Let me begin by stating that there is no such thing as perfect security. At least not anymore. The years from around 1780 to 1850 were the only period in human history in which we had what is considered perfect security. This ended in 1851 when A.C. Hobbs picked what was then considered an un-pickable lock.

But I’m not here to talk with you about lock picking.

Who are you protecting yourself against?

Security doesn’t exist in a vacuum. Unless you know who you are protecting yourself from, you won’t be able to choose the appropriate countermeasures. A good example of this is your choice in how you secure an iPad. When securing an iPad, you can choose to allow unlocking with a password or thumbprint. Your decision here hinges on whether you are protecting yourself from a 3-letter government agency or from someone sitting behind you on the bus lifting your password as you type it in.

I personally believe that biometrics-based unlocks like thumbprints are poor choices for security, but chances are that the guy behind you on the bus won’t have a copy of your thumbprint, nor will they be able to compel you to unlock it against your will. So in the case of protecting yourself from the guy on the bus, your thumbprint is probably a decent choice. If, however, you want protection from a 3-letter government agency, or just law enforcement in general, you should use a password. There is established legal precedent that the government can compel you to unlock a device that is secured with biometrics like a fingerprint, but the Fifth Amendment protects you from having to disclose the unlock password.

The lesson here is to stop and think about who you are protecting yourself from. Are there people actively targeting you? Does where you live or your standard routine expose you to attacks of opportunity like a pickpocket on the subway or someone snatching your backpack on the bus? Do you live a pleasantly boring and safe existence in an area with near zero crime? Are all of your threats likely to be the passive kind, such as having your credentials leaked by any one of the hundreds of organizations that have your information poorly secured?

Now that we have set up a framework to think about these things, here is my take on best practices for securing your digital life.

My personal threat model

I take the following things into consideration to establish my personal threat model.

I have personal crypto-asset holdings.

I maintain a number of open source software projects that people use to interact with crypto-assets. Thus I’m not just protecting my assets, but also by proxy all of the people who use and trust my software.

I am in a sufficiently public position to be individually targeted.

I choose to take above-average measures to mitigate passive threats (like Target getting their customer database hacked).

So with these things in mind, I have established the following security practices.

Passwords