Author: @karpathy, co-founder of @EurekaLabsAI; Translator: zhouzhou, BlockBeats
Editor's Note: This article introduces some basic tips for improving computer privacy and security, covering password managers, hardware security keys, disk encryption, biometrics and other protective measures. It recommends security tools such as 1Password, YubiKey and Signal, advises against insecure "smart" devices, and recommends privacy-protecting browsers and search engines, VPNs and ad-blocking tools. It also covers protecting personal information through virtual card numbers, a virtual mailing address, email hygiene and network monitoring.
The following is the original content (the original content has been reorganized for easier reading and understanding):
Basically, there are some simple things you can do to improve the privacy and security of your computer, and this article covers some of these.
Every now and then, I am reminded of the vast fraud machinery of the Internet, which reignites my pursuit of basic digital hygiene for everyday computer privacy/security. The problem starts with a few major tech companies, which have an incentive to build a comprehensive profile of you, either to monetize directly through advertising, or to sell to specialized data brokers, who further enrich, de-anonymize, cross-reference, and resell the data.
The inevitable and frequent data breaches eventually aggregate your information into black market archives, feeding a massive underground spam/fraud industry of hacking, phishing, ransomware, credit card fraud, identity theft, and more. This guide is a collection of some of the most basic digital hygiene tips, starting with the most basic and moving up to slightly more nuanced suggestions.
Password Manager
Your password is your "first factor", or "something you know". Don't be silly: use a new, unique, complex password for every website or service you sign up for. With a password manager and its browser extension, these are generated and autofilled in seconds. For example, I use and love 1Password. This prevents your passwords from being 1) easy to guess or crack, and 2) reused, so that one leak doesn't open the door to many other services. In return, we now have a single centralized place holding all of our first factors (passwords), so we have to make sure it is thoroughly protected, which leads us to...
Hardware Security Keys
The most critical services in your life (such as Google or 1Password) must be additionally reinforced with a "second factor", i.e. "something you have". An attacker then needs both factors to get into these services. The most common second factor offered by services is a mobile phone number: in theory, you receive a text message with a one-time code, which you enter in addition to your password.
Obviously, this is much better than no second factor at all, but phone numbers are known to be very insecure because of SIM swap attacks. Basically, an attacker calls your mobile carrier, pretends to be you, and asks them to move your number to a new phone they control. I know it sounds completely crazy, but it is true, and I have many friends who have fallen victim to this attack.
So buy and set up a hardware security key, the industrial-strength standard for protection. In particular, I like and use YubiKey. These devices generate and store private keys in the device's secure element, so the private keys are never present on a general-purpose computing device like a laptop. Once they are set up, an attacker needs not only your password but also physical possession of your security key to log in to the service.
Your risk is reduced by roughly 1,000x. Buy and set up 2 or 3 keys and store them in different physical locations, in case you lose one. Security keys support several authentication methods. Look for "U2F" (FIDO U2F, since folded into FIDO2/WebAuthn; many services simply label it "security key") in your service's second-factor settings, as it is the strongest protection: the key signs a challenge bound to the site's real origin, so a phishing page on a lookalike domain cannot reuse the response. For example, both Google and 1Password support it. If you have to use TOTP, note that your YubiKey can store the TOTP secret, so you can get the one-time code by tapping the key to your phone over NFC with the Yubico Authenticator app.
This is much better than keeping the TOTP secret in a software authenticator app, because you shouldn't trust general-purpose computing devices. This article won't go into more detail, but I highly recommend using 2-3 YubiKeys to greatly strengthen your digital security.
Biometrics
Biometrics are a common third authentication factor ("something you are"). For example, if you are an iOS user, I recommend enabling Face ID almost everywhere, e.g. for unlocking apps like 1Password. Note that Face ID data never leaves the phone: it unlocks a secret stored on the device rather than being sent to the service, so it protects the credential on the device, not the account by itself.
Security Questions. Dinosaur companies are obsessed with security questions (such as "What is your mother's maiden name?") and force you to set them from time to time. These obviously fall into the "something you know" category, so they are essentially passwords, except that the true answers can easily be looked up online by scammers. Refuse to participate in this ridiculous "security" exercise: treat security questions like passwords, generate a random answer for each one, and store it in 1Password alongside your password for that service.
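As an added example covering both the password-manager and the security-question points above (not code from the original post or from 1Password), the following Python generates passwords and random security-question answers from the CSPRNG and estimates their entropy. The word list is a constructed stand-in; a real passphrase generator uses a large list such as the EFF's.

```python
import math
import secrets
import string

# Character pool for a "complex" generated password: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, deliberately tiny word list so the example runs offline.
# A real passphrase generator uses a large list such as the 7776-word EFF list.
WORDS = [
    "anchor", "basil", "canyon", "dahlia", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble",
]


def entropy_bits(length: int, choices: int) -> float:
    """Entropy of `length` independent picks from `choices` equiprobable symbols."""
    return length * math.log2(choices)


def random_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the CSPRNG (`secrets`, never `random`)."""
    if length < 12:
        raise ValueError("refuse to generate short passwords")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Random passphrase; easier to type when a manager can't autofill.
    Entropy is words * log2(len(wordlist)), so list size matters."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def security_answer() -> str:
    """A security-question answer is just another password: never a real
    maiden name or first pet, always a random string kept in the manager."""
    return random_password(20)


def password_policy_ok(pw: str, min_bits: float = 80.0) -> bool:
    """Worst-case entropy check: assume the attacker knows which character
    classes are present and require at least `min_bits`."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    pool = sum(len(c) for c in classes if any(ch in c for ch in pw))
    return pool > 0 and entropy_bits(len(pw), pool) >= min_bits


if __name__ == "__main__":
    pw = random_password()
    print(pw, f"~{entropy_bits(len(pw), len(ALPHABET)):.0f} bits")
    print(random_passphrase(), f"~{entropy_bits(6, len(WORDS)):.0f} bits (tiny list!)")
    print("security answer:", security_answer())
```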
Disk encryption. Always make sure your computer uses full-disk encryption. On a Mac, for example, this is a total no-brainer called FileVault. It ensures that if your computer is stolen, the thief can't pull the drive and read all your data.
Internet of Things
More like @internetofshit. Try to avoid "smart" devices: they are essentially extremely insecure internet-connected computers that collect tons of data and are frequently hacked, and yet people willingly put them in their homes. These devices have microphones and periodically send data back to the parent company to be analyzed and "improve the customer experience", haha, okay. For example, when I was young and naive, I bought a CO2 monitor from China that demanded all my personal information and my exact location before it would tell me the CO2 level in my room. These devices are huge holes in your privacy and security and should be avoided.
Messaging. I recommend Signal over SMS because it encrypts all communications end-to-end. It also doesn't retain metadata the way many other apps do (e.g. iMessage, WhatsApp). Turn on disappearing messages (the 90-day default is a good choice). In my experience, old messages are information liabilities with no significant benefit.
Browsers. I recommend Brave, a privacy-first browser based on Chromium. That means almost all Chrome extensions work out of the box and the browsing experience is similar to Chrome, but without Google having complete control over your entire digital life.
Search Engines
I recommend Brave Search, which you can set as the default search engine in your browser settings. Brave Search is a privacy-first search engine with its own index, unlike DuckDuckGo, which is essentially a skin over Bing and has had to make some odd compromises on user privacy through its partnership with Microsoft. As with all the other services on this list, I pay for Brave Premium ($3 a month) because I prefer to be a customer rather than the product in my digital life. As a rule of thumb, I find that 95% of search queries are very simple navigational queries for a website, where the search engine is basically acting as a tiny DNS. If you can't find what you're looking for, prefix your query with "!g" to jump to Google.
Credit Cards
Mint a new, unique virtual card number for each merchant. There's no reason to use the same credit card on multiple services: it lets them link your purchases across services, and it increases your exposure to card fraud, because any one merchant can leak your card number. I love and use privacy.com to mint a new card number for each transaction or merchant.
You can see all your spending through a great interface and get a notification for every charge. You can also set a spending limit per card (e.g. $50 per month), which greatly reduces your risk of being charged unexpectedly. Also, with privacy.com cards you can enter a completely random name and address as the billing information. This matters because random internet merchants have no need to know your physical address. Now onto...
Address
Most random services and merchants don't need to know your physical address. Use a virtual mailing service. I currently use Earth Class Mail, but to be honest I'm a little uneasy about it, so I'm going to switch to Virtual Post Mail because of its stronger commitment to privacy and security, its ownership structure and its reputation. In any case, the service gives you an address; when mail arrives they scan and digitize it, and you can quickly review it in the app and decide what to do with it (e.g. shred, forward). This way you get not only security and privacy but also considerable convenience.
Email
I still use Gmail because it's so convenient, but I've also started using Proton Mail in part. A few more thoughts on email. Never click on any link in any email you receive. Sender addresses are very easy to spoof, and you can never be sure whether an email is a phishing attempt from a scammer. Instead, I manually navigate to whatever service the email is about and log in from there.
It's also a good idea to disable image loading in your email settings. If an email genuinely requires you to see an image, you can click "Show images" for that message, which is completely fine. This matters because many services track you through embedded images: they put a per-recipient identifier in the image URL, so when your mail client fetches the image they learn that you opened the email, and when and from where. This is completely unnecessary. Scammers also often put their text inside images so that mail servers' spam filters can't read it.
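The tracking-pixel mechanism described above, as an added example (not code from the original post): a Python scan over a constructed HTML email that flags <img> tags with the usual tracker shapes (1x1 or CSS-hidden images, opaque per-recipient tokens in the URL) and counts how many remote fetches a client would make with image loading on. The sample email, its domains and its token values are all constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# Constructed sample: one legitimate logo plus two tracking pixels of common shapes.
SAMPLE_EMAIL = """
<html><body>
<img src="https://cdn.example.com/img/logo.png" width="200" height="60" alt="Logo">
<p>Your order has shipped.</p>
<img src="https://track.example.com/o/a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.gif" width="1" height="1" alt="">
<img src="https://mail.example.com/open?u=3f9a2c7e1b4d8f60&amp;m=0042" style="display:none;width:0;height:0">
</body></html>
"""

# An opaque identifier: long run of URL-safe characters with no readable structure.
TOKEN = re.compile(r"^[A-Za-z0-9_\-=]{16,}$")


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag (HTMLParser unescapes &amp; for us)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def tracker_reasons(img: dict) -> list:
    """Heuristics that mark an image as a tracking pixel; empty list means it looks benign."""
    reasons = []
    w, h = img.get("width", "").strip(), img.get("height", "").strip()
    if w in ("0", "1") or h in ("0", "1"):
        reasons.append("1x1/0x0 dimensions")
    style = img.get("style", "").replace(" ", "").lower()
    if any(s in style for s in ("display:none", "visibility:hidden", "width:0")):
        reasons.append("hidden via CSS")
    url = urlparse(img.get("src", ""))
    if any(TOKEN.match(v) for _, v in parse_qsl(url.query)):
        reasons.append("opaque token in query string")
    last_segment = url.path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    if TOKEN.match(last_segment):
        reasons.append("opaque token in path")
    return reasons


def find_trackers(html: str) -> list:
    """Return (src, reasons) for every <img> that looks like a tracking pixel."""
    parser = ImgCollector()
    parser.feed(html)
    found = []
    for img in parser.images:
        reasons = tracker_reasons(img)
        if reasons:
            found.append((img.get("src", ""), reasons))
    return found


def remote_image_count(html: str) -> int:
    """Images the client would fetch with remote loading enabled; every fetch
    reveals your IP address, mail client and the time you opened the message."""
    parser = ImgCollector()
    parser.feed(html)
    return sum(1 for img in parser.images
               if img.get("src", "").startswith(("http://", "https://")))


if __name__ == "__main__":
    print("remote images:", remote_image_count(SAMPLE_EMAIL))
    for src, reasons in find_trackers(SAMPLE_EMAIL):
        print("tracker:", src, "->", ", ".join(reasons))
```

With remote images disabled, none of the three fetches happens until you click "Show images", so the sender learns nothing unless you choose to load the message's pictures.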
VPN
If you want to hide your IP address or location, you can do so indirectly through a VPN. I recommend Mullvad VPN. I leave the VPN off by default and turn it on when dealing with less trusted services for extra protection.
DNS-based ad blockers. You can block ads by blocking entire domains at the DNS level. I like and use NextDNS, which blocks a wide range of ads and trackers. For advanced users who like to tinker, Pi-hole is a self-hosted alternative (typically run on a Raspberry Pi on your own network).
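An added example (not code from the original post, NextDNS or Pi-hole) of what "blocking entire domains at the DNS level" means in practice: parse a hosts-style blocklist, match a query name against it by domain suffix so that subdomains are covered but lookalike names are not, and build the sinkhole answer (0.0.0.0) for a raw DNS A query, the way hosts-file style blockers respond. The blocklist entries and the packets are constructed.

```python
import struct

# Constructed hosts-style blocklist in the format most public lists use.
BLOCKLIST_TEXT = """
# comments and blank lines are ignored
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org
0.0.0.0 telemetry.vendor.example
"""


def parse_blocklist(text: str) -> set:
    """Accept both '0.0.0.0 name' hosts lines and bare 'name' lines."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        name = parts[1] if len(parts) > 1 else parts[0]
        blocked.add(name.lower().rstrip("."))
    return blocked


def is_blocked(qname: str, blocked: set) -> bool:
    """A listed domain blocks itself and every subdomain, but never a mere
    substring match (badads.example.net is not ads.example.net)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal A/IN query (RFC 1035 §4.1): constructed input for the functions below."""
    name = b"".join(struct.pack("B", len(label)) + label.encode("ascii")
                    for label in qname.split(".")) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + name + struct.pack(">HH", 1, 1)             # QTYPE=A, QCLASS=IN


def qname_from_query(packet: bytes) -> str:
    """Read the first question name from a raw DNS query."""
    pos, labels = 12, []  # skip the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def blocked_response(query: bytes) -> bytes:
    """Answer a blocked A query with 0.0.0.0: same ID, flags 0x8180 (response,
    RD+RA), the original question echoed, one answer record."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    end = 12
    while query[end] != 0:           # walk the labels to the terminating zero
        end += query[end] + 1
    question = query[12:end + 1 + 4]  # name + QTYPE + QCLASS
    # Answer: pointer to the name at offset 12, type A, class IN, TTL 60, RDLENGTH 4, 0.0.0.0
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes(4)
    return header + question + answer


def resolve(query: bytes, blocked: set):
    """Sinkhole response for blocked names, or None meaning 'forward upstream'."""
    return blocked_response(query) if is_blocked(qname_from_query(query), blocked) else None


if __name__ == "__main__":
    bl = parse_blocklist(BLOCKLIST_TEXT)
    for name in ("ads.example.net", "cdn.ads.example.net", "badads.example.net", "example.com"):
        print(f"{name:22} -> {'BLOCKED' if resolve(build_query(name), bl) else 'forward'}")
```

The suffix walk in `is_blocked` is the reason a single list entry covers every subdomain a tracker rotates through, which is what makes DNS-level blocking cheaper than per-URL filtering in the browser.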
Network Monitoring
I like and use Little Snitch, which I have installed on my MacBook. This tool shows you which apps are communicating, how much data is being transferred and when, so you can track down which apps are "phoning home" and how often. If an app is communicating more than you'd expect, that's suspicious and it may need to be uninstalled, unless that kind of traffic is exactly what you expect from it.
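An added example (not code from the original post or from Little Snitch) of the kind of check the text describes, run over constructed sample lines in the shape of `lsof -nP -iTCP -sTCP:ESTABLISHED` output: group established connections by process, count distinct remote hosts and ports, and flag processes that are not on an expected list or talk to more hosts than they plausibly need. The process names, PIDs and addresses are invented.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `lsof -nP -iTCP -sTCP:ESTABLISHED` output.
SAMPLE_LSOF = """\
COMMAND        PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Slack         1234 alice  45u  IPv4 0x1a2b      0t0  TCP 192.168.1.10:52000->3.5.7.9:443 (ESTABLISHED)
Slack         1234 alice  46u  IPv4 0x1a2c      0t0  TCP 192.168.1.10:52001->3.5.7.10:443 (ESTABLISHED)
cute_wallpaper 5678 alice  12u  IPv4 0x2b3c      0t0  TCP 192.168.1.10:52100->203.0.113.7:443 (ESTABLISHED)
cute_wallpaper 5678 alice  13u  IPv4 0x2b3d      0t0  TCP 192.168.1.10:52101->203.0.113.8:443 (ESTABLISHED)
cute_wallpaper 5678 alice  14u  IPv4 0x2b3e      0t0  TCP 192.168.1.10:52102->198.51.100.9:8443 (ESTABLISHED)
cute_wallpaper 5678 alice  15u  IPv4 0x2b3f      0t0  TCP 192.168.1.10:52103->198.51.100.10:80 (ESTABLISHED)
"""

# COMMAND, PID, then "local->remote:port"; remote may be a bracketed IPv6 literal.
LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+.*?\bTCP\s+\S+?->(?P<rhost>\[[0-9A-Fa-f:.]+\]|[\d.]+):(?P<rport>\d+)"
)


def parse_connections(text: str) -> list:
    """One dict per established connection; the header line does not match."""
    conns = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            conns.append({"cmd": m["cmd"], "pid": int(m["pid"]),
                          "rhost": m["rhost"].strip("[]"), "rport": int(m["rport"])})
    return conns


def summarize(conns: list) -> dict:
    """Per process: PIDs, distinct remote hosts, remote ports, connection count."""
    summary = defaultdict(lambda: {"pids": set(), "remotes": set(), "ports": set(), "count": 0})
    for c in conns:
        s = summary[c["cmd"]]
        s["pids"].add(c["pid"])
        s["remotes"].add(c["rhost"])
        s["ports"].add(c["rport"])
        s["count"] += 1
    return dict(summary)


def suspicious(summary: dict, expected: set, max_remotes: int = 2,
               web_ports=(80, 443)) -> list:
    """Flag processes you did not expect on the network, or that talk to more
    distinct hosts or on more unusual ports than a simple app needs."""
    flagged = []
    for cmd, s in summary.items():
        reasons = []
        if cmd not in expected:
            reasons.append("unexpected process")
        if len(s["remotes"]) > max_remotes:
            reasons.append(f"{len(s['remotes'])} remote hosts")
        odd_ports = sorted(p for p in s["ports"] if p not in web_ports)
        if odd_ports:
            reasons.append(f"non-web ports {odd_ports}")
        if reasons:
            flagged.append((cmd, reasons))
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(parse_connections(SAMPLE_LSOF))
    for cmd, reasons in suspicious(summary, expected={"Slack"}):
        print(f"{cmd}: {'; '.join(reasons)}")
```

The expected-process list is the part you maintain by hand; the value of a tool like Little Snitch is that it makes the same comparison continuously and asks you at the moment a new process first tries to connect.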
I just want to live a secure digital life and have harmonious relationships with products and services that only divulge necessary information. I want to pay for the software I use so that incentives and interests are aligned, ensuring that I remain a customer. This is no small feat, but it is entirely achievable with determination and discipline.