!!! NOTE: THIS GUIDE WILL BE UPDATED AND REFINED; CONSIDER THIS A FIRST PASS !!!
Preamble
this is a GUIDE on the basics of security, and how to set up a password manager. i'll run through the aims of security practices and include a glossary at the end for some of the more technical terms d:
The point of security
contrary to popular belief, the point of security measures (in cyber- or meatspace) is not to make it impossible to gain access to the Protected Thing; the point is to significantly reduce the chance of unauthorised access to the Protected Thing.
we do this by making it:
harder (think rpg skill check)
more time consuming (people get bored; it's also less profitable)
less appealing (add obstacles)
Security basics
the golden rules of security and privacy:
SHUT THE FUCK UP (for the love of Void, stop sharing your personal info publicly! or privately, for that matter)
sandboxes and containers ! (keep your personal shit separate from your work shit; doubly so for activists)
change any password that's weak, reused, or caught in a breach (with a manager this is painless; routine rotation of strong, unique passwords matters far less than fixing those)
use 2FA/MFA (security layers are important !)
don't sign up for accounts/services you don't need (every account is one more place your data can leak from)
Password managers
a password manager is a tool that stores login information for your various accounts in an encrypted database, protected by a master password (and optionally a key file or hardware key). this means you can have strong, unique passwords for your social media, bank login, online shopping etc. without having to remember them.
many password managers these days are cloud-based, meaning the password database is stored on the servers of the company offering the service, and you can access these across multiple devices. many also include browser extensions.
!!! WARNING: USING A CLOUD-BASED PASSWORD MANAGER MEANS PLACING TRUST IN THAT COMPANY TO PROTECT YOUR DATA !!!
there are also local password managers that keep their database on your computer/phone/external drive. the trade-off here is trust (and ownership of your data) vs convenience. a well-built cloud manager encrypts the database on your device before uploading it, so the company only ever holds ciphertext, but you're still trusting their client software and the security of your account with them. there are methods to get a local database onto several devices (manual transfer or an automatic file sync) but they're beyond this GUIDE's scope.
How to set this up
i personally use a local password manager (KeePassXC) as i don't trust companies like Bitwarden and LastPass. the former, while open source, added a feature to send files/passwords between users, and the latter is proprietary so it can't be independently audited.
KeePassXC pros:
open source (can be independently audited)
trusted lineage
multiple database support
in-depth encryption options (including a second factor via a cryptographic key file* or a hardware key such as a YubiKey)
strong and customisable password generation
folder-based organisation
password expiry
function to copy a username/password to the clipboard, then clear the clipboard after a timeout (10 seconds by default)
cons:
is local only unless you set up a sync (manual copy or a file-sync tool; KeePassXC can merge two copies of a database if they drift apart)
*(no this isn't that kind of crypto, though that is where those currencies got their name)
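as an added example (not KeePassXC's own code), here's what "strong and customisable password generation" means in numbers: drawing a password or a diceware-style passphrase from the OS random source and computing the entropy of the generation method. the 16-word list and the attacker guess rates are constructed/assumed for illustration only; a real diceware list has 7776 words.

```python
"""
generate database/master passwords with the OS CSPRNG and see where the
strength numbers come from.

added example for this GUIDE, not KeePassXC code. SAMPLE_WORDS is a
constructed 16-word list standing in for a real diceware list (the EFF large
list has 7776 words); the guess rates in __main__ are assumptions.
"""
import math
import secrets
import string

# constructed word list: 16 words = exactly 4 bits per word. a real 7776-word
# list gives ~12.9 bits per word, so six words from it is ~77.5 bits.
SAMPLE_WORDS = [
    "anchor", "basil", "comet", "dune", "ember", "fjord", "glyph", "harbor",
    "iris", "juniper", "kelp", "lumen", "marble", "nectar", "orbit", "pebble",
]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices: int, picks: int) -> float:
    """entropy of `picks` independent uniform draws from `choices` symbols.

    this measures the *generation method*, not any one string, and only holds
    if every draw is uniform and independent, which is why everything below
    uses `secrets` (OS CSPRNG) and never `random`.
    """
    return picks * math.log2(choices)


def random_password(length: int = 24, alphabet: str = PRINTABLE) -> tuple[str, float]:
    """a random-character password plus the entropy of the method in bits.

    deliberately no 'at least one of each class' rule: forcing classes shrinks
    the space slightly, and the bits figure would then overstate strength.
    """
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, entropy_bits(len(alphabet), length)


def passphrase(words: int = 6, wordlist: list[str] = SAMPLE_WORDS, sep: str = "-") -> tuple[str, float]:
    """a diceware-style passphrase: memorable, so suited to a master password."""
    phrase = sep.join(secrets.choice(wordlist) for _ in range(words))
    return phrase, entropy_bits(len(wordlist), words)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """expected time to hit the password at a given guess rate (half the space)."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    pw, pw_bits = random_password(24)
    phrase, ph_bits = passphrase(6)
    print(f"password  : {pw}  ({pw_bits:.1f} bits)")
    print(f"passphrase: {phrase}  ({ph_bits:.1f} bits from the toy list)")
    # assumed attacker rates (illustrative, not measured): a fast unsalted hash
    # versus a database whose key derivation costs ~1 ms per guess per core.
    real_bits = entropy_bits(7776, 6)  # a 6-word phrase from a real diceware list
    for label, rate in (("fast hash @ 1e10 guesses/s", 1e10), ("slow KDF @ 1e3 guesses/s", 1e3)):
        years = crack_time_seconds(real_bits, rate) / (3600 * 24 * 365)
        print(f"  6 real diceware words vs {label}: {years:.2e} years")
```

the point of the last loop is the one the rest of this GUIDE relies on: the database's slow key derivation multiplies the attacker's cost per guess, so the same passphrase goes from "a few hundred thousand years" against a fast hash to effectively never against a properly tuned KeePassXC database.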
Preparation
before setting up your fancy new password manager, i would recommend creating a list (ideally on paper that can be shredded, or on an air-gapped device) of all the accounts and services you currently use. we're gonna weed out the ones we don't need and give ourselves a way to track our progress.
follow these steps:
write down the names of all the services you use, including any you have multiple of (eg Twitter, Private Twitter, Amazon, Reddit, Old Reddit you don't use anymore)
put those you wish to delete into a separate column (mark if you wish to delete and remake)
organise the rest of your accounts into groups; these can be as simple as personal/work or you could split off nsfw content or your social media, however you see fit
Deletion
our next step is deleting the accounts we no longer want. depending on the service, this ranges from easy to impossible; there's also the question of which services hold onto your data even after you delete. the following sites cover most of the major services for deletion or getting a copy of your data:
https://justdeleteme.xyz
https://justgetmydata.com
now we have our accounts nicely organised ! it's time to structure things. with these groups we have a few options:
1 database, folder separation
separate databases, with their master passwords either:
    memorised
    stored in a master database
    stored on an air-gapped device/hardware key
    stored on something non-electronic
each has advantages and disadvantages, but i recommend any of the separate-databases methods: if someone gains access to your socials database they haven't also gained access to your bank account. if you go with a master database holding the other master passwords, it becomes the one thing that unlocks everything, so give it the strongest password plus a key file, and open it as rarely as possible.
Database creation
choose strong (memorable if needed) passwords for your databases. for extra security, let KeePassXC generate a key file as a second factor - just remember you will need both the key file and your password every time you unlock the database, and keep the key file somewhere other than next to the database (a key file sitting alongside the database adds nothing if both are stolen together).
the decryption time slider sets how expensive the key derivation (Argon2) is: a longer unlock time for you means each guess costs an attacker proportionally more, so it's a tradeoff between convenience and security and entirely down to your needs. as these databases are encrypted, they're safe to create backups of. i recommend keeping a backup on an air-gapped device or on external storage media. the backup is protected only by its database password (and key file, if you use one), so make sure that password is strong and store the media in a safe place.
!!! WARNING: IF YOU HAVE NO BACKUPS AND ACCIDENTALLY DELETE YOUR DATABASE FILE, YOUR PASSWORDS ARE GONE. PLEASE MAKE A SAFE BACKUP !!!
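the slider isn't magic: it just picks Argon2 parameters (memory, iterations, parallelism) and writes them, unencrypted, into the outer header of the .kdbx file. as an added example (not KeePassXC's code), here's a small reader that prints the cipher and KDF settings of a KDBX 4 file so you can check what the slider actually produced. the format constants are the public KDBX 4 ones; the sample header it parses when given no file is constructed here, and nothing is decrypted, so no password is needed.

```python
"""
read the unencrypted outer header of a KDBX 4 database and report the cipher
and key-derivation settings. added example for this GUIDE, not KeePassXC code.
the constants are the public KDBX 4 format values; build_sample_header()
constructs a fake header so the script runs offline. only the outer header is
read, never the encrypted payload.
"""
import struct
import sys
import uuid

SIG1, SIG2 = 0x9AA2D903, 0xB67B5F67  # KDBX file signature
# outer-header field IDs used here
END_OF_HEADER, CIPHER_ID, COMPRESSION_FLAGS, MASTER_SEED, ENCRYPTION_IV, KDF_PARAMETERS = 0, 2, 3, 4, 7, 11

CIPHERS = {
    uuid.UUID("31c1f2e6-bf71-4350-be58-05216afc5aff"): "AES-256",
    uuid.UUID("ad68f29f-576f-4bb9-a36a-d47af965346c"): "Twofish",
    uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a"): "ChaCha20",
}
KDFS = {
    uuid.UUID("c9d9f39a-628a-4460-bf74-0d08c18a4fea"): "AES-KDF",
    uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c"): "Argon2d",
    uuid.UUID("9e298b19-56db-4773-b23d-fc3ec6f0a1e6"): "Argon2id",
}
# VariantDictionary value-type tags; fixed-size ones map to a struct format
VD_FIXED = {0x04: "<I", 0x05: "<Q", 0x0C: "<i", 0x0D: "<q"}
VD_BOOL, VD_STRING, VD_BYTES = 0x08, 0x18, 0x42


def parse_variant_dict(data: bytes) -> dict:
    """KDBX VariantDictionary: u16 version, then (type u8, name, value) items, 0x00 end."""
    (ver,) = struct.unpack_from("<H", data, 0)
    if ver >> 8 != 1:
        raise ValueError(f"unsupported VariantDictionary version {ver:#x}")
    pos, out = 2, {}
    while data[pos] != 0:
        vtype = data[pos]
        (nlen,) = struct.unpack_from("<I", data, pos + 1)
        name = data[pos + 5:pos + 5 + nlen].decode()
        pos += 5 + nlen
        (vlen,) = struct.unpack_from("<I", data, pos)
        raw = data[pos + 4:pos + 4 + vlen]
        pos += 4 + vlen
        if vtype in VD_FIXED:
            out[name] = struct.unpack(VD_FIXED[vtype], raw)[0]
        elif vtype == VD_BOOL:
            out[name] = raw != b"\x00"
        elif vtype == VD_STRING:
            out[name] = raw.decode()
        elif vtype == VD_BYTES:
            out[name] = raw
        else:
            raise ValueError(f"unknown variant type {vtype:#x}")
    return out


def parse_kdbx4_header(blob: bytes) -> dict:
    """walk the outer header: 12-byte signature/version, then (id u8, len u32, data) fields."""
    sig1, sig2, version = struct.unpack_from("<III", blob, 0)
    if (sig1, sig2) != (SIG1, SIG2):
        raise ValueError("not a KDBX file")
    if version >> 16 != 4:
        raise ValueError(f"KDBX {version >> 16}.x uses a different header layout")
    pos, fields = 12, {}
    while True:
        fid = blob[pos]
        (flen,) = struct.unpack_from("<I", blob, pos + 1)
        fields[fid] = blob[pos + 5:pos + 5 + flen]
        pos += 5 + flen
        if fid == END_OF_HEADER:
            break
    kdf = parse_variant_dict(fields[KDF_PARAMETERS])
    info = {
        "version": f"{version >> 16}.{version & 0xFFFF}",
        "cipher": CIPHERS.get(uuid.UUID(bytes=fields[CIPHER_ID]), "unknown"),
        "kdf": KDFS.get(uuid.UUID(bytes=kdf["$UUID"]), "unknown"),
    }
    if info["kdf"].startswith("Argon2"):  # the three values the slider tunes
        info.update(memory_mib=kdf["M"] // 2**20, iterations=kdf["I"], parallelism=kdf["P"])
    elif "R" in kdf:
        info["rounds"] = kdf["R"]  # AES-KDF: transform rounds
    return info


def _vd_item(vtype: int, name: str, raw: bytes) -> bytes:
    return bytes([vtype]) + struct.pack("<I", len(name)) + name.encode() + struct.pack("<I", len(raw)) + raw


def _field(fid: int, data: bytes) -> bytes:
    return bytes([fid]) + struct.pack("<I", len(data)) + data


def build_sample_header() -> bytes:
    """constructed KDBX 4.1 header: ChaCha20, Argon2d at 64 MiB / 10 iterations / 2 lanes."""
    kdf = struct.pack("<H", 0x0100)
    kdf += _vd_item(VD_BYTES, "$UUID", uuid.UUID("ef636ddf-8c29-444b-91f7-a9a403e30a0c").bytes)
    kdf += _vd_item(VD_BYTES, "S", b"\x11" * 32)  # fake salt
    kdf += _vd_item(0x04, "P", struct.pack("<I", 2))
    kdf += _vd_item(0x05, "M", struct.pack("<Q", 64 * 2**20))
    kdf += _vd_item(0x05, "I", struct.pack("<Q", 10))
    kdf += _vd_item(0x04, "V", struct.pack("<I", 0x13))  # Argon2 version 1.3
    kdf += b"\x00"
    hdr = struct.pack("<III", SIG1, SIG2, 0x00040001)
    hdr += _field(CIPHER_ID, uuid.UUID("d6038a2b-8b6f-4cb5-a524-339a31dbb59a").bytes)
    hdr += _field(COMPRESSION_FLAGS, struct.pack("<I", 1))
    hdr += _field(MASTER_SEED, b"\x22" * 32)  # fake
    hdr += _field(ENCRYPTION_IV, b"\x33" * 12)  # fake, ChaCha20 nonce size
    hdr += _field(KDF_PARAMETERS, kdf)
    return hdr + _field(END_OF_HEADER, b"\r\n\r\n")


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    for key, value in parse_kdbx4_header(blob).items():
        print(f"{key:12} {value}")
```

run it with the path to your own .kdbx to see the memory/iterations pair the slider chose; if you ever find AES-KDF with a low round count on a database you care about, that's a sign the database was created with old defaults and should be re-saved with Argon2 and a higher decryption time. the header is not secret, but in KDBX 4 it is integrity-protected, so this script only reads it.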
Migration
now it's time to migrate. using the organised sheet you created earlier, go through one-by-one and add each account. this is a good time to check the settings on each account, change its password (using KeePassXC's generator, so no two accounts share one), turn on 2FA where it's offered, and disable what tracking/data collection you can.
here are some useful links - i recommend switching from gmail/hotmail/yahoo to something more secure, and reading up on dark patterns (how companies trick you into being tracked or buying services):
email alternatives (will expand into a proper post later):
https://protonmail.com
https://tutanota.com
https://posteo.de
dark patterns
privacy addons
cookies
Next Steps
that's it !! just remember to update your passwords (straight away if a service you use is breached), keep your personal and work stuff from cross-contaminating, and don't overshare personal information !!! there will be more GUIDEs and REPO links to other aspects of privacy and security in the future. password managers are only the tip of the iceberg