A lot of folks feel overwhelmed when it comes to ensuring that their personal InfoSec posture is secure. As someone who’s brooded over his security setup, I thought it might be useful if I were to expound a bit on my personal approach to securing my computing situation.
My goals are simple: to make sure it’s not easy for others to log into my accounts, steal my identity, or install malware, and to not be totally screwed if a device is stolen.
I want to be clear on the basis for this posture! I’m not a named executive at a multinational company, the adversaries I’m defending against don’t include “the Mossad,” and the secrets I protect won’t get anyone killed should they be improperly disclosed. I talk WAY too much to be worth the headache of holding me hostage, so people busting into my home to demand my passwords is simply not part of my threat model. If those things aren’t true for you, make different choices than I do. Understand your threat model first!
There are four basic components to my personal security posture: enabling protections on my devices, tightening up my logins, making the internet conform to my security standards, and pulling together a smart setup for my SSH keys.
1. Protect your computerboxes
Let’s start with the basics. Look at your computer, phone, and tablet. Install all of the outstanding software updates, both to the operating system and the applications you use. Those aren’t there because the developers got bored with their jobs and decided to ship a new version number. You’re surely missing important protections if your software isn’t up to date.
Next, ensure that full disk encryption is turned on for all your hardware. Every platform available today offers some form of this, and you’ll never even notice that it was enabled. But that single decision to check the “full disk encryption” box means that the consequence of a lost or stolen laptop, phone, or tablet is “ugh, now I’ve gotta replace the device” as opposed to “OMFG, my entire life has just suffered a data breach.”
2. Take care of the basics: How you log in
Be smart about passwords
For the sake of all that’s good and holy, be sure you use a password manager. This provides a couple of very useful protections that aren’t always fully appreciated.
First, a password manager lets you have incredibly long and complex passwords that, if read aloud, will sound like vaguely pronounceable line noise at best. Those are hard to guess!
Second, and I would argue more importantly, you’re not particularly likely to type your password into a bad actor’s website if you don’t, in fact, know your passwords. If your password manager doesn’t auto-populate your login info into a website, make for darn certain that you’re visiting the site you think you are. Humans are easy to fool with deceptive domain names, but computers are remarkably bloody-minded about ensuring that you don’t drop your banking password into someone’s Facebook page because you got confused.
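To make the “computers are bloody-minded about domain names” point concrete, here is a minimal origin-matching rule of the kind a password manager applies before it offers to fill a login. This is an added illustration written for this post, not 1Password’s (or any vendor’s) actual matching algorithm, and it is deliberately conservative: it fills only over https and only when the current host is the saved host or a subdomain of it. The sample URLs are constructed; real managers typically compare on the registrable domain using a public-suffix list, which this simplified version does not do.

```python
"""Why a password manager that refuses to fill is a phishing signal.

Added example (not from the original post or any password manager's code).
The matching rule is a simplified stand-in: exact saved host, or a subdomain of it, over https only.
"""
from urllib.parse import urlsplit


def _scheme_and_host(url: str):
    """Normalise a URL to (scheme, hostname), both lower-cased; hostname may be ''."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Return True only when the page being visited is the site the credential was saved for.

    Rules (conservative on purpose):
      * the current page must be served over https (no downgrade to http);
      * the current host must equal the saved host, or be a subdomain of it.
    A host that merely *contains* or *resembles* the saved host does not qualify.
    """
    saved_scheme, saved_host = _scheme_and_host(saved_url)
    cur_scheme, cur_host = _scheme_and_host(current_url)
    if cur_scheme != "https" or not saved_host or not cur_host:
        return False
    return cur_host == saved_host or cur_host.endswith("." + saved_host)


# Constructed test cases: a saved credential for login.example.com and some pages a human
# could be fooled by. ".test" is a reserved TLD, so none of these are real sites.
SAVED = "https://login.example.com/signin"
CASES = {
    "https://login.example.com/signin": True,            # same site
    "https://login.example.com/account/reset": True,     # same host, other path
    "https://sso.login.example.com/": True,              # subdomain of the saved host
    "https://login.examp1e.com/signin": False,           # digit-one lookalike
    "https://login.example.com.attacker.test/signin": False,  # saved host as a prefix
    "https://example.com.login.attacker.test/": False,   # saved host buried in a subdomain
    "http://login.example.com/signin": False,            # plaintext downgrade
    "https://login-example.com/signin": False,           # hyphen instead of dot
}


def evaluate_cases(saved: str = SAVED, cases: dict = CASES) -> dict:
    """Run every case and return {url: (expected, actual)} so mismatches are easy to spot."""
    return {url: (expected, should_autofill(saved, url)) for url, expected in cases.items()}


if __name__ == "__main__":
    for url, (expected, actual) in evaluate_cases().items():
        flag = "fill" if actual else "DO NOT fill"
        print(f"{flag:>12}  {url}  (expected {'fill' if expected else 'no fill'})")
```

The cases where the function answers “no fill” are exactly the moments the post describes: the manager stays silent, and that silence is your cue to look at the address bar before typing anything by hand.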
Even before they started sponsoring some of my nonsense, I’ve been using 1Password as my password manager of choice, but there are a whole bunch of other password managers out there to choose from. Heck, Apple is increasingly rolling out its own that’s built into its browser and operating system. The result of using one of these, whichever you decide upon, is that in my model, all but three of my passwords are a string of random nonsense, much like my tweets if you don’t know what Amazon Web Services is.
I only know three of my own passwords: my login password for my workstation, my Apple ID, and the password for 1Password. Without those three passwords memorized, it would be really hard to log into my computer in the first place, set up a new iPhone, or unlock my password manager.
To generate those passwords, I’m partial to an approach and eponymous tool called Diceware. This has you roll a number of dice (either in the real world with physical dice, or virtually in a JavaScript app that only runs locally in your browser), then look up the rolls you got in a giant list of words. So if you roll the dice and get, for example, “Poppy Cymbal Splurge Crept” you can remove the spaces and boom: there’s your new password. That said, things will whine and complain if you don’t do silly things, so after you get your four random words, add a symbol or a number to the password somewhere to make “password strength” requirements stop complaining. For what it’s worth, “add a number” isn’t really good advice nowadays. Neither is “rotate passwords every X days,” but that’s a hill I’ve grown tired of dying upon.
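The Diceware procedure above (roll dice, look the roll up in a word list, concatenate) is easy to implement, and writing it out makes two things visible that the description alone does not: where the randomness has to come from, and how much entropy you actually get per word. The following is an added example for this post, not the Diceware author’s tool or the JavaScript app mentioned above. It uses Python’s `secrets` module as the “dice” (a CSPRNG, never `random`), and because the real Diceware list has 7776 words keyed by five dice, which is too long to embed here, it ships with a constructed 36-word stand-in keyed by two dice; the generator derives the number of dice from the list it is given, so a real five-dice list drops in unchanged.

```python
"""Diceware-style passphrase generation.

Added example, not the original Diceware tool. The word list below is a constructed
36-entry stand-in keyed by two dice (11..66); the real Diceware list has 6**5 = 7776
entries keyed by five dice. Everything else works the same way for either list.
"""
import math
import secrets

# Constructed stand-in word list (36 words). Index = (die1 - 1) * 6 + (die2 - 1).
_WORDS = [
    "poppy", "cymbal", "splurge", "crept", "anchor", "basil",
    "candle", "dune", "ember", "fable", "garnet", "hazel",
    "igloo", "jetty", "kettle", "lemon", "meadow", "nickel",
    "oboe", "pebble", "quartz", "raven", "saddle", "thistle",
    "umber", "velvet", "walnut", "yarrow", "zephyr", "acorn",
    "bramble", "cobalt", "dahlia", "elm", "falcon", "ginger",
]

# Map each two-dice roll ("11" .. "66") to a word, mirroring the real list's "11111" .. "66666" keys.
WORDLIST = {f"{a}{b}": _WORDS[(a - 1) * 6 + (b - 1)] for a in range(1, 7) for b in range(1, 7)}


def roll_dice(count: int, rng=secrets.randbelow) -> str:
    """Roll `count` six-sided dice and return the faces as a string such as "35".

    `rng(6)` must return a uniform integer in 0..5. The default is the OS CSPRNG via
    `secrets`; an injectable rng exists only so the function can be tested deterministically.
    """
    return "".join(str(rng(6) + 1) for _ in range(count))


def dice_per_word(wordlist: dict) -> int:
    """Number of dice per word, read off the key length (2 for the stand-in, 5 for real Diceware)."""
    return len(next(iter(wordlist)))


def generate_passphrase(n_words: int, wordlist: dict = WORDLIST, rng=secrets.randbelow, suffix: str = "") -> str:
    """Pick `n_words` words by dice roll and join them without spaces.

    `suffix` lets you tack on the symbol or digit that "password strength" meters demand;
    as the post notes, it adds essentially nothing to the real strength of the passphrase.
    """
    n_dice = dice_per_word(wordlist)
    words = [wordlist[roll_dice(n_dice, rng)] for _ in range(n_words)]
    return "".join(w.capitalize() for w in words) + suffix


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of a passphrase drawn uniformly from `list_size` words: n_words * log2(list_size)."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print("stand-in list:", generate_passphrase(4, suffix="7"))
    print(f"  4 words from 36:   {entropy_bits(4, 36):.1f} bits (demo list only)")
    print(f"  4 words from 7776: {entropy_bits(4, 7776):.1f} bits (real Diceware)")
    print(f"  6 words from 7776: {entropy_bits(6, 7776):.1f} bits")
```

The entropy figure is the useful takeaway: each word from the real 7776-entry list contributes about 12.9 bits, so the four-word example in the post sits near 52 bits, and the usual recommendation of six words reaches about 78 bits. With the constructed 36-word demo list a four-word phrase is only about 21 bits, which is exactly why the stand-in is for illustration and not for generating anything you intend to use.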
Enable multi-factor auth
Enable multi-factor authentication, or MFA, everywhere that supports it. “MFA” sounds similar to “MMA,” the acronym for Mixed Martial Arts. They’re closer than you think, because if you don’t enable MFA, either your security person or bad actors are going to metaphorically beat the living snot out of you for your poor choices.
There are a few options for what those additional factors are: SMS messages, codes generated by an application on your phone or desktop, and physical security keys. I personally bias toward using physical security keys. For redundancy, I use three YubiKeys (or, preferably, three Y’allbiKey). One lives on my keychain. The second is permanently plugged into my desktop. The third is in my home office, and I only drag it out to add new services to it. If all three of those keys are stolen or destroyed at once, I figure I have way bigger problems than not being able to tweet about it immediately.
If that’s too much for you, use an application like Authy. I’m a big fan of it because it syncs between devices, so I don’t have to worry about losing my phone and getting locked out forever. I do not use my password manager’s built-in MFA support, because that compresses multiple authentication factors back down to one.
You’re going to want to go out of your way to avoid getting MFA codes via text message. It’s not just about having spotty luck getting the codes to actually come through sometimes; apparently those texts are not difficult to intercept or spoof.
A small side rant: AWS’s IAM only allows one MFA device per IAM account, in a bold attempt to make Azure look on-the-ball when it comes to security. This is shameful. AWS SSO, on the other hand, does support multiple MFA devices.
Don’t sign in with Google
Here’s a thing I don’t do: take the lazy route by signing up for new services through my Google account. Google offers a federated identity offering, which you see all over the place via the Sign In With Google buttons. Google’s very good at security, but I don’t recommend that people use this option. See, the internet long ago decided that “your email inbox” was the absolute cornerstone of your online identity. If I can get access to your email inbox, I can effectively become you for basically any online account of yours that I want.
Google lets sites scope down which permissions they need access to when you elect to use them as an identity source, but you’re not going to read those in depth every time a new thing wants to authenticate via Google. You’re going to do what most of us do, because you’re a human being, and just click “OK.” The next thing you know, you’ve just granted access to your entire email inbox to TikTok or whatnot.
3. Mold the internet to your standards
Use an ad-blocker
Blocking ads is not optional. We can talk about the ethics of content consumption another time; when third-party ad platforms started becoming attack vectors for malware, I got religion on this.
I block ads networkwide by using Pi-hole as a DNS server. I use Tailscale on my devices as an amazing and lightweight full-mesh VPN — and also just so happen to pass out that Pi-hole as the DNS server to all of my stuff, no matter where on the planet I physically am. Suddenly, a whole mess of ads on web pages, mobile apps, and even things like smart TVs just vanish.
I get that this is something of a step beyond what many folks are going to want to do to secure things. If you don’t want to run your own ad-blocking infrastructure, run uBlock Origin instead.
Encrypt everything
Install your browser’s equivalent of the HTTPS-Everywhere extension. The EFF provides instructions on how to do this. Then laugh at the oft-repeated advice from the ’90s freaking out about using public Wi-Fi to do banking. If your bank doesn’t use transport layer encryption in 2022, I’m sorry, but you’re going to lose all of your money if you haven’t already.
4. Lock down your SSH key strategy
If you’re reading this, you probably ssh into things. I’m a big believer in keeping your private keys in secure enclaves or other TPM-branded things, because of the way they’re built: Universally, they will not let you remove or even gaze upon the private key. This is important! As a result, each device you have gets its own keypair, and the private key NEVER LEAVES THE DEVICE. You cannot have your SSH private key stolen if it’s physically impossible to extract it!
On the Mac, I do this via the open source application [Secretive](https://github.com/maxgoedjen/secretive). You can optionally set it to require biometric or password authentication for each use. This effectively means that every time I ssh into something, I have to absent-mindedly tap the Touch ID on my MacBook. It’s not that heavy of a lift, I promise.
On iOS and iPadOS, I use Blink as my ssh client. It also supports using the device’s secure enclave to generate SSH keys. I’m sure there’s something equivalent somewhere for Android, Linux, Windows, and more, but I don’t have those things in my environment. I’m staying in my own lane on this one!
I’m also going to once again yell at AWS for this. Their EC2 keypair functionality that automatically installs SSH public keys onto EC2 instances at provision-time does not support the modern cryptographic protocols that Apple’s Secure Enclave requires for this type of SSH key. Another swing and a miss by AWS’s security posture. Hey, wait a second. Exactly who did they hire from Azure’s security team who’s sabotaging them from the inside, anyway?

Let’s be clear: this does mean that over time I have a lot of SSH keys since each device or instance gets its own. To manage all of this, I simply add the public keys to my GitHub profile so I can easily grab them from anywhere and add them to authorized_keys on any node that I want. github.com/quinnypig.keys lists all of the public keys that I’ve uploaded to my GitHub account. Every GitHub user has a page like this; that may be a surprise to some of you! I’m of the considered opinion that this is safe; private keys are private, public keys can be public, and it’s in the names of those things.
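The one-keypair-per-device approach above means the `authorized_keys` file on each node grows over time and gets fed from a page on the public internet, so it is worth being slightly careful about what you append. Below is an added example (not the author’s own workflow or any GitHub tooling) of a small Python helper that takes the lines served at `github.com/USER.keys`, keeps only lines that are well-formed OpenSSH public keys of an accepted type, checks that the key type inside the base64 blob agrees with the type prefix on the line (the same consistency `ssh-keygen` insists on), and appends only keys not already present, comparing on type and blob so a changed comment does not produce a duplicate. The sample keys are constructed in-line with a throwaway payload so the example runs offline; they are well-formed but meaningless and would not authenticate anywhere. `fetch_github_keys` is the only part that touches the network and is an assumption about how you would wire it up, not something the test exercises.

```python
"""Merge SSH public keys (e.g. from github.com/USER.keys) into authorized_keys without duplicates.

Added example, not the post author's script. SAMPLE_KEYS are constructed, non-functional keys.
"""
import base64
import binascii
import re
import struct
import urllib.request
from pathlib import Path

# Key types this helper will accept. (Secretive's Secure Enclave keys appear as ecdsa-sha2-nistp256;
# stated here as an assumption about that tool, not something the post itself says.)
ACCEPTED_TYPES = (
    "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-rsa",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)
_LINE_RE = re.compile(r"^(?P<type>\S+) (?P<blob>[A-Za-z0-9+/]+=*)(?: (?P<comment>.*))?$")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey(line: str):
    """Return (type, blob, comment) for a well-formed public key line, or None if it should be ignored."""
    m = _LINE_RE.match(line.strip())
    if not m or m["type"] not in ACCEPTED_TYPES:
        return None
    try:
        raw = base64.b64decode(m["blob"], validate=True)
    except binascii.Error:
        return None
    # The blob's first field is the key type again; it must agree with the prefix on the line.
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n] != m["type"].encode():
        return None
    return m["type"], m["blob"], (m["comment"] or "").strip()


def merge_authorized_keys(new_lines, authorized_keys: Path) -> int:
    """Append each valid key from new_lines that is not already present; return how many were added.

    Presence is judged on (type, blob) only, so re-uploading a key with a new comment is a no-op.
    """
    authorized_keys.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    existing = set()
    if authorized_keys.exists():
        for line in authorized_keys.read_text().splitlines():
            parsed = parse_pubkey(line)
            if parsed:
                existing.add(parsed[:2])
    added = []
    for line in new_lines:
        parsed = parse_pubkey(line)
        if parsed is None or parsed[:2] in existing:
            continue
        existing.add(parsed[:2])
        added.append(line.strip())
    if added:
        with authorized_keys.open("a") as f:
            f.write("".join(l + "\n" for l in added))
        authorized_keys.chmod(0o600)
    return len(added)


def fetch_github_keys(user: str) -> list:
    """Fetch the public keys GitHub publishes for `user` (network access; not used by the demo)."""
    with urllib.request.urlopen(f"https://github.com/{user}.keys", timeout=10) as resp:
        return resp.read().decode().splitlines()


def constructed_pubkey(key_type: str, label: str, comment: str) -> str:
    """Build a syntactically well-formed but meaningless key line for the demo. NOT a real key."""
    blob = base64.b64encode(_ssh_string(key_type.encode()) + _ssh_string(label.encode())).decode()
    return f"{key_type} {blob} {comment}"


_rsa_blob = constructed_pubkey("ssh-rsa", "constructed-other", "x").split()[1]
SAMPLE_KEYS = [  # constructed input standing in for a fetched .keys page
    constructed_pubkey("ssh-ed25519", "constructed-laptop", "laptop"),
    constructed_pubkey("ecdsa-sha2-nistp256", "constructed-desktop", "desktop"),
    "this is not a key",                                                   # junk: dropped
    constructed_pubkey("ssh-ed25519", "constructed-laptop", "laptop-renamed"),  # same key, new comment: dropped
    f"ssh-ed25519 {_rsa_blob} type-mismatch",                             # prefix disagrees with blob: dropped
]


def run_demo():
    """Merge SAMPLE_KEYS into a temporary authorized_keys twice; return (added, lines, added_again)."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / ".ssh" / "authorized_keys"
        first = merge_authorized_keys(SAMPLE_KEYS, path)
        lines = len(path.read_text().splitlines())
        second = merge_authorized_keys(SAMPLE_KEYS, path)
        return first, lines, second


if __name__ == "__main__":
    print("first merge added, file lines, second merge added:", run_demo())
```

Swapping `SAMPLE_KEYS` for `fetch_github_keys("quinnypig")` turns this into the grab-from-anywhere workflow the post describes; the filtering is what keeps a typo on the GitHub side, or a stray line in the response, from ending up as an entry sshd has to chew on.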
What I didn’t cover
There are some things I didn’t mention here. People have, for example, asked what email provider I use. The answer is “it doesn’t matter.” See, this is security advice for humans, and typical human beings aren’t going to change their entire email provider for a security benefit, just because it’s such an annoyingly labor intensive process.
You’re likewise not going to avoid using common services based upon their security issues if you’re like most people. Yes, Facebook is invasive with its privacy stance, but most people are not going to stop using Facebook once it becomes part of their daily life. Telling folks to behave otherwise is simply not realistic. This is where so much security advice falls apart.
What can I say except …
Hey, I’m just a do-gooder denizen of the internet giving back to my people here.
But in all earnestness, I do hope having some insight into my approach helps folks tighten up their personal security posture. As always, scream at me on Twitter if I missed something notable!