TL;DR
- Never. Ever. Reuse. Passwords.
- Use passwords that can't be easily associated with you, ideally completely random.
- Consider using a password manager and securing it with a long and random passphrase.
- If you can, use two-factor-authentication for services that allow you to do so.
- Consider using a reputable and/or open source 2fa solution.
- If you want to go the extra mile for *some* services, consider physical 2FA like Yubikey.
- You know this one - don't just click on links, even if it's from your friend.
- Don't run any programs or scripts unless you know you can trust the source or understand the script itself.
- If you are giving away personal/secret information of any kind, verify the identity of the other party.
Why should I even trust you?
Honestly, you shouldn't. I can give you some context on who I am, and you should make up your mind on whether you want to take what I have written down seriously yourself. I strongly recommend that you do a little of your own informed research and then applying the things you've found useful for yourself to your online safety.
I am as of me writing this a german computer science student in my 7th semester for a bachelors degree, and am employed at Cryptshare AG as a Student Developer. In some sections of my online presence, I've been more of a privacy nut than in others. Some things I do aren't generally advisable, but I have tried to keep these out of this page.
I have tried my best to give good advice on this page without getting too technical and not talking down to you in any way. If you're here, then you probably already know a lot about your computer. While I have written this page in good faith, I am also definitely missing a lot of things I could do better. If you have anything you want me to add, do tell! Let's make the internet a little safer for all of us.
Best practices with passwords
Passwords, at least for now, are your first and sometimes only line of defense for your online accounts. This unfortunately means for you that you will have to deal with people trying to guess or bruteforce your passwords constantly, especially when money or your private data is involved.
Here's some things you should keep in mind when you make a password for a platform:
Never reuse your passwords. Seriously. If for some reason your password gets compromised, no matter what that reason may be - if you reuse your passwords, then immediately, multiple accounts of yours may be compromised. An attacker can and will just attempt to log in to other services with the same mail or username and your found password associated to your already compromised account.
Don't use "simple" passwords. Things like birthdays, names, interests, can be social engineered from you with you often not even realizing it. Ideally, your passwords are completely randomly generated. Passphrases, a random combination of words, can provide great security through length while keeping them somewhat memorable.
Use decently long and complicated passwords. Most services enforce this already anyway, and it has probably annoyed you in the past, but they do this for a reason. Every character you add to a password exponentially increases the amount of time it would take to brute-force your password, so does having special characters in your password. It should be notable that things like l33tsp34k (replacing characters with similar looking numbers) and similar attempts of obfuscation are easily defeated by common password crackers - it could help a little, but probably way less than you expect. A metric for a safe password I have used is 20+ characters, completely random, using numbers, capitalization, and special characters.
Using password managers
If the previous section was daunting to you - don't worry. A password manager is probably exactly what you are currently looking for. Password managers exist to store your passwords safely, and lock them behind a single very safe and long password or passphrase.
I must however stress this: Your single password/passphrase must be kept safe and long. If your password manager has a weak password, you are exposing every single service to being compromised with little to no effort. If your chosen solution supports it, I strongly recommend adding 2FA to your manager.
There are a lot of options for password managers out there - some better than others. I strongly recommend you pick one that suits your use cases and your security concerns, so I will list some I have used and/or am currently using, and some additional ones that I have at least heard of to be reputable. Again, I strongly recommend that you choose one best suited for yourself.
Right out of the gate though: DO NOT USE LASTPASS. LastPass has been breached as of December 2022 and has wildly mishandled the breach in the first place, making me consider it as an utterly failed password manager - both from the security and the usability standpoints. I would not trust LogMeIn with their products anymore.
KeePass / KeePassXC is an open-source, entirely "offline" solution. It stores your passwords on your own device in an encrypted file, which can only be unlocked by your master password. This uncouples your passwords from any internet connectivity and keeps them entirely on your own devices. This however also means that password synchronization will require additional tools like syncing the file to your Google Drive or other cloud storage, if that is something you care about. I have personally used KeepassXC combined with its Firefox addon, which enables Keepass to use Autofill.
Bitwarden is an open-source password manager that allows you to host your vault on your own machines, and offers a 10 €/yr subscription service for smaller additional features like some encrypted cloud storage. Your passwords will synchronize to pretty much all of your common devices, including your phone, which can also offer biometric authentication. It also allows you to share your passwords with other Bitwarden users decently easily, if you wish to do so. It should be noted that password sharing is limited to one additional person on the non-paid version. I am unfortunately not sure if this limitation also applies to the self-hosted version. I always recommend this password manager, especially if you're new to the concept.
Other honorable mentions that I have heard are somewhat reputable but haven't used personally:
Two-Factor-Authentication (2FA)
Two-Factor-Authentication serves as an additional layer of security for your services. Most of the time, 2FA refers to timed passcodes that expire every 30 seconds and are generated on a second device like your phone. However, 2FA also can mean something like a physical USB key that you have to plug into or bring near the device you wish to log in, like a Google Titan or a YubiKey. Some phones like the Google Pixel have similar security chips built in and can allow for similar authentication. Unless you feel like being an absolute nerd (like me), you probably don't need a physical security key.
