Authentication > Passwords
Creating a strong master password
You always need at least one strong password that you memorize: the one protecting your devices and your password manager. It must live only in your head and must not be derivable from information about you (not your name, your pet's name, your age, your date of birth, ...). Two options are available:
Using a passphrase
If you want a password that is easier to remember you can use a passphrase. For a passphrase to be a secure password it needs at least 4 words (6 or more preferred), and the words must be picked at random (with dice or a generator), not taken from a sentence you find memorable: predictable word sequences carry far less entropy than their length suggests. This method is also easier to write down while keeping it hidden (words marked in a book, for example). You can also add some numbers and special characters to the mix to make it even stronger.
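The following script is an added example (not code from this page) of the random-selection rule above: it draws words with the operating system's CSPRNG and reports how much entropy a given word count buys. The 32-word list embedded in it is constructed so the script runs offline; it is far too small for real use, and the function and variable names are this example's own.

```python
"""Diceware-style passphrase generation with an entropy estimate.

Each word is drawn uniformly at random with the `secrets` module (CSPRNG) and
never chosen by the user: a memorable sentence has far less entropy than its
word count suggests because language is predictable.
"""
import math
import secrets

# Constructed 32-word list so the example runs offline. It gives only 5 bits
# per word and is far too small for real use; a published list such as the
# EFF long list has 7776 words (about 12.9 bits per word).
SAMPLE_WORDLIST = [
    "acorn", "basil", "cabin", "delta", "ember", "fable", "gavel", "hazel",
    "ivory", "jolly", "kayak", "lemon", "mango", "noble", "olive", "pearl",
    "quilt", "raven", "spoon", "tulip", "umbra", "vivid", "wheat", "xenon",
    "yacht", "zebra", "amber", "bison", "cedar", "dune", "elm", "fern",
]


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of n_words drawn uniformly at random from list_size candidates."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count that reaches target_bits with this list size."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(wordlist, n_words: int = 6, separator: str = "-") -> str:
    """Draw n_words uniformly at random from wordlist using the OS CSPRNG."""
    if n_words < 4:
        raise ValueError("use at least 4 words; 6 or more is preferable")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def add_random_suffix(passphrase: str, digits: int = 2) -> str:
    """Append random decimal digits; each adds about log2(10) = 3.3 bits.

    Digits must be random too: a birth year or '123' adds almost nothing.
    """
    return passphrase + "".join(str(secrets.randbelow(10)) for _ in range(digits))


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDLIST, 6)
    print(phrase, f"({entropy_bits(len(SAMPLE_WORDLIST), 6):.1f} bits with this toy list)")
    print("6 words from a 7776-word list:", f"{entropy_bits(7776, 6):.1f} bits")
    print("words from a 7776-word list needed for 80 bits:", words_needed(7776, 80))
```

With a 7776-word list, six words give about 77.5 bits and seven words pass 80 bits; that is the arithmetic behind the "6+ preferred" advice.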
Remembering a randomly generated password
It can be hard at first, but if it is the password to your password manager and you unlock it several times a week you should have no trouble remembering it. You can also write it down, encrypted and/or hidden, in case an accident makes you forget it.
Use a password manager (don't reuse passwords)
To confine a data breach to a single account, each account needs different data, which means a different password for each account. Because it is impossible to remember a unique, strong password for every website, use a password manager. The password manager should be the only account that needs the strong password we created above.
For starters we recommend you use Proton Pass or Bitwarden. If you want your data to stay offline we recommend KeePassXC.
The main limitation of password managers is that if your device is compromised, the vault on it is compromised too. Keeping passwords only in your memory does not fully solve this, since a compromised device can also capture what you type, but it does limit the damage to the accounts you use on that device rather than the whole vault.
Keep encrypted backups of your password manager
It is important to always keep multiple backups of your important data, following at least the 3-2-1 rule: three copies of the data, on two different types of media, with one copy kept offsite to protect against data loss. Those backups should be kept encrypted.
Do not register accounts with real information
Accounts can be recovered through social engineering if you registered with real information and someone knows it. Consider using fake information whenever possible (check your local laws). If you lack inspiration you can use a random person generator like this one.
Do not use 3rd party authentication
If you use a third-party login like Google or Facebook to sign in to a website, you are essentially telling that provider which accounts you have and when and from where you access them. This also links your accounts together and creates a single point of failure: if the provider account is compromised, every account that uses it to sign in is compromised too.
Do not type your password in public
With the number of cameras around, typing your password in public hands it to whoever controls or can obtain the footage (the venue's security staff, and possibly the authorities). You are also at risk of a thief watching you type your password before stealing your device.
Ross Ulbricht arrest
You have surely heard of the darknet market Silk Road and maybe of its creator Ross Ulbricht. He was arrested while administering Silk Road from his laptop in a public library. FBI agents staged an argument near him and, when he turned his head, snatched his laptop and arrested him. Even though all his data was encrypted, investigators could access it because the computer was unlocked.
Do not log in on a computer you don't control
This one is self-explanatory: be wary of keyloggers or other forms of RATs on computers you cannot control.
Secure your device password
Do not use a 4-digit PIN or a pattern lock: depending on your phone these can easily be brute-forced, and both are easy to photograph or shoulder-surf.
Use passkeys
A passkey is based on what you have (a password is based on what you know). The credential is bound to the site it was created for, and the site only stores a public key, which makes passkeys resistant to phishing, to data breaches and to a certain level of social engineering. They are also easier to use than passwords. The main drawbacks are that you always need at least one device holding your passkeys to get back into an account, and that for now passkeys are mostly locked in by their ecosystems.
For now we recommend using a password manager to store passkeys like Proton Pass or Bitwarden.
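To make the phishing-resistance claim concrete, here is an added example (not code from this page or from any password manager) of the checks a website performs on a WebAuthn login before it even verifies the signature: the browser, not the web page, writes the origin into clientDataJSON, and the authenticator hashes the site's RP ID into authenticatorData, so a login relayed through a look-alike domain is rejected. The sample client data and authenticator data are constructed in the script; the function names and `example.com` are this example's own.

```python
"""Why a passkey cannot be phished: the context checks of WebAuthn assertion
verification (ceremony type, challenge, origin, rpIdHash, user-presence flag).

Signature verification over authenticator_data || SHA-256(client_data_json)
with the stored public key is the step that follows; it needs a crypto library
and is not shown here.
"""
import base64
import hashlib
import json
import secrets
import struct


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AssertionRejected(Exception):
    """Raised when an assertion fails a WebAuthn context check."""


def verify_assertion_context(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, expected_origin: str,
                             rp_id: str, require_uv: bool = False) -> int:
    """Run the non-signature checks; return the signature counter on success."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise AssertionRejected("not an authentication ceremony")
    if not secrets.compare_digest(b64url_decode(client.get("challenge", "")), expected_challenge):
        raise AssertionRejected("challenge mismatch (replay or stale request)")
    if client.get("origin") != expected_origin:
        raise AssertionRejected(f"origin mismatch: {client.get('origin')!r}")
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4, big-endian)
    if len(authenticator_data) < 37:
        raise AssertionRejected("authenticator data too short")
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode("ascii")).digest():
        raise AssertionRejected("rpIdHash does not match this relying party")
    flags = authenticator_data[32]
    if not flags & 0x01:
        raise AssertionRejected("user presence flag not set")
    if require_uv and not flags & 0x04:
        raise AssertionRejected("user verification required but not performed")
    return struct.unpack(">I", authenticator_data[33:37])[0]


# Constructed stand-ins for what a browser and authenticator hand to the site.
def make_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    return (hashlib.sha256(rp_id.encode("ascii")).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


def demo() -> dict:
    """Genuine login versus the same credential relayed by a look-alike site."""
    challenge = secrets.token_bytes(32)
    rp_id, origin = "example.com", "https://example.com"
    results = {}
    results["genuine"] = verify_assertion_context(
        make_client_data(origin, challenge),
        make_authenticator_data(rp_id, sign_count=7),
        challenge, origin, rp_id)
    try:
        verify_assertion_context(
            make_client_data("https://examp1e.com", challenge),  # phishing origin
            make_authenticator_data(rp_id), challenge, origin, rp_id)
        results["phished"] = "accepted"
    except AssertionRejected as err:
        results["phished"] = str(err)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

In practice the browser already refuses to use a credential whose RP ID does not match the page's domain, so the phished login is never even produced; the server-side origin and rpIdHash checks are defence in depth. The stored public key is useless to an attacker who breaches the site, which is the "data breach" half of the claim.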
Do not rely on biometrics or face unlock on your phone
If your threat model includes government entities or physical attacks, stop using authentication methods that you can be forced to use. Note that this conflicts with the advice not to enter a password in public, since you will have to once they are disabled. One compromise is to keep those methods but have a quick way to turn them off. On iPhone, hold the side button and one of the volume buttons for about 2 seconds. On Android you can use Private Lock, which detects the sudden movement of a phone being snatched and disables biometrics and face unlock.
Use an offline password manager
Your online password manager can still leak some metadata about your accounts and usage, and it can be accessed from any device it is signed in on. If you want more security and more plausible deniability, use an offline password manager like KeePassXC. The database file KeePassXC produces can then be stored on an encrypted and/or hidden volume.
Change your passwords every x days
If you think your keystrokes might be monitored and recorded, you might want to change your passwords every x days to evict anyone who got into your accounts. Changing the password alone does not always end existing sessions, so also revoke active sessions and app tokens where the service offers it.
Changing passwords regularly can also protect against breaches you have not heard about. We still chose to make it optional as it can be a hassle and is not always necessary.
Set up a dead man's switch
What happens to your accounts if you die? Nothing. This is why you should set up a dead man's switch so that your accounts and information are sent to a trusted contact if you do not log in for a certain amount of time.
Online password managers usually offer an option to grant a trusted contact access if you have not logged in for a certain amount of time. For an offline password manager you will have to do some DIY.
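One way to do that DIY, as an added example rather than anything this page or KeePassXC ships: a small script you run from a cron job or systemd timer on a machine that stays powered on. Each time you unlock your vault you also record a check-in; after a quiet period you are warned, and after a longer one the still-encrypted vault file is copied to a location the trusted contact can already reach. The thresholds, file names and the release-to-a-directory mechanism are this example's assumptions; swap the release step for whatever delivery you trust.

```python
"""DIY dead man's switch for an offline vault such as a KeePassXC .kdbx file.

Call `check_in()` whenever you unlock the vault (or from a login hook) and run
`run()` periodically on an always-on machine. If no check-in is seen for
WARN_AFTER the verdict is 'warn' (attach your own notification there); after
RELEASE_AFTER the encrypted vault is copied to the release directory. The
master password is never handled here: hand it over out of band (sealed
envelope, split secret), otherwise the release location becomes a single
point of failure for the whole vault.
"""
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional
import shutil

WARN_AFTER = timedelta(days=21)      # assumed thresholds; tune to your habits
RELEASE_AFTER = timedelta(days=30)
CONTACT_NOTE = ("This is the encrypted password vault left for you. Open it with "
                "KeePassXC using the master password you were given separately.\n")


def _now(now: Optional[datetime]) -> datetime:
    return now if now is not None else datetime.now(timezone.utc)


def check_in(state_file: Path, now: Optional[datetime] = None) -> None:
    """Record that the owner is alive and well (UTC ISO timestamp)."""
    state_file.write_text(_now(now).isoformat())


def last_check_in(state_file: Path) -> Optional[datetime]:
    if not state_file.exists():
        return None
    return datetime.fromisoformat(state_file.read_text().strip())


def decide(state_file: Path, now: Optional[datetime] = None) -> str:
    """Return 'ok', 'warn' or 'release' from the time since the last check-in."""
    last = last_check_in(state_file)
    if last is None:
        return "warn"  # never checked in: treat as misconfiguration, never release
    elapsed = _now(now) - last
    if elapsed >= RELEASE_AFTER:
        return "release"
    if elapsed >= WARN_AFTER:
        return "warn"
    return "ok"


def release_vault(vault: Path, release_dir: Path) -> Path:
    """Copy the already-encrypted vault plus a note into the release location.

    Idempotent: an existing copy is left untouched so that repeated timer runs
    after the release do not clobber it.
    """
    release_dir.mkdir(parents=True, exist_ok=True)
    dest = release_dir / vault.name
    if not dest.exists():
        shutil.copy2(vault, dest)
        (release_dir / "README.txt").write_text(CONTACT_NOTE)
    return dest


def run(state_file: Path, vault: Path, release_dir: Path,
        now: Optional[datetime] = None) -> str:
    """One timer tick: evaluate the switch and act on the verdict."""
    verdict = decide(state_file, now)
    if verdict == "release":
        release_vault(vault, release_dir)
    return verdict


if __name__ == "__main__":
    # usage: deadman.py <state-file> <vault.kdbx> <release-dir> [--check-in]
    import sys
    state, vault, out = (Path(p) for p in sys.argv[1:4])
    if "--check-in" in sys.argv:
        check_in(state)
    print(run(state, vault, out))
```

Keep the state file somewhere only you can write to, otherwise anyone able to touch it can postpone the release indefinitely; and test the 'release' branch once with a dummy vault before relying on it.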