What is Encryption & How is it Useful? Basics of Public Key Encryption

Encryption is the act of encoding data into an unintelligible "ciphertext" until decrypted by a key.

A great example of this is PGP encryption. The text "I like rainbow waffles" when encrypted using PGP looks like this:

-----BEGIN PGP MESSAGE-----
Comment: GPGTools - https://gpgtools.org

hQIMA1H82UVEZMDOARAAljhLee60mhmiISQ8X9y7/u9ZOgXrCJk0nLaCIezmY3sb
lRz/ZgoyJerc/XLqT7BjbinJN3QE32Csn/VNl89ZUnQIYF2Fi4HkP0FlZtV5sl9t
MZEmz/hzTfXg6Al69kXVzokNmP2+sr2lsh/F20FWw+Sn+t13Jd682F3p6O3EgTJV
8dZxvGFLpC5SiOajoYGZpa3100QaC438tyLP7g4tVZ7mVxsKtSOlXmnEc6Ge1xmM
pxTcYeqdXQgUbCb1iLOFHctFEh6xrT6RoMawV7YmSzJaGJ+r3Hc205rSWUua202t
aG+r/FMDIgBPz5Py9lKf9qcqhK8LGqPTVIN5uVbE53YeyEpWZOkpx+uSVFStziqJ
iB7UIQB7UwllWPLmCo96j0YCB/O5ITSDkdEf9pGAAYw/HW1dm9w4+VcHCfwH+/2d
5+2f1iQX25EQvdj93H2Rw1qxYnDSt7s+5RfnEzPX9H+9b/KyCqGeh4/VGwpaO2n/
1Su0B9wEUj4mbFfZQ54fwpUSZZHURmXsiTVE8UMQ+QjOxtKPreVDKSCMdhEbS8rs
h26vr3qf51NT3ASNGHUbDC0GJR6MarwyUlgU0grX/g17oeLeh+9YhJG1POuPQ6jM
1Kn1LW261HHg/vYT9u7aPlXCfAUjZOH1DgOmS/puXmFkRXnPpuU9QHYWAqTn6BiM
LgQDAwIXnfl85S/9puT5Y8rB+1W52kZpebaSCSre51W9fTtx93a3dI8gfaD4zHnS
6QFDeRz/pRyOduJVsA4BxmtvAmkUCjfcOruC1/t3jJ6NPwjdvmw8aWNzs/0Ey056
kPucintT1fuPwSO5+Gwa+7CG81YBnNJOQSoQQlLbpbvyAFYHV2QNkqyISqwuXqAN
qYGs4Ch99od7O+5kqs1B5a70A/RHsXV2jaEUoqKUM24t+t75mgx71RYQTv0t4+Jp
gG66psXiER6NP4ROXUm7bj8EpqdimM4B9EifY/gC9VnGJpmk+eZlbZwEGjd6j29F
MOADJLHrsNDGBZGLNRywnA55y4DJ+EbAF1tPzYQHhqKyWlHsHx0xE/sWK0jJ5TgJ
Tto7DmTJRMb4GKDUl1EqhfQZpD7eSXHKAnPkWsg1S92YFdZlhDi7SACAYXnBzELB
/VeFyuXdjDDZz7B9tSoHaa7BIZuxq2Ae4n662SwkHuI4hvCBb+F4sUa5cGBMMDB9
ekdjUmostA/cUo4ZJzl+OApm/xKNH1Vzb1RLOTF7EHX8NgzWr7HMZ2e5WGDoD8KZ
V4IrBhww2s4aunU6ODyaSJQkZuIzhfoUvGcRYhuWILqZUP4UtdKuk+eI2sZ9Ylqi
pVW/CTlT9FoMaxEOpJzb4Y6SrMlY8IRdxJcDHQSU5FZnZHCfHKylZkPbn1L99yWs
1Olakan9vqSK5kbWss61X49xbm+LgaxcE5wHS6TntCnydp/c7t/rvsDI4myeaEht
PaDz5yYHEtGxHz5S6x15lIoaHqYNZko6pzwu95/aIa1/myBd5ClZ6tye313a8QsX
igsMY4bpLOl0aXvf4agR+wU3Ab4P/iHC80mQcihvcgNkdDgFlsHoxqLznGF4BzjQ
A/t9HSCEgUo=
=Vjd2
-----END PGP MESSAGE-----

This is obviously useless to someone who intercepts the message, but it is also useless to us, unless you have the key. The key is usually, although not always, protected by a passcode. Once authenticated, the key is used to decrypt the message back into its original form. Note that encryption doesn't stop messages from being intercepted; it stops them from being read.

Now that we have discussed encryption in the context of messaging, how does encryption work on hard disks? On a computer, phone, external hard drive etc., encrypting the device's storage turns the data on the device into a similar mess to the one seen above. Once booted, the device will only decrypt the data when the correct passcode is entered. Once authenticated, the key is used to decrypt the device's storage, and the device works as normal. When the device is powered down, the storage returns to its encrypted state.

Public Key Encryption

Public Key Cryptography is the basis for most encryption used today. If you have seen a padlock in your browser or sent an email using Gmail or Outlook, Public Key Encryption was protecting the contents of your browsing, email or data. The following video discusses the basics of Public Key encryption.

When a person generates keys using dedicated software, a public and a private key are generated for that one individual. When person A wants to send person B an email, person B must first provide person A with his/her public key. Person A then uses this public key to encrypt the message so that ONLY person B can decrypt it. That's the magic of public key encryption. When key pairs are generated, the private key is the one correct solution out of the 2^128 total possible wrong solutions to unlocking messages encrypted using the public key. Put simply, without the private key, it is impossibly difficult to break public key encryption by brute force.

So the key takeaway is that for a service using public key encryption to work, you must have the public key of your intended recipient. If you do not have it, you must have it sent to you. You can exchange public keys unencrypted out in the open, as a public key cannot be used to decrypt messages. Facebook even allows you to put your public key on your profile when using PGP email encryption.

Person A's private key is used to decrypt emails that were encrypted using person A's public key. Never, EVER share your private key. Many public key encryption software managers deliberately make exporting private keys harder than exporting public keys, to prevent a person from accidentally sharing their private key with anyone. I only keep a backup of my private key offline on encrypted hard drives. If someone were to obtain your private key, they would be able to decrypt all the messages you have ever received using that key.

Note that the encryption and decryption occur only on person A's and person B's devices, and no external server ever decrypts the contents of one's message. This is known as End-to-End encryption. Further discussion of End-to-End encryption and link encryption can be found here: How to Send Secure Encrypted Instant Messages & Calls.
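To make the mechanics above concrete, here is an added example of my own (not code from the original article, GPGTools or any PGP implementation) showing hybrid public key encryption in Go: a fresh symmetric session key encrypts the message with AES-256-GCM, and only that session key is encrypted to the recipient's RSA public key with OAEP. This is the same overall structure an OpenPGP message uses. The names GenerateKeyPair, Encrypt, Decrypt and Envelope are my own; the message text is the one from the article.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the wire: the session key wrapped with the
// recipient's public key, plus the GCM nonce and the ciphertext of the body.
// None of these fields is secret on its own; only the matching private key
// can unwrap the session key.
type Envelope struct {
	WrappedKey []byte
	Ciphertext []byte
	Nonce      []byte
}

// GenerateKeyPair creates a key pair (assumed helper name). The returned
// *rsa.PrivateKey holds both halves; its PublicKey field is the part that
// can be published openly.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt performs hybrid encryption: a random 256-bit session key encrypts
// the message with AES-GCM, and RSA-OAEP encrypts only that session key to
// the recipient's public key. Anyone can run this step; it needs no secret.
func Encrypt(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Ciphertext: ciphertext, Nonce: nonce}, nil
}

// Decrypt reverses the process. It succeeds only with the private key that
// matches the public key used in Encrypt; any other key fails at the unwrap
// step, and a tampered ciphertext fails GCM's integrity check.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong private key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext was modified or nonce is wrong")
	}
	return plaintext, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	bob, _ := GenerateKeyPair() // person B's key pair
	eve, _ := GenerateKeyPair() // an unrelated key pair, standing in for an interceptor

	env, _ := Encrypt(&bob.PublicKey, []byte("I like rainbow waffles"))
	fmt.Printf("on the wire: %x...\n", env.Ciphertext[:8])

	if pt, err := Decrypt(bob, env); err == nil {
		fmt.Println("Bob reads:", string(pt))
	}
	if _, err := Decrypt(eve, env); err != nil {
		fmt.Println("Eve fails:", err)
	}
}
```

The public key appears only in Encrypt, which is why it can be handed out in the open: nothing in the envelope can be opened without the private key, and the same private key opens every envelope ever addressed to it, which is the reason the article insists on never sharing it.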

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:


How to Send Secure Encrypted Instant Messages & Calls

These days, it is pretty much essential for your information to be encrypted in some way. Some encryption is stronger than others, however. The most common form of encryption (Link Encryption), used by Gmail, the HTTPS version of Facebook, Outlook etc., does not protect the contents of messages once the message has reached Gmail's, Facebook's or Outlook's servers. The two most important types of encryption are End-to-End and Link Encryption. We will discuss the differences between the two, identify messaging/calling services that use the best form of encryption, and explain how to use them.

End-to-End Encryption vs Link Encryption

In Link Encryption, there are two devices and a central server. When a message is sent, the server must decrypt the message in order to send it in the right direction, and then encrypt it again. The weakness here is that the service can see your messages, not to mention that your messages will probably be stored on the service's servers. Additionally, the server(s) may bounce the message unencrypted between servers before finally dispatching it to the intended recipient.

End-to-End Encryption takes this central server out of the equation (mostly). Instead of the server decrypting the entire message, it only reads the addressing information it needs to know where to send the message. The encryption and decryption of the message contents occur on the devices involved in the conversation. The central server cannot see the message contents, nor can anyone running the network. Only the people actually in the conversation can see the contents of messages. Even if a government were to ask the service for the contents of a message, if the service uses E2EE, it would not be able to divulge them. Just note that E2EE protects the contents, not the traffic pattern of your messaging. Additionally, it is possible to implement E2EE and Link Encryption at the same time to protect both the contents and the destination information, though this is uncommon as of publication.

E2EE is also far harder to hack, as the keys used to encrypt and decrypt messages are held by the individuals themselves. If the individuals check that each other's public keys are valid, they can be sure their messages are going to the intended recipients. Link Encryption does not inherently allow for such verification, as the server manages the public and private keys on your behalf. More on this and Man in the Middle Attacks later.

Traditionally, E2EE has been used in email encryption such as PGP or X.509. Unfortunately, PGP has earned a reputation for being hard to set up and difficult to understand, albeit probably the most secure way to send an email. Happily, however, E2EE apps are now becoming increasingly popular and do not require a basic knowledge of public key encryption to operate. It's usually as simple as having both people use the same application (inherent with E2EE).

Examples of Link Encrypted Services

  • Gmail
  • Outlook
  • HTTPS websites (padlock in the browser indicates a website is encrypted using HTTPS)

Examples of End-to-End Encrypted Services

  • PGP (email)
  • X.509 (email)
  • Signal
  • Whatsapp
  • iMessage

With that out of the way, let's discuss which messaging services using E2EE I can recommend and how to use them effectively.


I recommend the Signal app from Open Whisper Systems for iOS and Android. Signal replaces Android's default messaging app, and has a standalone app for iOS (due to Apple's OS limitations on apps in its app store). On top of that, Signal supports audio and video calling, group conversations and file exchange. Best of all, it's free! Signal can only send encrypted messages to other Signal users. Thus, on Android, if you send a message to someone who is not using Signal, the message will be sent as a standard unencrypted SMS/MMS. On Android, the way you can tell whether Signal will use E2EE with a particular contact is that the phone icon will have a lock placed next to it:

In both screenshots, note the call icon on the top right. If there is a padlock, the contact is using Signal and therefore the messages and calls all use E2EE. If there is no padlock, as shown in the rightmost picture, the recipient is not using Signal, and the message will be sent as an unencrypted SMS/MMS. Additionally, the padlock shown in message boxes indicates the message was sent encrypted. As Apple users can only message Signal users via the iOS Signal app, you don't have to worry about this: all your messages and calls will use E2EE.


As of the 5th of April 2016, Open Whisper Systems has collaborated with Whatsapp to implement E2EE. With over a billion users worldwide and E2EE enabled by default, Whatsapp is another great service for messaging securely. It is worth noting, however, that many Whatsapp users have not updated their apps since April 5th. To check if your messages will be sent using E2EE, open the contact and note the padlock:

If you see the open padlock, E2EE will not be used, and the contact must update their app before E2EE can be used.

Man in The Middle Attacks (E2EE)

To understand Man in the Middle Attacks, we must understand the basics of encryption, in particular public key encryption. Read more about this in my article: What is Encryption & How is it Useful? Please note that knowing the basics of public key encryption as discussed in that article is not mandatory to run E2EE messaging apps. However, it does provide a more comprehensive understanding of encryption and how to protect yourself from certain threats. To recap: a public key encrypts messages, a private key decrypts messages.

In the context of E2EE, a Man In The Middle Attack (MITMA) is the act of an attacker substituting his own public key for your public key during the key exchange process in E2EE apps. Effectively, the attacker would then receive your messages instead of your intended recipient and decrypt them using the keys exchanged. To avoid detection, the attacker would then re-encrypt the message and send it on to your intended recipient using the keys he exchanged with them. The way we secure ourselves against MITMAs is by verifying our recipient's public key, and vice versa. Using Whatsapp as an example, click the lock (pictured above) and a QR code and a string of digits will display (pictured below).

How to verify your recipient's public key.

Enable this setting to detect MITMAs after you have verified public keys with that particular recipient.

To verify your contact's public key, you will have to compare this QR code or string of numbers with your recipient, ideally on another messaging service, or by reading the code out during a phone call. Verifying public keys using a different service from the one you are using is known as Out-of-Band verification. If you go the phone call route, be sure to state every single digit, as the attacker may change only one number in your recipient's public key. This single digit could be the difference between your messages going to your intended recipient and to an attacker. You will only have to do this once, as Whatsapp has another setting that warns you when a person's public key suddenly changes. To enable this, go to settings -> accounts -> security and enable "Show Security Notifications."

Signal's main way to verify exchanged public keys is to call the user using Signal (make sure the padlock is on the phone icon if you're using Android). Your screen should look like this if you're using Android, but the Apple version is fundamentally the same:

Call Screenshot from Android

Note where it says "classroom pedigree." At the beginning of your call, verify that this text matches your recipient's. If it does, you're calling them directly. If the text is different between you and your recipient, you are falling victim to a man in the middle attack.
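The two defences just described for Whatsapp and Signal (comparing a code derived from the public key out of band, digit by digit, and being warned when a contact's key changes) are simple enough to show in full. The Go program below is an added example of my own, not code from Signal, Whatsapp or Open Whisper Systems; the 60-digit layout is an assumed look-alike of the codes such apps display, not their actual algorithm, and the names Fingerprint, DigitsMatch, KeyStore and Observe are mine. The keys are generated on the spot as a constructed scenario.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Fingerprint reduces a public key to a short code two people can read to
// each other over the phone: SHA-256 of the key bytes, shown as twelve groups
// of five decimal digits. The grouping is illustrative (an assumption of this
// example), not any app's real scheme.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	groups := make([]string, 0, 12)
	for i := 0; i < 24; i += 2 {
		n := int(sum[i])<<8 | int(sum[i+1]) // 0..65535, always fits in 5 digits
		groups = append(groups, fmt.Sprintf("%05d", n))
	}
	return strings.Join(groups, " ")
}

// DigitsMatch is the phone-call check: every single digit has to agree.
// It returns the index of the first differing group, or -1 when the codes
// match, so the caller can say exactly where the mismatch was.
func DigitsMatch(mine, theirs string) int {
	a, b := strings.Fields(mine), strings.Fields(theirs)
	if len(a) != len(b) {
		return 0
	}
	for i := range a {
		if a[i] != b[i] {
			return i
		}
	}
	return -1
}

// KeyEvent is what a "security notification" is built from.
type KeyEvent int

const (
	FirstSeen KeyEvent = iota // trust on first use: nothing to compare yet
	Unchanged                 // same key as last time
	Changed                   // differs from the key previously seen: warn the user
)

// KeyStore remembers the fingerprint last seen for each contact, which is all
// an app needs to raise a "this contact's security code has changed" alert.
type KeyStore struct {
	seen map[string]string
}

// Observe records the key presented for a contact and reports whether it is
// new, unchanged, or different from the one seen before.
func (ks *KeyStore) Observe(contact string, pub ed25519.PublicKey) KeyEvent {
	if ks.seen == nil {
		ks.seen = map[string]string{}
	}
	fp := Fingerprint(pub)
	prev, known := ks.seen[contact]
	ks.seen[contact] = fp
	switch {
	case !known:
		return FirstSeen
	case prev == fp:
		return Unchanged
	default:
		return Changed
	}
}

func main() {
	// Constructed scenario: Bob's genuine key and a substitute key that an
	// interposed server could present to Alice in its place.
	bobPub, _, _ := ed25519.GenerateKey(rand.Reader)
	substitutePub, _, _ := ed25519.GenerateKey(rand.Reader)

	fmt.Println("Bob reads out:     ", Fingerprint(bobPub))
	fmt.Println("Alice's app shows: ", Fingerprint(substitutePub))
	if i := DigitsMatch(Fingerprint(bobPub), Fingerprint(substitutePub)); i >= 0 {
		fmt.Printf("mismatch in group %d: do not trust this conversation\n", i+1)
	}

	var alice KeyStore
	fmt.Println(alice.Observe("bob", bobPub) == FirstSeen)      // first contact, nothing to compare
	fmt.Println(alice.Observe("bob", bobPub) == Unchanged)      // nothing to report
	fmt.Println(alice.Observe("bob", substitutePub) == Changed) // raise a security notification
}
```

The store does exactly what the "Show Security Notifications" setting promises: it cannot tell you whether the first key it saw was genuine (that is what the out-of-band comparison is for), but once that comparison has been done, any later substitution shows up as a Changed event.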

iMessage for Apple also supports E2EE, albeit without protection from man in the middle attacks and without cross-brand compatibility.

Although key verification may seem irritating, it is good to practice good security habits. However, if it is just too much, it is still far safer to use E2EE messaging apps than Link Encrypted messaging apps (i.e. Gmail) or unencrypted messaging services like Facebook. Note that Facebook messaging can use SSL/TLS encryption (Link Encryption) when browsing on the HTTPS version of Facebook (not HTTP). Install HTTPS Everywhere on Firefox or Chrome to enable this by default. This is most useful on unsecured wireless networks, where hackers can sniff the contents of all unencrypted traffic without needing to break any encryption or passwords.


Signal can also be accessed using Google Chrome on desktop by downloading the extension.

Whatsapp vs Signal vs iMessage

iMessage does not allow for any form of key verification, does not support calling, and can only be used between Apple devices.

Whatsapp can be used securely, but be sure to turn off iCloud/Android backups. Otherwise, your Whatsapp messages will be stored unencrypted on Apple's/Google's servers. Be sure your contacts do the same. Similarly, taking screenshots of conversations usually results in the image being uploaded to the cloud, whether via iCloud, Dropbox, Google Photos, OneDrive, etc. Sadly, none of these services encrypt data stored on their cloud storage servers. Currently, governments don't even need a warrant to access a person's cloud storage data, so I'd advise against this. Signal has a setting, enabled by default, that prevents screenshots from being taken from within the app. Additionally, Signal, unlike Whatsapp, does not automatically upload its messages to the cloud when cloud backups are enabled in your phone's operating system. You can also have the app delete your messages automatically after a specified number of messages.

For this reason, I recommend Signal, but I also use Whatsapp. Just know the precautions you must take in order to secure your data fully, and encrypt your phone with a strong passphrase. Lastly, it's great that you may be taking steps to protect your data. However, if your recipient doesn't do the same, your efforts may be futile.


The result of these E2EE messaging services is that Signal, Apple, Whatsapp and others who use E2EE do not store any data regarding the content of your conversations and voice calls. This also effectively subverts government surveillance and hackers, as although the data may be intercepted, it is safely encrypted. Additionally, governments can't obtain the information from Signal or Whatsapp, as all the information is stored only on the users' (hopefully encrypted) phones. Put simply, only you and the person you are messaging can read the conversation, nobody else. The obvious downside to E2EE services is that you are going to have to convince people to use the app with you. Though, once you have your friends using the app, you can have your own private community of private messengers, immune to all eavesdroppers.

Pretty Good Privacy (PGP) Email Encryption Guide - GPGTools (MacOS)

Many will be shocked to learn that emails, even when using traditional means of encryption, are not encrypted once the email reaches the email provider's servers. Since emails often travel across the world before they reach their final destination, your unencrypted emails will likely have been intercepted and stored in a government database.

The aptly named Pretty Good Privacy (PGP) encryption standard is one of the most (if not the most) secure ways to encrypt an email End-to-End. Ever since whistleblower Edward Snowden used PGP to email Glenn Greenwald about the revelations of NSA spying in 2013, many journalists now put their public key in plain view on social media, presumably hoping that they will be the ones to receive leaked classified information from a source. It's not only journalists that use PGP. Anyone who wants to encrypt emails End-to-End rather than by conventional (and inferior) Link Encryption methods such as SSL and TLS will have found what they are looking for in PGP. For more information on End-to-End Encryption and how it compares to traditional Link Encryption, see my article: How to Send Secure Encrypted Instant Messages & Calls.

PGP works on the basics of Public Key Cryptography. To understand how to use PGP and why it functions as it does, you'll definitely need a basic knowledge of the topic. Learn about the basics at my article: What is Encryption & How is it Useful? Basics of Public Key Encryption. Consider this a prerequisite.

With the basics out of the way, let's discuss how we can use PGP to secure our email communications.

How to Setup PGP

In order to use PGP, you'll need a compatible mail client like Mozilla Thunderbird and a software package that incorporates PGP into your respective mail client. In this case, we will be incorporating MacOS's built-in Mail client with GPGTools. Follow the link and install the package. Once you run GPGTools you should find yourself needing to generate your very own key pair (your private and public key):

Generate Key Pairs in GPGTools for Mac

Type your name and your email address. The first consideration you may want to make is: do you want to put your real name in the name field? After all, you are using PGP to encrypt traffic; using a fake name may afford you additional anonymity. You will probably want to upload your public key to the key servers so others can find, verify and sign your key later. You can upload your key at any time. However, you can't delete your key from the key servers. You can only revoke the key. More on this later.

Although email addresses are usually not case sensitive, they are in GPGTools. So if your contact lists you as having uppercase letters, you'll want to type with uppercase letters here. Do keep in mind your contacts will also need to type your email address with the correct upper/lowercase letters in order to send you an email. You'll be able to add more email addresses to your private key later, including the same email address in uppercase and lowercase letters. The advanced options can be left as is. You may want to disable the "Key expires" checkbox (you can also change this later if you wish). Lastly, enter a secure passphrase. Information on passphrases is in my article: Passphrases, Password Managers & Multi Factor Authentication. This passphrase will be your last line of defense if your private key is acquired by a hacker. Click "Generate Key."


Add Email Addresses to Your Private Key

You will only be able to send encrypted emails if you're using an email address that has been entered under the "User IDs" of GPGTools. Once again, you must type your email address case-sensitively for this to work. If you're having problems, also add the same email addresses with uppercase letters if commonly used.

Double click your key in the GPG Keychain menu to access this window:

Add Email Addresses to GPGTools

Press the "+" icon to add an email address:

What Happens if I Want to Delete My Private Key?

If someone has acquired your private key, or you delete your last copy of your private key, you'll want to revoke it from the key servers. You cannot delete a key from the key servers; hence, PGP public keys from the 1990s are still readily accessible from the key servers. Click "Key" and then "Revoke:"

This will show other users

Back Up Your Keys

If you somehow lose your private key, you will no longer be able to decrypt messages. On top of that, you'll have to generate a new key and revoke your old key from the key server. It is therefore imperative that you keep an offline and preferably offsite backup of your private and public keys as well as the aforementioned revocation certificate. If you back up the keys, be sure to encrypt the disk with a strong password. Do note, USB flash drives have a terrible shelf life for archiving.

Sending Encrypted Emails

You'll notice an OpenPGP button on the top right. To encrypt the email, click the padlock. If you want to sign, click the tick. Usually, you'll want to do both. More on signing keys and key verification in the next section.

Sending mail Using GPGTools in MacOS

These options will be greyed out unless you satisfy two conditions. First, the email address you are sending from must have been added to GPGTools. Second, you must have added your recipient's public key to GPGTools. Usually, you will obtain your recipient's public key in the form of an ".asc" file. Open the file using GPGTools by clicking the import button on the top left.

Why Sign an Email? Key Verification

Signing an email does not encrypt the email, but it attaches a copy of your public key in the form of an ".asc" file. This allows others to encrypt emails to you in future. In addition, a recipient will be able to verify that the email was signed using your private key (assuming they already have your public key), presumably confirming the email was sent by you. If they suddenly notice your public key has changed, that may be a sign of a man in the middle attack. More information on key verification is in my article: How to Send Secure Encrypted Instant Messages & Calls. Keep in mind you can sign, and the recipient can verify, an email even if the email is also encrypted.
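To show what signing adds and what it does not, here is an added Go example of my own (not code from GPGTools or GnuPG): a message is sent in the clear together with a signature made with the sender's private key, and the recipient checks it against the sender's public key they already hold. The names SignedMail, Sign and Verify are assumptions of mine, and the keys and message bodies are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedMail is a signed-but-not-encrypted message: the body is readable by
// anyone who sees it, and the signature lets the holder of the sender's
// public key check that the body was signed by the matching private key and
// has not been altered since.
type SignedMail struct {
	From      string
	Body      []byte
	Signature []byte
}

// Sign produces the signature with the sender's private key. This is the one
// operation that needs the private key; the body itself stays in the clear.
func Sign(from string, priv ed25519.PrivateKey, body []byte) SignedMail {
	return SignedMail{From: from, Body: body, Signature: ed25519.Sign(priv, body)}
}

// Verify checks a message against the public key the recipient already holds
// for that sender (obtained and verified earlier, for example out of band).
// It fails if the body was altered or if the signature was made with some
// other key, which is what a recipient would see if an intermediary had
// swapped the sender's key for one of its own.
func Verify(trusted ed25519.PublicKey, m SignedMail) error {
	if len(trusted) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if len(m.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(trusted, m.Body, m.Signature) {
		return errors.New("signature does not match the sender's key, or the body was altered")
	}
	return nil
}

func main() {
	// Constructed keys: Alice's real pair, and a second pair standing in for
	// someone trying to pass their messages off as hers.
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	mail := Sign("alice@example.com", alicePriv, []byte("Meeting moved to 3pm"))
	fmt.Println("body is readable on the wire:", string(mail.Body))
	fmt.Println("genuine:", Verify(alicePub, mail))

	forged := Sign("alice@example.com", otherPriv, []byte("Meeting moved to 3pm"))
	fmt.Println("signed with another key:", Verify(alicePub, forged))

	tampered := mail
	tampered.Body = []byte("Meeting moved to 4pm")
	fmt.Println("body altered in transit:", Verify(alicePub, tampered))
}
```

Note that Verify takes the public key the recipient already trusts, not one pulled from the message itself: a key attached to an email is convenient for future encryption, but a signature only proves authorship relative to a key you verified some other way.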

What Does PGP Encrypt?

GPG encrypts email contents. This includes text in the body, subject line and attachments. It does not include your email address or the recipient of the email. Email encryption also doesn't hide your metadata, such as your IP address and hence your location, unless you are using a proxy/Tor/VPN/Tails OS etc.

Signing Friends Keys

PGP has an ingenious way of building a reputation for the legitimacy of a person's public key. As you may have noticed, GPGTools has a column on the far right called "Validity." You can boost a person's public key's "Validity" by signing it with your own. Click their public key, then click "Key" on the top toolbar and then "Sign."

You'll be greeted with a brief synopsis of what you're doing. Choose the private/secret key you will be using to sign (likely, you will only have one private key). Then, choose how certain you are that the public key you are signing actually belongs to whomever it states it does.

Facebook PGP Email Encryption

To begin with, you may have very little use for PGP. However, Facebook can encrypt all emails to you using PGP. So, as a bonus to this guide, let's discuss how we can set up Facebook to send all emails to you encrypted using PGP. Do note, this includes account recovery emails, and if you lose your private key, you will not be able to decrypt these emails. This can be both an advantage and a disadvantage: even if a hacker gains access to your emails, they won't be able to decrypt the password recovery emails.

First, go to your Facebook Security Settings:

Facebook Settings Screen

Download Facebook's public key and place your public key in the textbox. Obtain your public key by exporting it using GPGTools and then opening the file in TextEdit (Mac).

Public Key for Facebook PGP

Email Sent by Facebook Confirming You Can Decrypt Their Message


In conclusion, PGP may seem irritating to set up, but it really gives you a comprehensive understanding of Public Key Cryptography. If you truly value the contents of your emails, PGP may be one of the best methods of ensuring they are only read by the intended recipient.

Top Privacy & Security Browser Extensions - Firefox, Chrome, Opera, Safari

- Updated on the 24th of February 2017 -

Your data is valuable, more than you know. Cookies, or data loaded into your browser that tracks you across websites, are now pretty much ubiquitous. In recent times, flash cookies, browser fingerprinting and other techniques have also become pervasive. To protect ourselves online, here are some privacy and security related browser extensions for Chrome, Firefox, Safari and Opera. I'm focusing on extensions that require little/no attention from the user after the initial install, as many extensions break website functionality. These extensions should increase your security and privacy simply by running in the background.



1. HTTPS Everywhere

HTTPS is the green padlock in the URL bar you'll see on Facebook, YouTube and most checkouts in online stores. It signifies that your connection to the web server is encrypted and cannot be read by third parties (i.e. hackers, your internet service provider, government surveillance). HTTPS Everywhere forces all webpages loaded to use HTTPS encryption whenever possible. This is extremely important on public wireless networks, where all web traffic (i.e. passwords, emails, instant messages etc.) is otherwise sent over the network completely unencrypted, allowing anyone with free software to see exactly what you're doing. I would describe this extension as common sense: if encryption is available, there is no reason not to use it! Available for Safari, Chrome, Firefox, Firefox on Android & Opera.

2. Disconnect

Disconnect 'Private Browsing' is an open source anti-cookie and anti-tracking extension that boasts a database of cookies/trackers. All of these cookies/trackers are categorised for easy blocking of, for example, all social media cookies or all advertising cookies. You can unblock any type of tracker on the fly, and if a tracker is necessary for a website to work properly, you can add entire websites to a whitelist. Usually though, this is an install-and-forget type of extension. Available on Firefox, Chrome, Safari and Opera.

3. uBlock Origin

A simple general purpose blocker of third party cookies, scripts etc. that runs in the background with little/no setup or attention needed from the user. It's amazing to see the counter of blocked items whilst website functionality is sustained. Available for Chrome, Safari, Firefox and Opera.

4. AdNauseam

Unlike your traditional ad blocker, AdNauseam (a clever play on words) not only blocks ads, but clicks them as well. Your pages will load faster, you won't see tens of malevolent download button ads on download websites, and you'll save a little on bandwidth too. From a privacy standpoint, advertisers won't be able to profile your interests, because you have clicked on literally everything. Available for Chrome, Firefox and Opera.

5. Privacy Badger

Privacy Badger blocks cross-website trackers. If, after you leave a website, Privacy Badger notices trackers are still logging your movements, the extension will disallow any connection to the tracker's source. Available on Chrome and Firefox.

6. TrackMeNot

TrackMeNot is a Chrome and Firefox extension that creates random search queries in the background, obfuscating your genuine searches amongst its fake searches. Much like AdNauseam's approach to privacy (they share the same developer), search engines and advertisers cannot profile you accurately, as they cannot distinguish which searches are actually legitimate.

7. Decentraleyes

Decentraleyes complements other adblockers. What the addon does is beyond my expertise, but you can read about the addon on the Firefox and Chrome store pages.

Good to Haves

8. Random Agent Spoofer

Random Agent Spoofer (Firefox) and Random (Hide) User-Agent (Chrome) change the information that identifies your browser to that of a different, randomly selected browser. This spoofing can be made to change on every website request and at random time intervals. This is particularly effective against browser fingerprinting, as discussed earlier.

9. Terms of Service Didn't Read

Terms of Service Didn't Read summarises any alarming items in popular End User License Agreements (EULAs). The extension gives every EULA a grade from A to F and then states why. Although very different from the other extensions discussed, it does put into perspective how much privacy we are expected to give up to use certain services such as Google and YouTube. Available for Chrome, Safari, Firefox and Opera.

10. LastPass

LastPass is my favourite password manager. They have a great security and transparency record, great browser extensions and phone apps, and are great value. See my guide: Passphrases, Password Managers & Multi Factor Authentication for more details. Full disclosure: LastPass is not a sponsor, and I have absolutely no affiliation with LastPass. I just like and recommend their product.

Firefox Only

11. Privacy Settings

Thanks to Firefox's customisable configuration back end in the form of about:config, users can alter specific privacy settings that simply cannot be tweaked in Chrome-based browsers. A list of these about:config configurations can be found here, but Privacy Settings (a Firefox-only addon) allows 36 of these settings to be changed on the fly by selecting from privacy and security presets. I personally like the "Privacy (compatible) and Security" preset. However, if you choose another, more secure preset and it disables a website, you can, at the click of a button, return to a more compatible preset.

12. Multi-Account Containers

This Firefox addon allows you to categorize your websites into "containers." Cookies are kept within whatever container you specify. Thus, your browsing in one container cannot be seen by cookies from websites in other containers.

Final Tip

  • If you are having trouble installing an addon, try disabling antivirus software.
  • Don't install Adblock. Having multiple adblockers is a waste of processing power. If you already have an adblocker, uninstall it and stick to AdNauseam. This includes uBlock and Privacy Badger. If you are using Chrome, you may wish to use uBlock and Privacy Badger instead, as Google has blocked AdNauseam from its store.
  • If the Firefox addon website states you aren't running the latest version of Firefox when you actually are, revert Privacy Settings addon back to default original settings.


It somewhat baffles me why web browsers don't come with many of these extensions by default. In the meantime, however, I encourage anyone seeking more privacy and security online to install some of these extensions. Additionally, give Firefox a try. It's open source, meaning its code is open for public security auditing, and it has recently had a nice speed enhancement. Additionally, Firefox now protects against browser fingerprinting, a tracking method that allows advertisers to track you based on the uniqueness of your browser (including which addons you are running). Google recently introduced an adblocker in Chrome by default, but it doesn't block any advertising served through Google's advertising platform, AdWords.

Google does not exactly have a great reputation for protecting users' privacy. For more, check out my guide, How to Live Without Google.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:


How to Live Without Google?


Google has become so ubiquitous that something inspired me to write this guide. Someone saw me use a search engine they had never seen before, and they seemed shocked! "Yes, I don't use Google," I said. It was at that moment that I became cognizant that Google knew more about me than my best friends. So, let's discuss why you may want to try alternatives to Google search and how to survive without Google services in general, all with the motivation of privacy.

Privacy Checkup

Under your Google Account, look for Privacy Checkup:

Google Accounts Homepage

Click get started and follow the prompts. Points 5 and 6 are most important.

Privacy Checkup Homepage

You'll see a bunch of expandable drop-downs which you can switch off. Switching off anything will pause Google from storing that respective information. For example, turning off Web & App Activity will stop Google from collecting your web/app data from this point forward. However, it does not mean your past web/app data is removed. To remove past web/app activity, press "Manage Activity."

Web & App Activity

You should see a window with all your web history. Click on the three dots on the top right to open additional options. Then, click "Delete Options:"

Delete Web & App Activity for All Time

Click "Advanced" and then, from the drop-down, select "All time." Press "Delete" to finish. Repeat this process for all other options under section 5 such as Location History, Device Information etc.

Once you get to section 6, click "Manage Your Ad Settings."

Disable personalized ads

Simply switch this setting off to turn off personalized ads. I like to turn this off, as it scans all Gmail messages etc., and I use Adblock anyway, so having this option on is not advantageous to me.

An option that Google does not include here, is your Google Now voice recordings. Delete your Google Now Recordings.

To summarize, you may not want to turn everything off, and that's fine. For most people, leaving YouTube and Location History on is just fine. The one setting I recommend turning off is Web & App Activity, as we'll be looking for a Google Search substitute next.


DuckDuckGo is a third party search engine that does not track you. Simply change your default search engine in your web browser to DuckDuckGo.

DuckDuckGo Homepage

Click on the top right and then click "Advanced Settings" to customize DuckDuckGo to your liking.


One severe disadvantage of DuckDuckGo is that it omits Google search results, relying on Yahoo and Bing instead. Startpage is a search engine that includes Google results. It also boasts forward secrecy encryption, meaning all searches use a different encryption key. Put simply, an attacker couldn't just obtain one key to decrypt all your searches, as each search has its own unique key. Although generally slower and lacking some of the bells and whistles of DuckDuckGo, Startpage still boasts security features like proxies and Google search results, and is definitely worth a try.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content.


Virtual Private Networks (VPNs), Proxies & DNS


To understand what a Virtual Private Network is, it's best to first explain what a proxy is. In the context of networking, a proxy server is a server that one can connect to that acts as an intermediary connection to the internet.


Connection Without Proxy to Internet:

User --> ISP --> Internet

Connection With Proxy to Internet:

User --> ISP --> Proxy --> Internet

Note: ISP = Internet Service Provider

When you connect, the proxy assigns you an IP address. Proxies that use "shared IP addresses" use a range of IP addresses to connect to the internet. All users connecting to the internet via the proxy have their real IP addresses masked behind the range of IP addresses the proxy uses to connect to the internet. Assuming the proxy does not keep logs, your connection to the internet is anonymized, with little to no trace of your internet activity. This is because multiple users share the same IP address, making it harder to track you based on your IP address alone.

Further, if the proxy server is physically located overseas, your connection to the internet appears to originate from the proxy server. Thus, if you connect to a proxy server in the United States from Australia, you can bypass geolocation restrictions imposed by Netflix (the US has 7 times more titles than Australia on Netflix due to copyright reasons).


Finally, what exactly is a VPN? A VPN is a proxy, but with the addition of end-to-end encryption. When you connect to a VPN server, a tunnel is created using a tunneling protocol, forming a secure conduit for your data between you and the server.

Although the internet may not be able to see your real IP address, the proxy/VPN server can see all your internet activity. So it is important to pick a VPN service that keeps no logs of your real IP address and web history. To compare, a VPN could be seen as a log-less Internet Service Provider (ISP). Unlike most VPN services, Internet Service Providers keep logs of your IP, search history and even the type of data you consume. In Australia, under the new metadata retention laws, ISPs are now legally required to keep logs of your activity for a minimum of two years. ISPs use what is known as packet sniffing to examine your internet traffic. Using this technology, ISPs have been known to throttle users who connect to high-bandwidth services like Netflix. If, however, you connect to a VPN server, your ISP cannot see what services you are using, as all your internet traffic is encrypted, and therefore cannot throttle you.

The last big benefit of a VPN is that it guarantees you a secure connection to the internet, even when you are using a very insecure public Wi-Fi network. Because your data is encrypted through the Wi-Fi router, through the ISP, all the way to the VPN server, hackers who also use packet sniffing techniques on the same unsecured Wi-Fi network cannot see anything you're doing. Put simply, anyone who intercepts your packets of data, whether it's a hacker, a router that allows packet sniffing for analytical purposes or your ISP, will only see a giant cipher of encrypted text (see my article for an example of encrypted ciphertext: What is Encryption). VPNs also protect against session hijacking attacks on unsecured wireless networks. Session hijacking works by stealing your login cookie (a piece of information stored on your computer to indicate you are logged in). By stealing your login cookie, the attacker can press a button and take over your login session, giving them full access to your account (albeit without your password). Believe it or not, that can be as easy as installing a browser extension.

Although VPN services probably sound like the greatest thing ever at this point, there are some trade-offs you make when connecting via a VPN. Apart from the fact that the VPN provider can see what you're doing, VPN services cost money, and due to the encryption that happens between you and the server, your connection will be slowed down. How much so depends on your distance from the server you're connecting to, the strength of encryption you select, your device hardware and how good the VPN service provider's server is. However, due to ISPs throttling users, many observe higher speeds to popular websites like Netflix and YouTube when connecting via a VPN. Some websites simply do not work over a VPN. This came as a shock to me when I realized the reason I couldn't access Carsales.com is because it doesn't support connections from VPNs. In these rare cases, simply switch the VPN off. Further, VPN users have been found to be put under closer surveillance by government organizations like the NSA. The NSA and its subsidiaries have been known to store encrypted VPN traffic to be decrypted by supercomputers if the user were to fall under suspicion. This is as opposed to unencrypted traffic, which is stored and then discarded, as the ISP and government surveillance agency can see the contents of the unencrypted web data without the need for decryption. Finally, in buildings with lackluster wiring, packet loss (loss of information during transit across the internet) can look like a connection is compromised, resulting in the VPN server disconnecting to prevent any risk of exposing the user's web traffic.

Benefits of a VPN

  • Bypass geolocation restrictions
  • Bypass censorship restrictions
  • Anonymize your connection to the internet and your ISP
  • Secure yourself against many public Wi-Fi risks

Downsides to VPNs

  • Will slow your connection speeds
  • Costs money
  • VPN provider can inherently see your web activity
  • To hackers and ISPs sniffing your internet traffic, it is obvious you are connecting to a VPN
  • Government agencies like the NSA and GCHQ are reported to spy on VPN traffic

VPN vs Proxy vs Smart DNS

If you're looking purely to get to US Netflix or a website blocked due to geo-restrictions, a Smart DNS service will suffice for the lowest possible cost. Proxies have slightly more anonymity than Smart DNS, but most people choose a VPN over a proxy. The great benefits over proxies for the small price penalty are usually considered worthwhile. I personally recommend a VPN service for most people, or possibly a Smart DNS service. Proxies are generally more difficult to set up as well.

What VPN Should I Choose?

If you do decide to try a VPN, you're in luck. Many VPNs are cheap and most offer a trial period or a money-back guarantee. There are a number of things you should consider when choosing and trialing VPN services.

Logs/Privacy Policy and Locality

An important part of what VPN you choose is their attitudes towards logging and privacy. This is usually advertised by most VPN providers, as most users seeking a VPN do so for the increased privacy and anonymity. Many VPN providers state they do not keep logs of any kind, which is a blatant lie.

Other VPN services may be very anti-piracy, blocking all P2P torrent traffic altogether through their VPN. As many use a VPN purely to avoid their IP address being easily found while illegally downloading, take this into consideration if it matters to you. Although policies like no torrenting may be hidden on a VPN provider's website, be sure to read reviews to find information like this. I personally need a VPN that supports P2P, as I use BitTorrent Sync (a Dropbox competitor). The difference between traditional cloud-based options like Dropbox and P2P services like BitTorrent Sync is that Sync takes the server out of the equation. Using Sync, files are transferred directly to your devices, rather than first uploading them to Dropbox's server and then downloading across your other devices. As Sync uses P2P (torrenting) technology to transfer data, it is vital to me to choose a VPN that allows torrent traffic.

Pricing - Free vs. Paid VPN

You might ask, why not just use a free VPN service? Free VPN services always have to make money in order to be sustainable. This usually means no or very little customer support, inferior encryption, slower speeds and unstable connections. Further, some VPNs make you sit through some advertising before you connect. Others restrict the number of servers you can actually connect to. Free VPNs almost always have low data limits and may sell your bandwidth and information to third parties for advertising purposes. Put simply, if you're using a free VPN, you're the product! Besides, VPNs are cheap, especially when bought in longer subscriptions. As an example, I use Private Internet Access (PIA). PIA offers a 7-day money-back guarantee, and is priced at $6.95 for a 1-month subscription, $35.95 for a 6-month subscription or $39.95 for an annual subscription (US dollars).

Data Limits

Definitely note if the VPN service you're looking at has data limits and, if so, how much data you are entitled to. Most paid VPNs allow unlimited data. Note that if your VPN provider states they keep zero logs but have data limits, scrutinize their logging policy, as it is impossible to implement data limits without logging a user's total consumed data.

Does the VPN Service Connect Using Their Own Servers?

Although uncommon, some VPN providers such as Vypr VPN from GoldenFrog only connect to their own servers. Most VPN services rent other servers and don't have direct control over them. Owner operated servers are definitely a plus. I am not being paid to state this.

Number of Connected Users

One of the most important things to look for in a VPN service is the number of simultaneous connections to the VPN server the service allows. As discussed, VPN services do keep SOME logs. For example, a VPN must keep logs on how many devices you are connecting to the VPN at once. Otherwise, you may be giving your whole family and friend base access to the VPN service via your one subscription. Keep in mind the number of devices you intend to connect at once. For instance, if you have a phone and a computer, you will need a minimum of 2 simultaneously connected devices on the VPN.

VPN Protocol - OpenVPN

When looking for a VPN service, make sure it uses OpenVPN as its protocol for connecting to the VPN server. OpenVPN is the standard, and is pretty much ubiquitous. For more information on this topic, see BestVPN.com's article: PPTP vs L2TP vs OpenVPN vs SSTP vs IKEv2. For most though, just make sure your VPN uses the OpenVPN protocol.

DNS Servers

A good VPN will have its own DNS servers. DNS, in case you weren't familiar, is a phone book of website URLs and IP addresses. When you type a URL into your browser, a DNS request is issued to a DNS server, which tells your web browser what IP address to connect to. Your web browser cannot connect to a website without knowing the URL's corresponding IP address. By default, your DNS server (usually set on your router in a home environment) is your ISP's DNS server. To fully hide your traffic from your ISP, you should change DNS servers to a log-less DNS server run by your VPN service. The easiest way to do this is to find out if your VPN provider has their own DNS server and, if so, what the server address is. Once you have their DNS servers' IP addresses, input your DNS server(s) into your router's settings page (usually located under WAN). This will result in your devices using the specified DNS servers when connecting to the wireless router. Alternatively, you can set the DNS server on each individual device. I often do this for networks I usually connect to, such as my university campus wireless network. Many VPNs have guides on how to do this. Note that you can only change a DNS server on a device-by-device basis per connection. So if you switch to another wireless network (other than your home network), you'll have to set the DNS server again manually.

Some VPN servers only allow DNS requests from connections made through their VPN service. So if you disconnect to, say, browse a website that is blocked on VPN connections, your DNS servers won't work, and thus you won't be able to browse that site. So look for a VPN with its own log-less DNS servers that work even when not being accessed through the VPN. Alternatively, you can connect to a third-party DNS server like OpenDNS if your VPN provider doesn't offer its own DNS servers.

Finally, many VPNs allow you to specify an option to prevent DNS leaks. A DNS leak is when a DNS request is sent outside the VPN tunnel, unencrypted, and possibly to an ISP's DNS server if you have not configured your custom DNS servers. This would allow an ISP to see and log what websites you have visited.

Using Private Internet Access VPN, I have my DNS servers set on my router, and "avoid DNS leaks" set to "on" on my devices. PIA allows an unlimited number of devices to use their DNS server, even when you aren't using PIA VPN on that particular device. This is vital, as setting their DNS servers on the router makes ALL devices connecting to that wireless router use those particular DNS servers. Additionally, PIA allows a maximum of 5 devices using the VPN per subscription, so it is likely that not all your devices will be connected to the VPN at any one time (note the above discussion on the DNS server needing to be usable even when not connected to the VPN). Sadly, the downside I have observed with PIA is that it does not allow for OpenDNS and its proprietary technology "DNSCrypt", a technology that encrypts all DNS traffic, even when a VPN is not used. If you're using a VPN, however, this really shouldn't matter too much, as DNS traffic is usually tunneled through the VPN (assuming "avoid DNS leaks" is set to "on"). Unfortunately, I don't find PIA particularly reliable, and its Windows client at one point prevented the computer from accessing the internet without connecting to the VPN, even when disabled or uninstalled.

Router Support

Instead of connecting all your devices to the VPN (note the maximum number of simultaneous VPN connections possible for your VPN service), you can connect your router to the VPN. In this configuration, all devices connected to the router will be connected to the VPN by default, despite the VPN provider only logging this as one connection to the VPN. Further, devices like Apple TVs that can't usually connect to a VPN can be, when connecting through a VPN-enabled router. Sadly, most routers have comparatively horrid processing hardware (it takes a decent processor to be able to encrypt your data at a fast enough rate to keep up with your bandwidth without bottlenecking). Thus, your router will usually bottleneck your internet speeds. Even with a top-of-the-line 802.11ac router, I noted a ten times reduction in speeds when connecting to the VPN via the router instead of connecting from my laptop. Further, you probably won't want to connect your gaming console to a VPN anyway, as it will reduce speeds and introduce lag. Setup is also usually more difficult. PIA offers very little and at times misleading support for setting up their VPN on routers. Many tell you to install a third-party router firmware like DD-WRT or Tomato, which is often not necessary. ExpressVPN offers far more comprehensive guides with far more flexibility regarding types of encryption etc. when connecting via a router. In any case, I cannot recommend connecting to a VPN using a router, due to the reduced speeds. Further, some VPN services don't offer support for connections from routers using the OpenVPN protocol, instead opting for the less secure L2TP protocol (PIA, cough cough). If you connect via your computer or mobile device, it almost certainly is using OpenVPN. I can, however, recommend running a VPN on a pfSense custom-made router.

Anonymous Payment Method - Bitcoin

Bitcoin is a digital decentralized currency. A decentralized currency works something like this:

Bitcoin: Buyer --> Seller

Mastercard/Visa/Paypal: Buyer --> Mastercard/Visa/Paypal --> Seller

Note: Mastercard/Visa/Paypal etc. will keep logs of your purchase.

If you want there to be no log of your purchase of your VPN, consider using Bitcoin and finding a VPN service that accepts payment in Bitcoin. For a full guide on how to pay using Bitcoin anonymously, read Buying Bitcoins to pay for VPN anonymously, a step by step guide Part 1. You'll want to do this if you are worried about government surveillance, or if you are in a country with particularly oppressive internet laws. Note that Bitcoin is not inherently anonymous, but it can be made very difficult to trace using certain techniques.

Kill Switch

Even the best VPNs will experience disconnections from time to time. If this happens, say, during public Wi-Fi use, you may suddenly reveal your identity to potential threats. Make sure your VPN has a VPN kill switch, which is really more like an internet kill switch, that automatically kills your connection to the internet if the VPN connection is not active.

Further, you may want to configure your computer's firewall not to let any applications connect to the internet without the VPN service active. The security benefit of this is that as your computer starts up, it may begin sending unencrypted data before the VPN connection becomes active, allowing your passwords to be seen if you were on an insecure Wi-Fi network. A guide on how to implement this is here (recommended for advanced users only): Using Little Snitch to prevent internet access without VPN. Little Snitch also comes with a free trial.


VPN setup can be complex when not using the default software provided by the VPN. In some cases, you may want to take your VPN service to the next level. Whether it's by trying your VPN on your router, using a different VPN client, or setting up DNS, great support staff are vital. Most VPNs I have tried reply within minutes. Comprehensive guides are also great. ExpressVPN has the best guides I have seen, to the point that I never needed to use their support. PIA, on the other hand, had to help me on various occasions for seemingly trivial reasons. Seemingly arbitrary things like the VPN software not connecting to the server because the IP assigned to my device by my router was not within a specific range, etc. Luckily, I have a basic knowledge of networking, DHCP and IPv4. The support staff basically said they couldn't be bothered to teach me, thinking I had no idea how to change the DHCP range on my router. Although I managed to fix the problem once they pointed out the issue, if you aren't so savvy with networking, make sure the VPN functions without issue before forking out your money at the end of a trial.


Obviously, a VPN that yields faster speeds than another is preferable. I recommend also testing on your mobile devices. My phone always gets slower speeds than my laptop when connecting to a VPN. This may be due to my laptop's superior processing power. Funnily enough, altering the encryption settings to require less processing power (and weaker encryption) did not help. Strangely, connecting to other VPN services using the same encryption standards resulted in faster speeds on my phone, but slower speeds on my laptop. So, just be aware that VPN speeds vary across devices and should be taken into consideration. Additionally, as speed is influenced by server location, test on all the servers you might regularly use. For instance, if you plan to be using Netflix, test a VPN server based in the US. You'll most likely notice the speed will be considerably lower than connecting to a local VPN server. If the speeds are too low to stream high-definition video on Netflix, try shopping around. On the other hand, your internet connection may be too slow to stream HD video even without a VPN, in which case you will just have to watch in low resolution if you are to connect to US Netflix via a VPN.

Note, pricing and speed are not linked. I get the fastest speeds (on my computer and not my phone, anyway) with Private Internet Access, one of the cheapest VPN services available. I've tried Astrill, Vypr, ExpressVPN and more. All of these services were 50-300% more expensive and were slower, despite similar encryption used and server locations. Not to give PIA too much credit, as their support staff I'd consider very average, but the saying "you get what you pay for" is true, but not for speed (unless you are on a free VPN).

To measure your internet speeds, visit Speedtest.net. On the bottom right is your IP address as detected by Speedtest.net. If you are not using a VPN, this is your real, ISP-provided IP. If you're connected using a VPN, it should show the IP address of the VPN server. Just be sure that when you connect to a VPN, your IP address changes to one other than your ISP-provided IP. Do note that your ISP does change your IP address periodically. You should also be able to see your location on a map. Once again, this will show your location unless you connect to a VPN server, in which case your VPN server's location should be displayed instead. Press "Begin Test" to find your internet speeds. Ping is the latency, or the time it takes for a packet to reach the server. This is important when gaming, as gaming requires a fast response but doesn't necessarily require a lot of data. Upload and download bandwidth is the total amount of data per second you can upload or download. Obviously, higher numbers here are better. Download is what you'll care about when streaming Netflix or YouTube.

Censorship & Geolocation Subversion

If you're connecting to a VPN in another country to subvert geolocation or censorship restrictions, not all VPNs will work. In China, VPNs are blocked by default. However, many VPNs still seem to work undetected. For example, Vypr VPN has a proprietary encryption technology called Chameleon that avoids VPN blocking. Sadly, when using Vypr VPN's Chameleon, the internet can see your real IP address and location.

For the Netflix users outside of the US out there, Netflix blocks most VPNs and proxies when connecting to its services. However, some VPNs still seem to be unblocked. Research reviews and ask your VPN provider about this issue. Private Internet Access is an example of a VPN that is blacklisted by Netflix. Netflix simply blocks all connections coming from IPs originating from PIA. ExpressVPN, at the time of publication, does support Netflix. However, it doesn't when using the Netflix mobile app on iPhone (I have not tested on Android). The same is true for PIA. However, when using PIA from a laptop, I was able to connect to US Netflix until an hour later, when Netflix finally detected I was using a VPN/proxy. So make sure you try your VPN on Netflix on all the operating systems you use and for extended periods of time before buying. Additionally, look for reviews and do some searching, or even contact the VPN provider directly.

Features & Encryption Types

Many VPN providers will offer many different features to differentiate themselves. Make sure to take these into consideration when choosing between providers. As aforementioned, Vypr has its Chameleon technology and NAT Firewall. Astrill VPN offers NAT Firewall as an extra add-on, as well as additional encryption, authentication and handshake options other than AES, SHA and RSA respectively. AES, SHA and RSA are all National Institute of Standards and Technology (NIST) standards. If you're worried about government surveillance, know that the NSA has a history of introducing backdoors into services like Skype etc. and weakening encryption algorithms. Further, the NSA has worked closely with NIST for a number of years, and there has been reason to believe that AES and RSA can be subverted by the NSA as well. For more information regarding the NSA and encryption, visit the following article: Silent Circle moves away from NIST encryption standards. Astrill, through their Crypto+ add-on (adds cost), allows the Twofish, Threefish, CAST and Camellia encryption standards (all non-NIST). These encryption standards are believed not to be compromised by governments, although we can never be sure. For most people, I recommend AES, SHA and RSA, as they protect well against hackers, unlike for example the Blowfish encryption algorithm, which has known security flaws. For more, read the following article: VPN encryption terms explained (AES vs RSA vs SHA etc.). Some providers allow you some options regarding what encryption settings you would like to use; others have a default that cannot be changed. Be sure to check with your VPN provider what standards they offer regarding encryption, authentication and handshake (and protocol, hopefully OpenVPN as discussed earlier). A final note on Astrill: ask their support staff if you can trial their Crypto+ add-on, as it is not enabled by default during the trial. They will hopefully give this add-on to you for free for the trial period, as they did for me.


VPNs are one of the best tools to anonymize your internet activity. Although the basics of VPNs are quite simple, shopping around can be quite a tedious process. The VPN landscape is always progressing, so be sure to comment if I have left anything out, or have any further questions.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:


Passphrases, Password Managers & Multi Factor Authentication


We are all aware that 1234, 0000, "iloveyou" and "password" are horrible passwords. Yet many of us are still either ignorant or can't be bothered to put proper password security practices in place.

Why Are Passwords Important?

Without fear-mongering for too long, the consequences of having one of your accounts compromised can be tremendous. A list of possible consequences includes, but is not limited to:

  • Identity theft
  • Monetary theft
  • Losing your job
  • Impacted relationships
  • Publication of personal data
  • Having all your accounts deleted, and your mobile devices remotely wiped

Now that we understand why account protection is important, let's discuss what we can do to protect our accounts and devices from unauthorized access.

Tips on Creating a Secure Passphrase

The best way to understand how to make a secure password is knowing the ways a computer may break a password. There are two primary ways a computer can break a password:

  • Brute Force Attack
  • Dictionary Attack

Brute Force Attacks

A Brute Force Attack (herein referred to as BFA) simply goes through every single possibility until it finds the password that unlocks the device. This is the reason why PINs are so insecure: the computer only needs to try 10 possibilities per additional digit in the PIN, as opposed to the entire key space of upper and lowercase letters, numbers and symbols. This method of attack is considered effective primarily on random, short passwords such as h5%93"; (3 minutes to crack). Ironically, not only are short, complex passwords easily defeated, but they are difficult for humans to remember.

The best way to defend yourself against an attack of this nature is to create long passwords, herein known as passphrases. Passphrases are long passwords made of multiple words. By adding upper and lower case letters and special symbols, you increase the number of possibilities the computer must check. By checking HowSecureisMyPassword.net, we see that the passphrase "i eat chinese food" would take 454 billion years to crack. Not only is this easier to remember, but it's almost 80 quadrillion times harder for a computer to guess! Further, if we add an uppercase letter to "food," it would take a computer 2 quadrillion years to break the code, 4400 times harder to guess than without the capital letter. Add a ":)" to the end of the code, and it would take 388 quintillion years to break the code; 194 thousand times longer than not having the smiley face at all. So, to summarize, use a long passphrase that works for you and is easy to remember. Use numbers, upper and lowercase letters and symbols. I would caution against replacing an S with a $ or an e with a 3, however. Since these are common password techniques used by many of us, hackers writing their tools often account for this.

It should be noted that the website provided is to be used as a guide only, and computational power is always advancing. For instance, government supercomputers can be over 10 thousand times faster at password cracking than standard consumer desktops. Further, quantum computers can be even more powerful. Although, chances are, if a government has enough resources to brute force you with a super/quantum computer, they'll be able to hack you through other means. Don't be satisfied until you reach a password that would take millions of years for an average desktop computer to crack. Furthermore, don't let websites give you a false sense of security when they say the password you have entered is strong because it has more than 8 characters, a capital and a number. These are guidelines only, and websites like howsecureismypassword.net are far more reliable. To put it in metaphorical terms, a weak password is a weak lock on your online identity. A kick to the door is all it takes to break a weak password.

Dictionary Attacks

A dictionary attack complicates things a bit further. Dictionary attacks try to replicate human thinking by guessing passwords that are common in password dictionaries or that contain information like your name or birth date. For instance, a horrible password for me would be Daniel van Driel (insert birth date here). Sure, it would take 768 sextillion years to brute force, but it can be easily guessed if the attacker knows anything even remotely identifying. Using the door lock analogy again, you wouldn't install a lock on your door if literally anyone who knows your name and birth date could unlock it. Unfortunately, it seems all too common that people do this.

Usually, password cracking software will first try a dictionary attack. This entails first running through a database of common passwords. Then, it may try many commonly used words in conjunction with each other (e.g. "never say never," or "chicken ice crackers"). A more sophisticated password attack allows the hacker to input user-identifying words such as their name and birth date to be used in the dictionary attack. If the dictionary attack fails, the program will proceed to brute force methods.
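As an added illustration (not from the original guide), the Python below estimates an attacker's search space two ways: as a character-by-character brute force, which is what the crack-time websites above assume, and as a dictionary attack that guesses whole-word phrases. The guess rate and dictionary size are assumptions chosen for illustration only.

```python
# Added example: how passphrase length, character classes and dictionary
# attacks change an attacker's search space. Rates and sizes are assumptions.
SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1e10      # assumed: one GPU-class cracking rig
PUNCTUATION_AND_SPACE = 33     # printable ASCII symbols plus the space character


def charset_size(password: str) -> int:
    """Alphabet a brute-force attacker must assume, from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += PUNCTUATION_AND_SPACE
    return size


def brute_force_space(password: str) -> int:
    """Number of candidates for a character-by-character brute force."""
    return charset_size(password) ** len(password)


def dictionary_space(passphrase: str, dictionary_size: int) -> int:
    """Candidates if the attacker instead combines words from a word list
    (the dictionary attack): dictionary_size ** number_of_words."""
    return dictionary_size ** len(passphrase.split())


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the given guess rate."""
    return space / rate / SECONDS_PER_YEAR


def compare(passphrase: str, dictionary_size: int = 10_000) -> dict:
    """Both estimates side by side; the weaker model is the one that matters,
    because an attacker will pick the cheapest strategy that works."""
    bf = brute_force_space(passphrase)
    dic = dictionary_space(passphrase, dictionary_size)
    return {
        "brute_force_years": years_to_exhaust(bf),
        "dictionary_years": years_to_exhaust(dic),
        "ratio": bf / dic,
    }


if __name__ == "__main__":
    # Constructed sample phrases; the second uses less common words.
    for phrase in ["i eat chinese food", "purple kettle sings at dawn"]:
        print(phrase, compare(phrase))
```

The point the numbers make: a phrase of four common words looks astronomically strong under the brute-force model but shrinks to a 10,000^4 search if the attacker guesses word combinations, which is why uncommon words, extra characters and length all still matter.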

Remember, you can use the best encryption in the world, but if the key used to decrypt the data is protected by a weak password, you are effectively defeating the purpose of encryption, which is to increase your data security. Strong encryption and strong passphrases are both essential in order to properly keep your data safe.

Things Not to Do with Your Passwords

  • Do not store your passwords on your computer unless they are encrypted in a password manager.
  • Do not send your passwords to others. If you must, use a secure app such as "Signal", or a VPN and a voice call, instead of sending them in plain text.
  • Do not write down your passwords at home after you memorize them. Store your passwords on an encrypted USB drive. You will still need a strong passphrase, which you must remember, to encrypt the drive with.
  • Do not use an easy keyboard combination like qwerty, abcd, wasd or qaz. These are well known and are commonly used in dictionary attacks on passwords.
  • Do not use self-identifying information like birthdays or names in your password.
  • Never reuse passwords, particularly between websites.
  • Be careful with answers to security questions. If you lose your phone, you'll need the answers to log in. However, don't make it easy for anyone who knows anything about you to guess the answers. More embarrassingly, make sure the answers to your security questions cannot be Googled! This has famously caught celebrities out in the past.

Tips on Password Management

The majority of people have one password and one only. A single piece of keylogging malicious software (malware) is all it takes for your password to be sent to an attacker and used to unlock all your accounts and devices. Therefore, no matter how secure your password is, one password on all accounts can never be considered safe.

There are two ways to secure yourself against keylogging malware.

Two Factor Authentication

The first is Multi Factor Authentication (MFA) or Two Factor Authentication (2FA). MFA is a form of authentication that requires two "factors" that you must provide to the service in order to unlock the account. Here is a list of examples of "factors" that services might accept:

  • Passphrase
  • Facial Recognition
  • Fingerprint
  • Code sent to your email/phone
  • Code generated in MFA apps on your phone such as Google Authenticator/Authy
  • Physical USB "Key"
  • Physical credit/debit card

The most common form of 2FA is a passphrase combined with a PIN randomly generated on (or sent to) your phone. The logic is that your phone is assumed to always be on you. Though, any two of these factors can be used in conjunction if the service allows for it.

The way MFA/2FA protects you against keyloggers and/or brute force passphrase attacks is that even if an attacker has acquired your password, they will still need your phone to unlock the account. Go to TwoFactorAuth.org to check which of the services you use offer two factor authentication, and implement 2FA on whatever accounts you feel could be damaging if compromised.

2FA can be set to only require the second factor of authentication on new devices, which still protects you from external attackers whilst being more convenient. The one place this falls down is when malware tries to brute force your passcode from your own device. Since this is rare (although feasible through malware), many turn this setting on. As with everything in security, it's a trade off between convenience and protection, and 2FA with the "remember this device" setting turned on is still infinitely better than no 2FA at all.

One final tip on 2FA: if your second factor is a code received in the form of a message, disable the option to see message contents on your lock screen! Otherwise, an attacker won't even need to unlock your phone to get the code and access your online account.

Password Managers

The second way to protect yourself against keyloggers and possibly brute force attacks is by using a password manager. Password managers work by creating a database housing all your passwords. Most password managers create random passwords for you, like "6Sa!90032y8wryv" (created at StrongPasswordGenerator.com). Passwords like this are incredibly difficult for computers to break and, luckily for us, do not need to be remembered. The password manager locks our passwords away behind a single master password, and usually auto-fills the usernames and randomly generated passwords for specific apps/websites. For this reason, the master password must be extremely strong and 2FA is an absolute must. This leaves us with two passwords to remember: a password for your device, and a password for your online websites and apps (managed by the password manager).

You might be asking, why don't I just use my browser's remember-password function? Firstly, many of these passwords are not encrypted unless you encrypt your entire disk. Additionally, an attacker may be able to brute force the login password to your device and have access to everything, without needing to subvert a second passphrase and 2FA. Password managers are more convenient, offering fingerprint and face unlock amongst other options. Android also allows for screen overlays, which automatically appear when the password manager detects an app or webpage with a recognized password field. Simply tap which password from the already narrowed-down list to autofill.

Password managers come in two flavors, cloud and offline. Which one you choose comes down to convenience. Cloud based password managers sync passwords between all your devices. However, as the passwords are stored and encrypted on external servers, this does add another point of failure to the system. I personally use and recommend Lastpass. Lastpass is a cloud based solution that allows for fingerprint unlock, 2FA, syncing across devices and has a great record on transparency and security. Any password manager that has a good safety and transparency record whilst having the features you want is definitely worthwhile. Other password managers include (but are not limited to):

Cloud Based

  • Dashlane
  • 1Password

Offline

  • Keepass
  • RoboForm
  • Password Safe

Passwords are flawed, and by themselves cannot be considered secure. Multi Factor Authentication is one of the best ways to secure your online accounts. Password managers also help implement good password practices whilst being extremely easy to use. These layers of security are well worth the preliminary setup: after setup, 2FA and password managers require very little attention and in some cases can actually speed up your login process. I hope this was informative and if you have any questions, be sure to ask them in the comments section below.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:


The Dangers of "The Cloud" - BitTorrent Sync vs Dropbox vs Spideroak

Sadly, once you upload a file to a cloud storage service, your rights to the data are significantly diminished. Governments can access any data in cloud storage, often with no judicial oversight or warrants. Further, although the company will likely encrypt the data, it will also handle the encryption keys, making it trivially easy for it to analyse your files, as in the case of Google Photos.

If we are to actually have full ownership over our data, we have to use services that operate under what is known as a Zero Knowledge System. That is, a service that does not have access to our data. Therefore, if a government wanted to access the data, it would actually have to go to a judge to obtain the encryption key from you, rather than just accessing the data directly from the company, usually with a gag order.

SpiderOak

SpiderOak is a Dropbox competitor that focuses on data security and privacy. The SpiderOak client is available for all major platforms and is similarly priced to Dropbox, with one key advantage: the SpiderOak client encrypts all data before uploading it to SpiderOak's servers. All encryption keys are handled on your devices, and SpiderOak therefore cannot access the files hosted on its servers.

BitTorrent Sync

BitTorrent Sync is a decentralized file synchronization system. Essentially serving the exact same purpose as SpiderOak, Sync removes the central server from the equation. Instead of uploading a file to the cloud and then downloading the file to all devices, BitTorrent Sync sends the files to the devices directly.

BitTorrent Sync uses peer to peer torrenting technology. This allows Sync to update certain parts of a file without having to redistribute the entire updated file to all nodes on the network. Additionally, files are encrypted in transit using AES-128, whether it's across a local network or over the internet. The client allows you to select which folders you'd like to synchronize and to which devices, and whether a device has read-only or read-and-write access to the folder.

One disadvantage of Sync is that you'll only have access to your data as long as at least one node on the network is online and has the files stored locally. For instance, you can run your own Western Digital or Synology NAS server running BitTorrent Sync and leave all your files on it. Whenever you need your data, find and open the respective file on your computer or mobile device; the file will be transferred from the NAS server to your device using P2P. Another scenario would be running BitTorrent Sync on a laptop and a phone. If the files are stored locally on the phone (e.g. camera backup), the laptop can only access those folders while the phone is online.

As with traditional cloud based services, you can selectively sync only the files you need in order to save space on mobile devices, accessing the rest only when needed, provided that another node containing the files is online.

The important difference between BitTorrent Sync and traditional cloud services is that to actually have a backup of a file, you must have the file stored locally on two or more devices. Setting up an offsite backup may also be difficult compared to traditional cloud services.

Encrypting Your Devices

It should be noted that although your data may be encrypted on SpiderOak's servers or in transit using BitTorrent Sync, that doesn't mean it is encrypted on your devices! For this system of file synchronization to be truly secure, you absolutely should encrypt all your devices that will have access to your data. Otherwise, a person who seizes your laptop will be able to access all your files without even needing a passcode.

Can I use Dropbox, Google Drive, iCloud and OneDrive Securely?

Yes. You can use a program like VeraCrypt to encrypt your files manually before uploading them to Dropbox. However, file sharing cannot be done without your intended recipient having the password to decrypt the data. Additionally, they will need VeraCrypt (not to mention a basic knowledge of encryption) to make the whole thing work. Put simply, I recommend against this practice, as SpiderOak and BitTorrent Sync will likely be far more adaptable.


SpiderOak is by far the simpler and more traditional file synchronization solution, and the one I recommend to most people. BitTorrent Sync is a revolutionary idea that requires more setup, technical knowledge and upfront cost. However, once you have a network in place, BitTorrent Sync has no monthly fees and no file size limits. Further, BitTorrent Sync boasts far quicker speeds when used between devices on the same network, as the file can be transferred over the local network instead of over the internet. I personally use both, the free 2GB that SpiderOak offers and a NAS server configuration with BitTorrent Sync, which is my main file synchronization service. Dropbox, iCloud, Google Drive, OneDrive and others are great services and should not be dismissed if you aren't hosting sensitive information on them. However, just know what privacy and security you give up for using these services.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content:


How to Securely Erase/Format Your Hard Drive - Mac OS X El Capitan

Apple has made a number of changes to Disk Utility in OS X El Capitan. One of these changes is that you can no longer securely erase your disk. I ran into this problem recently when I was selling my MacBook Pro Retina. Happily, you can still securely erase your hard disk using Terminal commands. This guide covers how to securely erase your hard disk before selling your Mac, so you know the next owner cannot access your data.

Pro Tip - FileVault

If you would like to make your data harder to recover, I'd enable FileVault under System Preferences. This encrypts the data before you erase it, making your data more difficult to recover.

Booting into Recovery

To start, boot your Mac into Recovery. To do this, hold down the Command + R + Power keys. Next, click Utilities in the menu bar and then click Terminal.

Why Secure Erase?

There is one option you need to know when securely wiping your drive, and that is how many times the computer should write over the disk with data. When you erase your drive but don't do it securely (for instance by using Disk Utility), you are essentially tearing the table of contents out of a book. All the information is still there, but it cannot easily be found. Any knowledgeable person can recover the data using specialised software that simply scans the entire drive for data and bypasses the table of contents. We can fix this by writing over the data, so that the existing data is destroyed and cannot be recovered. This is particularly useful when selling your Mac, as you don't want the next owner of your computer to be able to access your data! Here are the terminal commands you need to know and what they do:

Terminal Code Commands & Explanations

Overwrite disk with 0's (single pass):

diskutil secureErase 0 /dev/disk0

Overwrite disk with random 0's and 1's (single pass):

diskutil secureErase 1 /dev/disk0

Overwrite disk with random 0's and 1's 7 times (US DoD 7-pass):

diskutil secureErase 2 /dev/disk0

Overwrite disk with random 0's and 1's 35 times (Gutmann algorithm):

diskutil secureErase 3 /dev/disk0

Overwrite disk 3 times using a different algorithm (US DoE 3-pass):

diskutil secureErase 4 /dev/disk0


disk0 refers to the disk you are formatting. Most of the time this will be disk0. If you run into issues, however, you can open Disk Utility from Recovery, select your main hard disk and press Info. Here, you can find your drive's identifier (disk#).
Note that erasing the drive will not erase the recovery partition you are currently accessing. The reason it overwrites the disk with either zeros or ones is that computers operate using binary code (zeros and ones).

The thing that makes these commands different is the number listed after "secureErase" (yes, Terminal is case sensitive). The number determines the level of overwriting (the more overwrites, the harder the data is to recover, and the longer it takes to erase). I generally would do a single-pass overwrite of the whole disk with either random data or just zeros. Keep in mind that if your Mac has an SSD, writing huge amounts of data to the disk may decrease its lifespan.

Once done, your disk will be "uninitialised." Erase the drive in Disk Utility, which will partition the drive so that OS X can be installed onto it.

Hope this helps you sell your Mac! Don't forget the FileVault encryption tip!

Update: Apple has also taken RAID functionality out of Disk Utility as of OS X El Capitan. Additionally, you can't sideload the old, superior version of Disk Utility from a previous version of OS X.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content: