Tools and resources designed to improve your online privacy, safety, and security.
Use a password manager
A password manager helps you create a unique password for each online service you use. Having a unique password ensures that if one service you use is hacked, the compromised password won’t allow access to all of your other accounts.
At the very minimum, you should have a unique password for high-value accounts like Google, Apple, email, and banking accounts.
Create a strong device passcode
A four-digit passcode for your phone or other devices is no longer considered secure. You should use a 6+ digit passcode at the very minimum, and for extra security use a 6+ character passcode containing both numbers and letters. TouchID and FaceID should be turned off when traveling internationally.
You should enforce a strict lock policy on your devices. Always require a passcode and ensure that a device is not left unattended for more than a minute or two.
Use two-factor authentication
Two-factor authentication (2FA) adds an extra layer of security on top of passwords. It ensures that someone logging into an account is who they say they are by requiring an extra piece of information besides the account password.
This extra information is usually either something you know, something you have, or something you are - for example, a biometric signal like FaceID.
You should not use your phone number as a two-factor method.
At minimum 2FA should be installed on accounts that can lock you out of other accounts: e.g. a Google account, email applications, an Apple ID, and financial accounts. For stronger security, ensure that 2FA is enabled on every service you use that supports it.
Note: Using an all-in-one solution like 1Password for both password management and 2FA creates a single point of failure. Take this into account when picking your 2FA client. Be sure to back-up any recovery codes given to you during the 2FA setup processes, otherwise you risk locking yourself out of your accounts.
What is two-factor authentication?
Two-factor authentication: a little goes a long way
So hey, you should stop using texts for two-factor authentication
List of websites and whether or not they support 2FA.
Step-by-step instructions on enabling 2FA
List of websites and whether or not they support One Time Passwords (OTP) or Universal 2nd Factor (U2F)
Set up a mobile carrier PIN
SIM hijacking is a process where a hacker socially engineers or bribes a mobile carrier to transfer your phone number to a SIM card they own.
If you use text messages as a two-factor authentication method, this gives hackers the ability to bypass 2FA and in most cases the ability to reset your passwords completely.
You should enable a carrier security PIN. This PIN will be used before a carrier can make changes to your SIM cards or mobile account settings.
Encrypt your devices
If your phone or computer is ever stolen, a thief may try to read or export your personal data. If your device is unencrypted, hackers will have access to anything stored on that device, including photos, emails, documents, and contacts.
You should enable encryption on every phone and computer you use. Encrypting your devices makes it nearly impossible for a thief to read your data without having your encryption password.
Freeze Your Credit
If you live in the United States, you should safely assume that hackers have access to your credit report, social security number, address history, and personal contact information. It is important that hackers with this knowledge are not able to open new lines of credit or make large purchases in your name.
You should enable a freeze on all credit report checks at the three major credit bureaus. Whenever you want to open a new line of credit or make a credit-backed purchase (for example, the iPhone Upgrade Program), you can create a "credit thaw" that will allow legitimate credit checks to be processed within a predetermined amount of time.
Ensure that you enable a freeze at all three credit bureaus.
Change your DNS settings to 188.8.131.52 or 184.108.40.206
DNS (Domain Name Servers) are the internet's equivalent of a phone book. They translate a name like 'google.com' into an IP address. By default, DNS is slow and insecure. Many internet service providers track and log data that flows through DNS, in some cases reselling this data to advertisers.
Cloudflare has released a privacy and performance-focused DNS tool that protects your internet traffic from internet service providers and people snooping on public Wi-Fi networks. 220.127.116.11 is faster than the average DNS service as well, making it faster to use the internet.
An alternative to Cloudflare is Quad9, which emphasizes security and privacy in your everyday browsing. It has been launched as a non-profit by the Global Cyber Alliance, IBM and Packet Clearing House, to protect you by blocking known malicious domains, and by not collecting any identifying data on their systems.
What is 18.104.22.168?
Cloudflare launches 22.214.171.124 DNS service that will speed up your internet
Cloudflare’s privacy-focused 126.96.36.199 is available on phones
New “Quad9” DNS service blocks malicious domains for everyone
Quad9, a Public DNS Resolver - with Security
Cloudflare and Quad9 Aim to Improve DNS
Use a VPN
A VPN, or virtual private network, is a useful tool to secure an internet connection. It guarantees that data you are sending and receiving is encrypted, preventing people from snooping on your traffic.
You should use a VPN provider that you trust to not harvest and re-sell your data. The best VPNs often charge a monthly subscription - this is a good thing because it means their business model is not reliant upon reselling your data to advertisers.
Review the privacy of your physical space
You should add a webcam cover on your laptop and desktop computers. A webcam cover provides peace of mind when entering and exiting video calls that you are only visible when you choose to be.
You should protect yourself from people shoulder-surfing when working in a public space, such as a cafe or on a plane. A privacy screen blocks side views outside a 60 degree viewing angle.
