Sometimes clients ask us for our recommendations on online security and related topics. This document is our brief list and explanation of those recommendations. We adhere to all of them ourselves, which helps protect every one of our clients’ websites. Since we only use Apple devices, some of this draws on our expertise with that platform, but the concepts are all universal.
Use a Password Manager
Most device operating systems and web browsers come with built-in password managers these days. Use whichever is best suited to you. If you need a more powerful solution, we recommend (and use ourselves every day) 1Password. Additionally, you can store credit card information, secure notes, and much more in your password manager.
Strong Unique Passwords
Always use a strong and unique password regardless of which site you are creating an account on. No excuses. Use the password generator in your password manager to create passwords; never make up passwords yourself. Anything containing your name, your email address, or a mention of the service the password is for is not a secure password. Anything you can remember by heart (even if you replace some letters with symbols) is generally not secure enough, with the exception of device passwords and the master password of your password manager. If you don’t have a password manager, we suggest looking at your bookshelf, picking at least 6 words from book titles, concatenating them with hyphens, and using that as your password.
Two Factor Authentication
Always use time-based one-time password (TOTP) two-factor authentication where it is offered, as it is on your Tenseg-hosted website. Do not use SMS two-factor unless it is your only option, since SMS is not a secure means of communication. With TOTP, the website shares a secret token with your device during setup via an on-screen QR code; from then on, the device can independently generate the same one-time password as the website, with no communication between the two. Also save your backup codes whenever they are offered, since these are what you’ll need to get back in if your second factor fails.
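As an added example (not code from the original page or from Tenseg) of the mechanism just described: the enrolment URI a setup QR code carries, the code derivation that the device and the website each compute on their own, and the website’s check with a small clock-drift window. The shared secret is the RFC 6238 test value; the issuer and account name are made up.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
)

// Secret shared once at enrolment (constructed: the RFC 6238 test secret).
var sharedSecret = []byte("12345678901234567890")

// EnrolmentURI is what the website encodes in the on-screen QR code: the
// base32 secret plus labels, so the authenticator app can store it.
// Issuer and account are placeholder values.
func EnrolmentURI(issuer, account string, secret []byte) string {
	b32 := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
	return "otpauth://totp/" + url.PathEscape(issuer+":"+account) +
		"?secret=" + b32 + "&issuer=" + url.QueryEscape(issuer) + "&digits=6&period=30"
}

// TOTPCode derives the one-time code for a Unix time (RFC 6238 on top of
// RFC 4226 HOTP: HMAC-SHA1, 30 second steps, 6 digits). Device and website
// both run this; no network traffic is needed once the secret is shared.
func TOTPCode(secret []byte, unixTime int64) string {
	counter := uint64(unixTime / 30)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 5.3)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// VerifyCode is the website's side: accept the current step and one step on
// either side to tolerate small clock drift, comparing in constant time.
func VerifyCode(secret []byte, submitted string, unixTime int64) bool {
	for _, delta := range []int64{-30, 0, 30} {
		expected := TOTPCode(secret, unixTime+delta)
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			return true
		}
	}
	return false
}
```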
Passkeys
Where possible, which includes many of the websites we host as well as most email services and social networks, use a passkey to further strengthen your accounts. When you log in with a passkey there is nothing for you to type: strong authentication data is exchanged when you set up the passkey, and at login the most you need is your face, fingerprint, or device password, depending on your device’s biometric hardware. A breach of the website’s database also gains a hacker nothing, since a passkey only works when the public part held by the website and the private part that never leaves your device are used together.
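A simplified model of that exchange, added here as an illustration and not code from the original page or from Tenseg: it uses plain Ed25519 signatures and leaves out the origin binding, counters and attestation that the real WebAuthn passkey protocol adds. The user name is a constructed placeholder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// WebsiteRecord is everything the website keeps for a user: a public key.
// This is all an attacker obtains if the website's database is breached.
type WebsiteRecord struct {
	User      string
	PublicKey ed25519.PublicKey
}

// Device holds the private half, which never leaves the user's hardware.
type Device struct{ privateKey ed25519.PrivateKey }

// Register mints a key pair on the device and hands only the public half
// to the website. Nothing reusable is typed or stored server-side.
func Register(user string) (WebsiteRecord, Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return WebsiteRecord{}, Device{}, err
	}
	return WebsiteRecord{User: user, PublicKey: pub}, Device{privateKey: priv}, nil
}

// NewChallenge is the website's fresh random value for one login attempt;
// a signature captured over an old challenge cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign runs after the local unlock (face, fingerprint or device password):
// the device signs the challenge and sends back only the signature.
func (d Device) Sign(challenge []byte) []byte {
	return ed25519.Sign(d.privateKey, challenge)
}

// Login is the website's check: the signature must verify under the stored
// public key. A signature from any other key, including one an attacker
// generates after stealing this record, is rejected.
func Login(rec WebsiteRecord, challenge, signature []byte) error {
	if !ed25519.Verify(rec.PublicKey, challenge, signature) {
		return errors.New("signature does not verify against stored public key")
	}
	return nil
}
```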
Never Share Usernames and Passwords
Never share your usernames and passwords for accounts. If you use anything beyond simple passwords, the other party won’t be able to use them anyway. Always create new, and if necessary temporary, accounts on websites for other people. Always give someone only as much authority as they need to get their job done, and demote their account when the job is finished.
The exception to this rule is if the account is something like a family’s streaming service and the credentials are shared using the shared vaults feature in password managers.
Emails Are Postcards
Email was designed at a time when online security was not a consideration. As a result, anyone handling the message between you and the recipient can read it. It is a digital postcard. Do not send passwords, credit card numbers, social security numbers, or other sensitive information by email. Since SMS is also insecure, we suggest iMessage, a phone call, or a shared document in a cloud service instead.
Software Updates Are Your Friends
Whenever an update to software or your device’s operating system is released, install it as soon as you can. They almost always bring security fixes. Your online security will be hampered by a device with outdated software. Once the device does not get updates any longer it is time for an upgrade to a new device. This is particularly important for the operating system and your web browser, but really applies to all software on all of your devices.
Related to this, only install software from trusted sources such as your device’s app store whenever practical. Never open unknown downloads. Default macOS security settings only allow software that Apple has vetted in some way to run. Be aware of everything that runs automatically on your device, and make sure that only what is necessary does so.
Physical Device Security
It goes without saying these days that each individual in a household should use their own user account on shared devices, with a password no one but that individual knows. Beyond that, you must ensure that only authorized people have physical access to your devices. Be careful not to misplace them. Most devices these days keep their internal storage fully encrypted at all times, with no option to turn it off. If it is optional, still turn this feature on. For recent Macs, FileVault is a no-brainer to enable, since the Secure Enclave in the SoC already encrypts the device’s storage anyway. All Apple mobile devices are fully encrypted, with no option to change that.