The Bitwarden Blog
7 steps to create a secure (and private) profile online
July 26, 2022
Whether due to the unfortunate rise of data breaches, geopolitical conflict, or policy developments with privacy implications, internet users should have the tools to create a secure and private online profile.
In an effort to cut through the noise and keep things straightforward and accessible, here are 7 steps for bolstering your online security. Implementing these measures does not require a ‘technical’ background; rather, it demands a little proactivity that will ultimately pay off in dividends.
Concerned about the privacy of sensitive online searches and how the content of those searches could be used in the future? Suffice it to say, some quick research will reveal that your wariness is warranted.
While we’re on the topic of research: the first step in creating a secure and private profile online is to eschew Google for a private search engine such as DuckDuckGo, Startpage.com, or Qwant. These engines keep search activity anonymous, do not sell your data, and do not track your activity online in order to serve up a dizzying array of ads.
DuckDuckGo, for example, offers a browser extension and mobile application that block Google’s (and other engines’) trackers across the internet. And there is a difference between using DuckDuckGo and browsing in ‘Incognito’ mode. According to DuckDuckGo, “Incognito mode mainly just deletes information on your computer and does nothing to stop Google from saving your searches, nor does it stop companies, Internet service providers, or governments from being able to track you across the Internet. By contrast, DuckDuckGo search is completely anonymous and if you add our app[lication] and extension on top, we help keep you private when browsing off of search results.”
In a Bitwarden community survey for Data Privacy Week, ProtonMail was selected as the top privacy-centric email option. What differentiates ProtonMail from Gmail, Outlook, AOL, and Yahoo? Unlike these more popular options, ProtonMail does not profit from its service by selling ads. It does not log information about you, and all data stored on its servers is end-to-end encrypted. But there are some caveats: if you want more than 500 MB of storage, you will have to pay for the service. Because ProtonMail is so private, the ‘convenience factor’ is also limited. For example, it won’t automatically add events to your calendar, since it’s not monitoring your email activity.
A quick note on encryption: encrypted data is rendered useless to anyone who does not have the decryption key. ProtonMail will never have access to the decryption key because it stays with you, the user, in the form of your username and password.
Another strong option is Tutanota, an end-to-end encrypted email service. Tutanota is ad-free, open-source, and available on any device.
Using WhatsApp for sensitive conversations? Instead, consider the messaging alternatives Signal, Threema, Element, and Session.
In a thorough article about WhatsApp versus Signal, The Guardian’s privacy reporter Kate O’Flaherty discusses the drawbacks of WhatsApp and the arguments in favor of Signal. The pro-Signal case in a nutshell: it’s very similar to WhatsApp from a user-friendliness standpoint, but it is singularly privacy-focused and does not rely on an advertising-based business model for profit.
- Find out more about Signal
- Find out more about Threema
- Find out more about Element
- Find out more about Session
Security enthusiasts know that creating strong and unique passwords helps isolate and limit the impact of a data breach. Privacy enthusiasts know that applying unique usernames can carry that protection even further.
Bitwarden includes the ability to generate secure usernames and passwords in every plan within the Bitwarden desktop app, web client, and browser extensions. You can find out more in this article about the Bitwarden username generator.
Email aliases, sometimes known as masked or anonymous emails, create a layer of obfuscation and anonymity by using unique addresses that forward to your personal email. These aliases generally have no connection whatsoever to your identity or personal email, giving you an extra dose of protection, in particular privacy. For example, if an online retailer requires your email, you can use an alias. You will still receive coupons and updates, but the retailer will not have your real email address and cannot use it to match you to any other online information tied to you.
Sadly, data breaches still occur too frequently, with usernames, emails, and passwords often getting into the wrong hands. Fortunately, many (but not all) websites do protect passwords by storing only a hashed value of the password, which can be difficult, if not impossible, to reverse. However, that protection does not usually apply to email addresses, which are more often stored in plain text, allowing others to compile and correlate them in databases on the dark web.
Email aliases help enhance your security and protect your privacy. Attackers cannot learn your real email address from data that may have leaked on the web. Also, if you see that someone else is emailing the address you provided to the online retailer, you’ll know your info was sold, and you can disable that alias or create another.
Solutions Bitwarden recommends include SimpleLogin, AnonAddy, and Firefox Relay.
A VPN, or Virtual Private Network, is defined by the Electronic Frontier Foundation as:
“a method for connecting your computer securely to the network of an organization on the other side of the Internet. When you connect to a VPN, all of your web browsing data appears to originate from the VPN itself, rather than your own Internet Service Provider (or ISP). Sensitive information could include submissions from contact forms or credit card information.
Using a VPN masks the IP address assigned by your ISP from the sites that you access, adding a layer of privacy. Along with masking your origin IP address, it also encrypts your data while in transit to the site you are accessing.”
In short, VPNs add an extra layer of privacy. While private search engines anonymize your searches, they do not prevent your ISP (or any intermediate ISP if you are traveling) from seeing which sites you visit.
Here’s the catch: there are loads of VPN options on the market. Not all of them are created equal, and they’re not perfect. The article linked above walks through their limitations.
Ultimately, using a VPN is better than no VPN. Services recommended by the Bitwarden community include Mullvad VPN and ProtonVPN.
Admittedly, we’re biased, yet password managers are one of the simplest and most fundamental tools available for creating a private and secure profile online.
Like it or not, our online world revolves around passwords. To stay safe from data breaches, you need to create strong and unique passwords for every account, but remembering them all without help gets tricky. Using a password manager lets you easily protect yourself and your data. Bitwarden, for example, generates, stores, and secures user data in an end-to-end encrypted vault.
Prioritize password managers that offer some form of two-factor authentication (2FA), because it increases user security for websites and applications. The name refers to requiring users to present two separate methods of verifying their identity in order to access an account. A useful definition of 2FA is that logging into a service involves something that you know, such as a password, and something that you have, such as your phone, a hardware token, or another source of authentication codes.
A common example is when you log into a website with a username and password and then receive a text message code for a final validation of your access. The username/password is the first factor, and the text message code received on your phone is the second factor; hence, two-factor authentication.
Most implementations use codes that expire within a set timeframe, adding further protection. Ideally, the password management solution enables 2FA both for vault access and for the individual websites and accounts stored within the password vault.
A few of our favorite third-party authenticators are Authy, Aegis, andOTP, and Raivo OTP.
- Find out more about Authy
- Find out more about Aegis
- Find out more about andOTP
- Find out more about Raivo OTP
Of course, if you are using Bitwarden, you can bundle two-step login for third-party websites with the Bitwarden Authenticator. For more, see this help article on using the Bitwarden Authenticator.