A curated checklist of tips to protect your digital security and privacy
Authentication
Browsing the Web
Email
Secure Messaging
Social Media
Networks
Mobile Phones
Personal Computers
Smart Home
Personal Finance
Human Aspect
Physical Security
Too long?
See the TLDR version instead.
For a list of privacy-respecting software, check out Awesome-Privacy.
A mirror of this repo is available at codeberg.org/alicia/personal-security-checklist.
Most reported data breaches are caused by the use of weak, default or stolen passwords (according to this Verizon report).
Use long, strong and unique passwords, manage them in a secure password manager, enable 2-factor authentication, keep on top of breaches and take care while logging into your accounts.
| Security | Priority | Details and Hints |
|---|---|---|
| Use a Strong Password | Recommended | If your password is too short, or contains dictionary words, places or names- then it can be easily cracked through brute force, or guessed by someone. The easiest way to make a strong password, is by making it long (12+ characters)- consider using a 'passphrase', made up of many words. Alternatively, use a password generator to create a long, strong random password. Have a play with HowSecureIsMyPassword.net, to get an idea of how quickly common passwords can be cracked. Read more about creating strong passwords: securityinabox.org |
| Don't reuse Passwords | Recommended | If someone was to reuse a password, and one site they had an account with suffered a leak, then a criminal could easily gain unauthorized access to their other accounts. This is usually done through large-scale automated login requests, and it is called Credential Stuffing. Unfortunately this is all too common, but it's simple to protect against- use a different password for each of your online accounts |
| Use a Secure Password Manager | Recommended | For most people it is going to be near-impossible to remember hundreds of strong and unique passwords. A password manager is an application that generates, stores and auto-fills your login credentials for you. All your passwords will be encrypted against 1 master passwords (which you must remember, and it should be very strong). Most password managers have browser extensions and mobile apps, so whatever device you are on, your passwords can be auto-filled. A good all-rounder is BitWarden, or see Recommended Password Managers |
| Avoid sharing passwords | Recommended | While there may be times that you need to share access to an account with another person, you should generally avoid doing this because it makes it easier for the account to become compromised. If you absolutely do need to share a password for example when working on a team with a shared account this should be done via features built into a password manager. |
| Enable 2-Factor Authentication | Recommended | 2FA is where you must provide both something you know (a password) and something you have (such as a code on your phone) to log in. This means that if anyone has got your password (e.g. through phishing, malware or a data breach), they will no be able to log into your account. It's easy to get started, download an authenticator app onto your phone, and then go to your account security settings and follow the steps to enable 2FA. Next time you log in on a new device, you will be prompted for the code that displays in the app on your phone (it works without internet, and the code usually changes every 30-seconds) |
| Keep Backup Codes Safe | Recommended | When you enable multi-factor authentication, you will usually be given several codes that you can use if your 2FA method is lost, broken or unavailable. Keep these codes somewhere safe to prevent loss or unauthorised access. You should store these on paper or in a safe place on disk (e.g. in offline storage or in an encrypted file/drive). Don't store these in your Password Manager as 2FA sources and passwords and should be kept separately. |
| Sign up for Breach Alerts | Optional | After a website suffers a significant data breach, the leaked data often ends up on the internet. There are several websites that collect these leaked records, and allow you to search your email address to check if you are in any of their lists. Firefox Monitor, Have i been pwned and DeHashed allow you to sign up for monitoring, where they will notify you if your email address appears in any new data sets. It is useful to know as soon as possible when this happens, so that you can change your passwords for the affected accounts. Have i been pwned also has domain-wide notification, where you can receive alerts if any email addresses under your entire domain appear (useful if you use aliases for anonymous forwarding) |
| Shield your Password/ PIN | Optional | When typing your password in public places, ensure you are not in direct line of site of a CCTV camera and that no one is able to see over your shoulder. Cover your password or pin code while you type, and do not reveal any plain text passwords on screen |