Use a privacy-first web browser
You should use a web browser that protects you from tracking, fingerprinting, and unwanted advertisements.
Modern browsers have made it simple to transfer your bookmarks and preferences in order to reduce switching pains.
Don’t expect privacy from Chrome
Google Chrome‘s users take a back seat to its bottom line
What data of mine does Chrome send to Google?
Firefox multi-account containers
How to protect yourself from browser fingerprinting
Browser fingerprinting, and why they are so hard to erase
Who Tracks Me - Learn about tracking technologies, market structure and data-sharing on the web.
Use a privacy-first search engine
You should use a search engine that protects you from tracking, fingerprinting, and unwanted advertisements. DuckDuckGo is a privacy-first search engine that does not store your search history, has strict location and personalization permissions, and publishes regular content teaching people how to be safer on the web.
Use a privacy-first email provider
You should use an email provider that doesn’t read your email or gather data about your conversations to target you with ads.
Gmail vs FastMail
Stop the paranoia: it doesn’t matter if Google reads our email
How Google is destroying privacy and collecting your data
Privacy-friendly alternatives to Google that don’t track you
Opt out of global data surveillance programs like PRISM, XKeyscore and Tempora.
Knowledge and tools to protect your privacy against global mass surveillance
We should have a different email for each website
Review location, camera, and other sensitive device permissions
You should review all applications that have access to your photos, camera, location, and microphone. Ensure that you trust apps with sensitive permissions.
iOS camera permissions allow rogue apps to surreptitiously photograph & video users
How to stop your iPhone from tracking locations you frequently visit
How to manage app permissions on iOS
How to manage app permissions on Android
How to manage app permissions on macOS
How to manage app permissions on Windows
Apps and services with access to your Google account
Apps and services with access to your Facebook account
Apps and services with access to your Twitter account
Opt out of all the data sharing you wouldn’t opt in to
Review and remove metadata attached to photos you share
Geotagging is the process of adding geographical identification to media files (photos and videos, for example). Anyone who has access to these tagged media files can read this data and learn where the photo was taken. Most social media sites strip the EXIF data from photos, but if you're hosting your own photos, be aware that the geolocation can give away your exact location.
You should understand how location metadata is attached to your media and take steps to ensure you are not uploading sensitive information with your files.
Are Location-Tagged Photos Really a Privacy Concern?
Software Roundup: 5 of The Best Apps to Remove EXIF Data from Images
What is geotag security and how it helps to protect your family
Web photos that reveal secrets, like where you live
How to avoid the potential risks of geotagging
How to turn off geotagging for photos on iPhone and iPad
How To turn off geotagging on Android devices
Review your social media privacy settings
Over the years social media companies are able to gather staggering amounts of data about you, your interests, who you talk to, where you go, what you buy, and so much more.
If you‘re not ready to give up social media quite yet, you should take the time to review your security and privacy settings. Visualizing the amount of information that social media companies know about you may be enough to curb that unhealthy newsfeed obsession.
Facebook privacy settings
Facebook ad personalization settings
Facebook location history
Facebook face recognition settings
Your Facebook information
Facebook security settings
Twitter personalization settings
Twitter privacy and safety settings
Google location history
Google ad personalization settings
Google purchase history
Google subscription history
Google reservation history
re:consent browser extension gives you more privacy control on the web
Opt out of all the data sharing you wouldn’t opt in to
Use encrypted messaging apps when sharing sensitive information
When sharing sensitive information over chat, you should be using a secure, end-to-end encrypted messaging service. End-to-end encryption ensures that only you and your intended recipient are able to view messages. Your messages will appear scrambled (and will be nearly-impossible to unscramble) to anyone else, including app developers and ISPs.
Educate yourself about phishing attacks
Phishing is an attempt to obtain sensitive information (like an account password) by disguising as a trustworthy person or company. Phishing often occurs via email where a hacker will use social engineering to convince someone to click a link that goes to a fake login page. The fake login page then sends anything the victim types (including usernames and passwords) to the hacker.
In recent years phishing attacks have become increasingly sophisticated and hackers are learning to use data that people put on the web to create highly specific and targeted attacks.
Smart people are not immune to phishing.
You should learn the basics of phishing and how to identify a phishing attempt.
Keep your devices up to date
Many of the most damaging hacks in recent history were only possible because someone failed to update software. While update notifications delivered by your smartphone, computer, and other internet-connected devices can be disruptive, applying those updates in a timely manner is the single-most effective action you can take to protect yourself from these types of attacks.
You should apply software updates to every device you own as soon as they are made available, and develop a habit of checking for updates on devices that do not notify you of available patches to ensure their security.
Remove your public record listings
Public record listing services such as Whitepages, Intelius, and BeenVerified make it easy for anyone to find your information from public records. This information can include your phone number, home address, direct relatives, and more.
Someone with malicious intent could use this info to gain access to your online accounts or steal your identity, or create a physical threat by doxing or stalking.
Whenever you come across a record containing your personal information, file a request to opt out of the listing service.