Being a tech nerd and having worked at both Google and Facebook, I find myself often being asked variations of the following question by friends and family: "What are your suggestions for keeping your online accounts secure?"
I often go over more or less the same list of suggestions. I finally decided to turn the list of suggestions to a blog post so I can send people a link to it next time I get asked.
While many would consider some of the suggestions below as much more than "minimum steps", my suggestion is to raise the standard so the following becomes the bare minimum baseline from where you can take even further measures if needed (which should generally be only needed if you suspect you will be directly targeted, for example if you're a journalist, politician, dissident, etc.)
List of steps
Step 1: Use A Password Manager
This is single-handedly the most important step in protecting your online identity. If you are not already, use a password manager! There are quite a few good choices now, some with free options. To list only a few: DashLane, 1Password, LastPass. There is also the open source and free KeePass.
Why is it so important that you use one? Because the usefulness of a password is significantly reduced if it's simple and easy to guess, and also each time you reuse the password. Password reuse is pretty bad. Therefore, you should use a unique, strong password for each account you create online. You likely have tens if not hundreds of accounts online. Remembering hundreds of complex and unique passwords is a practical impossibility. A password manager allows you to use strong, randomly generated passwords for all your accounts. This means you only need to remember a few passwords total, instead of hundreds. This in turns means you have no excuse not to use a strong password for all your accounts.
Since your password manager is effectively a "master key" to your digital life, it's very important to secure the password manager account itself. I recommend using a strong passphrase as the password (see Step 2), using a YubiKey as a second factor (see Step 3), and disguising your email address (see Step 4) for the password manager account.
With that said, I do not suggest putting all your eggs in one basket.I suggest remembering at least two passwords: one for your main email account, and one for your password manager. This means you should not store your main email account's password in your password manager vault. Why? This is an ultimate safety measure, in case your password manager account is compromised. If your email account is siloed and hence not compromised, you should be able to recover most of the accounts that will be compromised if your password manager is.
Note that a password manager compromise is still likely to be a major disaster and proper recovery from it might be quite difficult and time consuming. Taking this step should help a bit. Better yet is to do your best (through means mentioned above) to make password manager compromise as unlikely of a situation as possible. That being said, regardless of your efforts, vulnerabilities in password managers are outside your control, so this step provides some peace of mind if the worst possible scenario plays out.
Step 2: Use Passphrase Instead Of Pass "words"
By using a password manager, you will only ever need to remember two or maybe three passwords. The rest will be randomly generated passwords stored in your password manager. As mentioned, this means the few passwords you do need to remember should be very strong. My suggestion is to start thinking of passwords as "passphrases" instead. In other words, a set of words instead of a single word as the basis of the password. For example, you can use a full sentence, with spaces, proper punctuation, and capitalization, such as "Ice cream tastes better than broccoli!" This should make it quite secure against guessing, brute forcing, and dictionary attacks, unless you pick a particularly popular and simple sentence. This is more or less the same as XKCD's "correct horse battery staple" suggestion:
Now, the bad news is that many websites have poor password policies that do not allow such passwords (e.g, spaces or arbitrary "special" characters being disallowed, or unnecessary and harmful "maximum length" restrictions on passwords). The good news is, you're almost certainly not going to need to memorize passwords for those sites. Google and most password managers allow such complex passwords, and for all other sites, use randomly generated passwords stored in your password manager instead.
Step 3: Use Two-Factor Authentication, Preferably A YubiKey
After password managers and strong passwords for them, Two-Factor Authentication is the next most important step you can take towards protecting your online identity. Even with all due care, passwords can leak, be phished, extracted using malicious software like key loggers, stolen using social engineering, or even simply guessed. Two-Factor Authentication (2FA) can provide a second layer of protection in such cases. You can use SMS, an OTP device, an OTP app (such as Google Authenticator), or dedicated 2FA devices.