| Update Critical Passwords Periodically | Optional | Database leaks and breaches are common, and it is likely that several of your passwords are already somewhere online. Occasionally updating passwords of security-critical accounts can help mitigate this. But providing that all your passwords are long, strong and unique, there is no need to do this too often- annually should be sufficient. Enforcing mandatory password changes within organisations is no longer recommended, as it encourages colleagues to select weaker passwords |
| Don’t save your password in browsers | Optional | Most modern browsers offer to save your credentials when you log into a site. Don’t allow this, as they are not always encrypted, hence could allow someone to gain access into your accounts. Instead use a dedicated password manager to store (and auto-fill) your passwords |
| Avoid logging in on someone else’s device | Optional | Avoid logging on other people's computer, since you can't be sure their system is clean. Be especially cautious of public machines, as malware and tracking is more common here. Using someone else's device is especially dangerous with critical accounts like online banking. When using someone else's machine, ensure that you're in a private/ incognito session (Use Ctrl+Shift+N/ Cmd+Shift+N). This will request browser to not save your credentials, cookies and browsing history. |
| Avoid password hints | Optional | Some sites allow you to set password hints. Often it is very easy to guess answers. In cases where password hints are mandatory use random answers and record them in password manager (Name of the first school: 6D-02-8B-!a-E8-8F-81) |
| Never answer online security questions truthfully | Optional | If a site asks security questions (such as place of birth, mother's maiden name or first car etc), don't provide real answers. It is a trivial task for hackers to find out this information online or through social engineering. Instead, create a fictitious answer, and store it inside your password manager. Using real-words is better than random characters, explained here |
| Don’t use a 4-digit PIN | Optional | Don’t use a short PIN to access your smartphone or computer. Instead, use a text password or much longer pin. Numeric passphrases are easy crack, (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a 4-character alpha-numeric code) |
| Avoid using SMS for 2FA | Optional | When enabling multi-factor authentication, opt for app-based codes or a hardware token, if supported. SMS is susceptible to a number of common threats, such as SIM-swapping and interception. There's also no guarantee of how securely your phone number will be stored, or what else it will be used for. From a practical point of view, SMS will only work when you have signal, and can be slow. If a website or service requires the usage of a SMS number for recovery consider purchasing a second pre-paid phone number only used for account recovery for these instances. |
| Avoid using your PM to Generate OTPs | Advanced | Many password managers are also able to generate 2FA codes. It is best not to use your primary password manager as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead use a dedicated authenticator app on your phone or laptop |
| Avoid Face Unlock | Advanced | Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot of your face with a stored hash. It may be very convenient, but there are numerous ways to fool it and gain access to the device, through digital photos and reconstructions from CCTV footage. Unlike your password- there are likely photos of your face on the internet, and videos recorded by surveillance cameras |
| Watch out for Keyloggers | Advanced | A hardware keylogger is a physical device planted between your keyboard and the USB port, which intercepts all key strokes, and sometimes relays data to a remote server. It gives a hacker access to everything typed, including passwords. The best way to stay protected, is just by checking your USB connection after your PC has been unattended. It is also possible for keyloggers to be planted inside the keyboard housing, so look for any signs that the case has been tampered with, and consider bringing your own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard or auto-filled by a password manager can not be intercepted by a hardware keylogger. |
| Consider a Hardware Token | Advanced | A U2F/ FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service, in to verify your identity, instead of entering a OTP from your authenticator. SoloKey and NitroKey are examples of such keys. They bring with them several security benefits, since the browser communicates directly with the device and cannot be fooled as to which host is requesting authentication, because the TLS certificate is checked. This post is a good explanation of the security of using FIDO U2F tokens. Of course it is important to store the physical key somewhere safe, or keep it on your person. Some online accounts allow for several methods of 2FA to be enabled |
