Security and Privacy

Here are some tips for security and for keeping your data and personal information private.

Authentication

Passwords

  • Use unique passwords and forget about remembering them: use a password manager!
    • Bitwarden is open source, multi-platform, and multi-browser. This means your passwords are not tied to a particular browser, account, or operating system (as with Apple Keychain).

Two-factor authentication (2FA)

  • Enable two-factor authentication where possible.
  • Use an OTP app such as OTP Auth (iOS/macOS), FreeOTP etc. Prefer open-source apps, as they can be externally scrutinized.
  • When activating 2FA you often get a set of recovery codes. Keep them in a safe place, preferably offline or printed.
  • Avoid giving your phone number for OTPs via SMS. This connects your online identity with your real identity.

Security Key

Security keys such as YubiKey or the open-source Solokey are a convenient and safe way to avoid typing in OTPs as mentioned above. Far from all sites support this, but the number seems to be increasing due to the WebAuthn standard. Security keys can also store other information for strong encryption. See video for some inspiration.

Privacy

  • Your online movements are stored and used to profile you to determine your behavior and views. A VPN may reduce tracking. For work, you can use LU's VPN, which also gives access to the Library. ProtonVPN is a Swiss-based alternative.
  • Avoid companies that live from your data: Facebook and Google are prime examples. Always log out of your account when not using the service.
  • Do not use your Google or Facebook login to access other sites.
  • Do not let websites store personal information (address, age, phone number etc.). There are many examples of data breaches where user information has been exposed and sold at auction.
  • Never give your personal id number.
  • Do not give applications or websites access to your contact list.
  • If you believe your privacy is safe just because you use end-to-end encryption in e.g. WhatsApp, think again.
  • Possible replacements:

More information

This document is only a very brief set of recommendations. For much more information, see e.g. EFF's Surveillance Self-Defense guide.