How to stay as safe as the best

Not to make you feel bad after all this hard work, but even with everything we’ve done in the previous lessons, you are not un-hackable. If you feel paranoia and fear that you are being specifically targeted (like our friend Edward Snowden) then you need to take far more steps, and even that may not be enough. For instance, Mr. Snowden drapes a pillowcase over his head when entering passwords, in order to avoid them being compromised by spying eyes or cameras.

This lesson is by no means intended to guarantee you are invincible and hack-proof, it’s more of a thought experiment on thinking more like a ‘Snowden’.

Targeted Attacks

If you believe you’re a high value target (journalist, celebrity, high net-worth, powerful, an enemy in the government's eyes like a whistleblower) then hackers are incentivized to push harder (and will invest more resources and money to hack you). For this reason it’s extremely hard to stay safe. You effectively have to be a crypto-nerd techie or hire a specialized security team. Even with all this, if bad people get you in a room, they will get your information.

If you are this sort of target, you have far more to worry about, like kidnapping, physical attack, blackmail, and you also likely have money to pay for protection. This is wayyyy out of scope of this site, so please go hire a professional firm, like Gavin de Becker and Associates, who advise many of the world’s most prominent media figures, corporations, and law enforcement agencies on predicting violence, and also serves regular citizens who are victims of domestic abuse and stalking.

The Easiest Defense — Reduce, Reduce, Reduce

Follow this simple formula:

When posting publicly or entering information online, take a moment to think about what personal information the service actually needs and provide the minimum. Same goes for posting online, how much do you really need to share with everyone on your social media or the public. Some obvious cases of where people provide too much information or overshare:

• providing extra information - birthdates, addresses, school names, children's names, places of work
• photos including private info - think cars with license plates, your home, photos of your children, or even documents with addresses or any identifiable info
• photos with GPS information - most devices attach location information to photos you take, you should learn to remove it yourself before uploading
• locations of your home or work - includes posting workouts that start and end at home. The US government even screwed this one up and gave away the location of a secret military base in Afghanistan. Strava offers a privacy zone feature where you add a bounding box so it won't display the starts and ends of your map publicly but still allows you to share.

Pseudonymity and Doxxing

Using a pseudonym simply means using a fake name. You've probably seen a friend that uses a fake name on their Facebook or Instagram account. This is a good practice because it makes it more difficult for malicious actors to connect your online presence with your real identity (and therefore your real bank account, social insurance number, address and so on).

Doxxing, or being doxxed is when someone has their private information leaked online without their consent, or in the case of someone acting under a pseudonym, having that publicly connected back to their real name.

The strength of your pseudonym is in how difficult it is for someone to doxx you. For social media it is likely good enough to use a fake last name to avoid unwanted people from finding you. The pseudonyms are weak, due to the nature of social media. You are interacting with many friends that know your real identity and could doxx you. This can even happen unintentionally by using your real name when commenting on a photo or a post.

If you are a whistleblower, you will probably want a full pseudonym, that has absolutely no connections back to your real identity. This means a using an identity that nobody you don't absolutely trust knows is one. It means using a different email to sign up, providing distinct information for every part of the signup. It can even extend to adapting your writing style, as their are machine learning algorithms intended to notice patterns in word usage and grammar styles.

Truly Private Browsing with Tor

Sometimes you want to be truly private online. This is very difficult, inconvenient and slow, but in the end possible to achieve.

You may have heard of the Silk Road or the Dark Web, which made Tor (the onion router) famous. Aside from its obvious illegal use cases, there are many legitimate reasons to use this approach for true anonymity online, including avoiding detection by oppressive regimes. Using Tor to browse the internet is sort of like having a VPN on steroids, bouncing your data across several random inter-connected devices in a network around the world to encrypt your data.

Using Tor alone is not enough. You must layer many other techniques such as:

• never accessing the internet from home or work
• obfuscating your information in a way that never ties back to your real identity
• using a VPN over Tor
• using encrypted chat like Signal
• using a Tor-specific operating system like Tails or Whonix

You have to be smarter than a Hollywood spy to do this right. If you do, remember that a single mistake can make all the privacy disappear in a snap. Ross Ulbricht (the former operator of the Silk Road, who went by the pseudonym Dread Pirate Roberts) thought he was smart and careful but was caught when someone discovered his Silk Road username used on an old forum with his real email address. He is now serving double life + 40 years without possibility of parole, for money laundering, computer hacking and conspiracy to traffic narcotics.

This approach is not for the faint of heart, and make sure you have a really good reason or it's honestly not worth all the hype.

Protective Actions

Here are some other protective actions you can take:

Airgapping: This is when you have a computer that is not connected to the internet in any way. If you have a high-value bitcoin wallet, or extremely senstitive documents, you may want to put them on an airgapped device and store them in a safe. Just make sure you have backups (also airgapped) elsewhere.

Erasing data: If you are going into a sensitive area and want to protect your data, you can erase your devices. This would protect you against your devices being read at a border crossing. The downside is the inconvenience of restoring your device on the other side of the border. Also, ensure that whatever method you use to erase your device does a full erase, not one that can be restored.

Mr. Robot

For a really fun dive into the world of hackers I highly recommend the TV show Mr. Robot by Sam Esmail. Beyond the gripping story, beautiful cinematography and fantastic acting, the creators took great pains to make the attacks and protections as realistic as possible.

Useful Resources

To end off, here are some useful links if you'd like to dive deeper.

• How to Talk to Your Family About Digital Security [EFF]
• Encryption and tools to protect against global mass surveillance [Privacy Tools]
• Enterprise Cybersecurity: How to Build a Successful Cyberdefense Program Against Advanced Threats [Book]
• Password Cracking [Computerphile]
• What To Know About Identity Theft [FTC]
• Facts + Statistics: Identity theft and cybercrime [III]
• Extreme Security Measures [Wired Magazine - behind a paywall]
• The Day-In-The-Life of a Hacked Smartphone video [Privoro]
• Anonymity, pseudonymity, and the agency of online identity [FirstMonday]
• The Trend Towards Online Pseudonymity [GlobalSign]

Thank you!

We just wanted to thank you for sticking with us through this long course! Don't forget to go back and do any lessons you skipped. And please let your friends know about us!

Back to the Lesson Plan

In many ways, hacking someone is knowing their human psychology. It's knowing that people are lazy and use the same password for multiple accounts, it's knowing they won't backup their data, it's knowing how to leverage fear to get them to hand over the keys. You can have the best encryption, use a password manager perfectly, and keep multiple separate backups, but if someone phones you and pretends to be the government and you fall for it, all bets are off.