| Consider Offline Password Manager | Advanced | For increased security, an encrypted offline password manager will give you full control over your data. KeePass is a popular choice, with lots of plugins and community forks with additional compatibility and functionality. Popular clients include: KeePassXC (desktop), KeePassDX (Android) and StrongBox (iOS). The drawback being that it may be slightly less convenient for some, and it will be up to you to back it up, and store it securely |
| Consider Unique Usernames | Advanced | Having different passwords for each account is a good first step, but if you also use a unique username, email or phone number to log in, then it will be significantly harder for anyone trying to gain unauthorised access. The easiest method for multiple emails, is using auto-generated aliases for anonymous mail forwarding. This is where [anything]@yourdomain.com will arrive in your inbox, allowing you to use a different email for each account (see Mail Alias Providers). Usernames are easier, since you can use your password manager to generate, store and auto-fill these. Virtual phone numbers can be generated through your VOIP provider |
Recommended Software: Password Managers | 2FA Authenticators
Most websites on the internet will use some form of tracking, often to gain insight into their users behaviour and preferences. This data can be incredibly detailed, and so is extremely valuable to corporations, governments and intellectual property thieves. Data breaches and leaks are common, and deanonymizing users web activity is often a trivial task
There are two primary methods of tracking; stateful (cookie-based), and stateless (fingerprint-based). Cookies are small pieces of information, stored in your browser with a unique ID that is used to identify you. Browser fingerprinting is a highly accurate way to identify and track users wherever they go online. The information collected is quite comprehensive, and often includes browser details, OS, screen resolution, supported fonts, plugins, time zone, language and font preferences, and even hardware configurations.
This section outlines the steps you can take, to be better protected from threats, minimise online tracking and improve privacy. A summarized shorter version of this list can be found here
| Security | Priority | Details and Hints |
|---|---|---|
| Block Ads | Recommended | Using an ad-blocker can help improve your privacy, by blocking the trackers that ads implement. uBlock Origin is a very efficient and open source browser addon, developed by Raymond Hill. When 3rd-party ads are displayed on a webpage, they have the ability to track you, gathering personal information about you and your habits, which can then be sold, or used to show you more targeted ads, and some ads are plain malicious or fake. Blocking ads also makes pages load faster, uses less data and provides a less cluttered experience |
| Ensure Website is Legitimate | Basic | It may sound obvious, but when you logging into any online accounts, double check the URL is correct. Storing commonly visited sites in your bookmarks is a good way to ensure the URL is easy to find. When visiting new websites, look for common signs that it could be unsafe: Browser warnings, redirects, on-site spam and pop-ups. You can also check a website using a tool, such as: Virus Total URL Scanner, IsLegitSite, Google Safe Browsing Status if you are unsure |
| Watch out for Browser Malware | Basic | Your system or browser can be compromised by spyware, miners, browser hijackers, malicious redirects, adware etc. You can usually stay protected, just by: ignoring pop-ups, be wary of what your clicking, don't proceed to a website if your browser warns you it may be malicious. Common signs of browser malware include: default search engine or homepage has been modified, toolbars, unfamiliar extensions or icons, significantly more ads, errors and pages loading much slower than usual. These articles from Heimdal explain signs of browser malware, how browsers get infected and how to remove browser malware |
| Use a Privacy-Respecting Browser | Recommended | Firefox (with a few tweaks) and Brave are secure, private-respecting browsers. Both are fast, open source, user-friendly and available on all major operating systems. Your browser has access to everything that you do online, so if possible, avoid Google Chrome, Edge and Safari as (without correct configuration) all three of them, collect usage data, call home and allow for invasive tracking. Firefox requires a few changes to achieve optimal security, for example - arkenfox or 12byte's user.js configs. See more: Privacy Browsers |
