
Personal security / Internet opsec / anti-doxxing 101
A practical guide to protecting yourself online.
The canonical version lives on Google Docs where anyone can suggest improvements:
View and contribute on Google Docs →
The Reality
Security is about trade-offs. Perfect security doesn’t exist, but you can make yourself a much harder target with just a few hours of setup.
First step: Check haveibeenpwned.com to see if your email/passwords have been exposed in data breaches. This will motivate you.
Mandatory (Do These Now)
1. Use a Password Manager
Use 1Password or Bitwarden. Always, always, always.
Why? When a service gets breached (and they all do eventually), attackers try the stolen credentials on other sites. If you reuse passwords, one breach compromises everything.
A password manager lets you use unique, strong passwords for every site without having to remember them.
2. Enable Two-Factor Authentication (2FA)
Turn on 2FA for all important accounts: email, banking, social media.
Use an authenticator app (1Password, Authy, Google Authenticator) rather than SMS. SIM-jacking attacks can intercept text messages.
Priority accounts:
- Email (this is the master key to everything else)
- Banking and financial services
- Social media
- Cloud storage
3. Freeze Your Credit
Lock your credit reports with all three bureaus to prevent identity theft:
This prevents anyone from opening new accounts in your name. You can temporarily unfreeze when you need to apply for credit.
4. Lock Your Phone Number
Call your cell carrier and say: “I am concerned about my security. Please do not allow porting my number under any circumstances without additional verification.”
This prevents SIM-jacking attacks where someone convinces your carrier to transfer your number to their SIM card, then uses it to bypass 2FA.
5. Secure Your Devices
- Use strong passwords/PINs (not 1234 or your birthday)
- Enable auto-lock after 1-2 minutes of inactivity
- Turn on disk encryption:
  - Mac: FileVault (System Preferences → Security & Privacy → FileVault)
  - Windows: BitLocker
  - iPhone/Android: Enabled by default with a passcode
Recommended
Keep Everything Updated
Enable automatic updates for your operating system, browsers, and apps. Most attacks exploit known vulnerabilities that have already been patched.
Use a Virtual Phone Number
Services like Google Voice give you a separate number you can use for signups, reducing exposure of your real number.
Audit Your Accounts
Periodically review:
- What apps have access to your Google/Facebook/Twitter accounts
- What devices are logged into your accounts
- Recovery email addresses and phone numbers
Use Encrypted Messaging
- iMessage (Apple to Apple)
- Signal (cross-platform, gold standard)
- WhatsApp (end-to-end encrypted, owned by Meta)
Cover Your Webcam
A piece of tape works. Paranoid? Maybe. But it costs nothing and eliminates a real (if unlikely) attack vector.
Advanced
Network Monitoring
Little Snitch (Mac) shows you every network connection your computer makes. Eye-opening.
VPN
A VPN encrypts your traffic between your device and the VPN provider and hides your IP address from the sites you visit. Useful on public WiFi and for privacy from your ISP.
Reputable options: Mullvad, ProtonVPN, IVPN
Encrypted Email
ProtonMail, based in Switzerland, offers end-to-end encrypted email.
Private Search
DuckDuckGo doesn’t track your searches.
Canary Tokens
Canary Tokens are tripwires that alert you if someone accesses your files or accounts.
Data Brokers
People-search sites aggregate and sell your personal information. You can opt out, but it’s tedious.
DeleteMe is a paid service that handles opt-outs for you automatically.
Manual opt-out guides:
More Resources
Originally written 2018. Suggest improvements on Google Docs →