This lesson is more about understanding what it is to be a hacker and make yourself less of a target.

White Hat vs. Black Hat

Not all hackers are bad. On one end, white hat hackers are trying to break into systems to find vulnerabilities, inform the system owners and help make the systems stronger. They can be hired to do penetration tests and security audits, and often work for respectable firms. They contribute to open source projects to remove bugs and add security. On the other end, black hat hackers are in it for financial and personal gain, or just to watch the world burn. In the ethical middle sit gray hat, who may be hacking governments or corporations to leak fraudulent behavior, or stealing from the rich to give to the poor.

Black and white are in a constant battle. Systems can never remain safe because it's far easier to find flaws than to fix them. Some vulnerabilities found years ago remain open and easy ways for black hat hackers to attack people.

Finding a Mark

Most hackers want easy targets, and refer to them as targets of opportunity. The less secure and diligent you are, the more likely you are to become one of these targets. There are many ways hackers can find a target:

• actively looking for a starting place by searching social media, comments and reviews, or other public information
• hacking into other systems that have your information stored in them
• relying on previous hacks that have released private information online, including common passwords
• scanning public Wi-Fi networks
• following you and watching you until you enter your password in their sight
• sending emails or making phone calls with private information to seem real

Social Engineering

Psychological manipulation of people into performing actions or divulging confidential information. Social engineering is a cornerstone of successful attacks, and almost all hacking contains an element of understanding what humans do. The video below shows a hacker successfully social engineering full root access to a company, which is the holy grail of an attacker and basically lets them do anything they want. This hacker is white hat because they had permission and performed the attack for educational purposes at DEF-CON, a hacking and security conference.

Script Kiddies

Not all hacking is hard! The term for someone who isn't particularly skilled at programming but uses software to execute an attack is called a script kiddie, or skiddie or skid. And skids aside, even the most sophisticated hackers tend to use some tools created by others before them. The point is that just like there's sophisticated free software to do your taxes or edit your photos, there sophisticated free software to steal your identity and crack your bank account open. So don't assume the person on the other side is necessarily smart, or that they even have to be.

One of the most famous recent leaks of tools usable by script kiddies was when the hacker group the Shadow Brokers leaked a bunch of hacking tools believed to have been developed by the National Security Agency (NSA) of the United States. These tools are now available to script kiddies wishing to leverage the power of the NSA.

Methods of Hacking

There are many crafty and nefarious ways a hacker can attack. It is good to be aware of these methods.

• malware (including viruses) is software that infects your device to take information or modify the system.
• phishing is one of the most common attacks and is when a hacker impersonates a trusted entity (like your bank or email provider) and asks you to do something (like click a link or enter information) that will give them information or access to your systems.
• zero day vulnerabilities are security flaws unknown to the software creator, but known to a hacker that uses a zero-day exploit to take advantage of it. open vulnerabilities can be known by the software creator, but may have not been fixed yet or can be present in un-updated older versions of the software.
• wifi spoofing is setting up fake networks, usually in public places, and harvesting information and access when people connect to them.
• keyloggers are a form of malware that monitor every key you type and therefore can collect your passwords.
• brute force attacks are where a hacker simply tries every combination of password to access an account. They also frequently use a list of the most commonly used passwords. Brute force attacks are not effectively against long generated passwords from a password manager
• denial of service (DoS) and distributed denial-of-service (DDoS ) attacks use one (DoS) or many (DDoS) machines to overwhelm a website or other system with requests and therefore making it unavailable for normal usage.

Real-Life Attacks

To make this real, here is a list of real life stories about some of the largest and scariest successful attacks.

Scary Attacks

• Stuxnet was an extremely sophisticated attack that was found spread through many of the programmable systems controlling global infrastructure from dams to telephone networks to nuclear power plants back in 2010. It was determined in the end that the specific target was Iran, where Stuxnet spun the nuclear centrifuges too quickly, damaging them. It is speculated that Israel and the United States were involved in developing and executing this attack.
• Baby monitor attacks hit their peak back in 2015 as an especially nefarious attack of opportunity. As cheap and remote accessible baby monitors became popular many had less-than-ideal security. Parents who didn't change the default settings of their baby monitors unwittingly streamed live imagery of their baby online for anyone to access. Changing the default password is important on any network connected device.
• Heartbleed was a zero-day vulnerability in OpenSSL which is used for secure communication, and allowed an attacker to read through the encryption. It led to hundreds of social insurance numbers being stolen from Canadians among other breaches.
• Spectre and Meltdown both attack vulnerabilities right at the processor level, and in the worst case can allow full takeover of machines.
• KRACK stands for Key Reinstallation Attack and is targetted at WiFi security. If successful, it can break through the encryption on WiFi and allow an attacker to read all traffic on the network.

Famous Leaks

• Edward Snowden is the most famous recent leaker. He stole information from the National Security Agency of the US. Among many other things, it exposed the PRISM surveillance program where the US government was taking private information from US internet companies. Edward Snowden is extremely controversial, and whether you think he is a traitor or a hero, he is a respected speaker on security and privacy techniques.
• WikiLeaks is a controversial organization that leaks confidential information stolen by hackers with an outward stated goal of exposing corruption. There is much speculation that it is actually an arm of Russian intelligence. Regardless, their leaks have exposed unprecedented information to the public. These leaks include Vault 7, 2016 Democratic National Committee emails claimed to have been hacked by Guccifer 2.0, and documents behind the Trans-Pacific Partnership Agreement during its negotiation.
• The Panama Papers were the result of an email hack on a law firm Mossack Fonseca in Panama. These papers exposed the depth and breadth of shady off-shore banking of many world leaders.
• Sony Pictures was attacked in 2014. Confidential emails and other corporate information was leaked. It is suspected that North Korea was behind the attack, and the attack took over two months to execute. When they finished the hackers executed scripts to erase Sony's computer infrastructure.

Phew! Although there was a lot of scary stuff in this lesson, you should nevertheless feel more prepared to not be taken by hackers.

"To know your enemy, you must become your enemy."
- Sun Tzu, Art of War

Proceed to Bonus Lesson: Snowden-Level Security

Back to the Lesson Plan

Backups you say? Sounds like something you know you should be doing, but aren’t. Naughty, naughty. All those priceless photos, music, notes, even business documents are at risk. You should be backing up and protecting anything that would bring a tear to your eye if you were to lose it. The term for managing and protecting all your information is digital asset management (DAM).

For an excellent and exhaustive book on the topic, read The DAM Book. Although targeted at photographers, it is useful reference for anyone and covers the topic in far greater detail than we'll cover here.

Data Losses Happen

Computers are imperfect. Disk drives fail or become corrupt. Laptops and phones get stolen. Website databases crash. There's even ransomware attacks where attackers will encrypt your data and force you to pay for the keys to unlock it. And I truly hope this never happens to you, but homes burn down and flood.

Everyone has at least one drive failure of some sort or another or two at some point in their lives.

The reality is you spent so much time collecting all this information, and it would be a shame to lose it all for not taking some basic precautions. The good news is it's possible to get your data truly safe and protected. If you do it right, it will make managing it much easier.

What to Protect?

Different things are important to different people. To some their music collection is worth more to them than their photos, to others it's their writing or digital art projects. Here are some ideas on things you should be thinking about protecting.

• photos, videos, music and art
• documents and writing
• code, software licenses and other projects
• business and tax documents
• identity documents
• chats and emails

Get Protected

I'm not going to lie, getting a handle on data is a large and intimidating process. Having done this many times and helped friends, I'm presenting a proven, simple, efficient and effective approach.

1. Survey

Start by figuring out what you need to protect. What disk drives and devices do you have data on? What online services have your stories, your music, your photos that aren't stored anywhere else? Write it all down, and note the rough sizes of things as you go. This will give you a good sense of how big your problem is.

I use the free tools Grand Perspective for Mac OS and WinDirStat for Windows to help visualize my data, you can point at a folder then hover over chunks of storage and see what's taking up the most space.

The goal of this step should be to make a single temporary backup of everything you come across, before organizing. This is because the moment you start moving data around you risk losing it. This backup will eventually be deleted, but it is insurance in case of a problem later on.

I like to do this step with a random external drive. You could even borrow a friends' because it will only be temporary. If you have an extra computer in the household you could use that.

2. Organize

This is the most time-intensive part of the process. It's all about de-cluttering, de-scattering, reducing and organizing your data. Make sure you have the time and the will to get this step done. Doing half the job will only create future problems.

• go through all your information, get it centralized in one spot - this includes pulling data off those old memory cards and USB keys
• export from services you don't use anymore, and import to new services or save on your drive - in Lesson 3 you wrote down all the accounts you use, so refer to that list for reminders
• delete anything you no longer want, including duplicates of information
• organize it nicely, however your brain will have the best chance of finding it in the future when you need it
• note which drives and devices you've pulled data off so you can delete them later

Remember, if you screw anything up, you have that backup you made in step 1!

3. Backup - At Least Two Copies of Everything

Now that you have everything in one spot, you can make your first total backup. The easiest and quickest way to back up your data is to simply plug in a USB key or an external drive. Make sure the drive is big enough, and has space for new data you will be adding over the next few years. For now, this is amazing and if you are overwhelmed you can stop here.

External drives can be plugged into a laptop and come in a large range of size, speed and ruggedness for travel.

4. Maintain

The best digital asset management system is the one you maintain, so make sure whatever system you decide on it's one you'll actually follow. Set yourself regular reminders to update backups, and automate as much of the process as you can.

Part of maintenance is to regularly test your backups to make sure they still work. Wouldn't want to find out your backup drive failed after your primary drive fails, would you?

If you've done this correctly, everything should have a home. Keep putting new data in its proper place, and stay on top of protecting your data.

Solid State vs. Hard Disk Drives

When choosing hard drives for backups it is important to understand the two main types of disks. A traditional hard disk drive (HDD), also known as a spinning disk drive, has moving parts and uses a needle on an arm to read and write data off quickly rotating metal plates.

A modern solid state drive (SSD) has no moving parts. In general, they are better; being smaller, more reliable, faster, quieter and using less energy. On the downside they are typically more expensive, especially for larger storage.

Wherever you can afford it, use solid state!

Advanced Protection Techniques

Network Attached Storage (NAS)

Network attached stored is simply when external drives are connected to your network that your computer can connect to without plugging in. At their simplest they just have one drive, but multi-drive options are common and can have additional features like redundancy management built in.

RAID (Redundant Array of Inexpensive Disks) is a common infrastructure technology that allows for spreading data across multiple drives with redundancy and data-recovery options. Depending on what you are trying to achieve, RAID can be extremely difficult to manage, so this is only for technical users! There are also non-RAID approaches and proprietary choices like Drobo.

Cloud Storage

Storing your data in the cloud just means using drives that are hosted in data centers and that you connect to through the internet. The most common and easy-to-use storage services are Dropbox, Box, Google Drive, Microsoft OneDrive or Apple iCloud.

These services are costly and not feasible for large storage beyond about 2TB, so should be reserved for the most important and immediate data.

Many of the backup services allow rollbacks within the service for an extra charge. This is so that if you delete or overwrite something in your cloud storage, you can bring it back at a later date. To me this gives people a false sense of confidence. Better to build a system that doesn't rely on restoring deleted files.

Archiving vs. Backups

I personally have way too much data to store on my laptop and in cloud backups without breaking the bank in monthly fees. If this is the case for you, once you have too much data you can archive the data onto external drives, and then you can delete the data from your primary device and cloud storage. This will free up space and save money.

In general, archives should be for data that you rarely need access to as it is less convenient to attach to. It should also be as organized as possible before you archive it in the first place.

By nature, archives are not the same as backups since you are removing the original data. Archives need to be backed up! Since the whole point of the archive was to avoid the costly cloud, they will typically just use another external drive.

Off-Site & Off-Line

Regardless of whether a backup or an archive, data should be protected with extra backups at a different location (off-site) and disconnected from the internet (off-line).

Off-line backups are completely disconnected from computer and the internet and sit powered off when they're not being updated. This protects against accidental deletion, electrical shock, and remote attacks like ransomware. On-line data means data that is actively connected to a computer or the internet. This could include the data on your devices or in a cloud storage account.

Off-site backups are especially important for archives. If there's a large electrical surge in your building, or a flood or a fire, or someone breaks in, you could lose all of the data in your home at once, including backups. Store it at a trusted friends' house or in a safety deposit box and regularly update the data. Remember, encrypting backups is always a good idea!

