This is part one in what will be a series of blog posts on security. The series will cover things from security essentials to data removal to deep opsec.

Part 1 will be focused on very generalized security practices, because security shouldn’t just be for tech enthusiasts and professionals, everyone needs some.

I’m Lillian, a software engineer with extensive experience in malware development, primarily focusing on x86_64 Windows platforms. My background includes gamehacking, malware analysis, and more, giving me unique insights into both offensive and defensive security practices.

Don’t feel overwhelmed by the thought of having to do every little thing outlined below, and especially not all at once. This is meant to be a nice starting resource for people and an outlet for me to write. The absolute most important section in the entire post is definitely Account Security, and is the biggest thing we all need without question.

Table of Contents

1. Definitions
   1. Acronyms
2. Documentation
   1. Storage Requirements
3. Device Security
   1. Phones
   2. Windows Computers
   3. Apple Computers
4. Account Security
   1. Passwords
   2. Password Managers
   3. Two-Factor Authentication
   4. Privacy
5. Data Security
   1. Backup Strategies
   2. Encryption
   3. Data Deletion
6. Conclusion
7. Educating Others

Definitions

• opsec: Operational security.

Acronyms

• 2FA: Two-Factor Authentication.
• MFA: Multi-Factor Authentication.
• PII: Personally identifiable information
• TOTP: Time-based one-time password
• SMART: Self-Monitoring, Analysis and Reporting Technology

Documentation

Documentation is not optional, it’s essential for security maintenance

Document every security measure you implement. While this may seem tedious, it becomes invaluable in many circumstances, including:

• Troubleshooting issues
• Setting up new devices
• Recovering from an incident
• Educating others and yourself further
• Maintaining consistency

Storage Requirements

• Must be stored offline (such as a physical notebook) or on an airgapped system
• Avoid storing it in the cloud or on any system that frequently connects to a network

The easiest forms for this are a plain text document or physical notebook. You should have at least two copies available, as things do go wrong from time to time.

This information contains sensitive details about your security setup. Keeping documentation completely independent of technology provides the best protection.

Remember: The time you spend documenting now will save you hours of frustration later and could be crucial when an incident occurs.

Device Security

Phones

⚠️ If your phone is rooted I would highly recommend flashing back to a non-rooted rom, you don’t need root access and it tends to defeat the purpose of putting forth the effort to secure your device in the first place.

This section could vary depending on the ROM/OS of your device, but for the most part everything should apply.

The first thing is to set a passcode on your phone—not FaceID, not fingerprint, just a numeric (or alphanumeric!) code.

In America, it’s legal for police to force you to log in to your phone if it’s “protected” via biometrics. Using a pin simply allows you to have your 5th ammendment back.

Afterwards go ahead and just get rid of any apps you don’t use, make sure that some random app doesn’t have every permission granted etc.

Phone OSes are constantly adding and modifying privacy settings, you should review them after every OS update. Find wherever the security/privacy settings are for your device and opt out of anything that shares unnecessary data or “feels off”.

Phone browsers are annoying to configure for adblocking, Chrome on Android doesn’t offer any extensions but thankfully Firefox does so you can install uBlock Origin there. Basically you just need to find a browser that isn’t complete spyware (i.e chrome and most chromium based browsers) and also allows for adblocking.

On iOS as far as I’m currently aware the Browser situation is much more dire as everything is just a Safari frontend. I don’t have a ton of advice here, you’ll just need to research this on your own.

Windows Computers

First, Make sure your UAC (User-Access Control) settings are set to “Always Notify”, this may seem annoying but, it’s very worth it. (You can find these settings by searching for ‘uac’ in the start menu or Control Panel)

When it comes to Antivirus software for most people Windows Defender will be plenty good enough, and in most cases if you’re currently using something third party it’s most likely considerably worse than Defender. If you insist on using a different Antivirus I would recommend BitDefender, it has a free tier that’s great from what I’ve heard.

Now, let’s get rid of some of the Microsoft crap. I personally use chris titus’ winutil for debloating my system, I would recommend also going to the “updates” tab in it and putting on the “Security” update cycle. This reduces the frequency of “feature updates” to every two years, and security updates to four days. Feature updates very often seem to lead Windows computers to instability for no gain. Security updates are more important but every once in a while have bugs that can make your system unstable, but they’re usually pulled back and fixed before you’d get them at that point. Afterwards I generally run O&O Shutup 10 and disable most of the telemetry that O&O says won’t reduce any functionality of the system.

Afterwards just make sure you aren’t using a spyware browser, even Firefox by default isn’t great but there’s forks of it such as Librewolf that offer much better defaults. (honestly, I just use regular Firefox for convenience and bite the bullet)

Apple Computers

When it comes to security MacOS is a very hardened OS, which is amazing as an end user.

Of course the downside is that it’s Apple, telemetry hell (You can say this about most OS’ though). You can disable a lot of the OS telemetry but not the telemetry that comes with a lot of the Apple Apps. Weather, News, Maps, and such each have explicit tracking for example. You’ll want to go through the Security & Privacy settings to reduce as much telemetry as possible from Apple, and switch off of using the default Safari Browser to something like Firefox or Librewolf, and probably find privacy-respecting alternatives to any Apple App that you can.

Account Security

Passwords

This section will mainly go over how to create passwords that are sufficient against various types of bruteforce attacks.

There’s two main ways people create passwords to meet that criteria: randomness, and passphrases.

A random password may look something like q8!TtmX*3^jJyq&gXMAn while a passphrase may look something like Curly.Untamed.Satchel.Semester.Confusion.

This section exists even though we have a Password Managers section because, those need passwords too, and if that one isn’t secure then your stored ones aren’t either. You also don’t want to store every single password inside of your password manager for various reasons, for example, I don’t have my bank login stored there.

Random Passwords

For random passwords, you should use an application made for generating secure passwords. While computers cannot be truly random, they’re considerably better than humans at producing random values, and every modern computer has some cryptographically secure pseudo-random number generator available. Randomly generated passwords are extremely hard to remember, you should store it securely, preferably a password manager. (See: Password Managers)

If storing it in a password manager isn’t a choice, then I would recommend doing so on paper and putting it somewhere safe.

Passphrases

This is how I personally prefer to create passwords as they’re much easier to remember than random characters, and there’s a lot of room for making your own tricks to make them even harder to bruteforce.

A passphrase is something you want to be able to remember, how you decide what the passphrase will be I’ll leave up to you for the most part, but just don’t make it something like firstname-momsname-lastname-birthyear.

I mentioned something about tricks, what I mean by that is say you’ve thought of a phrase for a site: Cat Meow Banana Mrrp Lizard. You can create a unique method of mutating the passphrase and set that as your password, of course this means you have to remember how you mutate the passphrase and the passphrase itself though.

For example you could add dashes, spaces (yes, on most sites passwords can have those!), periods, carets (^), or whatever else is valid for that site!

So your Cat Meow Banana Mrrp Lizard could become something like (!Cat@Meow#Banana$Mrrp%Lizard^).

I would highly recommend writing down your passphrases on paper and storing them somewhere safe, just in case.

Password Managers

Do you already have a password manager? If so, good! You can read the rest of this section if you like, but you can skip to Two-Factor Authentication.

There are plenty of different password managers good for their own reasons. To start, I’ll list a few I have personal experience with:

• Bitwarden: Free (There is a paid plan, but most features aren’t locked behind it), Open-Source. Can be used from any device. Good record of security.
• KeepassXC: Free, Open-Source. Local storage with options for automatic backups, encryption, and more.
• Proton Pass: Free (There are paid plans, but most password managing functionality is free), Open-Source apps (Backend is proprietary)

PSA: Stay away from LastPass, as it has a horrid security record and have had breaches almost yearly for quite a while as of late 2024. Their free plan also became nearly useless around 2017, though this could have changed since.

There are plenty of other good password managers out there, cloud and local, you’ll just have to do some research and choose what you think fits you and your situation best.

If I had to recommend one, it would be Bitwarden for sure. I’ve used it for a long time, nearly all of my friends use it, and I’ve heard barely anything negative about it at all (Well, my wife doesn’t like the new UI changes I guess :p).

Two-Factor Authentication

2FA adds a crucial layer of security to your accounts, but not all 2FA methods are equally secure. I’ll give a brief example of a method that could make you less secure, and then explore a much more secure way.

SMS 2FA is bad, especially in America, where it’s often worse than having no 2FA at all. Some may see that as an exaggeration or outright false, but with how easy it is to SIM-Swap someone here and just how rampant it is, I disagree. Way too many services not only allow you to do 2FA through SMS, but also password resets and in a few cases email resets as well! These services make SMS 2FA worse than no protection at all, because attackers don’t need your password in that case. To really drill it in, millions of dollars in crypto-currency is stolen every single year where sim-swapping was one of the main tactics used, this is an oversimplification on how these teenagers (yes, teens, it’s not hard) are doing it but I’m not about to write a “how to fraud” post :p.

2FA is widely described as a pick two: Something you know (Login information, security questions), Something you have (Phone, Other device, Security Key), or Something you are (Biometrics). There’s also MFA (Multi-Factor Authentication) which 2FA is a form of, but can also involve more than two factors. I will not be covering any of that here as I don’t think it’s applicable for the vast majority as they want a good middleground between security and convenience.

There are many forms of 2FA, I will be covering TOTP (Time-based One-Time Password) as it’s the most supported and easy to use forms of 2FA yet incredibly effective. TOTP combines “Something you know” and “Something you have”.

So, what is it? In brief, TOTP 2FA works when a server gives you a QR code, a secret key, or both. The QR code in reality just has the data of that secret key and the website for various apps to parse. Using the secret key and the current system time, it generates a code, over 99% of the time the code will be 6 ascii digits, though not always the case.

To get started you’ll need an application to generate you these codes, here’s some for mobile platforms I can personally recommend, though there are many, many more good options that exist.

Android

• Aegis
• 2Fast

iOS

• 2Fast
• Raivo OTP

There are desktop options available but I would highly recommend using your phone for TOTP generation over your main computer as your computer is much more likely to be compromised and a potential attacker gaining access to both your login credentials and 2FA secrets is a horrible scenario to be in.

Okay, you’ve made a choice, The first thing you want to have 2FA on is your password manager, as it will be one of your biggest points of failure especially if you’re using a cloud service. Once that’s setup, then look at your accounts and in order of most important to least important enable TOTP 2FA on everything you can. Some websites may force you into SMS 2FA (i.e Twitch) to enable TOTP 2FA which is highly unfortunate, it will be up to you to decide whether or not to enable it for that service, in most cases for most people it should be okay despite my earlier warnings, but if you understand your threat model and believe it would make you less secure overall, I believe it makes sense.

Privacy

You should be sharing as little PII (Personally identifiable information) about yourself as possible on things like social media sites, forums, and such. Some people’s professional lives exist on the internet, though so in some cases this is less possible, but if that’s not the case then you’re exposing information about yourself for zero reason at all.

Another simple thing is to always delete accounts you do not use anymore, Never leave accounts dormant. If a website does not allow you to delete an account you’ll have to find a way to contact them to send them a data removal request, basically every site nowadays complies with these due to GDPR even if you aren’t based in a EU country.

Data Security

Backup Strategies

One of the most common strategies for backing up data is 3-2-1. 3 copies, 2 different media types, and 1 off-site backup. Though, it does come with a financial cost which not everybody can cover.

I could infodump about NAS software and tons of different setups you could do, but this is not the place for that. Instead, I’ll go over a basic backup plan that’s simple and much more affordable for many.

To start off you want to be backing up your most important data first. Usually important means sensitive as well, so you’ll want to encrypt any cloud backups (and maybe even local copies too!).

There are many ways to encrypt files; see the Encryption section.

When it comes to cloud backups there are loads of different providers and ways to go about it, if you don’t do a lot of file reading you may consider object storage, Hetzner has their storage boxes, backblaze has their own backup solutions, proton has a google-drive alternative, etc etc. In every case there will be some cost to it though, and if there’s not then you are the product.

Depending on the type of data, you could always go super simple and just have a secondary hard drive which would make it a one-time cost. I will always recommend trying to keep at least two different copies of your data though, especially if it’s important. A random failure can happen at any time, even if unlikely.

You should also be periodically checking your backups, this is crucial for ensuring no data loss.

You should as a minimum:

• Test restores
• Validate data integrity via file hash or some other method
• Check for any drive errors, SMART (Self-Monitoring, Analysis and Reporting Technology) status, etc
• Make detailed documentation of all your checks, especially if you find any issues, be sure to document solutions as well.

Some cloud services:

DropBox

Hetzner Storage

BackBlaze Backup I don’t have a ton to say about it, it’s transparent encryption so the password you use for it is used to automatically encrypt and decrypt files uploaded to their service. Though, you should be manually encrypting any sensitive data regardless.

Encryption

Encryption is essential for protecting sensitive data both at rest and during transfer. Here’s an overview of reliable tools for different encryption needs:

File Encryption

Age

CLI encryption tool great for encrypting backups or files. It supports both password-based and key-pair encryption, making it great for many uses.

Picocrypt

If you’re more comfortable with a GUI, Picocrypt is great. It uses modern encryption standards (XChaCha20 + Argon2id) and includes built-in integrity checking. It’s amazing for less technical beginners while still being secure.

Full Disk/Volume Encryption

VeraCrypt

It can encrypt entire drives, create encrypted containers, and also supports hidden volumes for plausible deniability. Works great across different operating systems and has extensive documentation.

BitLocker

Built into Windows Pro/Enterprise. If you’re using Windows, this is the path of least resistance. It’s best used with a TPM chip, though one is not required.

FileVault

MacOS’s built-in encryption. It’s integrated with Apple’s hardware security features and supports encrypted backups with Time Machine.

