Security Checklist

Created by Landfish

Instructions for using this checklist

Go through each section of the checklist. I recommend setting aside at least an hour to go through all of these things at once. Some sections have step-by-step instructions. This document is a work in progress. Feel free to make pull requests with suggested improvements.

If you want to be extra secure, take a moment now to go to amazon or yubikey’s website and buy two Yubikeys to use as your second factor and backup second factor.

Instructions to accompany the checklist

• Top level folder

• Instructions for setting up a password manager, unique passwords, and 2FA

• Instructions for securing your gmail account with security keys (yubikeys)

• Instructions for setting up Signal

Automatic updates

Make sure you have automatic updates turned on for your phone and your laptop. Google for this if you’re having trouble finding the right menu. Newer devices should have this turned on by default, but it’s definitely worth double-checking!

• Phone

• Laptop

• Secondary phone or laptop (if applicable)

Device encryption

Some devices will have this enabled by default. It’s usually as simple as checking a box and entering a password. Make sure you write down this password and keep it somewhere safe! If you forget / lose this password, you will lose access to your data forever.

• Phone

  • 6-8 digit pin required upon restart

  • Paper backup of PIN

• Laptop

  • Strong password set

  • Paper backup of password

• Secondary phone or laptop (if applicable)

Password Manager & Unique Strong Passwords

Instructions. Install a password manager and browser extension. Use the password manager to generate new passwords if your previous password for an account is too short or is reused. If you already have good, unique passwords on all your accounts, then add them to your password manager.

• Password Manager Installed

  • Browser extension installed (optional)

• Added passwords for your main accounts (use the 2FA list below if you need to)

• Changed insecure or non-unique passwords, using high-entropy passwords generated with your password manager

• Created secure master password (if you don’t know how, use this method or the Eff’s method if you want to be really secure)

• Backed up master password

• Memorized master password

Two Factor Authentication (2FA)

Instructions. I recommend setting up 2FA on any account you really care about. If you’re really limited on time, at least make to sure to secure Gmail and Facebook if you use these. You can 80:20 it by adding 2FA to only your top 5-10 accounts.

For any account you can, set up Authenticator as a second factor (and optionally yubikeys). Make sure you have a backup, either a written-down authenticator code or an extra yubikey. Don’t use SMS unless there is no other 2FA option. This list is mostly for reference, so feel free to edit it to reflect your actual important accounts.

• Primary email

  • 2FA backup

• Work email

  • 2FA backup

• Bank account

  • 2FA backup

• Facebook

  • 2FA backup

• Twitter

  • 2FA backup

• LinkedIn

  • 2FA backup

• Github

  • 2FA backup

• Coinbase

  • 2FA backup

• Dropbox

  • 2FA backup

• Tumblr

  • 2FA backup

• Reddit

  • 2FA backup

• Office 365

  • 2FA backup

• Slack

  • 2FA backup

• Apple account

  • 2FA backup

End-to-end encrypted messaging

Instructions. It’s a really good idea to set up an end-to-end encrypted messaging app. Even if you don’t think you need one now, you likely will in the future. It’s a good idea to have one already set up.

• Have set up Signal on mobile (or Whatsapp or Wire)

• Have set up Signal for desktop (optional)