Note that while cloud storage technically counts as off-site it is definitely not off-line. That is, if a file is deleted or overwritten on your local machine, that will also happen in your cloud storage. And if an attacker gets into your cloud storage and deletes it or encrypts it, it is effectively destroyed.

This is admittedly too much for some people, but my off-site backups have been the only thing protecting me against me losing valuable memories on several occasions.

Your Memories are Much Safer!

Good work. You have gone through the painful and huge effort to get everything nicely organized in one spot and backed up. As we have seen, the holy grail backup strategy:

• is complete and protects all your important data
• has multiple and redundant backups
• regularly updated
• includes at least one off-site and off-line backups
• is encrypted

As a bonus, once you've achieved this you can do fun new projects. That box of old photos you never went through? Now you can scan them, add them to your photo collection, edit them and post them. Same goes for old videos, letters, and anything you want to keep if the original were to be destroyed.

Reflection on Imperfection

Backup strategies are never perfect. Several years ago, I went into Dropbox one day and noticed that many of my photos prior to 2014 were simply gone. I looked everywhere and worked with Dropbox support to no avail. My best guess is that the files had been deleted by a bug or simply by accident during a cleanup and I hadn't noticed in time for Dropbox to be able to restore them. I had thought I was good at backups. But I didn't have a full off-site and off-line backup for these particular files so they were lost forever. Thankfully this is the only loss of data I've ever had but it goes to show even technical people can lose things.

Congratulations! Getting your data in order is a step so many people never achieve, and putting these practices in place now will serve you for the long term.

Proceed to Lesson 6: Think Like A Hacker

Back to the Lesson Plan

The average user is most vulnerable when they're browsing the internet. It is too easy to make decisions that can compromise your security and provide attackers valuable advantages. Let's make better decisions together.

Secure Browsing with https://

Websites start with either http:// or https://. If the 's' is missing, your traffic is unencrypted and open to attackers! This could be because the website forgot to implement https, didn't have time, didn't care about security, or simply made a mistake. Never submit information to a site that doesn't have https. You can also protect yourself further by installing HTTPS Everywhere, a browser extension that attempts to use https even on sites that were setup for http. Note that it makes an attempt but doesn't work on every single website.

Accessing the Internet

WiFi at Home

Most people just set up their WiFi at home without a password, or leave it with the default. This is dangerous and exposes your WiFi to be logged into from anyone. They can redirect traffic to their own devices and collect your personal information. Malicious actors will drive down streets looking for vulnerable WiFi networks.

Your router is the device with antennae you got from your internet provider, and is where you can protect yourself.

The default passwords to access routers are often published online, and most of them are just admin or password, so it is very easy to guess your way into a router that hasn't been properly secured. Take these steps right now:

• Change the username and password you use to log onto your WiFi (absolute minimum)
• Change the admin or root password that accesses and modifies your router settings
• Add a separate guest account with a different username and password
• Ensure the device is using at least WPA2 encryption (not WEP or WPA)
• Add the passwords above to your password manager you set up in Lesson 3

The bonus is you can now choose a fun usernames like wutangwifi and passwords like ghostdogsamurai and you're being way more secure. Way easier than the random string of characters that came with your router you have to dig out every time someone needs WiFi, right?

To do everything above, you just need to log into the router. You can do this from your phone or laptop, and it should only take a few minutes. The information you need will be printed on the side of the router. If not, just google the 'model number' and 'change passwords' into Google to find a guide.

WiFi in Public Places

When accessing public WiFi networks you are only as secure as the people who set up the network made you. It's also more dangerous because there will be many more people already in the same network. Think of the places cafés & coffee shops, libraries, restaurants, anywhere you may log into private accounts or enter information. The most classic one is logging in to check your banking information at a coffee shop.

Some things that attackers can do:

• if there is unencrypted traffic (such as http) they can access the actual information being entered like credit card numbers or usernames and passwords - be especially diligent that sites use https in public
• see what sites you access (like which email or bank) to make guesses and start more advanced identity attacks
• in some cases they could directly access your machine - this is far more difficult though

To protect yourself you should make use of a VPN, which we'll get into a bit below.

VPNs (Virtual Private Networks)

A VPN can be thought of as a network of computers used to connect to remote sites. The VPN secures your internet connection to ensure that most (but not all) data you’re sending and receiving is encrypted and safe from attackers.

There are many VPN providers to choose from. Most cost money but there are some free. A popular and easy-to-use free choice is TunnelBear. A popular paid choice is ExpressVPN. Do your own research. There are many considerations like the level of security and encryption, how many logs are kept on users, and how likely those logs will be handed over to the authorities if they suspect illegal usage.

VPNs can provide nice advantages beyond security, like watching that Netflix show that's blocked in the country you're on vacation in. Note however that content providers are working to block this sort of usage so there's no guarantee the VPN will work. The use of VPNs was also one of the key security tools used to help journalists and dissidents during the Arab Spring anonymously communicate.

VPNs are not a perfect tool and have flaws. You should still always use a VPN when entering or viewing private information on public networks.

KRACK WiFi Vulnerability

Unfortunately, a major vulnerability was found in WiFi WPA2 encryption back in 2016 called KRACK (Key Reinstallation Attack). This is a serious vulnerability and means even wpa2 protections we set above can be bypassed, allowing attackers to intercept sent and received data. Ultimately all router providers must update their software to protect against these attacks, but you can protect yourself by keeping your devices updated like we learned in Lesson 2. Advanced users may want to google their 'router model KRACK protection' to see if there are settings they can opt for more security.

Blocking Trackers and Ads

There are many entities that want your private information online. The most common one is advertisers. The reason Google is valued at more than $1.5 trillion and Facebook over $850 billion is that they have an amazingly high quality product for their primary customer; no, not you the user, but advertisers. Others like insurance providers also want your data so they can guess risks about you and charge higher premiums. You can do a lot to protect yourself against advertisers.

• One, you can remove ads from your life by using ad blockers. This also makes the internet way less stressful and overwhelming of a place to be.
• Two, you can reduce the amount of information they can collect through your browser by using tracking protections.

Ad Blockers

Add an ad blocker to have a much cleaner and crisper experience online, and avoid being manipulated by advertisers. Some can even block ads in youtube videos. Two popular choices that I use are Adblock Plus (also has a mobile browser app, note this is unrelated to the similarly named AdBlock) and uBlock Origin (which is optimized for high performance, note this is unrelated to uBlock.org).

