I'm often asked by non-tech people what they should do about security on the Internet, and there are some simple steps that you should follow.
But first, I think it's important to understand the types of risks that you're going to try to mitigate.
In order of concern (in my opinion)
This is not a guide on how to be a spy or evade the NSA; if you are targeted by the NSA, this guide cannot help you. This is for regular people trying to be responsible on the internet. So if you want to contact me about how the NSA could defeat these strategies, please don't.
Secondarily, you should accept these 3 points
The number one concern about password theft is that you've used the same password on a pile of sites, an extremely common situation. The second concern is that you use very bad passwords, which almost everyone does (see the passwords surveyed from leak data).
The problem here is that once any site you use is 'hacked', the attacker will try those username/password pairs against other popular sites and banks, and voila. This is not pretend; it happens all the time.
So there are a couple easy rules
You can accomplish #1 by having some personal heuristic, like
domain+myname+emailname, so here my password would be
bigmojonetbillbigmojonet, or something like that. This is 'ok'; it's a lot better than using the same password everywhere, although anyone who sees one of your passwords can spot the pattern.
But MUCH better is to use a real password manager. I recommend 1Password; it costs a few dollars (about 50) but is by far the best product, and way cheaper than getting hacked.
You could also use the free KeePass, which works well but lacks syncing between devices and such, or the online tool LastPass.
Using one of these tools, you can easily generate unique strong passwords, e.g.:
FYI, swapping out @ for A, or 4 for R, does not actually provide much, if any, extra protection for your passwords.
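As an added illustration (not code from the original post), this shows what a manager-style generator does: it draws every character from a large alphabet using a cryptographically secure random source, so the guessing work grows with length; it also puts a number on how little the @-for-A style substitutions add. The leet map, the minimum length and the sample words are assumptions chosen for the example.

```python
import math
import secrets
import string

# Alphabet a password manager would draw from: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed leet-speak map, the kind of substitution the post says adds little.
LEET = {"a": "@", "r": "4", "e": "3", "o": "0", "s": "$", "i": "1"}


def generate_password(length=20, alphabet=ALPHABET):
    """Build a password from a cryptographically secure RNG (the secrets module)."""
    if length < 12:  # assumed floor for this example, not a standard
        raise ValueError("password too short")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Guessing work, in bits, for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def heuristic_password(domain, myname, emailname):
    """The domain+myname+emailname scheme from the post (constructed, not random)."""
    return f"{domain}{myname}{emailname}"


def leet_substitute(word):
    """Apply the @-for-a style substitution to every eligible character."""
    return "".join(LEET.get(ch, ch) for ch in word)


def leet_extra_bits(word):
    """Upper bound on what leet-speak adds: at most one bit per substitutable
    character, since an attacker who knows the trick simply tries both forms."""
    return sum(1 for ch in word if ch in LEET)


if __name__ == "__main__":
    generated = generate_password(20)
    print(generated, f"{entropy_bits(len(generated), len(ALPHABET)):.1f} bits")
    scheme = heuristic_password("bigmojonet", "bill", "bigmojonet")
    print(scheme, "->", leet_substitute(scheme),
          f"leet adds at most {leet_extra_bits(scheme)} bits")
```

A 20-character generated password is worth roughly 131 bits of guessing, while leet-speak on the heuristic password adds at most 9 bits on top of a string that was never random to begin with.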
As soon as you have a solution, go to your most important sites (bank, gmail, etc.) and change your password to a long generated password. This should give you great peace of mind.
For fun, go to haveibeenpwned and see if your email address has shown up in one of the many data breaches (hint: it probably has).
Let's say you need to send your partner bank information, or more likely a password to some service (gmail/iTunes/whatever). Sending someone secure data is a real hassle. If they don't have GPG or some such tool, then what do you do? Most likely send the user name in one email and the password in another.
That email sits on a server forever! If their email is EVER compromised, then so is your data.
The simplest way you could send this info (without advanced tools) would be iMessage (end-to-end encrypted), and have the other person delete that message on receipt.
Even better than that would be to use a one-time message service, for example Dead Drop (I wrote this service, FYI).
There are other services, e.g. onetimesecret, but I like mine.
True viruses are actually pretty rare these days. What is VERY common, though, is users installing malicious code that sends spam, mines bitcoins, what have you. Your own behaviour is the primary defence against these things.
I've seen several machines HORRIBLY infected simply because Microsoft disabled solitaire by default. So everyone went to Yahoo and downloaded random free solitaire programs, which were terrible, machine-killing malware.
Ask yourself why someone would write that software, and then give it away for free.
If, for some reason, that's an issue for you
Make sure you've run all software updates for your OS.
This isn't really my area of expertise, but I will add resources. If you think your machine is compromised, rebuilding with a fresh, updated OS is your best bet.
Don't do that. This is prime virus / malware delivery territory.
Open source has come a long way, e.g.
* photoshop -> [The Gimp](http://gimp.org)
* office -> [Libre Office](http://libreoffice.org)
Many software packages now have a monthly subscription, e.g. Office is $45 a month and Adobe Creative Suite is $30 a month; this makes professional software affordable to own.
If it's not worth $20 or $30, maybe it's just not very important and you can live without it.
Don't install it, or turn it off
You don't really need flash anymore, Youtube doesn't need it for example. I haven't had flash in months, and really haven't had any issues. WARNING: You may possibly miss one or two cat videos.
This gets a bit more complicated. But a passwords.txt file on your desktop is easy pickings if your machine does get compromised. Another point is what happens when your machine dies: do you pull the hard drive and destroy it? Probably not. So that data should be secured. Your login password doesn't do much if I can take the hard drive out and pop it in another computer to read it.
Enable full-drive encryption; it's built into Windows AND Mac.
Make sure to do the 'make recovery disk' step these tools offer.
Have some sort of strategy for saving secure files.
This is a bit more advanced. At its most simple, you could create a password-protected zip file using 7-Zip, which is also just a great archive utility.
Beyond that, I would recommend TrueCrypt. Although this product has a complicated history, it's one of the few open, audited solutions. When used, it creates a .crypt file that, when you open it, shows up as a separate drive on your machine, which you can use normally. I, for example, have all my tax docs in a .crypt file, which I can then safely keep on Dropbox.