| Use a Private Search Engine | Recommended | Using a privacy-preserving, non-tracking search engine, will reduce risk that your search terms are not logged, or used against you. Consider DuckDuckGo, Qwant, or SearX (self-hosted). Google implements some incredibly invasive tracking policies, and have a history of displaying biased search results. Therefore Google, along with Bing, Baidu, Yahoo and Yandex are incompatible with anyone looking to protect their privacy. It is recommended to update your browsers default search to a privacy-respecting search engine |
| Remove Unnecessary Browser Addons | Recommended | Extensions are able to see, log or modify anything you do in the browser, and some innocent looking browser apps, have malicious intentions. Websites can see which extensions you have installed, and may use this to enhance your fingerprint, to more accurately identify/ track you. Both Firefox and Chrome web stores allow you to check what permissions/access rights an extension requires before you install it. Check the reviews. Only install extensions you really need, and removed those which you haven't used in a while |
| Keep Browser Up-to-date | Recommended | Browser vulnerabilities are constantly being discovered and patched, so it’s important to keep it up to date, to avoid a zero-day exploit. You can see which browser version your using here, or follow this guide for instructions on how to update. Some browsers will auto-update to the latest stable version |
| Check for HTTPS | Recommended | If you enter information on a non-HTTPS website, this data is transported unencrypted and can therefore be read by anyone who intercepts it. Do not enter any data on a non-HTTPS website, but also do not let the green padlock give you a false sense of security, just because a website has SSL certificate, does not mean that it is legitimate or trustworthy. HTTPS-Everywhere (developed by the EFF) used to be a brower extension/addon that automatically enabled HTTPS on websites, but as of 2022 is now deprecated. In their accouncement article the EFF explain that most browsers now integrate such protections. Additionally, it provides instructions for Firefox, Chrome, Edge and Safari browsers on how to enable their HTTPS secure protections. |
| Use DNS-over-HTTPS | Recommended | Traditional DNS makes requests in plain text for everyone to see. It allows for eavesdropping and manipulation of DNS data through man-in-the-middle attacks. Whereas DNS-over-HTTPS performs DNS resolution via the HTTPS protocol, meaning data between you and your DNS resolver is encrypted. A popular option is Cloudflare's 1.1.1.1, or compare providers- it is simple to enable in-browser. Note that DoH comes with it's own issues, mostly preventing web filtering |
| Multi-Session Containers | Recommended | Compartmentalisation is really important to keep different aspects of your browsing separate. For example, using different profiles for work, general browsing, social media, online shopping etc will reduce the number associations that data brokers can link back to you. One option is to make use of Firefox Containers which is designed exactly for this purpose. As mentioned in #127, it's possible to use compartmentalize websites without containers, as done in @arkenfox's user.js. Alternatively, you could use different browsers for different tasks (Brave, Firefox, Tor etc). For Chromium-based browsers, you can create and use Profiles, or an extension such as SessionBox, however this addon is not open source |
| Use Incognito | Recommended | When using someone else's machine, ensure that you're in a private/ incognito session (Use Ctrl+Shift+N/ Cmd+Shift+N). This will prevent browser history, cookies and some data being saved, but is not fool-proof- you can still be tracked |
| Understand Your Browser Fingerprint | Recommended | Browser Fingerprinting is an incredibly accurate method of tracking, where a website identifies you based on your device information, including: browser and OS versions, headers, time zone, installed fonts, plugins and applications and sometimes device hardware among other data points. You can view your fingerprint at amiunique.org- The aim is to be as un-unique as possible |
| Manage Cookies | Recommended | Clearing cookies regularly is one step you can take to help reduce websites from tracking you. Cookies may also store your session token, which if captured, would allow someone to access your accounts without credentials (often called Session Hijacking). To mitigate this you should clear cookies often. Self Destructing Cookies is a browser addon, which will kill cookies when you close the browser |
| Block Third-Party Cookies | Recommended | Third-party cookies placed on your device by a website other than the one you’re visiting. This poses a privacy risk, as a 3rd entity can collect data from your current session. This guide explains how you can disable 3rd-party cookies, and you can check here ensure this worked |