Note: Confusingly, Adblock Plus is unrelated to the similarly named AdBlock and uBlock Origin is unrelated to uBlock.

Go ahead and install one or more ad blockers on your browser and also mobile device. Note that running ad blocking can slow down your machine a bit so if this is a problem try out a different one. There are many choices, check out this Tom's Guide article to help decide which one you want to use.

Protections Against Trackers

Beyond just blocking ads there are browser extensions that can prevent companies from tracking your browsing online. The most common method trackers use are cookies, basically little text files a website stores on your machine. Now companies use sneakier web beacons like Facebook Pixel, a little invisible pixel that loads on sites without you knowing but allows Facebook to know you went there, even if you're not logged in to Facebook.

These attacks can be blocked by browser extensions like Ghostery and Disconnect (which also has an iOS app). Add one now!

Proceed to Lesson 5: Don’t Lose Your Memories

Back to the Lesson Plan

Authentication is the process of confirming you really are the person that should be let into an account. The common way online is with a username and password. But remembering long, strong, unique passwords for every single site? Come on, that’s insane!! Fear not, enter password managers. By the end of this lesson, you’ll be up and running with a password manager, 2-factor and backup codes, and will no longer have to remember a pile of annoying and weak passwords.

This lesson is longer than the previous ones. The big payoff is no longer needing to remember passwords makes life way more convenient!

Concepts

Password Managers

So what is a password manager? It’s an encrypted vault of all your other passwords. But what does that mean? You take one (really, really strong) master password, and use that password to encrypt (garble) all your other passwords. That way, even if your password vault is stolen, nobody will be able to read any of your passwords without your master password.

Secondly (and arguably more important) password managers make life online more convenient and easy. They can:

• make random, long, strong passwords for you so you don’t have to spend brainpower
• log you into your accounts with a the click of a button without even having to type in the website
• auto-complete forms for you like credit card info and addresses.

Trust me, once you’ve got one set up it is so worth it for these reasons alone. The added security becomes just a mega bonus.

What makes a good master password?

It should be obvious that your master password should be by far the strongest password you’ve ever made. Quick review of what makes one strong:

• REALLY long (not kidding, I’m talking at LEAST 25 characters)
• easy and fast to enter (on both phones and computers)
• not just dictionary words (either throw in a fake word that means something only to you, something in a different language, or break words in half with numbers)

The Computerphile video below is a much deeper look at how a hacker could break your password. Many of the discussion points are covered in this post so watching isn't required.

2-Factor and Backup Codes

As we learned in Lesson 1, 2-factor (or multi-factor) authentication makes it so that you need your password (1st factor) AND a one-time random code (2nd factor) to get into your account. This lesson is a really nice and efficient time to turn on 2-factor for every account that allows it, since you’ll have to log into all your accounts anyways.

When setting up 2-factor, most sites also offer you the chance to download backup codes. These can be thought of as one-time-use 2-factor codes, and are designed for when you can’t get your 2-factor code another way. This could be when you’re travelling and can’t receive a text message code, or if you’ve just lost your phone and need to get into the accounts to set up 2-factor on your new phone, or if you’re logging into a public machine one time.

Where will you store these codes? You can write a few backup codes down for travel, or give them to a friend or family member to help you in case you ever get locked out. Each backup code can only be used once, so if you ever use them all up, you have to generate new ones from inside your account security settings. Since a password manager can also be used to store backup codes, this lesson will be a good time to generate them.

Emergency Recovery

A password manager makes it harder to get into your stuff when you lose or can’t access your devices. This is by design, but it’s still worth thinking about ahead of time in the tiny chance you need to recover your password manager in an emergency.

What if you’re travelling and you lose ALL of your devices at once (think about a theft, or lost baggage, a fire, water damage), what steps would you do to get back into your email or your bank account, or to send a message to your family that you’re safe, or anything else of importance? Less stressfully, what if you need to login to someone else’s device where you don’t want to install your password manager (say to log into a shared Netflix family account, or to log into a PlayStation that can’t install a password manager)?

If you need to get into any accounts without your password manager, those passwords should NOT be generated by the password manager. Instead use the techniques in Lesson 1 to make long, unique and easy to remember passwords. Still store them in your password manager, but also store them in your brain. Even for these easier-to-remember passwords, if the account has 2-factor authentication, you may also need to have your backup codes to get past the 2-factor step. In this case you could have them written down somewhere safe, and keep them with you (hidden) when you travel.

Technical Note: Some services may ONLY offer 2-factor authentication using text messages (that is, no authenticator app or backup codes). This means you must be able to receive text messages while travelling to be able to get into your account, or else you have to turn off 2-factor before you leave. Of course, this comes with its own risks.

The point of this thought experiment is to make sure you understand how to get back into your password vault. In the case of BitWarden, which is covered in this lesson, your password vault is stored in their cloud and doesn’t require 2-factor by default, so as long as you have internet and your master password, you can get in. But others may have set up a vault locally, or in Dropbox, or have set up 2-factor for their password manager. All of these offer more security, but this security also make it harder to get in, so make sure you have the information to do it in an emergency.

Now that we’ve covered all the basic concepts, let’s get going!

Become an Authentication Ninja

You’ll need to carve off a big chunk of focused time for this lesson. Depending on how many accounts you have it could take a whole evening. But it’s like ripping off a bandaid; once it’s done it’s done forever. No spring cleaning on this one.

I recommend doing this one-time setup on a laptop, not a phone, as it would be significantly harder without a full keyboard and larger screen.

BitWarden — Password Manager of Choice

This lesson will focus on the password manager BitWarden. It is free, secure and easy to use, so is my go-to when getting people started. It has highly trusted security, their code is completely open-source so the public can review it to ensure it is safe, they get third party audits of their technology, and are recommended by the very hard to please privacytools.io.

BitWarden (like any cloud-based password manager) stores your garbled up passwords in their cloud, but they NEVER need to even see your master password. This means your passwords will not be compromised even if they have a security breach and hackers download your password vault.

The side-effect of Bitwarden not knowing your master password is that if you ever forget it, you will have to delete your account and manually reset ALL of your passwords, so DON’T FORGET IT! See more details on how this works for BitWarden here.

My lesson builds off components of the BitWarden help centre. Much greater detail can be found there if you get stuck.

I do NOT have a relationship with BitWarden. In fact, I used to recommend LastPass until they removed key features from their free plan. You can see that previous guide archived here.

