Online security/privacy
March 27, 2015 5:12 AM

Serious advice about protecting your privacy/identity online is often monstrously impractical. Which are the tools/practices that offer the best real-world security-convenience tradeoff?

As an example, installing a password manager and (over time) converting all my passwords to random ones ...that's been a big gain in security and about a wash in terms of convenience or effort. On the one hand there are recurring annoying situations, like installing an app on my iPad, where it's sandboxed away and can't auto-fill, and I have to copy and paste the password, etc. On the other hand, I already had at least some variety in the passwords I kept in my head and often forgot which ones were for which site, and it removes that hassle completely.

Two-factor authentication for the password manager and my google/twitter/fb accounts is also a pretty minimal inconvenience, since I always have my phone on me, it takes a few seconds to input the token, and you rarely have to do it again on the same device.

As a counterexample, doing all my web browsing through Tor and/or a VPN/proxy is just too slow (and annoying in various other ways) to really stick with it, even if the security gains are much greater.

I realize that this privacy-for-convenience tradeoff is not something anyone can totally avoid, but what are the inefficiencies on that spectrum, the ways to get a lot more privacy/security without much extra inconvenience/effort?
posted by neat graffitist to Technology (10 answers total) 12 users marked this as a favorite
 
FoxyProxy for Firefox allows you to push some URLs through a proxy and not others.

I use an auto-generator for usernames as well as passwords now.
posted by Leon at 5:32 AM on March 27, 2015


The first question is always: what's the treat model?

What are you most afraid of and who do you want to hide information from? Your ISP knowing which sites you're visiting? Relatives/coworkers with access to your device impersonating you? A thief stealing your laptop with all your family pictures? Advertising companies tracking you?

Depending on what you want to achieve, the solution may cover the spectrum from quite convenient (like your password manager that lets you have a different password for each site so that if one of them has piss-poor security practices, gets compromised and your plaintext credentials are leaked there's no greater harm done) to (almost?) completely impossible (preventing a government agency from cracking your system if they really want to). For example, 2-factor auth actually gives you less privacy since it tells Google your real phone number and tells your telco when and where you're using Google but that is a trade-off you're willing to accept for increased security against random criminals.
posted by Bangaioh at 6:33 AM on March 27, 2015 [6 favorites]


Bangaioh: "The first question is always: what's the treat model?"

Great answer by Bangaioh, but I think that was supposed to be "threat model" in case you are initially confused like I was.
posted by Rock Steady at 7:25 AM on March 27, 2015 [3 favorites]


2-factor auth actually gives you less privacy since it tells Google your real phone number

Doesn't have to, does it? There are apps you can run on your phone or desktop computer that can generate time-based passwords. Google acts like they don't have my phone number, even though I use 2fa.

I'm also a fan of practical privacy. I run a few apps (ghostery, Ad-block, better privacy supercookie safeguard, advertising cookie opt-out) that keep third party sites from tracking me. These have to be selectively disabled for some sites but work decently to keep, for example, facebook from tracking me everywhere. I get off of junk mail lists. I have a PO box so mail goes there instead of to my home. I use completely different login names for a few sites that I would prefer to not be part of my immediately-googleable online persona.

I work with a lot of seniors who use computers and I tell a lot of them to choose good passwords but to write them down. They are less at risk from someone breaking into their house and logging in to their email account than they are from a generalized "10000 passwords stolen because of dictionary-style hack". I teach them about especially using strong passwords for anything that links to their bank or private health information. I set them up with gmail because it will send most spam email to a spam folder so they don't have to deal with it, and warn about basic phishing attempts.
posted by jessamyn at 7:46 AM on March 27, 2015 [2 favorites]


- You don't have to do both a VPN AND Tor. Especially going through Tor can be very slow, but a good fast VPN like shadeyouvpn that you can toggle on/off with great ease can be a great boost in security. Shadeyouvpn works on my iOS devices and my OSX machine and in both cases going into and out of VPN is super convenient. That way you can decide for yourself which browsing activities should hide behind the VPN.

- Route all your mail to a single email address that you can use with ssh. Using mutt or alpine is even more convenient than web browser mail.
posted by hz37 at 8:12 AM on March 27, 2015 [1 favorite]


For example, 2-factor auth actually gives you less privacy since it tells Google your real phone number and tells your telco when and where you're using Google but that is a trade-off you're willing to accept for increased security against random criminals.

As jessamyn mentioned, this is incorrect if you just use the app instead of the SMS feature. The app doesn't communicate with Google's servers at all. In fact, it's a generic implementation that you can use for random other services like LastPass, Amazon, etc.

Two-factor is easily the most important additional security you can add to your accounts at this point. Enable it everywhere it's offered.

When you're asked to set up security questions, don't use predictable answers. Mine are all random numbers. Mother's maiden name? 80213.

Store this information in a password storage system, or if you don't want that complexity, a paper journal.
posted by odinsdream at 8:28 AM on March 27, 2015 [2 favorites]


When you're asked to set up security questions, don't use predictable answers. Mine are all random numbers. Mother's maiden name? 80213.

I also do this, but would additionally suggest that sometimes you may want to make tradeoffs here by using plausible wrong answers. On the rare occasions when I've had a CSR ask me a challenge question over the phone, they get really unhappy and confrontational when I tell them my favorite color is "#M8FW>RU;hqY3sii".
posted by dorque at 9:07 AM on March 27, 2015 [3 favorites]


from xkcd: Password Strength
posted by Little Dawn at 2:05 PM on March 27, 2015


That xkcd hints at the right solution but the example password is actually pretty terrible: 44 bits is too weak for a master password unless there's some process slowing down brute forcing significantly. For picking strong passwords, use Diceware.

Other links that may be of interest:
- EFF's Surveillance Self-Defense
- PRISM Break: a list of various privacy/security related software and services
posted by Bangaioh at 2:52 PM on March 27, 2015 [2 favorites]
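To make the entropy comparison in Bangaioh's answer concrete, here is an added example (not from the thread) that computes passphrase entropy for the xkcd scheme (4 words from a 2048-word list, 44 bits) against Diceware (7776 words keyed by five dice rolls), maps physical dice rolls to a Diceware list index, and draws words with the OS CSPRNG. The tiny word table is constructed for illustration; the real Diceware list has all 7776 keys.

```python
import math
import secrets


def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly and independently from list_size words."""
    return n_words * math.log2(list_size)


def words_for_target(list_size: int, target_bits: float) -> int:
    """Smallest number of words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def dice_index(rolls: str) -> int:
    """Map a five-roll Diceware key ('11111'..'66666') to a list position 0..7775 (base 6)."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("need exactly five digits in the range 1..6")
    idx = 0
    for c in rolls:
        idx = idx * 6 + (int(c) - 1)
    return idx


def roll_key() -> str:
    """Five fair dice rolls from the OS CSPRNG; never use random.random() for this."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def generate_passphrase(wordlist: list, n_words: int) -> str:
    """Draw n_words uniformly; secrets.choice is unbiased for any list length."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


# Constructed sample of a dice-keyed list; a real one has every key from 11111 to 66666.
SAMPLE_DICEWARE = {"11111": "a", "11112": "a&p", "11113": "a's", "66666": "@"}

if __name__ == "__main__":
    print("xkcd 4 x 2048:", passphrase_entropy_bits(2048, 4), "bits")
    print("Diceware 6 words:", round(passphrase_entropy_bits(7776, 6), 1), "bits")
    print("Diceware words for 80 bits:", words_for_target(7776, 80))
    print("xkcd-list words for 80 bits:", words_for_target(2048, 80))
    print("key 66666 -> index", dice_index("66666"))
    print(generate_passphrase(list(SAMPLE_DICEWARE.values()), 6))
```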


I found an offline password filler for android. You might be able to find one for your iPad. I know the Lastpass app only works in-browser. grr
posted by irisclara at 1:02 AM on April 1, 2015