I very strongly suggest using a YubiKey with FIDO U2F support. YubiKeys with FIDO U2F are the best form of 2FA that I know of, since they use private-key cryptography and digital signatures to authenticate not just you to the server but also to authenticate the server to you. This provides very strong protection against phishing and other similar attacks like man-in-the-middle attacks.
Use the YubiKey to secure your password manager account as well as email account, at the minimum. You can also use it for other accounts such as Dropbox, Facebook, Twitter, GitHub, etc.
I recommend against SMS as an authentication factor unless you have absolutely no better option, since SMS is quite insecure (phone number take-over and recycling, stingray devices, lack of encryption and authentication, etc.) and even NIST has been suggesting deprecation. That being said, if SMS is your only choice for 2FA, it is still significantly better to add SMS as a second factor than to not have a second factor at all.
Step 4: Disguise Your Email Address
Many websites use your email address to identify your account. This means an attacker will need your email address and password to gain access to the account (unless you have multi-factor authentication set up, for example using a YubiKey). To make things harder for attackers, you should consider using a unique email address for each service. I assume you are thinking "that's crazy, you can't make a new email account for each website you sign up for!" Very true, that would be a major inconvenience. Fortunately, if you use Gmail as your email provider, you can use Gmail's nifty feature that allows you to add any string after a '+' to your username in your email address. For example, if your email address is email@example.com then you can use firstname.lastname@example.org (where you can replace blah with any random string, for example email@example.com) to sign up for a service.
Assuming you followed step one and use a password manager, you don't need to remember the random string you append to your email address as it will be safely stored in your password manager for future logins.
I recommend following this step for accounts that are of importance, such as bank accounts, anything to do with payments and credit cards, or anything with private information stored on it.
Finally, some websites use a "username" instead of email address as the identifier, or in addition to email address. For those websites, use a random string as the username also. No reason to make it easier for attackers to guess your username based on your name or based on leaked data from another site.
Step 5: Secure Your Devices
Even with password managers and 2FA, you are still vulnerable if your devices are compromised (e.g., if your device is running malware, key loggers, or has rogue certificates installed). Some basic sub-steps to securing your devices are:
- Keep your operating systems, browsers, and software on all your devices (phones, laptops, tablets) up-to-date and make sure security updates are installed automatically.
- Secure all your devices with a solid password (I recommend against 4-digit PINs or even unlock patterns, due to how easy it is for someone to read them off your screen when you type or draw them, although they are better than nothing).
- Do not install and run software that does not come from a trusted source. If you really have to, definitely do not allow such software elevated privileges (i.e., running them as "Administrator" or "root" users, or in other words, if a dialog from the software pops up asking you to type in your device password, be very cautious about doing so).
- Do not lend the device unlocked to anyone you don't trust (use guest user accounts for this), and do not allow debug level access to your devices through USB or otherwise.
- Lock access to your devices when you step away from them. Make sure a reasonable auto-lock timeout is set.
- Enable the firewall settings on your device.
- As much as possible, do your best to avoid logging into sensitive accounts such as your password manager, banks, or email account using devices you have not fully vetted and can not trust (e.g., borrowing a friend's phone, an internet cafe computer, or even a lab computer at a university).
Step 6: Use Third-Party Login For Less Important Sites
Assuming you have thoroughly secured your Google, Facebook, Twitter, and GitHub accounts (especially if you followed Step 3 and got a YubiKey and added it as a second factor for those accounts), you can now use them as third-party login providers (using OAuth) to login to other websites instead of using a password for each. This has the convenience of signing into the websites with just a few clicks on devices where you're already logged into to the third-party login provider, with the additional security of two-factor authentication and a strong password.
A note on privacy: be careful about the level of access the third-party provides to the website you are giving access. Google is relatively good at making the information shared quite clear. Most often, only public profile information and email address is shared but some apps are quite intrusive with the level of access they request. Pay careful attention to the initial level of access you grant, and occasionally review apps with access to your accounts and remove ones you no longer use. If in doubt, or if you do not trust the third-party login provider not share your data, avoid this method and just create independent accounts.