Feel free to check out other popular password managers, like Keeper, DashLane & 1Password. Whatever you choose, make sure you understand the pricing model and that it has trusted security (namely they never require you to send them your master password).

Getting Set Up

BitWarden setup is easy. Just go to their site and click the Get Started button in the top right. This will get you set up with a new account and your password Vault.

The password to this account is your master password, so remember to make it crazy strong!! If someone is helping you with this lesson, you should change your master password once it’s all done. You should be the only person that knows your master password, even loved ones don’t count. Go ahead and set up your account now. Once set up you'll have to click the verification link in your email too.

If you plan to fully complete this lesson right now, you may want to make your master password shorter for now, get set up, and then make it strong. But DON’T leave it weak!!! DO THIS AT YOUR OWN RISK!!

Download Browser Extension

From the download page, add your browser extension of choice. This will allow BitWarden to save and retrieve passwords as you need. Once installed you'll see a gray Vault icon to the right of your address bar. Click it and log in with your email and master password and it will turn blue.

Saving A Password to the Vault

Now that you’re all set up, just pick any account you already have and go to the login page. Fill in your username and password and log in. BitWarden will pop up with a banner offering to save your password. Click Yes and the website, username and password will be saved to your vault.

Generate a Stronger Password

Now that you’re logged into that account, go ahead and change the password. On the change password page, instead of thinking of a new password, click the Vault button in your browser bar then click the Generator button (with the two arrows in a cirlce) to use the password generator.

I recommend cranking the Length to at least 30 characters, and keeping all the options checked. Some sites have ‘maximum length’ passwords (shame on them!) and restrict special characters, so in these cases you’ll just have to change the settings to work on that site. One you're ready click Copy Password. Use your brand-new, strong, unique password to reset the password for the site you're on. BitWarden should notice and offer to update your password in the Vault. If it doesn't, search the Vault for the password and update it on your own with the password you just copied.

You can also quickly generate a password with your most recent settings by right-clicking anywhere in your browser and selecting BitWarden > Generate Password (copied)

Save Backup Codes

Since you’re in your account settings anyways, you should generate backup codes if they are offered and save them in BitWarden. Simply edit the site and copy your backup codes into the Custom Fields section as a "hidden field". Remember they are one time use so if you ever use one you should erase it here to avoid confusion later.

Security Question Answers

You can also use Custom Fields to save the answers to the security questions that some sites enforce like "What was your mother's maiden name?" And don't use your real mother's maiden name as that is easy for hackers to figure out! Simply generate another password and store that.

Turn on 2-factor authentication (2fa) for this site

This is also a good time to turn on 2fa with text messages if you haven't already. Do this for all accounts it's offered on, but especially sensitive ones like email, banking and work accounts.

Now Rip that Bandaid Off!

This is where we start the real big task. You now need to find ALL your accounts, and use BitWarden to generate new passwords, which will be stored in your password vault. It can be really daunting to try to remember all of the accounts you have online, so here are some tricks:

• look in the Keychain app on your Mac: this app collects many of the username and passwords you use on your laptop
• browser saved passwords: many internet browsers save your passwords (links for Chrome, Safari, Firefox)
• search your email: search for emails with a subject with ‘Welcome’ in them, or search the word ‘password’ in your email, which will give you a pretty good list of many of the sites you’ve signed up for

If you’ve forgotten any passwords, that’s ok, you’ll just have to request a password reset.

For each account, rinse and repeat the following:

1. Log in to the account and add it to BitWarden
2. Update the password with a strong, generated one
   (the only exception is your master recovery email, which you should leave as the one you made in Lesson 1, which may be good to leave as a passphrase you can remember in case you ever need to access it while unable to access BitWarden)
3. Turn on 2-factor authentication (if available)
4. Copy your backup codes into the ‘Custom Fields’ of the site

(four hours later) Phew!!! That wasn’t too bad was it?

Set up 2fa on BitWarden [But With Warning]

The final recommended step is to add 2fa on BitWarden itself.  With 2fa even if someone gets your master password you will still be protected. BitWarden has ALL your passwords, so I recommend you take this step, however there is a very important warning below you must understand before proceeding. Read it several times.

WARNING: If you set up 2fa, then lose your 2-factor device in the future, you must provide your recovery code to be able to regain access to BitWarden. Since BitWarden does not store your master password or your recovery code, they cannot help you unlock your account otherwise. This is by design, for your safety. More information is here.

Ok, if you understand that and promise to protect the recovery code, go ahead and set up 2fa. The recovery code should look like this:

You must save and store this code outside BitWarden and never lose it. Do not even think of turning on 2fa if you think you may lose this code. More info on the recovery code is here.

Welcome to a New and Better World

Now whenever you go to a site, if you’re logged into BitWarden, your info will be automatically entered. If not, the shortcut key is ctrl+shift+L (Windows) and cmd+shift+L (Mac) for autofill.

Nice! If you want to go to a site, instead of typing it into your browser, search it in your Vault, click it, and it will navigate to the site and log you in. Sweet! Whenever you want to sign up for a new site, add it in BitWarden, use the Generator, and start from day one with a strong password. Awesome!

If a site doesn’t autofill properly for whatever reason, you can click the Vault and manually copy/paste the information into the login page. It also just might be that the site didn’t save enough information, so you can edit the entry in the Vault to fix it.

Using BitWarden on Mobile Devices

Now that you’re all setup on your laptop, download the BitWarden app for your mobile device. Download the app, and simply log in with the same email and master password. Everything will then sync, that easy.

BitWarden works slightly differently on each device, so I recommend skimming their guides for Android and iOS. It's worth going through the extra steps to make sure Autofill is working properly for your convenience.

Security Clean Up

Remember when we used the list of saved passwords in Chrome or another browser to find out what accounts we had? That’s a REALLY BAD place to store passwords. So let’s go back in there, and turn off the feature that even offers to save passwords (we’re better than that now). Also, delete all the ones it’s saved from our old life pre-BitWarden. This includes text files or Excel sheets you had with all your passwords stored before.

Bonus BitWarden Features

BitWarden has plenty of other features you may be interested in:

• Other Items: BitWarden can store more than just logins. It also stores Cards, Identities and Secure Notes, and is more secure than storing them in your browser. You could even store your driver's license, passport and medical documents safely.
• Auto-Fill Cards & Identities: BitWarden is a secure and convenient way of auto-filling credit card information, addresses and other form information to auto-fill it when you need it online.
• 2-factor via Authenticator: BitWarden can generate 2fa codes for your sites so you don't need to receive text messages. This is a bit more advanced, so follow their guide carefully.
• BitWarden Send: Can be used to send information to anybody securely.

Now that we’re at the end, make your master password strong (if you had made a weak one to get through this). Also, if you have a security deposit box or a safe, it may be a place to store a printed version of your master password and recovery code if you feel you may ever forget it.

Congratulations! You are now an Authentication Ninja.

A reminder one more time, if you made your master password weak to get through this lesson, or if anyone else still knows it, RIGHT NOW is the time to make it strong, unique, and only known by you.

Proceed to Lesson 4: Play Safer Online!

Back to the Lesson Plan

Your devices are your connection to the internet and the world. They’re also an easy way for hackers to gain access to your accounts. This is another quick lesson. Everything here applies to ALL your devices; your laptops, your phones, your tablets.

Passcode Locks

It should be obvious, but all your devices should be locked with a passcode. This prevents a random person from just picking up your phone and going straight into any accounts that are attached to it. Most people have their primary email synced with their phone, which as we know is a gateway to all your other accounts.

Do a mental check. Is every device you own protected by a passcode or password? Are they decently long? 6 digits or characters is decent. If not, go set one right now.

Note that for some accounts (like your bank app) you can choose to add an extra passcode. This way if someone gets past your main phone passcode, they can’t get into your bank afterwards.

Remote Lock and Wipe

Most devices have a feature to remotely access them. This means if they are lost you can find their location, de-activate them and erase information if need be.

• Google / Android
• Apple / iPhone
• Microsoft / Windows

Make sure that all your devices are visible in the various remote access services, and understand how to use them in case something goes missing.

Keep Updated!

This is a major PSA. Keep all your devices up to date! The latest updates for each operating system are most often to cover up security flaws. Hackers know about these flaws and will use them to get into your system.

There is a common belief that updates will slow down your device. In reality, updates are more likely to make your device faster. You are also better off clearing up space and uninstalling apps to speed up a device.

There is also a strange belief the updates bring bugs. They are actually intended to fix bugs, and the thought that they may introduce a new bug should be outweighed by the fact that they likely fix one or more real (and possibly serious) security holes.

Clarity note: You do not have to upgrade to the latest version of an operating system (iOS 7 vs 8 vs 10). It is more important to have the latest updates for each version. For instance, you can still run iOS 7, but make sure to have the latest iOS 7 updates.

Privacy and Security Settings

Every device has a variety of privacy and security settings. It is worth going into those settings and making sure they make sense to your gut. Yes, it makes sense that Uber needs access to your location, but does that finance app really need access to your microphone and camera? If in doubt, turn off all the access for each program, and when you go to use it, the app will prompt when it needs to use each part of your phone.

Malware and Viruses

Basic steps are necessary to protect against malware (malicious software). The most known form of malware are viruses, which replicate and spread across computers and through networks. There are many other types of malware including adware, spyware, botnets, Trojans, worms, rootkits and ransomware. All of them are designed to do something to you against your will, whether it be steal your data or money, crash or corrupt your computer, or even use your device for illegal activities.

Software to protect against malware is referred to as anti-malware or anti-virus software. All computers should have basic protective software running. Software that comes with your computer are Windows Defender Antivirus and Mac XProtect. Make sure these are turned on on your devices in your system settings. They offer basic levels of protection, but are not quite enough.

For extra anti-malware protection, I recommend installing a third party anti-virus. There are many free and paid choices. Excellent free choices are Kaspersky Security Cloud Free (Windows, Android, iOS) and Bitdefender Antivirus Free (Windows, Mac, Android). So go ahead and install an anti-malware or anti-virus of choice on all your devices.

Note: Free is usually not really free, so beware of the risk of anti-virus companies selling your data. Best to understand their model and look for freemium, where the free services are simply a way to market and sell their paid plans.

Encryption

When a device is not encrypted, it is shockingly easy for an attacker to get around your device password and access your data, simply by setting up a secret admin account. I have personally used this to help friends access their data when they've forgotten their device password, which shocks them into using encryption. Encryption will protect your data unless you have the password, even if an attacker accesses your machine remotely or physically steals it from you.

For convenience, encryption is usually done with the same password you use to log into your machine, so make sure it's a strong password, protect it, and don't lose it!

On Mac, use FileVault to encrypt your machine, and can offer to store your encryption key in iCloud. On Windows, turn on encryption in Settings.

Warning: If you encrypt your device and then lose the encryption key, your data will be lost with no way to retrieve it. So you may want to wait until after we have set up backups in Lesson 5 to protect against this.

Good work, your devices are now protected!

This was a quick lesson, but you have done A LOT to prevent attacks or stop them quickly.

Proceed to Lesson 3: Passwords Be Gone!

Back to the Lesson Plan

Do you have 10 minutes right now? Follow this quick lesson and you’ll be way safer at the end of it.

This lesson is all about improving your security significantly with one action: making a strong, unique and easy to remember password with 2-factor authentication for your primary email.

Why?

Your primary email is the one you use to sign up for other online accounts. If a hacker gets into this email they can easily request password resets for ALL your other accounts tied to this email (including your bank, your Facebook, your Dropbox and so on). They can reset the passwords for every site extremely quickly using scripts, and so this is the easiest hacking path to theft of your assets and your identity.

This is your most important account to protect.

What is a Strong, Unique and Easy to Remember password?

To begin, this web comic teaches us length is the main thing behind password strength. Note this comic is old and 1,000 guesses/second is really low these days, now it’s more like a billion or a trillion guesses/second.

Passwords like this are called passphrases. Hackers know about this method too, so they’ll feed in common dictionaries to try to crack passphrases faster than shown in the comic. To protect against this, take it one step further, and throw a number into the middle of one word, or include a fake word that won’t be in a dictionary, maybe from an inside joke. So “correctsmorsiebatterystapl9e” would be much harder to crack and still quite easy to remember, especially if you called horses “smorsies” as a kid (cute!).

Your email may also enforce capitals, numbers and symbols. To get by this, you could always add in a capital, number and symbol to every password in the same place. Let’s say I always make the 2nd character capital, the 2nd last a 9, and then toss a # symbol at the end.

I’m sitting in a coffee shop right now, with a sign that says “A neon sign for Uncle Billy” on the wall.