| Block Third-Party Trackers | Recommended | Blocking trackers will help to stop websites, advertisers, analytics and more from tracking you in the background. Privacy Badger, DuckDuckGo Privacy Essentials, uBlock Origin and uMatrix (advanced) are all very effective, open source tracker-blockers available for all major browsers. Alternatively you can block trackers at the network level, with something like Pi-Hole (on your home server) or Diversion (Asus routers running Merlin firmware. Some VPNs offer basic tracking blocking (such as TrackStop on PerfectPrivacy) |
| Beware of Redirects | Optional | While some redirects are harmless, others, such as Unvalidated redirects are used in phishing attacks, it can make a malicious link seem legitimate. If you are unsure about a redirect URL, you can check where it forwards to with a tool like RedirectDetective. It is also recommended to disable redirects in your browser settings. |
| Do Not Sign Into Your Browser | Optional | Many browsers allow you to sign in, in order to sync history, bookmarks and other browsing data across devices. However this not only allows for further data collection, but also increases attack surface through providing another avenue for a malicious actor to get hold of personal information. For Chrome users, you can get around forced sign-in by navigating to chrome://flags and disabling the account-consistency flag. If you still need to sync bookmarks + browser data between devices, there are open source alternatives, such as xBrowserSync |
| Disallow Prediction Services | Optional | Some browsers allow for prediction services, where you receive real-time search results or URL auto-fill. If this is enabled then data is sent to Google (or your default search engine) with every keypress, rather than when you hit enter. You may wish to disable this to reduce the amount of data collected |
| Avoid G Translate for Webpages | Optional | When you visit a web page written in a foreign language, you may be prompted to install the Google Translate extension. Be aware that Google collects all data (including input fields), along with details of the current user. Instead use a translation service that is not linked to your browser |
| Disable Web Notifications | Optional | Browser push notifications are a common method for criminals to encourage you to click their link, since it is easy to spoof the source. Be aware of this, and for instructions on disabling browser notifications, see this article |
| Disable Automatic Downloads | Optional | Drive-by downloads is a common method of getting harmful files onto a users device. This can be mitigated by disabling auto file downloads, and be cautious of websites which prompt you to download files unexpectedly |
| Disallow Access to Sensors | Optional | Mobile websites can tap into your device sensors without asking. If you grant these permissions to your browser once, then all websites are able to use these capabilities, without permission or notification, take a look at the sensor-js study for more. The best solution is to not grant any permissions to your browser, and to use a privacy browser such as Firefox Focus (Android / iOS) or DuckDuckGo (Android / iOS) |
| Disallow Location | Optional | Location Services lets sites ask for your physical location to improve your experience. This should be disabled in settings (see how). Note that there are still other methods of determining your approximate location (IP address, time zone, device info, DNS etc) |
| Disallow Camera/ Microphone access | Optional | Check browser settings to ensure that no websites are granted access to webcam or microphone. It may also be beneficial to use physical protection such as a webcam cover and microphone blocker |
| Disable Browser Password Saves | Optional | Do not allow your browser to store usernames and passwords. These can be easily viewed or accessed. Chrome does protect this data behind your Windows credentials, but these can be simple to obtain thanks to password reset utilities such as Offline NT Password and Registry Editor. Instead use a password manager |
| Disable Browser Autofill | Optional | Turn off autofill for any confidential or personal details. This feature was designed to make online shopping and general browsing more convenient, but storing this sensitive information (names, addresses, card details, search terms etc) can be extremely harmful if your browser is compromised in any way. Instead, if essential, consider using your password manager's Notes feature to store and fill your data |
| Protect from Exfil Attack | Optional | The CSS Exfiltrate attack is a where credentials and other sensitive details can be snagged with just pure CSS, meaning even blocking JavaScript cannot prevent it, read more this article by Mike Gualtieri. You can stay protected, with the CSS Exfil Protection plugin (for Chrome and Firefox) which sanitizes and blocks any CSS rules which may be designed to steal data. Check out the CSS Exfil Vulnerability Tester to see if you could be susceptible. |
| Deactivate ActiveX | Optional | ActiveX is a browser extension API that built into Microsoft IE, and enabled by default. It's not commonly used by legitimate sites any more, but since it gives plugins intimate access rights, and can be dangerous, therefore you should disable it (see how) |
