One of the common techniques for finding a password is to test all the possible combinations [4].
Below 9 characters, it takes only a few hours to test all the possible combinations of a password [5].
From 9 characters, it theoretically takes several months to break your password.
Be careful, however: this is only valid if your password contains lowercase and uppercase letters, numbers, and symbols, because just a few minutes are enough to break a 9-character password consisting only of letters.
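As an added example (not part of the original guide), the script below puts numbers on the claim above: it computes the search space a brute-force attacker must cover from the character classes a password uses, converts it into time at an assumed guess rate, and generates a password that is guaranteed to use all four classes. The 10 billion guesses per second figure is an assumption for an offline attack on a leaked hash, not a value from the guide.

```python
import math
import secrets
import string

# Character classes a brute-force attacker must cover. Which classes a
# password uses decides the size of the search space.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26 characters
    "upper": string.ascii_uppercase,   # 26 characters
    "digit": string.digits,            # 10 characters
    "symbol": string.punctuation,      # 32 characters
}

# Assumed attacker speed (constructed assumption, not a figure from the guide):
# 10 billion guesses per second, typical of offline cracking on GPU hardware.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Alphabet size an attacker must enumerate to cover this password's classes."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string of this length over this alphabet."""
    return charset_size(password) ** len(password) / rate


def entropy_bits(password: str) -> float:
    """Bits of entropy if every character is drawn uniformly from the alphabet."""
    return len(password) * math.log2(charset_size(password))


def generate_password(length: int = 12) -> str:
    """Random password from the OS CSPRNG, rejected until all four classes appear."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every class")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if charset_size(candidate) == len(alphabet):
            return candidate


if __name__ == "__main__":
    for pw in ("abcdefghi", "2=4Dq7h!N9", generate_password(15)):
        days = seconds_to_exhaust(pw) / 86400
        print(f"{pw!r:>18}  alphabet={charset_size(pw):3}  "
              f"{entropy_bits(pw):5.1f} bits  exhausted in {days:,.1f} days")
```

Nine lowercase letters give 26^9 guesses, about nine minutes at the assumed rate, whereas the nine-character mixed example from the guide gives 94^9 and lands in the range of years.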
Here are some online password generators:
Use unique passwords for each service
Another common way for hackers to obtain passwords is to buy passwords stolen from other sites.
Domino's Pizza, PlayStation, Uber, eBay, UPS, Yahoo, Evernote, Nintendo and LinkedIn, for example [6], have all suffered massive data theft. If you had the same password on LinkedIn and on Gmail, for example, someone could get into your inbox.
You have to understand that this is done on a large scale. Hackers buy huge packs of stolen passwords and test them systematically on all the sites that interest them: Amazon, Google, Skype, PayPal, etc.
So this is not just a recommendation: it is absolutely necessary that you have a unique password on each site. Otherwise, all your personal data could end up compromised.
[4]: Brute-force attack or dictionary attack.
[5]: You can test the theoretical time it would take to crack your passwords on this site.
Email, social networks, loyalty programs, finance, mobile applications, etc. We all have at least several dozen passwords, and it is not humanly possible to remember them all (especially when your passwords look like this: 2=4Dq7h!N9).
The solution most of us use by default is to let our web browser remember our passwords. It's a pretty bad habit.
Even if most browsers encrypt your stored passwords, they are displayed in clear text once the computer and browser are open.
Anyone who gets into your machine could log in to all your online services.
Moreover, browsers only store passwords used on web pages. Over time, you end up with passwords everywhere: in your browsers at home, at the office and on your phone, in your operating system for Wi-Fi access, in a “notes” file for smartphone applications, in a paper notebook for some professional accounts, etc.
This chaotic system is too complex to be reliable and sustainable. What will you do in 5 years? And when you change computers? You leave sensitive information lying around in far too many places, and to make your life easier, you most likely use the same passwords on many services.
Use a password manager to secure all your passwords, addresses, phone numbers, IBANs, loyalty cards, etc. in one place.
Password managers encrypt all of this sensitive data. You then simply enter your master password to unlock everything.
This is of course the weak point of this system. If someone gets into your machine (physically or remotely) and your master password is compromised, your entire digital life can be stolen.
This is not a perfect solution, but it is pragmatic, simple and relatively secure.
Choose a very complex password (about fifteen characters) to protect access to your password manager; don't write it down, memorize it.
Then delete all the passwords saved in Chrome, Firefox, Safari or Edge, disable automatic password saving, and use only your password manager.
Password managers typically allow you to automatically generate a complex password for each account, so that is one less problem to worry about.
Here is a selection of some password managers:
Many types of attack can be used to find your passwords. If you are personally targeted, social engineering, for example, is one of the most formidable methods.
Social engineering means exploiting your ignorance or credulity to steal your personal information. This can be achieved, for example (among hundreds of other possible techniques), by a fake email purporting to come from your IT manager asking you to change your password [7]. It is reportedly through this kind of technique that Hillary Clinton's emails were stolen.
One of the only ways to protect yourself against password theft is two-factor authentication.
You must enable this feature on all your sensitive accounts.
Specifically, once you have two-factor authentication enabled, each time you log in from a new device you receive a security code (by SMS, or displayed on your mobile) to validate your access.
Here is how to configure 2-step verification on the main online services:
Do not forget your bank of course!
This is an additional constraint, but it is also absolutely necessary for such sensitive accounts.
I personally use Google Authenticator whenever possible. I think it's more convenient, reliable and fast than SMS.
When you enable two-factor authentication, you usually have to generate backup codes in case you lose your mobile. If you have opted for a password manager, that is the right place to store these codes.
This is one of the most common pieces of advice, so I will not dwell on it. But it is also very important.
Digital Security is a gigantic game of cat and mouse on a global scale between hackers, government agencies and online services.
Digital services therefore continually update their tools as security vulnerabilities are discovered.
We do not always like letting Microsoft, Apple, Google or antivirus vendors make changes directly on our devices, but it is one of the most effective ways to protect yourself.
Install an antivirus (even on macOS and Android) and enable automatic updates on all your devices.
Here are some guides to enabling automatic updates:
I will not dwell on this either, as it is obvious: it is imperative to back up your data regularly.
Look into Time Machine on macOS and File History on Windows.
The question of storing your data in the cloud is very sensitive. It is up to each individual to weigh the pros and cons.
Your data on Google Drive, Dropbox and iCloud is as secure as your accounts on these services. If your password is unique and complex, and you have enabled two-factor authentication, your data is relatively well protected against a lone hacker.
On the other hand, it is a direct gateway for U.S. federal agencies [8].
Anything very sensitive should not be there: your passwords, your identity documents, your photos, etc.
Your Facebook and Google accounts are often required to access secondary services such as Netflix, Airbnb, Instagram or Uber.
While this is indeed very practical and fast, after a few years we end up having granted access to our personal data to dozens of services of varying ethics and security.
Is it really important to give our full identity and our entire friends list to Tinder, TripAdvisor, Spotify or Pinterest?
You should only give access to your main Facebook and Google accounts when it is absolutely necessary. For all services where anonymity is possible, use secondary accounts.
In addition to securing your personal data, having two Facebook and Google accounts also lets you express yourself more freely and anonymously, and avoids spam and floods of notifications on your main accounts.
Ideally, every few years, replace your secondary accounts.
If you do not want to use secondary accounts:
[9]: Your friends are an excellent gateway for phishing, ransomware and social engineering.
Whenever possible, buy on Amazon rather than directly on a website, or pay via PayPal, Apple Pay or Google Wallet.
Not only are these services recognized as being among the most secure, but they also offer very advantageous consumer protection policies. If a product or service is not delivered or is not as described, it will be very easy to get refunded, often without even having to justify yourself.
Of course, by going through these services, we further reinforce their dominant position. But between two evils, you have to choose the lesser one. For me it is clear: the security of transactions outweighs economic protectionism and philosophical posturing (leave those subjects to our leaders).
Also avoid saving your bank cards on secondary services such as Netflix, Booking, Agoda, Airbnb, etc. At a minimum, it will be easier to stop an automatic debit via PayPal or Apple Pay, for example, but your transactions will also probably be more secure.
Many services and apps now offer to encrypt your data and messages natively. You still need to enable it.
Enable encryption wherever possible
For your computer, enable FileVault on macOS or BitLocker Drive Encryption on Windows.
For your mobile, simply use your Apple ID for your iOS devices to be encrypted. On Android it depends on the manufacturer, but it is usually possible.
It is also possible in many messaging applications such as Gmail, Messenger, Skype, WhatsApp, Line, WeChat, etc., but you need to find out on a case-by-case basis, depending on your personal use.
If you need stronger protection for private data such as medical records, photos, Bitcoins, a double life, etc., you should consider building a digital safe.
There is encryption software that is fairly easy to use and a priori recognized as reliable. For example:
Educate yourself.
I assume that you do not expose your private life in public. This is not the purpose of this guide, but I recommend that you do not publish your location or personal details, and that you hide your friends list.
Regularly search for your name, email, mobile number and address on Google to check what is publicly indexed.
From a different Facebook account, search for your posts, photos and videos, and verify that what is public should be.