
Ask HN: What does your personal security/privacy stack look like? - sherlock_h
I am thinking about making my private life more secure. This includes thinking about 
a) a new email provider (currently Gmail with 2FA)
b) limiting tracking on websites, changing all my weak passwords, deleting all unused accounts (using 1Password, uBlock Origin currently)
c) more secure way to store my financial assets (currently Marcus, Coinbase, BofA, Chase, all with 2FA)
d) consolidating between my Google and Apple accounts (using Chrome on Mac) – both collecting a ton of data and passwords are often saved between the two
e) any other advice?
======
decasteve
Here are a few bits about my digital life:

1) I've been running my own email server on a VPS hosted by OVH since 2015
(dovecot+postfix). I also have a number of other email accounts. All of the
remote email gets moved and aggregated to a dovecot/IMAP server at home which
I can access from anywhere via dynamic DNS.

2) I use Firefox and sometimes the Tor Browser for the web. uBlock Origin and
NoScript. I whitelist only JavaScript from trusted sites and only what is
necessary to view/interact with the content. It's a bit cumbersome at first
but after a while it gets to be routine.

3) I run a PC Engines apu2 [0] as my main router at home and it runs OpenBSD
with the pf firewall and unbound for DNS. I maintain a blocklist/blacklist
that is likely functionally equivalent to Pi-hole [1].

4) I keep offline backups with a drive in a safe at home and another offsite
that I sneaker-net to my parents' house.

[0] [https://pcengines.ch/](https://pcengines.ch/)
[1] [https://pi-hole.net/](https://pi-hole.net/)
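
The "blocklist/blacklist in unbound" idea above, as an added example that is not the commenter's own setup: a small Python converter that turns a hosts-format blocklist (the format Pi-hole consumes) into unbound `local-zone` directives. The sample list is constructed for illustration; the domains in it are not a real blocklist, and the output path in the usage note is an assumption.

```python
import ipaddress
import re

# Constructed sample in hosts-file format (not a real blocklist).
HOSTS_SAMPLE = """\
# comment line
127.0.0.1 localhost
::1 localhost ip6-localhost
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.com   # trailing comment
0.0.0.0 Tracker.Example.com
0.0.0.0 metrics.example.org.
not-an-address stray.example.org
"""

# Names present in every hosts file that must never be turned into blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def hosts_to_domains(text):
    """Extract blockable hostnames from hosts-file text: strips comments,
    skips lines without a leading IP address, normalises case and trailing
    dots, drops loopback aliases and malformed names, and de-duplicates
    while preserving list order."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # hosts format requires an address in column one
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            labels = name.split(".")
            if (name in LOCAL_NAMES or len(labels) < 2
                    or not all(LABEL_RE.match(label) for label in labels)):
                continue
            if name not in seen:
                seen.add(name)
                out.append(name)
    return out


def unbound_blocklist(domains, action="always_nxdomain"):
    """Render unbound local-zone directives. always_nxdomain answers NXDOMAIN
    for the name and everything below it, which is stricter than Pi-hole's
    exact-match default; use always_refuse if you prefer REFUSED."""
    return "".join(f'local-zone: "{d}." {action}\n' for d in domains)


if __name__ == "__main__":
    print(unbound_blocklist(hosts_to_domains(HOSTS_SAMPLE)), end="")
```

Write the rendered directives to a file (for example `/var/unbound/etc/blocklist.conf`, an assumed path; unbound on OpenBSD runs chrooted under `/var/unbound`), pull it into the `server:` section of `unbound.conf` with an `include:` line, and run `unbound-checkconf` before restarting, since one malformed name will stop unbound from loading the whole file.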

------
giantg2
You can check out pi-hole to block ads (reduces tracking). While setting that
up, it's a good idea to evaluate your router configuration to see if you can
harden it.

Then there's the usual stuff: duckduckgo for search, ditch chrome for
something like Mozilla, etc. You could use Tor or a private VPN, but that
might be overkill and probably not as secure as many think.

------
ykdxq2ke47ebuqi
In no particular order:

* create throwaway accounts as necessary with no PII

* use a VPN on any network where I do not have insight into or control over the infrastructure.

* use a password manager. Have previously used LastPass, currently use 1Password.

* Back up the data from the password manager on some frequency. I export my vaults from 1Password approximately every quarter, encrypt the results, and store that on an offline drive I have.

* Do almost all browsing in Firefox configured to erase all cookies and other site data every time it's closed. Yes, this is a pain in the ass.

* 2FA everything. Disable 2FA over SMS when possible.

* My "recovery" email is a paid service I use for nothing else. I don't send mail from it. I don't use it as the primary email on any accounts. It has 2FA. It does not have an address book. Delete any recovery emails sent after use; there's no archive of mail.

* For all financial accounts, the account email (e.g. ykdxq@example.com) is an alias to an email account. The email account is only used for financial services. The login username is a 32-byte sha1 hash from /dev/random piped through base64. The password is 64 bytes, stored in my password manager. The account has 2FA. If you have the account email and even (somehow) the password, you cannot log in, as the email is not the login for the account.

* I will not use a financial service that does not provide some level of non-SMS 2FA.

* My primary email address is a paid G Suite account. It has 2FA set up in multiple ways. I use it for all email and most non-financial online accounts. I keep two years' email in it, periodically manually archiving email to mbox format and then deleting it (I do not use Google's data retention policies).

* My public cell phone number isn't tied to a physical phone. I do not use it for 2FA. When I need a number for 2FA I use a non-public cell phone number I do not use for anything else. I am still susceptible to SIM swapping and am still looking for a better solution here.

* I keep the text string of every TOTP QR code in an encrypted disk image. The default state of the image is locked, I have to unlock it whenever I want to store or retrieve data from it.

* I keep multiple encrypted backups of everything of value. Some are stored in the cloud, others on drives.

* I keep encrypted backups of all critical data (e.g. 1Password exports) on encrypted USB keys.

I used to think that having an S/MIME and/or PGP key would be the key thing
and, well, I've never once really had to use either.
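
Two pieces of the workflow above, as an added example that is not the commenter's own code: generating a random login name straight from the OS CSPRNG (the post's `/dev/random` piped through base64, done in-process), and regenerating a TOTP code from the text string an enrolment QR code encodes, so the otpauth strings kept in an encrypted disk image are enough to recover access if the authenticator device is lost. The sample URI is constructed and uses the RFC 6238 reference secret so the codes can be checked against the RFC's test vectors; the label and issuer in it are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def random_login_name(n_bytes=32):
    """Random login handle that is not the account's email address.

    Same idea as the post's /dev/random | base64 pipeline, using the OS
    CSPRNG via `secrets` and URL-safe base64 so it pastes into any form.
    Keep it in the password manager next to the password."""
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def parse_otpauth(uri):
    """Pull label, secret and parameters out of an otpauth://totp/ URI,
    i.e. the text a TOTP enrolment QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    b32 = params["secret"].upper().replace(" ", "")
    b32 += "=" * (-len(b32) % 8)  # issuers routinely omit base32 padding
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(b32),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def totp_from_uri(uri, at_time=None):
    """Current (or, with at_time, historical) TOTP code for the account in `uri`.

    Given the otpauth strings from an encrypted backup, this regenerates
    codes without re-enrolling the account on a new device."""
    p = parse_otpauth(uri)
    now = time.time() if at_time is None else at_time
    return hotp(p["secret"], int(now // p["period"]), p["digits"], p["algorithm"])


# Constructed sample: the RFC 6238 reference secret "12345678901234567890"
# in base32, so the codes can be checked against the RFC's test vectors.
SAMPLE_URI = ("otpauth://totp/Example%3Aalice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    print("login name:", random_login_name())
    print("TOTP at t=59:", totp_from_uri(SAMPLE_URI, at_time=59))  # 287082 per RFC 6238
    print("TOTP now:    ", totp_from_uri(SAMPLE_URI))
```

Run this only on the machine that has the encrypted image unlocked, and lock it again afterwards: the decoded secret in `parse_otpauth` is exactly what a phishing kit or infostealer wants, so it should never be written to disk in the clear or pasted into a ticket.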

~~~
sherlock_h
Wow this is great. Thanks a lot. Super super useful. I am definitely going to
steal some of these

