
This is an old revision of the document!


Passwords

Key points:

Use a unique email address, and a unique password, for every site and service

Whenever you sign up with a new site or service, use a unique email address, and a unique password.

The reason you do this is that, if a site's database is compromised, and someone obtains your username and password, and tries to log into other sites with them (something known as “credential stuffing”), they will not get access to your accounts on those other sites.
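One way to check your own accounts against this advice is to audit an export from your password manager for shared email addresses and shared passwords. The script below is an added example, not part of the original page; the CSV layout (`site,email,password`), the sample entries and the function names are all assumptions made for illustration.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (hypothetical sites and credentials, not real accounts).
SAMPLE_EXPORT = """site,email,password
facebook.example,johnsmith+facebook@gmail.com,correct-horse-1
shop.example,johnsmith@gmail.com,Summer2019!
forum.example,johnsmith@gmail.com,Summer2019!
bank.example,johnsmith+bank@gmail.com,x9$Lq2!vTz
news.example,JohnSmith+bank@gmail.com,p4ss-for-news
"""

def _rows(export_text):
    """Yield (site, email, password digest) for each entry in the export."""
    for row in csv.DictReader(io.StringIO(export_text)):
        # Assumption: the mail provider ignores case, so compare lower-cased.
        email = row["email"].strip().lower()
        # Compare digests so plaintext passwords are not kept in the results.
        digest = hashlib.sha256(row["password"].encode("utf-8")).hexdigest()
        yield row["site"].strip(), email, digest

def find_reuse(export_text):
    """Return (emails, passwords): each maps a shared value to its sites."""
    by_email, by_password = defaultdict(set), defaultdict(set)
    for site, email, digest in _rows(export_text):
        by_email[email].add(site)
        by_password[digest].add(site)
    emails = {k: sorted(v) for k, v in by_email.items() if len(v) > 1}
    passwords = {k: sorted(v) for k, v in by_password.items() if len(v) > 1}
    return emails, passwords

def exposed_if_breached(export_text, breached_site):
    """Other sites that accept the exact email and password pair of breached_site."""
    rows = list(_rows(export_text))
    leaked = {(e, d) for s, e, d in rows if s == breached_site}
    return sorted(s for s, e, d in rows if s != breached_site and (e, d) in leaked)

if __name__ == "__main__":
    emails, passwords = find_reuse(SAMPLE_EXPORT)
    for email, sites in emails.items():
        print(f"email {email} is shared by: {', '.join(sites)}")
    for sites in passwords.values():
        print(f"one password is shared by: {', '.join(sites)}")
    print("breach of shop.example also opens:",
          exposed_if_breached(SAMPLE_EXPORT, "shop.example"))
```

In the sample, a breach of shop.example would also expose forum.example, because both use the same email address and password, while the entries with their own address and password are unaffected.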

Unique email address

Email catch-all

If you run or rent your own email server, you should be able to enable something called “catchall” on your domain. This means that any email sent to any account name on your domain gets delivered to you.

The benefit is that you can give a site any email address you like, and you will receive email sent to it without needing to do anything.

The downside is that you are likely to get more spam, as any email sent to any account name is delivered to you.

Gmail

You can use a “plus” sign after your username, and then any text you want, to create a unique email address.

For example, if your email address is johnsmith@gmail.com, you could use johnsmith+facebook@gmail.com to create a unique email address to give to Facebook.

You will still receive any email sent to that address at your normal account.

ProtonMail

You can use a “plus” sign after your username, and then any text you want, to create a unique email address.

For example, if your email address is johnsmith@protonmail.com, you could use johnsmith+facebook@protonmail.com to create a unique email address to give to Facebook.

You will still receive any email sent to that address at your normal account.

Source

Use a strong password

Use a password manager

Password managers: NCSC

Do not change your passwords without reason

The advice used to be to change your passwords frequently. This is no longer considered good practice.

Change your password if you think it is compromised

PINs on devices

Fingerprint / face recognition / biometric unlock

In some jurisdictions, it appears that one cannot be forced to disclose a password, but can be asked to place a finger on a device to unlock it. If in doubt, you might consider disabling fingerprint unlock for the duration of a trip into such a country.

Biometric unlock is convenient, fast, and not something which can be detected by someone just looking over your shoulder as you unlock the phone.

Swipe patterns

Even with the Android swipe pattern unlock mechanism, it is pretty easy to watch someone do a basic pattern once and replicate it — so you need to go for something pretty complicated, coupled with shielding your phone when you enter your passcode.

This is obviously defeated by security cameras nearby.

Wherever possible, set up two-factor authentication

passwords.1565291233.txt.gz · Last modified: 2021/07/06 09:26 (external edit)