| Disable WebRTC | Optional | WebRTC allows high-quality audio/video communication and peer-to-peer file-sharing straight from the browser. However it can pose as a privacy leak, especially if you are not using a proxy or VPN. In Firefox WebRTC can be disabled, by searching for, and disabling media.peerconnection.enabled in about:config. For other browsers, the WebRTC-Leak-Prevent extension can be installed. uBlockOrigin also allows WebRTC to be disabled. To learn more, check out this guide |
| Spoof HTML5 Canvas Sig | Optional | Canvas Fingerprinting allows websites to identify and track users very accurately though exploiting the rendering capabilities of the Canvas Element. You can use the Canvas-Fingerprint-Blocker extension to spoof your fingerprint or use Tor - Check if you are susceptible here |
| Spoof User Agent | Optional | The user agent is a string of text, telling the website what device, browser and version you are using. It is used in part to generate your fingerprint, so switching user agent periodically is one small step you can take to become less unique. You can switch user agent manually in the Development tools, or use an extension like Chameleon (Firefox) or User-Agent Switcher (Chrome) |
| Disregard DNT | Optional | Do Not Track is a HTTP header, supported by all major browsers, once enabled is intended to flag to a website that you do not wish to be tracked. Enabling Do Not Track has very limited impact, since many websites do not respect or follow this. Since it is rarely used, it may also add to your signature, making you more unique, and therefore actually easier to track |
| Prevent HSTS Tracking | Optional | HTTP Strict Transport Security (HSTS) was designed to help secure websites, by preventing HTTPS downgrading attacks. However privacy concerns have been raised, as it allowed site operators to plant super-cookies, and continue to track users in incognito. It can be disabled by visiting chrome://net-internals/#hsts in Chromium-based browsers, or following this guide for Firefox, and this guide for other browsers |
| Prevent Automatic Browser Connections | Optional | Even when you are not using your browser, it may call home to report on usage activity, analytics and diagnostics. You may wish to disable some of this, which can be done through the settings, see instructions for: Firefox, Chrome, Brave |
| Enable 1st-Party Isolation | Optional | First party isolation means that all identifier sources and browser state are scoped (isolated) using the URL bar domain, this can greatly reduce tracking. In Firefox (under network.cookie.cookieBehavior), it is now possible to block cross-site and social media trackers, and isolate remaining cookies. Alternatively, to enable/disable with 1-click, see the First Party Isolation add-on |
| Strip Tracking Params from URLs | Advanced | Websites often append additional GET paramaters to URLs that you click, to identify information like source/ referrer. You can sanitize manually, or use an extensions like ClearUrls (for Chrome / Firefox) to strip tracking data from URLs automatically in the background |
| First Launch Security | Advanced | After installing a web browser, the first time you launch it (prior to configuring it's privacy settings), most browsers will call home (send a request to Microsoft, Apple, Google or other developer) and send over your device details (as outlined in this journal article). Therefore, after installing a browser, you should first disable your internet connection, then launch it and go into settings and configure privacy options, before reenabling your internet connectivity. This does not apply to all browsers, in this article Brave claims to be the on of the only browser to call out to a single, controlled TLD exclusively |
| Use The Tor Browser | Advanced | The Tor Project provides a browser that encrypts and routes your traffic through multiple nodes, keeping users safe from interception and tracking. The main drawbacks are speed and user experience, as well as the possibility of DNS leaks from other programs. There are also security threats specific to Tor to be aware of, such as malicious exit nodes (see #19) but generally Tor is one of the more secure browser options for anonymity on the web |
| Disable JavaScript | Advanced | Many modern web apps are JavaScript-based, so disabling it will greatly decrease your browsing experience. But if you really want to go all out, then it will really reduce your attack surface, mitigate a lot of client-side tracking and JavaScript malware |
Recommended Software
Nearly 50 years since the first email was sent, it's still very much a big part of our day-to-day life, and will continue to be for the near future. So considering how much trust we put in them, it’s surprising how fundamentally insecure this infrastructure is. Email-related fraud is on the up, and without taking basic measures you could be at risk.
