From cd26f200222a718794afc2778d5bf6b4a3b8797d Mon Sep 17 00:00:00 2001 From: Alexandra Ulsh Date: Fri, 21 Oct 2016 22:14:28 -0400 Subject: [PATCH] Initial draft of personal security checklist --- checklist.md | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 checklist.md diff --git a/checklist.md b/checklist.md new file mode 100644 index 0000000..61a720c --- /dev/null +++ b/checklist.md 
@@ -0,0 +1,64 @@ +# Personal Security Checklist + +Take the following steps to secure your devices and accounts. + +## Laptop or computer security +- [ ] Use a strong complex password to login to your computer +- [ ] Configure your computer to require a password after 5 minutes of inactivity +- [ ] Configure your computer to require a password on wake +- [ ] Learn the keyboard shortcut to lock your computer +- [ ] Make a habit of locking your computer when you step away from it +- [ ] Encrypt your hard drive via [FileVault](https://support.apple.com/en-us/HT204837) (Mac), [BitLocker](http://www.windowscentral.com/how-use-bitlocker-encryption-windows-10) (Windows), or [LUKS](http://www.pavelkogan.com/2014/05/23/luks-full-disk-encryption/) +- [ ] Enable your operating system's firewall +- [ ] Mac: Enable [stealth mode](http://osxdaily.com/2015/11/18/enable-stealth-mode-mac-os-x-firewall/) +- [ ] Enable a device tracking and recovery program like [Find My Mac](https://support.apple.com/explore/find-my-iphone-ipad-mac-watch) or [Prey](https://preyproject.com/) +- [ ] Securely store and encrypt your physical backups +- [ ] Update your operating system to the latest version +- [ ] Update your applications to the latest versions +- [ ] Mac: Don't forget to frequently `brew update && brew upgrade` for Homebrew + +## Smartphone security +- [ ] Use a long passcode on your phone - 12+ characters, preferably alphanumeric +- [ ] Require a passcode immediately after sleep +- [ ] Enable Find My iPhone or Android Device Manager to use remote wipe if your phone is stolen or lost +- [ ] iPhone: Enable erase data after 10 bad passcode attempts (take good backups!) 
+- [ ] iPhone: If you're really, really paranoid don't enable Touch ID +- [ ] Android: Don't use [common and predictable lock patterns](http://www.androidauthority.com/lock-pattern-predictable-636267/) +- [ ] Android: Encrypt your hard disk +- [ ] Frequently update your operating system and apps, especially security patches +- [ ] Frequently backup your phone and [encrypt your backups](https://support.apple.com/en-us/HT205220) + +## Network security +- [ ] Find a reputable VPN service with a laptop & mobile phone client to use for hostile networks (e.g. unencrypted wifi) or as an everyday privacy guard +- [ ] Install the [HTTPS Everywhere](https://www.eff.org/Https-everywhere) extension in your browser to prevent inadvertent HTTP connections +- [ ] Install an ad blocker like [uBlock Origin](https://github.com/gorhill/uBlock) - internet ads are a common malware vector +- [ ] Enable [plugin click-to-play](http://arstechnica.com/information-technology/2016/04/edge-to-follow-chromes-lead-make-flash-ads-click-to-play/) to protect against Adobe Flash vulnerabilities + +## Account security +A strong complex password is at least 16 characters (the longer the better) and has several special characters (`!@#$%^&*()`). Two factor authentication (2FA) protects your account even more than a strong password. 
+ +- [ ] Use a password manager like [1Password](https://1password.com/) or [Encryptr](https://spideroak.com/solutions/encryptr) +- [ ] Use a [diceware passphrase](http://world.std.com/~reinhold/diceware.html) as the encryption passphrase for your password manager +- [ ] Add all of your account usernames and passwords to it +- [ ] Rotate all of your old or insecure passwords with strong passwords generated automatically via 1Password +- [ ] Make sure every password for every account is unique +- [ ] Replace any accurate questions to security question with false answers (store false answers in 1Password) +- [ ] Download a 2FA app on your smartphone like [Google Authenticator](https://en.wikipedia.org/wiki/Google_Authenticator) +- [ ] Enable 2FA or two step verification on every account where available (see 2FA audit section) - add the software token to both your smartphone and [1Password](https://support.1password.com/one-time-passwords/) +- [ ] **Immediately store your 2FA backup and recovery codes in 1Password.** + +## 2FA Audit +Make sure 2FA or two step verification is enabled on all of the following accounts: + +- [ ] Google +- [ ] Amazon +- [ ] Facebook - enable [Login Approval](https://www.facebook.com/notes/facebook-engineering/introducing-login-approvals/10150172618258920/) +- [ ] GitHub +- [ ] Dropbox +- [ ] Apple ID +- [ ] Slack - all of your Slack teams! +- [ ] Twitter - two step verification with SMS +- [ ] Yahoo! - two step verification with SMS +- [ ] LinkedIn - two step verification with SMS + +This is an incomplete list! For more information about two factor authentication, see [twofactorauth.org](https://twofactorauth.org/), [Turn It On](https://www.turnon2fa.com/), and [#LockDownURLogin](https://www.lockdownyourlogin.com/).
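Review bot: The 2FA Audit entries for Twitter, Yahoo! and LinkedIn are written as "two step verification with SMS", which conflicts with the Account security section that tells the reader to use an authenticator app and store software tokens; suggest stating that SMS is the fallback for services that offer nothing else, and pointing the reader to the app-based option wherever the service supports it. Two smaller consistency points in the same hunk: the list offers "1Password or Encryptr" as alternatives, but later items say "generated automatically via 1Password" and "store false answers in 1Password", so "your password manager" would read better; and "Android: Encrypt your hard disk" should say device storage, matching the iPhone entries. Also "Replace any accurate questions to security question with false answers" should read "Replace accurate answers to security questions with false answers", and "password to login to your computer" should be "to log in to".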