Email, online banking, and social media security

Here is how to secure your email and social media profiles. But if you want to communicate one-to-one with someone, use Signal instead.

Only use ProtonMail for email.

As described in the Secure digital communication page, ProtonMail is a secure email client with encryption features that most other email providers lack. If not ProtonMail, consider using the chat messenger Signal.

Disable images in your email client.

Many emails contain embedded images in them. When you open an email, these images load from remote servers. Whoever owns these servers can often determine:

  • when and how many times you opened the emails containing their images.

  • your IP address, which can be used to approximate your physical location at the time you opened the email.

  • some basic information about your email client and computer.

In July 2019, the email client Superhuman was widely criticized for sending emails with tracking images that could expose the above information about the recipient. This is a common feature in a lot of email-sending software used by businesses or hackers.
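To see how this works from the receiving side, here is an added example (not from the original page) that scans an email's HTML for images loaded from remote servers and flags the ones shaped like tracking pixels. The sample message below is constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class RemoteImageScanner(HTMLParser):
    """Collect every <img> whose src would make the mail client contact a remote server."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        src = a.get("src") or ""
        parsed = urlparse(src)
        if parsed.scheme.lower() not in ("http", "https"):
            return  # cid: (inline attachment) and data: images never leave the machine
        # Heuristic: a 0x0 / 1x1 or hidden image carries no content for the reader,
        # so its only purpose is to tell the server that the mail was opened.
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        self.findings.append({
            "src": src,
            "host": parsed.hostname,
            "has_token": bool(parsed.query),  # per-recipient identifiers usually ride in the query
            "likely_tracker": tiny or hidden,
        })


def scan_email_html(html: str) -> list:
    scanner = RemoteImageScanner()
    scanner.feed(html)
    return scanner.findings


# Constructed sample message: one inline logo, one tracking pixel, one ordinary remote banner.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hello,</p>
<img src="cid:logo.png" width="120" height="40">
<img src="https://mail.example.net/t/open?rcpt=RECIPIENT-TOKEN" width="1" height="1" style="display:none">
<img src="https://cdn.example.org/banner.jpg" width="600">
</body></html>
"""

if __name__ == "__main__":
    for f in scan_email_html(SAMPLE_EMAIL_HTML):
        print(f)
```

With remote images disabled, none of the flagged requests are made, which is exactly what the rule above buys you.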

Avoid opening links that you have been sent in your email client.

If you click on a link in an email to visit a website, the website will learn your IP address--which can reveal your approximate location. The website may also learn basic information about your computer that can be used to recognize you and de-anonymize you later.

If you are being sent an email with a link to a website that you regularly visit--such as your bank--do not click the link. The link may send you to an imposter website. Avoid this by storing your bank's URLs in your browser bookmarks or carefully and correctly typing the URL directly.

Avoid opening attachments sent to you by email.

Many attachments--such as PDFs and Microsoft Office documents--can store executable code that could install malware on your computer. This is a difficult rule to follow because many activists have to open attachments as part of their jobs, but always recognize the risks.

Use two-factor authentication (2FA) on your online accounts.

What is two-factor authentication?

Two-factor authentication is an additional security measure that protects access to an Internet account when your password is stolen.

Your password is the first factor that identifies you, and the second factor is typically a proof that you own a specific device or account. The second factor is usually a time-limited code:

  • sent to you via email or SMS. (Avoid using this. See below.)

  • generated from a mobile phone app like Google Authenticator or Authy.

  • generated by special hardware devices like the Yubikey.

Two-factor authentication makes it much harder for an attacker to hijack one of your online accounts. It is an important part of staying safe online.

Avoid text message (SMS) based two-factor authentication.

Many websites will send you the time-sensitive two-factor authentication code via text message. This is a security risk, because it is possible for attackers to gain control over your phone number via SIM-hijacking attacks. Avoid using SMS 2FA unless it is the only type of 2FA offered by the website.

Do not tell anybody your two-factor authentication code over the phone or SMS.

Sometimes an attacker succeeds in obtaining or resetting your password, but they need your time-sensitive two-factor authentication code to log in. Some attackers get this code simply by contacting you while pretending to be someone else (such as your IT department) and asking for the code so they can log in.

To avoid being fooled, never give your two-factor codes to anybody.

Back up your authentication codes somewhere.

People commonly use an app like Google Authenticator or Authy to generate 2FA codes. If you only have these codes on one device, you risk being locked out of your accounts if something happens to that device. Keep that in mind if you are bringing your phone to protests.

Authy lets you create encrypted backups of your 2FA codes to their servers. The password manager 1Password offers the same.

Store your passwords in the password manager 1Password.

1Password is a tool that securely stores your passwords so that you do not have to remember all of them. Instead, you only have to remember a master password used to lock your 1Password installation.

Do not attempt to memorize all of your passwords for various websites. Only memorize your 1Password master password. Do not write down any of your passwords anywhere else.

Why choose 1Password?

There are many password managers to pick from, but 1Password has a reputation for having some of the strongest security while still being easy to use. Thomas H. Ptacek is one of the most respected security researchers in the world. As of this time of writing, he recommends 1Password.

How to use 1Password

For ease of use, 1Password can sync your passwords to their cloud website. However, if your threat model includes your government, it may be more prudent to use 1Password without cloud syncing. If you do this, make sure to take backups to avoid losing access to all of your passwords.

1Password can also store your two-factor authentication codes. This makes it a lot easier to use two-factor authentication, but it also means that anybody that can compromise your 1Password vault can get complete control of all of your accounts.

When filling out account recovery "security questions," do not use any information people know about you.

When registering for an account at an online website, they may ask you for security questions to answer in case you forget your password or are locked out of your account.

Never use security questions based on your real-life biography, such as your birthday, the name of your hometown, your mother's maiden name, and so forth because:

  • Biographical information about you may be available on social media or Internet websites.

  • Some adversaries, like an abusive partner or family member, may know the answers to these security questions.

  • Once people know biographical information about you, it is hard to change it. Everybody can change a password, but nobody can change their birthplace.

Instead, pick arbitrary security questions and give them password-like answers. For example, select "What is your hometown?" as a security question, and type in random words like "correct horse battery staple" as an answer.

The answers to your security questions should be pronounceable over the phone, in case you need to validate your identity to customer support. However, only give these answers when you have made an outgoing call to the website's customer support phone number. Do not give these answers when somebody calls you, because you may be speaking to a computer hacker.