An effectively impossible to crack but easy to remember password would be “aNeonsignforunclebill9y#”. If your email doesn’t enforce these rules, “aneonsignforunclebilly” would be also extremely strong (at least for now, before every written phrase is in a hacker database). So just pick a phrase that means something to only you, add a number, capital, symbol if you want and go change your primary email password, RIGHT NOW.

I’ll wait.

Ok, done? Good.

Now, what is 2-Factor Authentication?

What do people mean when they say 2-factor? All it means is that you need your password (1st factor) and a one-time random code (2nd factor) to get into your account. This one-time code is usually sent by text message to your phone. This means that if a hacker in another country gets your password, they also need your text messages to get in.

Major email providers have the option to turn on two-factor. Usually you just log in, find ‘Security’ in the settings of the account, and find 2-factor authentication and turn it on. Then you’ll receive a code by text, enter it to confirm it’s you and boom, you’re done.

Here are links to get set up for various services:

• Google/Gmail: https://www.google.com/landing/2step/
• Microsoft/Hotmail/Live/Outlook: https://support.microsoft.com/en-ca/help/12408/microsoft-account-about-two-step-verification
• Apple/iCloud: https://support.apple.com/en-ca/HT204915
• Yahoo: https://help.yahoo.com/kb/SLN5013.html
• Others: https://authy.com/guides/

Go and log into your primary email and set up 2-factor authentication, RIGHT NOW. Done? Great!

That’s it!

You are WAY safer now that you’ve done this. I of course still recommend going through my entire lesson plan, but you should pat yourself on the back for taking at least this action.

Proceed to Lesson 2: Protect your Devices

Back to the Lesson Plan

I am even more of an efficiency nerd than a security nerd and do NOT want to add complexity or intrusion to your day. I believe security can be convenient. Hop in below and start getting more secure right now.

Lesson 1: 10-minute Quick Win

Lesson 2: Protect your Devices

Lesson 3: Passwords Be Gone!

Lesson 4: Play Safer Online

Lesson 5: Don’t Lose Your Memories

Lesson 6: Think Like a Hacker

Bonus: Snowden-Level Security

Score Card

This scorecard will give you an idea of where you’re at. You can download it, print it and fill it out. If you don’t understand something, give yourself a zero.

Fear mongering warning: Working in technology, I am thinking about security risks all the time. Thankfully, this is not a mental burden on all of us, but I do care passionately. Trust me, the risks are real!

If these lessons look hard, fear not, just grab a techie that you trust (very important!!), and get them to go through the lessons with you.

This lesson plan is my attempt at balancing pretty great security with something that people will actually do. I will try to continuously make this better, so feedback is appreciated!

Get started right now with Lesson 1: 10-minute Quick Win!

The most common response to talking about security and privacy is 'why should I care?' This post will answer that question for you. If at any point you throw up your arms and are like ‘ok, I’m scared already, and just want to start feeling safer!’ feel free to jump ahead to the lesson plan and get started.

The Scary Stuff (What Can Happen)

When a hacker compromises your password, they can lock you out of your own account, and do any of the following:

• Steal your money! — this is way easier than you think
• See and delete everything you care about — your messages, your photos, your documents, your memories
• Use your identity to send emails, sign up for services including loans, and use your private information to hijack others including your loved ones
• Get into your other accounts with the information from one account
• Encrypt (garble) your data and hold you hostage to have it decrypted (ungarbled)

All of the evil deeds above can be run by hackers with scripts, which are just like mini downloadable apps. This makes it extremely fast and easy to hack many people at the same time with the click of a button.

Common Fallacies

I find it can be easy to justify why you don’t need to think about security. Here are the most common ways people convince themselves they’re ok:

• “There’s nobody looking for me!” — WRONG: Hackers attack indiscriminately, usually by first coming across your information in a compromised online account you have and then using that to get into other accounts.
• “I have nothing to hide, so I’m not a target” — WRONG: Even if you have nothing to hide, your private information (banking info, private convos, private documents) can be used to build up a false identity, steal your assets and create a world of nightmares that could cost thousands and stick with you your entire life.
• “I don’t use my computer or phone for that much” — WRONG: Unless you don’t use the internet and have zero accounts with any private information, you are a target.
• “I have anti-virus, so I’m ok” — WRONG: Viruses are only one of many methods to hack you. There are social engineering tricks based on human psychology, phishing, security failures of systems you use and fraudulent companies to be worried about, just to name several.
• “My bank locks out after 3 failed attempts, so I’m ok!” — WRONG: Hackers don’t tend to use the website itself to crack your password, they crack passwords offline and only try them once they know they are correct.

Those Devious Hackers (How It Happens)

Today’s world is getting more connected, and with that comes a whole bunch of ways attackers can compromise your life. How do hackers actually get at your data?

• Human Psychology — hackers know how we make our passwords
• Security vulnerabilities — engineers accidentally leave flaws in programs like the iPhone software, your web browser, the WiFi network you’re on, etc. Hackers exploit these.
• Phishing attacks — trickster emails or sites that try to look legitimate to get you to enter your information
• Malware / Viruses — programs that run on your computer or phone and scrape up information including passwords
• Brute Force attacks — scripts that run on lists of passwords from hacked websites to break everyone’s passwords; how easy this is depends on how much attention each site puts into security

Listen to this 6-minute snippet from the “Slack Variety Pack” podcast for a story about how passwords get stolen and some general tips.

At an absolute minimum you need to:

• Have strong passwords
• Be careful opening files or apps downloaded from the internet
• Be careful browsing and clicking on links while browsing
• Be careful clicking on links from emails, even from loved ones

OMG my security is TERRIBLE (What now??)

You should be sufficiently scared and sweating by now. But fear not, I promise it isn’t very hard to get to a much better place. And don’t feel bad, this is a normal feeling!

The chart above visualizes what you’re feeling right now, having just realized your perception of your own security was WAY higher than your actual security. We can fix that together. And as a bonus, the more you do, the easier to handle internet life will be!

Have no fear, let's jump into the lessons and get safer right now!

Fear mongering warning: Working in technology, I am thinking about security risks all the time. Thankfully, this is not a mental burden on all of us, but I do care passionately. Trust me, the risks are real!

If these lessons look hard, fear not, just grab a techie that you trust (very important!!), and get them to go through the lessons with you.

This lesson plan is my attempt at balancing pretty great security with something that people will actually do. I will try to continuously make this better, so feedback is appreciated!