Welcome to the world of cybersecurity!
This guide was written with complete cybersecurity and privacy novices in mind. It is designed to get anyone started on improving their personal cybersecurity, which is becoming increasingly important as more of our lives intertwine with the digital landscape.
These are basic personal cybersecurity steps anyone can take regardless of any kind of established or developed “threat model.” For the uninitiated, threat modeling is a continuous process in cybersecurity wherein you identify assets, analyze threats, manage risk, and identify fixes.
(Threat modelling extends to the topic of digital privacy as well, although it takes on a slightly different meaning in a privacy context.)
Much good and popular advice out there encourages users to threat model. However, my argument is that the first step into good personal cybersecurity (and, by extension, privacy) is not to threat model, but to do the bare minimum for security.
It makes little sense to threat model but continue to use weak and/or compromised passwords, use outdated software/firmware, or not to use strong(er) MFA methods when available. Threat modelling is important after the basics are in play. After the basics are completed, users should move into threat modeling and deploying/using tools that help them accomplish their goals.
Threat modelling in both the cybersecurity and privacy sense helps users to direct their resources to better accomplish their desired goals and wants.
Good password management overall greatly improves your security posture as a user.
Passwords are by far the most common means for securing your accounts – if a malicious actor has your password, then they could log into your accounts. This spells trouble for crucial accounts such as email accounts and bank accounts.
Ramifications of failing to implement basic password best practices for your online accounts include, but are not limited to:
- Compromised accounts or full account takeovers
- Compromised personal identifiable information (PII) (ex: tax returns)
- Compromise of sensitive information (ex: social security numbers)
- Theft/selling of personal information
- Doxxing (publicly posting private information without consent)
Stop reusing passwords.
Stop reusing passwords.
Stop reusing passwords.
Reusing passwords (even those considered “strong”) does you zero security favors; in fact, by reusing passwords, users place an increased trust in the security of the website, web app, or web service’s servers and place a higher risk for unauthorized account access on themselves.
While this may not seem like a big deal to most users, it creates compounding issues when/if credentials are exposed/leaked, which is very common given the prevalence of data breaches and data leaks in the modern landscape.
With data breaches continuously on the rise, credentials – such as passwords – are increasingly falling into the hands of malicious actors.
Reusing passwords makes these malicious actors’ lives easier; they frequently take leaked credentials and try them in credential stuffing campaigns, where the malicious actors attempt to break into user accounts across different websites and web services using the leaked credentials.
Reusing passwords leaves you open to these credential stuffing attacks, because credential stuffing campaigns rely on the assumption that users reuse passwords across different accounts and services. Unfortunately, they are often correct.
What exactly does this mean? In short, a breach where credentials are compromised at Company A can result in your accounts at Company B and C also getting breached if you reuse the same password. Attackers bet that users reuse compromised passwords (or weak variations of them) across different accounts, and a user who is still actively using a compromised password proves them right.
Keep in mind that most web apps and web services struggle to detect these types of attacks, as most of the time they are distributed and use sophisticated automation. Rarely, if ever, are these attacks carried out by hand, and attackers are constantly evolving their methods to successfully carry out credential stuffing campaigns.
Stop reusing passwords. Use unique passwords. Each of your accounts should have its own password not used by any other account.
Your passwords are the keys to your digital kingdom.
Therefore, it is important to have strong (and unique) passwords. Weak passwords leave your digital kingdom open to invaders and raiders and other unpleasant entities you might not want inside your kingdom.
Chances are, if you are reading this, you may employ weak passwords. Even passwords you think are strong may in fact be considered “weak.”
As a baseline, if any of your passwords are found on Nord’s annual Top 200 most common passwords, then they are weak and at far higher risk of being cracked/guessed by malicious actors. Even if you use a derivative of passwords found on this list, such as l33t 5p3ak, your passwords are also weak.
By extension, you’d also want to ensure your password isn’t on widely circulated wordlists, such as the infamous rockyou.txt, which includes more than 14 million unique passwords.
Admittedly, these are harder to check because many wordlists exist – it’s impossible to link/capture them all as malicious actors frequently use custom wordlists. In many cases though, these custom wordlists include passwords found on wordlists that are widely available – including common derivatives.
The bottom line is: the stronger your password, the better. Strong(er) passwords aren’t necessarily complex – but rather a combination of length and complexity. General guidance for strong passwords includes, but is not limited to:
- Minimum of 20 characters
- Randomization if dictionary words are used
- Combination of upper and lowercase letters, numbers, and non-common symbols (!@#$ are typically considered common symbols)
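As an added illustration of the guidance above (this is example code, not from the original post), the following Python script checks a password against a constructed excerpt of a common-password list, undoes common l33t-speak substitutions and trailing digit/symbol suffixes so that derivatives such as P@55w0rd123! are still flagged, and applies the length and character-class rules listed above. The 20-character threshold and the !@#$ common-symbol set come from the guidance; the word list is a small constructed sample, and a real check would load the full Nord top 200 or rockyou.txt instead.

```python
import math
import re
import string

# Constructed excerpt of a common-password list (a real check would load a full list
# such as the Nord top 200 or rockyou.txt). Default device credentials belong here too.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "admin", "letmein", "welcome",
    "iloveyou", "monkey", "dragon", "football", "abc123", "111111",
}

# Common "l33t" substitutions, undone so "P@55w0rd" is recognised as "password".
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Symbols the guide calls "common"; a password whose only symbols are these gains little.
COMMON_SYMBOLS = set("!@#$")


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it is probably derived from."""
    base = password.lower()
    # Strip a trailing run of digits/symbols first: "password123!" is still "password".
    base = re.sub(r"[\d\W_]+$", "", base)
    return base.translate(LEET_MAP)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, based on the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on guess resistance, assuming every character was chosen uniformly.
    Passwords built from words or patterns are far weaker than this figure suggests."""
    return len(password) * math.log2(charset_size(password)) if password else 0.0


def check_password(password: str) -> list:
    """Return a list of problems; an empty list means the password meets the guidance."""
    problems = []
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a common password (or a l33t/suffix variant of one)")
    if len(password) < 20:
        problems.append(f"only {len(password)} characters; guidance is 20 or more")
    missing = []
    if not any(c.islower() for c in password):
        missing.append("lowercase")
    if not any(c.isupper() for c in password):
        missing.append("uppercase")
    if not any(c.isdigit() for c in password):
        missing.append("digits")
    if not any(c in string.punctuation for c in password):
        missing.append("symbols")
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    symbols = {c for c in password if c in string.punctuation}
    if symbols and symbols <= COMMON_SYMBOLS:
        problems.append("only common symbols (!@#$) used")
    return problems


def is_weak(password: str) -> bool:
    return bool(check_password(password))


if __name__ == "__main__":
    for candidate in ["admin", "P@ssw0rd123!", "correcthorsebatterystaple",
                      "Tr0ub4dor&3-Quixotic-Lantern!"]:
        print(f"{candidate!r}: ~{entropy_bits(candidate):.0f} bits;",
              check_password(candidate) or "meets the guidance")
```

Note that the entropy figure is only an upper bound for truly random passwords; the list and derivative checks are what catch the human-chosen passwords the guide is warning about.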
Whether you consider yourself an advanced user or a beginner, it’s highly recommended to use a password manager to both create strong, unique passwords and securely store them. With proper and frequent use, password managers help users ensure their passwords are both strong and unique.
Ideally, users would use passphrases over passwords. Passphrases are longer and when sufficiently randomized, substantially hard(er) to crack or guess.
However, many services and apps may impose character limits/requirements, which could make generating a viable passphrase difficult. Password managers typically have password generators that take user defined parameters, making it easier to accommodate logins where such restrictions are in place.
Users should avoid creating passwords that are easily guessable and/or too short. Storing passwords in password managers is preferable to writing them down – even if the password manager is cloud-based, assuming security and infrastructure transparency are apparent.
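To show how a password manager's generator accommodates the character limits and requirements mentioned above, here is an added example (not from the original post, and not any particular password manager's code) that draws passphrases from a small constructed wordlist using Python's secrets module, computes the entropy a given wordlist size and word count provide, and falls back to a random character password when a site policy rules a passphrase out. The policy dictionary and its keys (min_length, max_length, allowed, require) are this example's own invention.

```python
import math
import secrets
import string

# Constructed 32-word list so the example runs offline. A real generator would use a
# large list such as the EFF long wordlist (7,776 words); the entropy maths below scales.
WORDLIST = [
    "apple", "brick", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zephyr", "anchor", "bishop", "cobalt", "dagger", "eagle", "fossil", "glacier",
]

# Character classes a site policy can allow or require (hypothetical policy format).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Each word is one uniform choice out of wordlist_size, so the bits add up per word."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count: int = 6, separator: str = "-", wordlist=WORDLIST) -> str:
    # secrets (not random) draws from the OS CSPRNG, which is what a password manager uses.
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def meets_policy(candidate: str, policy: dict) -> bool:
    """Check length bounds, allowed classes and required classes of a hypothetical site policy."""
    if not policy.get("min_length", 0) <= len(candidate) <= policy.get("max_length", 10**6):
        return False
    allowed = "".join(CLASSES[name] for name in policy.get("allowed", CLASSES))
    if any(c not in allowed for c in candidate):
        return False
    return all(any(c in CLASSES[name] for c in candidate) for name in policy.get("require", []))


def generate_for_policy(policy: dict, attempts: int = 1000) -> str:
    """Random password from the allowed classes, rejection-sampled until it satisfies the policy.
    Aims for 20 characters (the guide's minimum) unless the policy forces a different length."""
    alphabet = "".join(CLASSES[name] for name in policy.get("allowed", CLASSES))
    target = max(policy.get("min_length", 0), min(20, policy.get("max_length", 20)))
    for _ in range(attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(target))
        if meets_policy(candidate, policy):
            return candidate
    raise ValueError("policy cannot be satisfied with the allowed classes and length")


def choose_credential(policy: dict) -> tuple:
    """Prefer a passphrase; fall back to a random password when the site's rules exclude one."""
    phrase = generate_passphrase()
    if meets_policy(phrase, policy):
        return ("passphrase", phrase)
    return ("random password", generate_for_policy(policy))


if __name__ == "__main__":
    print(f"6 words from a 7,776-word list: {passphrase_entropy_bits(6, 7776):.1f} bits")
    # Constructed policies: one permissive site, one with a 16-character cap and a digit rule.
    for policy in [{"min_length": 12, "require": ["lower"]},
                   {"max_length": 16, "require": ["upper", "digit", "symbol"]}]:
        kind, value = choose_credential(policy)
        print(f"{policy} -> {kind}: {value}")
```

The fallback is the point of the exercise: a 16-character cap cannot hold a six-word passphrase, so the generator produces a random password that still satisfies the site's rules rather than letting the user shorten a passphrase by hand.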
Default passwords are passwords that come as the “default” for administrator (privileged) access into a device or account. Default passwords should always be changed as soon as possible. When changing default passwords, users will want to make sure the new password is indeed strong.
For example, depending on the device manufacturer, a device’s default username may be admin and the default password may be admin. If this is an internet-facing device, then this could spell disaster, as it could be easily and swiftly compromised. The password admin is a very common inclusion on a password wordlist – a list of passwords malicious actors use in commonly automated brute-force attempts.
Generally, when it comes to default passwords, the main concern is the default credentials shipped with consumer-grade (home) routers. For most hardware, default credentials can be easily discovered; many router manufacturers post the default credentials for their router models and sub-models online.
Retaining these default credentials (or weak variations of) astronomically increases the likelihood
It’s easy for regular users to assume their devices with default passwords won’t be compromised/attacked because they are “not a target.” In many cases, they are right about not being a target – most brute-force attacks are indeed automated, often targeting ranges of devices and IP addresses using compromised, common, or default credentials (like admin for username and password).
Many device, software, and firmware updates include security fixes for previously disclosed or discovered vulnerabilities. Therefore, it becomes highly important to keep devices and installed software updated with at least security patches.
As a general trend, the gap between public vulnerability disclosure and exploitation (“hacking”) in the wild is closing: publicly disclosed vulnerabilities have been getting exploited more quickly by malicious actors year-over-year. Therefore, it is important to install security updates as soon as possible.
Failing to update your devices and/or software in a timely fashion leaves your devices vulnerable. These vulnerabilities could be exploited by malicious actors to take over your device or execute remote code – such as instructing it to download malware, which could further compromise your security.
Software updates frequently come with quality of life improvements for users, such as bug fixes and access to new features. In some cases, bugs can morph into vulnerabilities themselves or lead to more security concerns, especially if exploited.
Along this same vein, users should avoid using software that is end-of-life (EOL). EOL software generally does not receive security updates and often has unpatched vulnerabilities. Using EOL software is risky for most users, as the likelihood of sufficient mitigation measures being in place is simply far lower.
Enable and use multifactor authentication
Multifactor authentication (MFA) is a multi-step approach to authenticating a user; in addition to providing a username and password, the user may be prompted to also provide something they are, have, or know. Sometimes MFA is also called two-factor authentication (2FA).
MFA can prevent malicious account takeovers where credentials are compromised.
In authentication without MFA, a user gains access to their account – or specifically, the data stored on that account – by providing their credentials. The password was something set by the user, so in theory, they should be the only one who knows it and could provide it.
However, passwords can be compromised numerous ways, even without the direct fault of the user. MFA methods are harder to impersonate/steal than credentials; the malicious user would need to know your credentials and have access to your MFA method.
Therefore, if a malicious user gains your login credentials (email/password), with MFA enabled they would not be able to log in as you because they would not be able to prove they are, in fact, you.
For example, let’s say you’ve enabled time-based one-time passwords (TOTP) on your Mastodon account. If a malicious user gained your Mastodon account credentials by successfully guessing your password, then after entering your credentials they would be challenged to enter the code generated by your authenticator app. They wouldn’t know the code, so they would fail this step and be denied access to the account.
Generally, in this specific example, they would not have access to the second-step of authentication. In most cases, to gain access, this would involve gaining access to your phone where the authenticator app is installed – or somehow obtaining the shared secret known by your authenticator app and the Mastodon server. This is costly in terms of effort and time, and unless you are a truly high-value target, the malicious actor will not find this a worthwhile venture.
Continuing with the specific example, the unauthorized access attempt on your Mastodon is effectively stopped. Though, to completely close the loop, in this case you should change your password and ensure to not use the compromised password again.
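The TOTP exchange described in the Mastodon example, as an added illustration that is not part of the original post and not Mastodon's own code: the server stores a salted password hash and the shared TOTP secret, the authenticator app derives a code from that secret and the current time (RFC 4226 HOTP with the RFC 6238 time counter), and login succeeds only when both the password and the current code check out. The account record, the username "alice", the password and the use of the RFC 6238 test secret as the enrolled secret are constructed example data.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch.
    This is what the authenticator app computes from the shared secret."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. A one-step window tolerates clock drift between phone and
    server; compare_digest keeps the comparison constant-time."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta, digits), code)
        for delta in range(-window, window + 1)
    )


class Account:
    """Constructed account record: only a salted password hash and the TOTP secret are kept."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.password_hash)


# Constructed example data; the RFC 6238 test secret stands in for a real enrolled secret.
ACCOUNTS = {"alice": Account("correct horse battery staple", b"12345678901234567890")}


def login(username: str, password: str, code: str, unix_time: int) -> str:
    """Two-step check: password first, then the one-time code. Returns a status string."""
    account = ACCOUNTS.get(username)
    # One message for unknown user and wrong password, so nothing leaks about enrolment.
    if account is None or not account.check_password(password):
        return "denied: wrong username or password"
    if not verify_totp(account.totp_secret, code, unix_time):
        return "denied: wrong or expired one-time code"
    return "ok"


if __name__ == "__main__":
    now = int(time.time())
    current_code = totp(ACCOUNTS["alice"].totp_secret, now)
    # A correctly guessed password alone is refused at the second step ...
    print(login("alice", "correct horse battery staple", "000000", now))
    # ... while the authenticator's current code completes the login.
    print(login("alice", "correct horse battery staple", current_code, now))
```

Because the code is derived from the shared secret rather than transmitted to the user, a password leak on its own gives nothing usable at the second step; the secret only ever lives in the authenticator app and on the server, which is why the guide recommends changing the password afterwards but does not require re-enrolling TOTP.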
Ultimately, which MFA options are available depends on the platform/service. Some methods of MFA are more secure than others. FIDO2 (hardware keys such as the YubiKey) and TOTP are frequently regarded as the strongest forms of MFA available, with FIDO2 the most secure authentication protocol available.
Unfortunately, most US financial institutions and government organizations primarily rely on text-message (SMS) or email MFA methods, despite these being weaker when compared with stronger MFA methods like FIDO2 and TOTP.
SMS is an insecure protocol because it does not use encryption. SMS-based authentication is also vulnerable to SIM-swapping attacks. Email is arguably more secure than SMS-based MFA, but its security depends on how secure the user’s email account is; email accounts are vulnerable to malicious takeovers.
At minimum, users should enable the strongest possible MFA methods – TOTP or use hardware keys (FIDO2) for critical/important accounts where possible. Critical or important accounts are not necessarily just financial accounts, but can also include (not limited to):
- Email accounts
- Accounts used to sign into other services or devices (AppleID/iCloud, Google Accounts, Microsoft Accounts, etc)
- Government related accounts
- Work-related accounts
Remember: In most cases, you are far better off enabling MFA than not!
Prior to Windows 8/8.1, antivirus software was considered “essential” for most users, primarily due to major shortfalls in the Windows Defender and Windows Firewall of the time. In current versions of Windows, Windows Defender and the native Windows firewall have come a long way, and are arguably respectable antivirus/antimalware solutions for many users.
For Linux and macOS users, antivirus has never really been a strict necessity.
Despite popular opinion, for many users out there, a standalone antivirus solution is not necessary. Typically, antivirus is recommended for enterprise setups or large families – especially those with family members who are particularly susceptible to common malware transmission vectors, such as downloading infected applications or clicking on phishing links.
Antivirus and privacy
There are some privacy trade-offs if you choose to use antivirus on compatible devices. Even if the antivirus “never” abuses/uses your data, antivirus programs require a high level of access to a system and thus can serve as the “ultimate backdoor” for anybody interested in conducting malicious activity on your devices.
Therefore, using an antivirus has privacy implications. Many antivirus programs, most commonly (but not only) the “free” versions, collect vast amounts of user data – including personal identifiable information (PII). Essentially, what the operating system has access to, it is highly likely the antivirus program will also have access to.
Data collected (such as search history or website clicks) can be sold to third parties, such as advertisers and data brokers. Sometimes this data, including PII or other sensitive data, is “phoned home” to remote servers. Some antivirus software can also upload suspicious files (whether a legitimate hit, or not) to a database for further analysis – which may contain PII.
Antivirus and “security”
In some cases, antivirus programs can introduce other security pain points, like being used for privilege escalation (typically gaining administrator rights) on a system.
There have been instances where antivirus solutions engage in decrypting HTTPS traffic, essentially conducting man-in-the-middle (MITM) attacks to “protect” users from visiting malicious domains. However, this behavior can cause other issues for users – such as increasing the chances of falling for phishing attacks and leaving users open to “real” MITM situations.
Antivirus on smartphones is not as effective as it might sound; many exploits targeting smartphones are zero-days or otherwise not something an antivirus can stop on its own.
Whether on a desktop or a smartphone, simple but effective tips can help users avoid downloading and executing malware, such as:
- Avoid downloading non-official apps where possible or verify the download comes from the official source
- Keep devices and installed software updated
- Avoid clicking on unsolicited or suspicious links
For most cases, these tips will help prevent the download and execution of malware on your devices.
Congratulations on greatly improving your cybersecurity posture – especially if you weren’t doing one/two/all of these tips listed in this post prior to now.
As noted, the foundations outlined in this guide should be followed prior to beginning on one’s privacy journey at a minimum. However, users can pivot in a few different ways for improving their cybersecurity posture, such as (not at all limited to):
Improving Password Management
Password managers are a great solution for improving password management as was touched on in this guide. Users can read far more in-depth about password managers in the ultimate password manager guide by Avoid the Hack.
For users interested in improving their password management practices, then you should absolutely look into incorporating a password manager into your life. While it takes some adjusting at the beginning, Avoid the Hack walks through how to get started using a password manager to make the transition easier.
Understanding the importance of MFA
Everything you need to know about MFA and why you should enable strong(er) forms of MFA as an end user.
Using trusted adblockers
While the benefits of adblocking are typically viewed from a privacy stance, they have major wins for your security as well. Programmatic ads are a security concern as much as they are a privacy concern; they can carry malware or inject unwanted content/code into visited websites.
To further improve personal cybersecurity posture, users should look into different methods for deploying adblocking solutions.
Practicing these basic personal cybersecurity tips is essential for both improving your security and privacy posture, regardless of threat modeling. Threat modeling steps should happen after nailing down these basic steps for improving personal cybersecurity.
These steps are also important to master – or at bare minimum, be familiar with – prior to beginning on a privacy journey. Without taking these basic but effective steps, your privacy could be undermined. For example, it makes little sense to use an encrypted cloud storage provider if you use a weak password/reuse passwords from other services.
Likewise, it makes little sense to use a privacy-friendly operating system if you do not keep it and any other software installed on it (or firmware) up to date with the latest security patches and fixes; successful exploits against outdated software/firmware easily undermine the privacy benefits of using privacy-friendly Linux distributions.
Making sure to develop solid password management skills (use a password manager), keep software/firmware updated, and enable strong(er) forms of MFA gives you a strong foundation to build upon when looking at other nuanced personal cybersecurity (and privacy) tools, techniques, and practices.
With that said, stay safe out there!