If a hacker gets access to your emails, it provides a gateway for your other accounts to be compromised (through password resets), therefore email security is paramount for your digital safety.
The big companies providing "free" email service, don't have a good reputation for respecting users privacy: Gmail was caught giving third parties full access to user emails and also tracking all of your purchases. Yahoo was also caught scanning emails in real-time for US surveillance agencies Advertisers were granted access to Yahoo and AOL users messages to “identify and segment potential customers by picking up on contextual buying signals, and past purchases.”
| Security | Priority | Details and Hints |
|---|---|---|
| Have more than one email address | Recommended | Consider using a different email address for security-critical communications from trivial mail such as newsletters. This compartmentalization could reduce amount of damage caused by a data breach, and also make it easier to recover a compromised account |
| Keep Email Address Private | Recommended | Do not share your primary email publicly, as mail addresses are often the starting point for most phishing attacks |
| Keep your Account Secure | Recommended | Use a long and unique password, enable 2FA and be careful while logging in. Your email account provides an easy entry point to all your other online accounts for an attacker |
| Disable Automatic Loading of Remote Content | Recommended | Email messages can contain remote content such as images or stylesheets, often automatically loaded from the server. You should disable this, as it exposes your IP address and device information, and is often used for tracking. For more info, see this article |
| Use Plaintext | Optional | There are two main types of emails on the internet: plaintext and HTML. The former is strongly preferred for privacy & security as HTML messages often include identifiers in links and inline images, which can collext usage and personal data. There's also numerous risks of remote code execution targetting the HTML parser of your mail client, which can not be exploited if you are using plaintext. For more info, as well as setup instructions for your mail provider, see UsePlaintext.email. |
| Don’t connect third-party apps to your email account | Optional | If you give a third-party app or plug-in (such as Unroll.me, Boomerang, SaneBox etc) full access to your inbox, they effectively have full unhindered access to all your emails and their contents, which poses significant security and privacy risks |
| Don't Share Sensitive Data via Email | Optional | Emails are very easily intercepted. Further to this you can’t be sure of how secure your recipient's environment is. Therefore emails cannot be considered safe for exchanging confidential information, unless it is encrypted. |
| Consider Switching to a Secure Mail Provider | Optional | Secure and reputable email providers such as ProtonMail and Tutanota allow for end-to-end encryption, full privacy as well as more security-focused features. Unlike typical email providers, your mailbox cannot be read by anyone but you, since all messages are encrypted. Providers such as Google, Microsoft and Yahoo scan messages for advertising, analytics and law enforcement purposes, but this poses a serious security threat |
| Use Smart Key | Advanced | OpenPGP also does not support Forward secrecy, which means if either your or the recipient's private key is ever stolen, all previous messages encrypted with it will be exposed. Therefore, you should take great care to keep your private keys safe. One method of doing so, is to use a USB Smart Key to sign or decrypt messages, allowing you to do so without your private key leaving the USB device. Devices which support this include NitroKey, YubiKey 5 (See Yubico Neo), Smart Card (See guide), OnlyKey |
| Use Aliasing / Anonymous Forwarding | Advanced | Email aliasing allows messages to be sent to [anything]@my-domain.com and still land in your primary inbox. Effectively allowing you to use a different, unique email address for each service you sign up for. This means if you start receiving spam, you can block that alias and determine which company leaked your email address. More importantly, you do not need to reveal your real email address to any company. Anonaddy and SimpleLogin are open source anonymous email forwarding service allowing you to create unlimited email aliases, with a free plan |
