Suggestions on a VPN or other services to protect myself from identity theft and hacking?

Basically wondering how to keep my information/web/identity protected. I’ve heard NordVPN is good but also wondering if that completely protects me against releasing info to the dark web. Right now I just have some AT&T VPN that was part of a free app… and it blocks calls/tells you what info has been leaked.

https://www.reddit.com/r/VPN_Review/comments/18jsm26/best_vpn_according_to_reddit_in_2024/

Good digital hygiene. VPNs or similar services are snake oil at best.

To answer the question, Proton has always been my favorite service of choice. Better email than any of the free services, better VPN with country options worldwide and surprisingly fast, etc. You get what you pay for and it isn’t cheap; I think I pay ~$200 and change every other year, but it’s well worth the cost for what I get out of it.

That being said, follow what /u/NightWolf105 said, as they said it better than I could, so I’m going to save myself the trouble. As for data breaches, some credit cards do offer services for free now, but haveibeenpwned.com is still the best free resource for that, with a notification service by email.

I also work in cyber security and second what this guy is saying. There’s a ton of FUD pushed by companies like NordVPN to make you think that you need a VPN.

Here is what a VPN can give you:

  1. IP masking. This isn’t really that useful for the average person unless you’re concerned about a web service knowing the general area you live in.
  2. Full traffic encryption. Your connection from your device to the VPN server is encrypted. There are some protocols your device uses that are still not encrypted like DNS (the protocol that translates a domain name like google.com to an IP address like 123.123.45.67). This buys you mostly privacy but generally not security for the average person.
  3. Based on #2, VPNs can insert their own ad blocking for you by blocking lookups to known domains that serve advertisements. This helps people not fall for scams, but you can just use uBlock Origin.

None of these things help protect you from identity theft or hacking. They only help protect your privacy from a hostile network (e.g. you live in a country like Iran where the government may be monitoring network traffic and patterns) and to protect your IP address from a website operator.

If a website is breached, your email/information you provided to that website is still the same as it’d be if you hadn’t used a VPN (except your IP address, but that’s not valuable information in a data breach for the most part anyway).
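To make point #2 above concrete, here is an added example (not code from anyone in the thread): it builds the DNS query a device sends on UDP/53 and then parses it the way a passive on-path observer would, whether that is a hotspot operator, an ISP, or the VPN provider at the far end of the tunnel. The hostname `bank.example`, the address `203.0.113.10`, and the query ID are constructed sample values; nothing is sent over the network.

```python
import struct

# Added example, not from the thread. Builds a DNS query in wire format and
# parses it as an observer on the network path would. All packets are built
# locally from constructed values; no traffic is generated.


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Wire-format DNS query for an A record (RFC 1035), recursion desired."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(query: bytes, ip: str) -> bytes:
    """Constructed resolver reply: echoes the question and adds one A record.

    The answer name is a compression pointer (0xC00C) back to the QNAME at
    offset 12, which is what real resolvers emit.
    """
    header = query[:2] + struct.pack(">HHHHH", 0x8180, 1, 1, 0, 0)
    question = query[12:]
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, len(rdata)) + rdata
    return header + question + answer


def _read_name(pkt: bytes, off: int):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels = []
    end = None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:
            # 2-byte pointer: the name continues at another offset in the packet.
            ptr = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def observe(pkt: bytes) -> dict:
    """What an on-path observer recovers from one unencrypted DNS packet."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = _read_name(pkt, off)
        qtype, _qclass = struct.unpack(">HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    answers = []
    for _ in range(ancount):
        name, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),
        "questions": questions,
        "answers": answers,
    }


if __name__ == "__main__":
    q = build_query("bank.example")          # constructed hostname
    r = build_response(q, "203.0.113.10")     # documentation-range address
    print(observe(q))
    print(observe(r))
```

The thing to notice is that `observe()` needs no key: the site you are about to visit is readable from the query even if the HTTPS session that follows is fully encrypted. Encrypted DNS (DNS over HTTPS or DNS over TLS) or a VPN that actually carries your DNS queries inside the tunnel moves this visibility from the local network to the resolver or VPN operator; it does not remove it.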

I would like to stop data breaches, but thank you for that as well. I’ll make sure my 2FAs are installed (I think most are but some aren’t). Sometimes Google signs me in and out, which I don’t understand… (I have an iPhone 14 Pro, iOS 17.5). Guess I have to ask this. Which is worse, PW in your phone/notes or PW written down? I’ve come to find the latter makes more sense with all the BS now… but lmk what you think?

Edit: my accounts are all frozen as far as credit reporting goes. Too many scammers when I was living in a different state and just decided to freeze everything….

Well, I’m definitely worried about data breaches, is that weird?

Wow thanks so much for explaining how this works.

Yesssss thank u my defense bestie! Lol I thought I was tech savvy until I looked into this stuff :joy:

Thank you; this was extremely helpful. How do I do #2? Am I missing something, or can I actually protect myself from hackers per DNS? Anything? Can I DM you? Thx again :folded_hands:

Which is worse, PW in your phone/notes or PW written down? I’ve come to find the latter makes more sense with all the BS now… but lmk what you think?

This entirely depends on your threat model. The dangerous thing with the Notes app is that the notes aren’t encrypted or password-protected, so someone with physical access to your unlocked device can get your passwords. This is no different from having a notepad, but you gain the convenience of being able to easily copy/paste passwords. A notepad is fine as well. The thing that matters is that your passwords are UNIQUE and not “close” to each other, i.e. you aren’t just changing some capitalization or digits.

Why not use a password manager? There are multiple free options:

I would like to stop data breaches, but thank you for that as well

There is nothing you can do about data breaches besides limiting their blast radius, but it also sounds like your concern is with falling for scams. Here is some advice:

  • Use a password manager to prevent password reuse. If you use the same email and password combo on multiple websites, scammers and hackers will test for this against common websites and suddenly your account is taken over. Even if you have 2FA enabled, they may trick you into giving over your 2FA code so they can log in.
  • Use multiple email addresses for important things. Have one email address for ecommerce that’s likely to receive a bunch of spam, have another email address for bullshit that requires your email that you also don’t care about (I combine this with my ecommerce email but it can make finding receipts kind of tricky sometimes). Then have another email that you use for important things to you like your utility accounts, banking, etc. If you receive an email to your “this bullshit service requires an email and it’s nothing important” email, you can likely safely ignore it.
  • Many scams and “hacks” are delivered through ads. Use an ad blocker. uBlock Origin is the absolute best ad blocker for desktop: https://ublockorigin.com/
  • For iOS the ad blocking story isn’t as great, but you can use something like Wipr or 1Blocker. Wipr is fine and I cannot personally vouch for 1Blocker but people seem to like it.
  • Use a Passkey to sign in wherever you can. Passkeys simplify logging in to a website, and help reduce the chances of you getting phished.
  • Don’t install random programs or things that people on the internet tell you to install – including me! Do your own research on these things and ensure that what I’m telling you to do is legit.

How do I do #2? Am I missing something, or can I actually protect myself from hackers per DNS?

#2 is not going to protect you against hackers. My point was that all of the things a VPN does provide you with are not going to protect you against hackers at all. See my reply below about things you can do to better protect yourself.

Thank u!! I do most of these bullet points (esp. the PW topic). I do need to do the ad blockers. I’ve come to realize (when actually reading the privacy policies) that the apps I go to download, esp. the free ones, are downright scary, and some ad blockers will legit do the exact opposite, so I appreciate the recommendation. It sucks there’s not more to do about hackers, but at least this is a start.

Are there no longer concerns about breaches of companies who manage your passwords?

I used 1Password for a long time, then recently migrated to Proton Pass since I was paying for the full Proton suite anyway. 1Password I think is cloud-only now, and Proton Pass is also cloud-based.

1Password has a “secret key” that you only receive once and have to save somewhere. This is essentially a salt that is mixed with your “master key” to decrypt the vault. Some details of the secret key are in this blog post: https://blog.1password.com/what-the-secret-key-does/

The blog post also describes why a data breach doesn’t really affect you, but to summarize: since they don’t store the master or secret keys, the vault that would be leaked in a data breach is sufficiently encrypted to be useless.

Proton Pass’s security model is outlined in this blog post: https://proton.me/blog/proton-pass-security-model. It works fairly similarly where the vault on their server is encrypted at rest and Proton Pass should never have the vault plaintext or encryption key – it’s decrypted locally.

If you use either service’s web frontend, I suppose there’s a risk of an attacker injecting malicious JavaScript that can capture your credentials; they could backdoor a build, or backdoor the web extensions. I’m not sure what binary transparency practices etc. they have in place to help mitigate such a scenario.

KeePass’s model is similar, but you have to supply the storage for the vault, which is also encrypted at rest, etc.

I’m not well-versed in other password managers to provide an analysis.
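To illustrate the “secret key mixed into the master key” idea from the comment above, here is an added example that is not 1Password’s, Proton’s or KeePass’s code and does not reproduce their exact constructions. It models a vault key derived from both the master password and a random per-account secret key, then shows what an attacker holding only the breached ciphertext can and cannot do with a password list. The email address, secret key, password, vault contents, iteration count and the HMAC-based toy cipher are all stand-ins chosen for the demo so it runs with the Python standard library alone.

```python
import hashlib
import hmac
import os

# Added example, not any vendor's code. A simplified model of a "two-secret"
# vault: the key that encrypts the vault is derived from both the master
# password (something you remember) and a random secret key (something that
# exists only on your devices). Cipher and parameters are stand-ins.

ITERATIONS = 50_000  # assumption for the demo; real products choose their own cost


def derive_vault_key(master_password: str, secret_key: bytes, email: str) -> bytes:
    """PBKDF2-HMAC-SHA256 over the password, salted with the account's secret key.

    Because the secret key is 128 random bits, an attacker who holds only the
    ciphertext cannot run a password-guessing loop: every guess would also have
    to guess the secret key. This mirrors the idea in the linked blog post, not
    its exact construction.
    """
    salt = hashlib.sha256(email.lower().encode() + secret_key).digest()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy PRF, stdlib only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the vault key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag. Illustration only."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def offline_guess(blob: bytes, email: str, wordlist, secret_key: bytes):
    """What a breach attacker can do with the stolen vault and a password list.

    The loop only finds the password if the attacker also holds the correct
    secret key, which never sits on the provider's servers.
    """
    for candidate in wordlist:
        if decrypt_vault(derive_vault_key(candidate, secret_key, email), blob) is not None:
            return candidate
    return None


if __name__ == "__main__":
    email = "alice@example.com"          # constructed account
    secret_key = os.urandom(16)          # generated once, shown to the user once
    weak_password = "Summer2024!"        # deliberately guessable
    blob = encrypt_vault(derive_vault_key(weak_password, secret_key, email), b"bank: hunter2")
    wordlist = ["password", "letmein", "Summer2024!"]
    print("attacker who also stole the secret key:", offline_guess(blob, email, wordlist, secret_key))
    print("attacker with only the server breach:", offline_guess(blob, email, wordlist, os.urandom(16)))
```

The second print is the breach scenario the comment describes: the provider’s database holds `blob` and the email, but not the secret key, so even a weak master password survives an offline dictionary attack on the stolen vault. The first print is the caveat: if an attacker gets the secret key as well (for example by compromising a device where it is stored), the master password is the only thing left, which is why it still needs to be strong.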

Also, is there any concern with PW managers that have a feature where they can reset all your passwords on every site for you with 1 click, since they are logging into your online account to change your PW?

I’d be wary of a service that does this on their own infrastructure without a whitepaper describing how they do this. I could imagine the following scenario:

  • You want to reset passwords, so you punch in your vault password and kick off the process
  • The server then receives a job with credentials from your decrypted vault of all of the websites they support this on. I can’t imagine it’s all websites since the reset flow may differ wildly from service to service.
  • The server then performs the reset operations on your behalf and scrubs the plaintext credentials from their job queue/etc.

There are many points of failure here where the server has to make sure it’s doing the right things in terms of logging, crash dumps (if the server crashes), etc. to ensure it doesn’t accidentally log your credentials. A hacker could sit on the server as well and man-in-the-middle such requests and exfil passwords, so they had better have good monitoring and a good network security team.

They could also do it on your device which removes the server risk, but it’d have to be kicked off from a native application (not a web browser) because of how cross-site web requests work.

I would personally have a hard time fully trusting that such a feature is implemented properly and exercise caution.