
Getting Started: Basic Personal Cybersecurity for Everyone (3 Easy Tips)
This post was originally published on 10 MAY 2023; it has since been updated and revised.
Welcome to the world of cybersecurity!
This guide was written with complete cybersecurity and privacy novices in mind. It is designed to get anyone started on improving their personal cybersecurity, which is becoming increasingly important as more of society's life intertwines with the digital landscape.
Preface
These are basic personal cybersecurity steps anyone can take regardless of any kind of established or developed “threat model.” For the uninitiated, threat modeling is a continuous process in cybersecurity wherein you identify assets, analyze threats, manage risk, and identify fixes.
In a simpler sense, you identify what is important or valuable to you (usually your data or personal information), how and by whom it could be compromised, define your risk appetite, and then go about addressing it. Threat modeling for cybersecurity is ultimately based on risk - primarily mitigating risk and defining what is acceptable risk for yourself as the user.
(Threat modelling extends to the topic of digital privacy as well, albeit it takes on a slightly different meaning in a privacy context.)
Much good and popular advice out there encourages users to threat model. However, my argument against this (overall good) advice is: the first step in good personal cybersecurity (and by extension, privacy) is not to threat model, but to do the bare minimum for security.
It makes little sense to threat model but continue to use weak and/or compromised passwords, run outdated software/firmware, or skip strong(er) MFA methods when they are available. Threat modeling is important after the basics are in play. Once the basics are completed, users should move into threat modeling and deploying/using tools that help them accomplish their goals.
Threat modelling in both the cybersecurity and privacy context helps users to direct their resources to better accomplish their desired goals and wants. However, a baseline - which this guide aims to serve as - should be established prior to threat modeling.
There are basic cybersecurity "101s" users should perform first to get the most out of threat modeling:
- Developing good password management practices
- Using multifactor authentication (at bare minimum for sensitive accounts)
- Keeping devices and software updated
What about my privacy?
Users reading this guide may also be interested in improving and maintaining their online privacy - or otherwise, starting their own privacy journey.
If you are starting from "zero" in both security and privacy, you should be sure these cybersecurity basics are in play first before anything else. Security lends itself to privacy in both the real and online worlds; basic security is a must for maintaining privacy.
However, this security guide has a "sister" guide for privacy. It's highly advised to finish this guide (no rush) before jumping into the privacy version of it.
Develop good password management practices
Good password management overall greatly improves your security posture as a user.
Passwords are by far the most common means for securing your accounts - if a malicious actor has your password, then they could log into your accounts, even though they are not you. This spells trouble for crucial accounts such as email accounts and bank accounts.
For example, if I successfully guess the password to your email account, then I can compromise other accounts connected to your email and/or send far more convincing phishing emails to your contacts. If I successfully guess the password to your bank account, I have access to your money and a wealth of information about you.
The assumption between the authenticating service and you (as the user) is that only you know the password. I'm not you, but I know your password(s), so to the online account service/website I have authenticated as you. So, as far as the server handling the login/authentication is concerned, I am you.
Of course, the consequences differ depending on which accounts are compromised. Other ramifications for failing to implement basic password best practices for various online accounts include, but are not limited to:
- Compromised accounts or full account takeovers
- Compromised personally identifiable information (PII) (ex: tax returns)
- Compromise of sensitive information (ex: social security numbers)
- Theft/selling of personal information
- Doxxing (publicly posting private information without consent)
Stop reusing passwords
Stop reusing passwords.
Stop reusing passwords.
Stop reusing passwords.
Reusing passwords (even those considered “strong”) does zero security favors; by reusing passwords, users place increased trust in the security of the website, web app, or web service’s servers and place a higher risk of unauthorized account access on themselves.
While this may not seem like a big deal to most users, it creates compounding issues when/if credentials (including passwords) are exposed/leaked, which is very common given the prevalence of data breaches and data leaks in the modern landscape.
With data breaches continuously on the rise, credentials - such as passwords - are increasingly falling into the hands of malicious actors. Reusing passwords ultimately makes malicious actors' lives easier; they frequently take leaked credentials and try them in credential stuffing campaigns, where the malicious actors attempt to break into user accounts across different websites and web services using the leaked credentials.
Reusing passwords leaves you open to these credential stuffing attacks because credential stuffing campaigns rely on the assumption that users reuse passwords across different accounts and services. Unfortunately, they are often correct in this assumption - many users reuse passwords.
What exactly does this mean? A breach where credentials are compromised at Company A can result in your accounts at Company B and C also getting breached if you reuse the same password from Company A. So, if a user actively uses a password that is compromised, the attackers bet users will reuse these passwords (or weak variations) across different accounts.
In this specific example, the attackers don't specifically know your credentials at Company B and C but given the assumption behind credential stuffing (users reuse passwords), and the past successes with using this password attack method, they're betting the "theory" holds true... because it works. But only because users reuse passwords.
Keep in mind that most web apps and web services struggle to detect these types of attacks - most of the time, credential stuffing attacks are distributed and use sophisticated methods of automation. Very rarely, if at all, are these attacks carried out by hand. Attackers are constantly evolving methods to successfully carry out credential stuffing campaigns, such as using residential proxies to look like "regular" users signing into their accounts.
Stop reusing passwords. Use unique passwords. Each of your accounts should have its own password not used by any other account.
Create strong passwords
Your passwords are the keys to your digital kingdom.
Therefore, it is important to have strong (and unique) passwords. Weak passwords leave your digital kingdom open to invaders and raiders and other unpleasant entities you might not want inside the great walls of your kingdom.
Chances are, if you are reading this, you may employ weak passwords. Even passwords you think are strong may in fact be considered "weak."
As a baseline, if any of your passwords are found on Nord's annual Top 200 most common passwords, then they are weak and at far higher risk of being cracked/guessed by malicious actors. Even if you use a derivative of a password found on this list, such as a l33t 5p3ak variant, your password is still weak.
By extension, you'd also want to ensure your password isn't on widely circulated wordlists, such as the infamous rockyou.txt, which includes more than 14 million unique passwords.
Admittedly, wordlists are harder to systematically check because so many wordlists exist. Additionally, it is impossible to link/capture them all, as malicious actors frequently use custom wordlists. In many cases, these custom wordlists include passwords found on widely available wordlists - including common derivatives of those passwords.
For example, an attacker may take the password dragon (which is number 70 on Nord's top 200 most common passwords for 2022, specifically) and add derivatives to their list, such as:
- dragon1
- Dragon
- Dragon1
- drag0n
- dra60n
- dragondragon
Disclaimer: none of these are strong passwords, please do not use them.
If the attacker adds similar derivatives to passwords that have been leaked in data breaches and found on the Nord list, then they've created a rather effective wordlist for future password attacks.
The bottom line is: the stronger your password, the better. Strong(er) passwords aren't necessarily complex - their strength comes from a combination of length and complexity. General guidance for strong passwords includes, but is not limited to:
- Minimum of 20 characters
- Randomization if dictionary words are used
- Combination of upper and lowercase letters, numbers, and non-common symbols (!@#$ are typically considered common symbols)
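As an added illustration (not part of the original post), the following Python checker applies the two ideas above: it reduces a candidate password to the base word a derivative wordlist would have started from (lowercasing, stripping trailing digits/symbols, undoing common l33t swaps, collapsing doubled words) and looks that up in a common-password list, then applies the length and character-class rules, and generates a compliant password from the OS random source the way a password manager does. The common-password set and the symbol alphabet are constructed for this example, standing in for a real list such as Nord's Top 200 or rockyou.txt.

```python
import re
import secrets
import string

# Constructed stand-in for a real common-password list (Nord Top 200, rockyou.txt);
# a production check would load the full list from disk.
COMMON_PASSWORDS = {"password", "dragon", "admin", "qwerty", "letmein", "123456", "iloveyou"}

# Character swaps that derivative wordlists typically apply; we undo them.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "6": "g", "7": "t", "@": "a", "$": "s", "!": "i"})

COMMON_SYMBOLS = set("!@#$")   # the post treats these as "common" symbols
MIN_LENGTH = 20


def normalize(password: str) -> str:
    """Reduce a candidate to the base word a derivative list would start from.

    Trailing digits/symbols ('dragon1', 'dragon!') are stripped *before* the
    l33t substitution so a '1' suffix is not mistaken for an 'i'.
    """
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)        # dragon1, Dragon! -> dragon
    base = base.translate(LEET_MAP)             # drag0n, dra60n -> dragon
    half = len(base) // 2
    if half and base[:half] == base[half:]:     # dragondragon -> dragon
        base = base[:half]
    return base


def weaknesses(password: str) -> list:
    """Return the reasons a password fails the post's baseline (empty list = passes)."""
    issues = []
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        issues.append("derivative of a common password")
    if len(password) < MIN_LENGTH:
        issues.append("shorter than %d characters" % MIN_LENGTH)
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_uncommon_symbol = any(not c.isalnum() and c not in COMMON_SYMBOLS for c in password)
    if not (has_lower and has_upper and has_digit and has_uncommon_symbol):
        issues.append("missing a character class (upper, lower, digit, non-common symbol)")
    return issues


def generate_password(length: int = 24, symbols: str = "%^&*-_=+[]{}:;,.?/~") -> str:
    """Password-manager style generator honouring a per-site length/symbol policy.

    Draws from the OS CSPRNG via `secrets` and re-draws until the candidate
    passes weaknesses(), so every required character class is present.
    """
    if length < MIN_LENGTH:
        raise ValueError("policy requires at least %d characters" % MIN_LENGTH)
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weaknesses(candidate):
            return candidate


if __name__ == "__main__":
    # The derivatives from the post, plus one that mixes several tricks.
    for sample in ["dragon1", "Dragon", "Dragon1", "drag0n", "dra60n", "dragondragon", "Dr@g0n!"]:
        print("%-14s -> %-8s %s" % (sample, normalize(sample), weaknesses(sample)))
    print("generated:", generate_password(24))
```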
Whether you consider yourself an advanced user or a beginner, it’s highly recommended to use a password manager to both create strong, unique passwords and securely store them. With proper and frequent use, password managers help users ensure their passwords are both strong and unique.
Ideally, users would use passphrases over passwords. Passphrases are longer and, when sufficiently randomized, substantially harder to crack or guess, even if their hashed (or hashed and salted) forms are leaked.
However, I recognize many services and apps may impose character limits/requirements, which could make generating a viable passphrase difficult. Password managers typically have password generators that take user-defined parameters when generating a strong password, thus making it easier to accommodate logins where such restrictions are in place.
Users should avoid creating passwords that are easily guessable and/or too short. Storing passwords in a password manager is preferable to writing them down - even if the password manager is cloud-based, assuming the provider is transparent about its security and infrastructure.
Change default passwords
Default passwords are passwords that come as the “default” for administrator (privileged) access into a device or account. Default passwords should always be changed as soon as possible. When changing default passwords, users will want to make sure the new password is indeed strong.
For example, depending on the device manufacturer, a device's default username may be admin and the default password may be admin. If this is an internet-facing device, then this could spell disaster, as it could easily and swiftly be compromised because anything that communicates with the internet directly is... well, public.
The password admin is a very common inclusion on a password wordlist - a list of passwords malicious actors use in commonly automated brute-force attempts. All it takes is an attacker scanning the internet for various IP addresses and ports and then trying common passwords like admin, which isn't a sophisticated attack.
Generally, when it comes to default passwords, the main concern is the default credentials shipped with consumer-grade (home) routers. For most hardware, default credentials are easily discovered; many router manufacturers post the default credentials for their router models and sub-models online.
Retaining these default credentials (or weak variations of them) astronomically increases the likelihood of unauthorized access to the device by a malicious entity. The device could then be "weaponized" however the malicious entity sees fit.
It's easy for regular users to assume their devices with default passwords won't be compromised/attacked because they are "not a target." In many cases, they are right about not being a target - most brute-force attacks are indeed automated, often targeting ranges of devices and IP addresses using compromised, common, or default credentials (like admin for both username and password).
This means if you are using these default credentials, you are placing your devices - and by consequence, your online security - at extreme risk. Always change the default credentials for any device.
Update software/firmware
Many device, software, and firmware updates include security fixes for previously disclosed or discovered vulnerabilities. Therefore, it becomes highly important to keep devices and installed software updated with the latest security patches.
As a general trend, the gap between public vulnerability disclosure and exploitation (“hacking”) in the wild is closing. Publicly disclosed vulnerabilities get exploited quicker by malicious actors year-over-year; therefore it is important to install security updates as soon as possible.
Failing to update your devices and/or software in a timely fashion leaves your devices vulnerable. These vulnerabilities could be exploited by malicious actors to take over your device or execute code on it remotely - such as instructing it to download malware, which could further compromise your security. Many malicious actors (correctly) assume users will not install the latest security patch once it is available. In many cases, regardless of the reason for not updating, they are correct in their assumption. Hence the general trend of disclosed vulnerabilities being exploited more quickly.
Software updates also frequently come with quality of life improvements for users, such as bug fixes and access to new features. In some cases, bugs can morph into vulnerabilities themselves or lead to more security concerns, especially if exploited.
Avoid using end-of-life devices/software
Users should avoid using software that is end-of-life (EOL). EOL software generally does not receive security updates and often has unpatched vulnerabilities. EOL devices typically do not have support from the manufacturer and do not receive firmware security updates.
For example, Microsoft officially ended Windows 7 support in January 2020. Newly discovered vulnerabilities in Windows 7 would no longer receive security updates. Therefore, the longer you use Windows 7 past January 2020, the higher your risk of compromise.
We can take another example with devices. In February 2022, Google ended support for its Pixel 3 family of smartphones. After February 2022, security updates for the Pixel 3 series were discontinued.
Using EOL software/devices is risky for most users, as the likelihood of sufficient mitigation measures being taken is simply far lower; end users typically have less experience and fewer resources to enact proper mitigations for EOL software and hardware. In most cases, at a basic level, EOL software and devices should have their internet-connectivity features disabled and be segmented onto a network that is not directly connected to the internet.
Naturally, this is a tough ask for the average person and quite frankly, for most end users, the juice simply isn't worth the squeeze - a smartphone in this context would be rendered a useless brick.
As such it is far more prudent for most users to acquire a new(er) device still receiving firmware security updates or to migrate to newer, supported versions of software.
Enable and use multifactor authentication
Multifactor authentication (MFA) is a multi-step approach to authenticating a user; in addition to providing a username and password, the user may be prompted to also provide something they are, have, or know. Sometimes MFA is also called two-factor authentication (2FA).
MFA can prevent malicious account takeovers where credentials are compromised.
In authentication without MFA, a user gains access to their account - or specifically, the data stored in that account - by providing their credentials. The password was set by the user, so in theory, they should be the only one who knows it and could provide it.
However, passwords can be compromised in numerous ways, even through no direct fault of the user. MFA methods are harder to impersonate/steal than credentials; a malicious user would need to know your credentials and have access to your MFA method. Since the authenticating server assumes that only you, as the user, know your credentials (password), providing those credentials means you are... well, you.
So, if a malicious user somehow obtains your credentials through any of a myriad of methods, then when providing them to the authenticating server to log into your account, they are you.
(I touched on this in the beginning of the password section of this guide.)
With MFA enabled, an added step is introduced to the authentication process. Typically, the second step requires providing something you are, you know, or you have. Therefore, if a malicious user gains your login credentials (email/password), with MFA enabled they would not be able to login as you because they would not be able to prove they are, in fact, you.
For example, let's say you've enabled time-based one-time passwords (TOTP) on your Mastodon account. If a malicious user acquired your Mastodon account credentials by successfully guessing your password, then after entering your credentials they would be challenged to enter the code generated by your authenticator app. They wouldn't know the code, so they would fail this step and be denied access to the account. They couldn't prove they were you, despite knowing your password.
Generally, in this specific example, they would not have access to the second step of authentication. Gaining that access would involve getting hold of your phone, where the authenticator app is installed - or somehow obtaining the shared secret known to your authenticator app and the Mastodon server. This is costly in terms of effort and time, and unless you are a truly high-value target, the malicious actor will not find this a worthwhile venture.
Continuing with the specific example, the unauthorized access attempt on your Mastodon account is effectively stopped. Though, to completely close the loop, in this case you should change your password and make sure not to use the compromised password again, which goes back to avoiding the reuse of passwords.
Different types of MFA
Ultimately, what MFA options are available depends on the platform/service. Some methods of MFA are more secure than others. FIDO2 (hardware keys such as the YubiKey) and TOTP are frequently regarded as the strongest forms of MFA available, with FIDO2 being the most secure authentication protocol available.
Unfortunately, most US financial institutions and government organizations primarily rely on text-message (SMS) or email MFA methods, despite these being weaker when compared with stronger MFA methods like FIDO2 and TOTP.
SMS is an insecure protocol because it does not use encryption. SMS-based authentication is also vulnerable to SIM-swapping attacks, where the attacker successfully "steals" your telephone number and ports it to a device they control. Email is arguably more secure than SMS-based MFA, but its security is ultimately dependent on how secure the user's email account is; at the end of the day, email accounts are vulnerable to malicious takeovers, especially if MFA is not enabled on the email account(s).
At minimum, users should enable the strongest possible MFA methods - TOTP or hardware keys (FIDO2) - for critical/important accounts where possible. Critical or important accounts are not necessarily just financial accounts; they can also include (but are not limited to):
- Email accounts
- Accounts used to sign into other services or devices (AppleID/iCloud, Google Accounts, Microsoft Accounts, etc)
- Government related accounts
- Work-related accounts
It is highly recommended to enable MFA for any account where MFA is supported. But users should definitely enable strong forms of MFA on accounts used to authenticate/log in to other services, such as email accounts, AppleID/iCloud, Google accounts, and Microsoft accounts.
Remember: In most cases, you are far better off enabling MFA than not!
What about antivirus?
Prior to Windows 8/8.1, antivirus software was considered “essential” for most users primarily due to major shortfalls existing within Windows Defender and Windows Firewall.
In current versions of Windows, starting with Windows 10, Windows Defender and the native Windows firewall have come a long way, and are arguably respectable antivirus/antimalware solutions for many users.
For Linux and macOS users, antivirus has never really been a strict necessity.
Despite popular opinion, for many users out there, a standalone antivirus solution is not necessary. Typically, antivirus is recommended for enterprise setups or large families - especially those with family members who are particularly susceptible to common malware transmission vectors, such as downloading infected applications or clicking on phishing links.
Antivirus and privacy
There are some privacy trade-offs if you choose to use antivirus on compatible devices. Even if the antivirus “never” abuses/uses your data, antivirus programs require a high level of access to a system and thus can serve as the “ultimate backdoor” for anybody interested in conducting malicious activity on your devices.
Therefore, using an antivirus has privacy implications. Many antivirus programs, most commonly (but not only) the “free” versions, collect vast amounts of user data - including personally identifiable information (PII). Essentially, whatever the operating system has access to, it is highly likely the antivirus program will also have access to.
Data collected (such as search history or website clicks) can be sold to third parties, such as advertisers and data brokers. Sometimes this data, including PII or other sensitive data, is “phoned home” to remote servers. Some antivirus software can also upload suspicious files (whether a legitimate hit, or not) to a database for further analysis - which may contain PII.
Antivirus and "security"
In some cases, antivirus programs can introduce other security pain points, like being used for privilege escalation (typically gaining administrator rights) on a system.
There have been instances where antivirus solutions engage in decrypting HTTPS traffic and essentially conducting man-in-the-middle (MITM) attacks to “protect” users from visiting malicious domains. However, this behavior can cause other issues for users - such as increasing the chances of falling for phishing attacks and leaving users open to “real” MITM situations.
Antivirus on smartphones is not as effective as it might sound; many exploits targeting smartphones are zero-days or otherwise not something an antivirus can stop on its own.
Whether on a desktop or a smartphone, simple but effective tips can help users avoid downloading and executing malware, such as:
- Avoid downloading non-official apps where possible or verify the download comes from the official source
- Keep devices and installed software updated
- Avoid clicking on unsolicited or suspicious links
For most cases, these tips will help prevent the download and execution of malware on your devices.
I've mastered this guide. What should I do next?
Congratulations on greatly improving your cybersecurity posture - especially if you weren't doing one/two/all of these tips listed in this post prior to now.
As noted, the foundations outlined in this guide should, at a minimum, be followed prior to beginning one's privacy journey. However, users can pivot in a few different ways to improve their cybersecurity posture, such as (but not at all limited to):
Improving Password Management
Password managers are a great solution for improving password management as was touched on in this guide. Users can read far more in-depth about password managers in the ultimate password manager guide by Avoid the Hack.
If you're interested in improving your password management practices, you should absolutely look into incorporating a password manager into your life. While it takes some adjusting at the beginning, Avoid the Hack walks through how to get started using a password manager to make the transition easier.
Understanding the importance of MFA
Everything you need to know about MFA and why you should enable strong(er) forms of MFA as an end user.
Using trusted adblockers
While the benefits of adblocking are typically viewed from a privacy stance, they have major wins for your security as well. Programmatic ads are a security concern as much as they are a privacy concern; they can carry malware or inject unwanted content/code into visited websites.
To further improve personal cybersecurity posture, users should look into different methods for deploying adblocking solutions.
Secure your network
Network security often caters to enterprise or big business networks, but the security of your home/small network matters as well. Most routers, whether rented from your ISP or purchased yourself, do not come with solid security settings by default.
While consumer-grade networking equipment certainly has limitations, users should take steps to secure their routers and home networks.
Start on your privacy journey
With security basics/minimums in play, you're in a great spot to build upon them by taking small steps to improve your privacy.
Final thoughts
Practicing these basic personal cybersecurity tips is essential for both improving your security and privacy posture, regardless of threat modeling. Threat modeling steps should happen after nailing down these basic steps for improving personal cybersecurity.
These steps are also important to master - or at bare minimum, be familiar with - prior to beginning on a privacy journey. Without taking these basic but effective steps, your privacy could be undermined. For example, it makes little sense to use an encrypted cloud storage provider if you use a weak password/reuse passwords from other services.
Likewise, it makes little sense to use a privacy-friendly operating system if you do not keep it and any other software installed on it (or firmware) up to date with the latest security patches and fixes; successful exploits against outdated software/firmware easily undermine the privacy benefits of using privacy-friendly Linux distributions.
Making sure to develop solid password management skills (use a password manager), keep software/firmware updated, and enable strong(er) forms of MFA gives you a strong foundation to build upon when looking at other nuanced personal cybersecurity (and privacy) tools, techniques, and practices.
With that said, stay safe out there!