| Subaddressing | Optional | An alternative to aliasing is subaddressing, where anything after the + symbol is omitted during mail delivery, for example you the address yourname+tag@example.com denotes the same delivery address as yourname@example.com. This was defined in RCF-5233, and supported by most major mail providers (inc Gmail, YahooMail, Outlook, FastMail and ProtonMail). It enables you to keep track of who shared/ leaked your email address, but unlike aliasing it will not protect against your real address being revealed |
| Use a Custom Domain | Advanced | Using a custom domain, means that even you are not dependent on the address assigned by your mail provider. So you can easily switch providers in the future and do not need to worry about a service being discontinued |
| Sync with a client for backup | Advanced | Further to the above, to avoid loosing temporary or permanent access to your emails during an unplanned event (such as an outage or account lock). Thunderbird can sync/ backup messages from multiple accounts via IMAP and store locally on your primary device |
| Be Careful with Mail Signatures | Advanced | You do not know how secure of an email environment the recipient of your message may have. There are several extensions (such as ZoomInfo) that automatically crawl messages, and create a detailed database of contact information based upon email signitures, and sometimes message content. If you send an email to someone who has something like this enabled, then you are unknowingly entering your details into this database |
| Be Careful with Auto-Replies | Advanced | Out-of-office automatic replies are very useful for informing people there will be a delay in replying, but all too often people reveal too much information- which can be used in social engineering and targeted attacks |
| Choose the Right Mail Protocol | Advanced | Do not use outdated protocols (below IMAPv4 or POPv3), both have known vulnerabilities and out-dated security. |
| Self-Hosting | Advanced | Self-hosting your own mail server is not recommended for non-advanced users, since correctly securing it is critical yet requires strong networking knowledge - read more. That being said, if you run your own mail server, you will have full control over your emails. Mail-in-a-box and docker-mailserver are ready-to-deploy correctly-configured mail servers that provide a good starting point |
| Always use TLS Ports | Advanced | There are SSL options for POP3, IMAP, and SMTP as standard TCP/IP ports. They are easy to use, and widely supported so should always be used instead of plaintext email ports. By default, the ports are: POP3= 995, IMAP=993 and SMTP= 465 |
| DNS Availability | Advanced | For self-hosted mail servers, to prevent DNS problems impacting availability- use at least 2 MX records, with secondary and tertiary MX records for redundancy when the primary MX record fails |
| Prevent DDoS and Brute Force Attacks | Advanced | For self-hosted mail servers (specifically SMTP), limit your total number of simultaneous connections, and maximum connection rate to reduce the impact of attempted bot attacks |
| Maintain IP Blacklist | Advanced | For self-hosted mail servers, you can improve spam filters and harden security, through maintaining an up-to-date local IP blacklist and a spam URI realtime block lists to filter out malicious hyperlinks. You may also want to activate a reverse DNS lookup system |
Recommended Software:
| Security | Priority | Details and Hints |
|---|---|---|
| Only Use Fully End-to-End Encrypted Messengers | Recommended | End-to-end encryption is a system of communication where messages are encrypted on your device and not decrypted until they reach the intend recipient. This ensures that any actor who intercepts traffic cannot read the message contents, nor can the anybody with access to the central servers where data is stored. Note that if an app is not completely open source, the extent to which the encryption is implemented cannot be verified, and it should not be trusted. |
| Use only Open Source Messaging Platforms | Recommended | If code is open source then it can be independently examined and audited by anyone qualified to do so, to ensure that there are no backdoors, vulnerabilities, or other security issues. Therefore proprietary applications should not be trusted for communicating sensitive information. In open source echosystems, bugs are raised transparently and are usually fixed quickly, and version histories can show who added what, and when. When downloading a pre-built package, you can verify that it has not been tampered with by doing a hash check and comparing the digital signatures. It's important to note that, no piece of software is totally bug free, and hence never t
DSI Content Management System. This site uses cookies for functionality ONLY. See our Privacy Policy. |
