Guide
Digital Security Basics Everyone Needs
Written by Magnus Silverstream • November 20, 2025 • 8 min read
In our increasingly connected world, digital security isn't just for tech professionals - it's essential for everyone. Data breaches, identity theft, and account compromises affect millions of people every year, often targeting those with weak security practices. The good news is that implementing strong security doesn't require technical expertise. This guide covers the fundamental practices that significantly reduce your risk of becoming a victim of cybercrime.
Password security: your first line of defense
Passwords protect everything from your email to your bank accounts. Weak passwords remain the leading cause of security breaches.
Strong password principles:
• Length over complexity: 16+ characters is better than 8 complex ones
• Avoid personal information: birthdays, names, pet names are easily guessed
• No dictionary words: "correct horse battery staple" style is outdated
• Unique for each account: one breach shouldn't compromise everything
Password managers:
• Generate truly random passwords
• Store passwords securely (encrypted)
• Auto-fill reduces phishing risk
• Sync across devices safely
• Popular options: Bitwarden, 1Password, KeePass
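The "length over complexity" rule and the random generation a password manager performs can both be checked with a few lines of Python. This is an added example, not code from this guide or from any password manager; the guessing rate of 10 billion guesses per second is an assumption, and the entropy figures hold only for passwords chosen at random, never for ones a person made up.

```python
import math
import secrets
import string

LOWER = string.ascii_lowercase  # 26 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Pick every character independently from the operating system's CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given guessing rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate (guesses per second)
    cases = [("8 chars, all printable symbols", 8, PRINTABLE),
             ("16 chars, lowercase only", 16, LOWER),
             ("16 chars, all printable symbols", 16, PRINTABLE)]
    for label, length, alphabet in cases:
        bits = entropy_bits(length, len(alphabet))
        print(f"{label:32s}{bits:6.1f} bits {years_to_exhaust(bits, rate):10.3g} years"
              f"  sample: {generate_password(length, alphabet)}")
```

Even restricted to lowercase letters, 16 random characters carry about 75 bits against about 52 bits for 8 characters drawn from every printable symbol.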
Passphrases:
• Combine random words with numbers and symbols
• Easier to remember than random strings
• Example: "Sunset7!Mountain-Penguin42"
• Still use a password manager for most accounts
What to avoid:
• Reusing passwords across sites
• Simple substitutions (pa$$w0rd)
• Patterns (qwerty, 123456)
• Writing passwords on sticky notes
Two-factor authentication (2FA)
2FA adds a second verification step beyond your password, dramatically improving security.
Types of 2FA (best to worst):
1. Hardware security keys (best)
• Physical devices like YubiKey
• Nearly impossible to phish
• Most secure option available
2. Authenticator apps (very good)
• Google Authenticator, Authy, Microsoft Authenticator
• Time-based codes (TOTP)
• Doesn't require cell service
• Cannot be intercepted like SMS
3. SMS codes (better than nothing)
• Vulnerable to SIM swapping attacks
• Can be intercepted
• Still blocks most automated attacks
• Use only when better options unavailable
Where to enable 2FA:
• Email (highest priority - gateway to other accounts)
• Financial accounts (banking, investments)
• Social media accounts
• Cloud storage
• Any account with sensitive information
Backup codes:
• Always save them when offered
• Store securely (password manager or physical safe)
• They're your recovery option if you lose your 2FA device
Recognizing phishing and scams
Phishing tricks you into revealing sensitive information. It's the most common attack vector.
Red flags in emails:
• Urgency or threats ("Your account will be closed!")
• Generic greetings ("Dear Customer")
• Spelling and grammar errors
• Mismatched sender address and display name
• Suspicious links (hover to preview before clicking)
• Unexpected attachments
Red flags in URLs:
• Misspellings (goggle.com, arnazon.com)
• Extra words (login-paypal-secure.com)
• Wrong domain extension (.co instead of .com)
• HTTP instead of HTTPS for sensitive sites
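The four URL red flags above can be turned into an automatic check, for example in a mail filter or a link-preview tool. This is an added example, not code from this guide; the allowlist of three domains, the look-alike table and the function names are assumptions, and the "last two labels" domain split is a simplification (real code should use the Public Suffix List). It also flags a brand name placed in a subdomain, which goes slightly beyond the list.

```python
from urllib.parse import urlsplit

# Constructed allowlist of sites the user really deals with (assumption).
KNOWN = ("google.com", "amazon.com", "paypal.com")
# Character groups that look alike in many fonts.
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(label: str) -> str:
    """Map look-alike character groups to the letters they imitate."""
    for fake, real in LOOKALIKES:
        label = label.replace(fake, real)
    return label


def red_flags(url: str) -> list[str]:
    parts = urlsplit(url)
    labels = (parts.hostname or "").lower().split(".")
    domain = ".".join(labels[-2:])  # naive registrable-domain guess
    name, _, tld = domain.partition(".")
    flags = [] if parts.scheme == "https" else ["not HTTPS"]
    if domain in KNOWN:
        return flags
    for known in KNOWN:
        brand, _, brand_tld = known.partition(".")
        if name == brand and tld != brand_tld:
            flags.append(f"wrong extension for {known}")
        elif skeleton(name) == brand or edit_distance(name, brand) == 1:
            flags.append(f"misspelling of {known}")
        elif brand in name.split("-") or brand in labels[:-2]:
            flags.append(f"extra words around {known}")
    return flags


if __name__ == "__main__":
    for url in ("https://goggle.com", "https://arnazon.com/signin",
                "https://login-paypal-secure.com", "https://paypal.co",
                "http://amazon.com", "https://www.amazon.com/orders"):
        print(f"{url:34s} {red_flags(url) or 'no red flags'}")
```

An empty result means only that none of these four patterns matched, not that the site is trustworthy.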
Safe practices:
• Never click links in unexpected emails
• Go directly to websites by typing the URL
• Verify requests through official channels
• When in doubt, contact the company directly
• Check the email header for true sender
Common phishing scenarios:
• "Verify your account" emails
• Fake delivery notifications
• "Prize winner" announcements
• Tech support scams
• Romance scams on social media
• Job offer scams
Software updates and patches
Keeping software updated is one of the simplest yet most effective security measures.
Why updates matter:
• Patches fix known vulnerabilities
• Attackers target unpatched systems
• Most breaches exploit old vulnerabilities
• Zero-day exploits are rare; known exploits are common
What to keep updated:
• Operating system (Windows, macOS, Linux)
• Web browsers (often targeted)
• Email clients
• Office applications
• Mobile apps
• Router firmware (often forgotten)
• Smart home devices
Update best practices:
• Enable automatic updates when possible
• Restart devices to apply updates
• Don't postpone updates indefinitely
• Update all devices, not just your main computer
• Check for updates on devices without auto-update
End-of-life software:
• Stop using software no longer receiving updates
• Windows 7, old browsers pose significant risks
• Upgrade or find alternatives
• Running outdated software puts your entire network at risk
Safe browsing habits
Your web browser is a primary attack surface. Safe browsing habits prevent many threats.
HTTPS everywhere:
• Look for the padlock icon
• Don't enter sensitive data on HTTP sites
• Be wary of certificate warnings
• Note: HTTPS means encrypted, not necessarily trustworthy
Browser security settings:
• Block third-party cookies
• Disable unnecessary plugins
• Use a reputable ad blocker (blocks malicious ads)
• Clear browsing data periodically
• Consider privacy-focused browsers (Firefox, Brave)
Downloads and extensions:
• Only install extensions from official stores
• Review extension permissions
• Download software from official sources
• Verify checksums for important downloads
• Scan downloads with antivirus
Public Wi-Fi:
• Avoid sensitive transactions on public Wi-Fi
• Use a VPN if you must use public networks
• Forget networks after use
• Disable auto-connect to open networks
• Mobile data is safer than public Wi-Fi
Data backup and recovery
Backups protect against ransomware, device failure, and accidental deletion.
The 3-2-1 backup rule:
• 3 copies of your data
• 2 different storage media
• 1 copy off-site (cloud or physical location)
What to back up:
• Documents and photos
• Financial records
• Password manager database
• 2FA recovery codes
• Device configurations
Backup methods:
• Cloud sync (Google Drive, OneDrive, iCloud)
• External hard drives
• Network-attached storage (NAS)
• Professional backup services
Ransomware considerations:
• Keep some backups offline (air-gapped)
• Ransomware can encrypt connected backups
• Test restore process periodically
• Version history helps recover from encryption
Recovery planning:
• Know how to restore from backups
• Test restores periodically
• Keep a recovery plan accessible offline
• Consider what you'd do if you lost everything tomorrow
Conclusion
Digital security doesn't require expertise - it requires consistency. Use a password manager with unique passwords for every account, enable two-factor authentication everywhere possible, stay alert to phishing attempts, keep your software updated, practice safe browsing, and maintain good backups. These fundamentals stop the vast majority of attacks. The goal isn't perfect security (impossible) but making yourself a harder target than most. Use our password generator and other security tools to implement these practices effectively.
Frequently Asked Questions
Using a password manager with unique passwords for every account. Password reuse is the number one cause of account compromises. One breach exposes all accounts using that password. A password manager solves this while making your life easier.