Have password, Turn in ON
Picking a secure email provider is great first step toward email security, but you need to do your part too. After all, it takes less technical wizardry to take advantage of your security mistakes than it is to break into an email company. Here’s what you need to do to make yourself more annoying to hack than the next guy.
Have password, Turn it ON.
You password isn’t doing you any good if you don’t have to actually type it in. Yes, it’s annoying. There is some interesting research in replacing passwords with _places_ and _things, _but for now your phone or computer is just asking to be messed with if you haven’t turned the password lock on. People that might be interested in messing with your stuff include pesky siblings, untrustworthy partners, pick pockets, corrupt police, mob violence, silent border searches, etc. etc. In some cases having a password won’t protect your data, but it will, at a minimum,force the adversary to inform you of the compromise by requesting you for your password. Here’s how to turn on your password protected screen lock for your desktop (Windows, Mac) and mobile phone (iPhone, Android).
Now that you have your password turned on, it’s time to pick a password that your friends as well as really smart computer people won’t be able to guess. The rule is simple: longer is better. For passwords, longer than 10 characters. For pins, longer than 6 digits. You can check the security of your password at https://howsecureismypassword.net
Required bonus points: encrypt your device to protect yourself from technical people. Passwords are generally just a check that your computer performs before giving you access to your files. If a technical person gets a hold of your stuff, he/she can just disable the check if they’re smart enough. What you need to do is scramble all your files with your password. Now it’s not just a little check, the password is fundamentally required to understand your files. This is called encryption, and here’s how to turn it on for Windows, Mac, Android, iPhone.
Use HTTPS://.
Every website you visit, every email you check, every file you download, every password you type without the required “https://” can be easily recorded by anyone at the same coffee shop, hotel, or conference; in addition to the internet company, national police, and most countries’ intelligence apparatus. Furthermore, the adversary only needs to see your password once before I can simply login to to your account and read/modify/delete your data.
Remembering to type in https:// for every website is difficult. Here’s what you need to do:
Let your browser do the hard work for you. HTTPS Everywhere will add the s, for secure, in https:// to every website that supports it.
Make sure your email program isn’t leaking your password all over the internet by setting it up to only connect with SSL/TLS.
Run away from these protocols that send your password in the open for all to see: POP, IMAP, FTP, HTTP, TELNET.