Some services like Steam, Microsoft, ActiBlizz, and Google also offer their own authenticator services, often as an app on your phone, which send you a notification or one-time password to log in. If you trust the service, then it may be a good choice to opt for these apps in place of the "classic" authenticator code generators.
If you do decide to use 2FA, make sure that you store the "backup passwords" that the services provide to you somewhere safe. Reputable services will lock you out of your accounts forever if you lose access to your 2FA and your backup passwords.
I will also add that I personally strongly advise against using Authy. Authy will prevent you from exporting your secrets from their app, if you ever wish to switch services, and instead locks your 2FA secrets behind what is basically another account. In my opinion, this fundamentally breaks what 2FA is supposed to be - a secret that should only be stored "offline" on some devices.
I would personally use either Google Authenticator, andOTP, or Aegis. I still recommend that you make up your mind about your choice of 2FA app yourself.
For the services I know of that use special authenticators, here's a list of what they use:
Staying safe with links and downloads
You have probably heard this one over and over, and honestly - I'm sorry for bringing it up yet again. It is just way too important to forget to mention.
As a general rule of thumb - don't ever just click on a link without making sure that you trust where this link is going to, and making sure that you can trust whoever sent you this link. Emails especially are still widely used to attack you with malicious links/downloads. Always check whether the sender's email address looks reputable (are they who they claim to be? Does the address look suspicious?) and check where the link leads to. Link shorteners like bit.ly aren't inherently malicious, but can be misused for malicious purposes - exercise caution when following these links.
A currently unfortunately common and ongoing scam on Discord is an attacker using compromised accounts to trick them into running a program that supposedly is just their "university project" or a "game they've made", and they want you to test it. This program often effectively "just" takes control of your discord account, changing your mail and password and possibly creating charges on your payment details associated to it.
For this reason alone, never ever just download, or even worse, run a program or script from someone else, even if you think you can usually trust them. Make sure that the source of scripts and programs are always genuine, and if they are not and know how to read scripts, always double check what the script does before you even consider running anything.
Common scams to look out for
This section is my best attempt at raising awareness for very common scams that you should be aware of. This list is by no means exhaustive, and I'm terrible at describing them - but I still hope that you'll get some use out of it.
I also realize that you are probably already painfully aware of these kinds of scams, but I would say that it is generally worth it to remind yourself of the most common dangers out there.
These are not the links you were looking for
Links don't always lead to where they appear to go, like this one: https://google.com Generally, you should never just click an image or a link from an untrusted source without checking where it leads to.
Sure, a single misclick usually doesn't put you in immediate danger - even though it absolutely can - but you should always be aware where you are browsing. Most browsers show the link target in the bottom left when you hover over them. Additionally, most programs like email clients, Steam, Discord etc. will warn you about where a link leads to before actually redirecting you there, at least if the link does not match what it looks like.
Phishing / Fake login sites
Phishing sites deceive you by pretending to be something or someone else, and usually attempt to get your passwords, payment details, or personal information with it. If you have to put some information into any webpage, you should check at least two things: is the domain in your browser correct, especially the highlighted part, and is a locked padlock visible next to it? If either of these is missing, then it's a red flag for phishing, and you need to be extra careful.
When logging into applications, make sure that the app you downloaded/are running is absolutely genuine and/or trustworthy before entering any information. There is no catch-all for this kind of login - be vigilant.
Especially your email inbox is full of these. If you received a mail about missing or out of date payment details, a pending transaction you definitely haven't made, or something about your account being compromised - then in 99% of the cases, you're being scammed. Never ever click a link in these kinds of emails. If you are genuinely concerned, open the service/website in question manually instead.
Social Engineering
This is a huge rabbit hole that I don't even remotely have any chance of explaining in this writeup. Overly simplified, social engineering is the act of someone getting personal information without you realizing it's significance or manipulating you into thinking they are someone else. This can go from casual conversation to someone impersonating an authority asking for "identity verification". The one case I have had of the latter was someone impersonating my ISP, asking for personal information because supposedly, my parents were there in person and needed some form of verification. Thankfully, in the EU, you usually don't get spam calls, but if you're from the US, you are probably painfully aware of them by now.
TL;DR: Don't give out your personal information to anyone unless you've made absolutely sure that whoever is requesting the information has a genuine reason for knowing it and isn't malicious.
"Hey, can you vote for my CS:GO Team?"
Yes, this is basically just phishing but with a different coat of paint. I have seen this message on Steam, and it's many variations on the internet as a whole, way too many times. Which unfortunately also means that they work. No matter the message content, these attacks usually ask you to click some link, log in to some site or download some application or script. Current active variations of this attack for Discord specifically are "You have been accepted to Discord Staff/Moderation", "You won free Nitro!", and "Hey, can you help me playtest my game?"
These messages are often sent by accounts who you already have some contact with, i.e. your friends list. Don't just blindly trust your friends - their account could've been compromised, and the scammer might now try to get into yours. If you encounter such a message, reach out to your friend on a different platform and tell them, and report the account to the platform as compromised. Both Steam and Discord have these as separate buttons when reporting.