Linux Full Disk Encryption

LUKS - Linux Unified Key Setup

It’s the most commonly used standard and is included with most distributions. Can individually encrypt partitions or all of them, most OSes have an easy setup option during installation but it can be used on an existing installation too.

Most distributions offers easy Disk Encryption in their setup, typically using LUKS. For desktop users, KDE’s Partition Manager and GNOME’s Disks application both provide easy GUI’s for managing encrypted volumes. If you’re stuck to CLI, cryptsetup is great.

⚠️ If you’re dual booting with Windows, make sure to encrypt both Operating Systems separately rather than trying to share encrypted partitions between them. It will not work.

Best Practices

• Always backup your encryption keys/passwords - Store them securely and separately from the encrypted data
• Use strong passwords - See the Passwords section
• Periodically Test decryption before relying on encrypted backups, they become useless if something went wrong
• Document everything
  • What tools you’re using
  • Where and how keys are stored
  • How to recover data

Important Notes

• Without backing up the key, encrypted data is permanently lost
• Always encrypt sensitive data before uploading to cloud services

The strength of your encryption largely depends on key security. The strongest encryption is useless if your password is insecure or stored improperly.

Data Deletion

When you “delete” a file through normal means on most operating systems, you’re only removing the link to where that file exists on the disk—the actual data remains until it’s eventually overwritten by new data. This means others can potentially recover your “deleted” files.

Secure data deletion ensures both the link and the physical data are destroyed by overwriting the data multiple times with either zeros or random data. While this is more secure, it’s also significantly slower, which is why it isn’t the default deletion method.

Windows

• SDelete is Microsoft’s official secure deletion tool
• Eraser is third-party but offers an easy to use interface

macOS

On non Apple Silicon Mac devices you can use the built-in Secure Empty Trash functionality, but this has been removed due to SSDs being very different from HDDs.

All is not lost though as on any Mac with a T2 security chip has data automatically encrypted on rest even without enabling FileVault. If you reset your drive using Disk Utility or through their factory reset the data is no longer recoverable.

Linux

ArchLinux Wiki entry on secure deletion.

• wipe - Similar to shred but with a few more options such as directory wiping
• secure-delete includes:
  • srm (secure remove)
  • sfill (secure free space wiping)
  • sswap (secure swap wiping)
  • smem (secure memory wiping)
• shred - GNU Coreutils CLI that overwrites the actual data
• nvme - Useful CLI for NVMe drives, includes format command which can be used for secure deletion
  • nvme format --ses 1 Will do a complete erasure

Important Notes

• SSDs: Traditional secure deletion methods may not work reliably on SSDs due to wear leveling and other optimization techniques. The best approach for SSDs is to use the drive’s built-in secure erase command or full disk encryption from the start

The most secure way to handle sensitive data is to encrypt it from the beginning.

Conclusion

Security is an everlasting game of cat and mouse, not a one time setup. While this guide covers basics, it’s important to regularly review and update your security practices as threat actors become more advanced. Research as much as you feel the need or want to, it always helps.

Perfect security doesn’t exist—it’s about finding the right balance between security and convenience for your specific needs. Start with the basics outlined here, document everything, and gradually increase your security as you learn.

You don’t have to feel overwhelmed by the thought of having to do every little thing in one go, instead start with the most important changes:

• Setting up a password manager
• Enabling TOTP 2FA on important accounts
• Creating secure backups of important data
• Documenting your security setup

The most secure system is one you’ll actually use, so make changes that increase security while not making you want to throw it all a way.

Educating Others

Education around these topics is so important, yet the average person on the internet has zero security awareness. We must educate others, especially our closest friends and family.

When trying to help someone with security, you must remember that not everyone is technical—be patient, be kind, and be understanding.

An easy way to get the ball rolling with someone is by explaining the implications of having poor security using common examples, like account hijacking, fraud, and identity theft. For non technical people you should focus on it being as simple as possible, give them actions/steps instead of all of the details. Make sure you know where they’re at in terms of security and knowledge, someone who’s never used a password manager before is much different than someone who just wants to improve their existing security. Finally, be patient. People who’ve never thought about security in this way can be extremely overwhelming, any progress is amazing.

Some people may retort with a phrase like “I don’t have anything to hide”, “It’s too complicated”, “I’m incapable of remembering all of this”, ensure they understand that the most sensitive details are the most important to secure, things like:

• Bank details
• PII - Such as SSN, drivers license photos, passport photos, medical records, etc
• Work documents
• Business related information and documents (if applicable)

We aren’t trying to make everyone a security expert, we just want to help people develop better habits that meaningfully benefit them without the removal of all convenience.