This is written for members of my family who are starting out with PCs on the internet (no comments here about Apple).
Install Webroot WSA - it uses less of your computer's power running in the background than other AV tools. Remember to run scans regularly - don't just rely on it working in the background.
Putting your data on a separate 'partition' of the disk from Windows etc. is a good idea and may enable you to recover your data, e.g. when Windows dies. If you are new to computers, it is best to get help, even though it is straightforward. This guide seems clear (like much from Tom's Hardware). Make sure your application data (such as email) is on the new partition.
Install CCleaner - this is useful for removing crud from your computer - do regular cleaning, including cookies. It is also good for uninstalling programs, and for choosing which programs you want to run when the computer starts up. CCleaner is also available as a PortableApp (see below).
If you don't want to use CCleaner for some reason, you can set up Windows
to remove crud.
is a good introduction to staying safe on the internet. Read
it and then come back here.
Internet security is now so complex that working out your personal threat profile is probably impossible. Treat security like dieting or exercise: do the important things first and then keep working at it at a manageable pace.
Now go and read it properly, then come back.
The Robert Graham Project says "I think the most important security precaution is to lie to computers compulsively". This includes made-up user names, multiple email addresses, fake answers to security questions, and multiple mobile phone numbers. If you think the other side is playing fair, read this (technical, I know).
Security questions are broken - more than you would think. Fake answers (that you record safely!) are becoming essential. The first school Robert Graham went to was &*O)IYHPU&G!!!.
Generating a fake identity can be helped with this.
It is worth remembering that Ross Anderson, Professor of Computer
Security at Cambridge, does not use online banking because the risks are all with the customer.
Update: you might want to take the Data De-tox to remove any unwelcome public data about yourself.
1. Re-using passwords.
Checking for data breaches is very sound advice, and not often given. Do this first and regularly. Data breach is the main threat for most of us, and this is why re-using passwords is such a bad thing.
Google, Facebook, and PayPal seem to take our security seriously. If you can use them as a login, that might reduce the risk. Minimising the number of people with your credit card details is prudent.
Don't let your browser store your passwords and fill in forms -
that seems to be broken.
See also here.
If you have a password manager, it might be as well to disable auto-fill for forms (if it will let you).
My limited experience of a password manager (Dashlane) is mixed. A book, and a password generator set to give you a readable password (passphrase), might be better to start with. NCSC advice is to use passphrases: 4 random dictionary words or CVC-CVC-CVC style passwords, picked for memorability. Advice from Angela Sasse: "A longer password is preferable overall, but that has its own problems,...More than 50% of passwords are now entered on touchscreen devices, and longer passphrases create a significant burden on touchscreen users. ...Passwords are rarely cracked by brute force. They are mostly captured through phishing and malware, and with those attacks it does not matter how long or complex your password is."
Unfortunately, password strength meters (things that tell you if your password is weak or strong) are not good indicators of real strength.
Use a password manager for all the unimportant sites, and something personal for the vital ones.
Mark Burnett: "Always remember the three main authentication factors: what can be easily guessed, what can be left in a cab, and what can be chopped off."
Two Factor Authentication (2FA). Yubikey has not got the idea of usability (yet). This guide to it was recommended by Zeynep Tufekci. A good idea if you can get the hang of it (not on day one perhaps). Biometrics (including Face ID and fingerprint ID) look like being more trouble than they are worth, but if long passcodes for a fully-used smartphone are too hard, then they are probably better than nothing. Barton Gellman points out you can make this less painful with an all-numeric PIN: "11 digits or more provide strong security. Big advantage: you get the big-button number pad on the unlock screen. It has to be a truly random number. Your idea of “random” isn’t." [I am not an expert, but I suspect the randomness required and number of digits is a function of how much you are under threat from major adversaries.]
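As an added example (not from the original page or from any of the people quoted above), here is a small Python generator for the three formats discussed: 4-word passphrases, CVC-CVC-CVC passwords and an all-numeric PIN, each drawn from the operating system's cryptographic random source rather than from memory, with an entropy estimate so the formats can be compared. The word list is a constructed placeholder; the 7776-word list size used for the estimate is an assumption standing in for a real diceware-sized list.

```python
import math
import secrets
import string

# Constructed mini word list for illustration only; a real passphrase
# generator needs a large list (thousands of words), e.g. a diceware list.
SAMPLE_WORDS = ["apple", "beacon", "cobalt", "donkey", "ember", "falcon",
                "garnet", "harbor", "island", "jigsaw", "kettle", "lantern",
                "meadow", "nickel", "orchid", "pebble", "quartz", "ribbon",
                "saddle", "timber", "umpire", "velvet", "walnut", "yonder"]

VOWELS = "aeiou"
CONSONANTS = "".join(c for c in string.ascii_lowercase if c not in VOWELS)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when each of `length` positions is drawn uniformly
    (via a CSPRNG such as `secrets`) from `alphabet_size` equal choices."""
    return length * math.log2(alphabet_size)


def passphrase(words=SAMPLE_WORDS, n_words=4, sep=" ") -> str:
    """NCSC-style passphrase: n random dictionary words."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def cvc_password(groups=3, sep="-") -> str:
    """CVC-CVC-CVC style password: pronounceable consonant-vowel-consonant groups."""
    def cvc() -> str:
        return (secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                + secrets.choice(CONSONANTS))
    return sep.join(cvc() for _ in range(groups))


def numeric_pin(digits=11) -> str:
    """All-numeric PIN from the CSPRNG, never a date or phone number."""
    return "".join(secrets.choice(string.digits) for _ in range(digits))


def strength_table(wordlist_size=7776) -> dict:
    """Entropy (bits) of each format, assuming uniform random selection.
    wordlist_size=7776 is an assumed diceware-sized list, not SAMPLE_WORDS."""
    cvc_choices = len(CONSONANTS) * len(VOWELS) * len(CONSONANTS)  # 2205
    return {
        "4 words": round(entropy_bits(wordlist_size, 4), 1),
        "cvc-cvc-cvc": round(entropy_bits(cvc_choices, 3), 1),
        "11-digit PIN": round(entropy_bits(10, 11), 1),
    }


if __name__ == "__main__":
    print(passphrase(), "|", cvc_password(), "|", numeric_pin())
    print(strength_table())
```

The table shows why the NCSC suggests four words: a 4-word passphrase from a large list carries more entropy than the CVC form or an 11-digit PIN, and all three only hold if the choice is made by the CSPRNG rather than by you.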
2. Locking phone
How much do you need to use your phone? Maybe it doesn't need to be a repository for your life. Android phones are not a good place to keep secure matters, whereas iPhones can be OK. Maybe you use a cheap feature
phone for some / all of the time? Cheap alternative phone numbers sound a
4. Adblockers and browsers
Perhaps use Chrome with a particular Google ID for transactions that matter and a different browser for other matters. Your computer may not support two browsers open at once, because they are so resource-hungry. As regards adblockers, I use Ghostery, happily. Opera has one built in. Chrome is going to get one fairly soon (from Google). Adblockers are worth it. Read Section C from DecentSecurity here.
Using the cloud helps, but remember 'the cloud' is short for 'someone else's computer'. I haven't used Framasoft but it is an alternative to Silicon Valley. Sort out a device to do backups for any data that matter to you ("you only need to clean the teeth you want to keep" - same thing with data and backups). FreeFileSync will give you more capability than you need, is not too hard to learn, and is blisteringly fast. It is also available as a PortableApp. For important items such as photographs, it is worth investing in 'archival Blu-Ray' - an external Blu-Ray read/write drive is not that dear.
6. email accounts
Go and read the advice again.
Email client: You can use webmail for basic purposes just fine, but an email client means you have the emails on your machine (and can back them up). Chaos Intellect is a great client for PCs etc.; it can run on a memory stick, and has a great approach to use on phones. It isn't free, but is well worth it - not least for the quality of support. If you are restricted to free, then the Opera email client might be a good choice. If you are into chat, it can handle that as well.
You will need several email accounts. A Gmail account makes sense, as everyone has one. If your ISP offers email accounts, that is another. Then maybe Yahoo, or Zoho. If you start to use Zoho seriously, you will need to pay a subscription, but you could do much worse.
@pogue25 recommends using disposable email addresses when you have to
give an email address to a site that is bound to spam you. This
If you do get stung and locked out of your computer by Ransomware, then it is possible that the keys can be found here.
MS Office really likes to run macros - the major risk from dodgy email attachments. Unless you really, really need it, don't install it. Use LibreOffice.
If you are going to be using other people's computers (or the ones at the library) to help you learn, then it may be a good idea to put applications on a memory stick. PortableApps is a bit more complicated to use than having applications installed on the computer - but only a bit. It reduces the demands on the computer and allows you to take just a stick with you. You can also install the Opera browser on a memory stick (or on your computer). It is pretty good, and it would mean that your bookmarks travel with you easily. PortableApps include the Opera browser and email client, but since these are the main applications, it might be worth installing them on the USB stick directly.
Photos on social media
The pace of facial recognition on social media is alarming. The Spartacus
Hack may well be worth doing. Just put up some misleading pics and
There is good advice here and here.
The dos and don'ts here are for folk at higher risk than many (including break-ups and stalking), but the more you follow them, the safer you'll be. Advanced material here.