As more people flock over to the fediverse from reddit, twitter and other centralised proprietary networks it is important that you keep your e-mail and other important accounts safe from hijacking attempts. Since anyone can simply spin up an instance and host users and communities it is important that you don’t divulge your internet personal details to anyone as these can be harvested by the instance owner and by any instance you erroneously try to login to or simply the instance could be hacked and the user data harvasted. With this in mind here are some suggestions for good OPSEC (Operation Security):
- Don’t use your main e-mail address. Either create a new one or better sign up for an e-mail forwarding service and set-up forwarding addresses for each instance you sign up to. Since these are throw away addresses, if it gets leaked you can just delete the address and create a new one without compromising your main e-mail address. (Bonus: this can also be used to use unique addresses for traditional web services and make it easy to know how and from where an address got leaked)
Here is a nice article with some e-mail forwarding providers to get you started
- Use a password manager and generate strong and unique passwords for any and all instances and services you use, this way you won’t divulge a password used on another account to the instance owner, or if the address used (especially if you used your main e-mail address)/got leaked your account will still be safe from hijacking by attempting to use password dictionaries to guess the password.
Some passvault suggestions:
- Passbolt (self hosted)
- Bitwarden (self hosted and hosted options)
- Vaultwarden (unlocked self hosted alternative to bitwarden)
These are my main security suggestions for all you new and existing lemmings. Feel free to suggest other security considerations to have and other services beyond those mentioned. Stay safe and have fun posting and commenting.
You could add keepassxc as an option for those who don’t want a hosted service at all. You can still exchange the storage file with other computers if you have to (via USB stick, mail, nextcloud etc)
Speaking of which, stuff that frequently comes up in privacy related forums:
Differentiate between your professional accounts (it has your real name attached) and your non-professional ones (you use it to discuss pooping methods for example). Don’t mix them up. I know many will say “so what if people in the fediverse know where I live and how I poop, I got nothing to hide” a lot, but that’s how people got doxxed or swatted.
Even if you don’t feel the need to, it’s good to sit down and identify the potential threats given certain problems. Do you recycle passwords for email and social media accounts? What about banking? If a malicious coworker or an immature family member got access to your social media profile and posted reputation-damaging content, how bad can things get? Identify the outcomes you can mitigate or must prevent, and plan accordingly.
There is no “100%” when it comes to privacy. It’s a process, not an “all-or-nothing” switch. Beginners often ask if “program X and Y will protect me 100%”, and the answer usually boils down to “there isn’t a single magic pill”.
Privacy ≠ Security ≠ Anonymity. A VPN subscription can secure your connection (content secret in transit), but does not make you anonymous (sender known to middle node). You could leave an anonymous message (sender unknown) on a public forum, but the message itself isn’t private (content not secret). And so on.
Encryption is a useful tool, but don’t fall for the “military grade encryption” speech. They often mean “we just slapped whatever shit it came up with”, nothing extraordinary.
There are many more but I will stop for now. No, I am not in Guantanamo.
Great points all around!
Also, do not post personal information here ever. Once you posted a comment, there are no guarantee you can fully delete them later. If you post a personal information, there is a chance that it might still up in some instance somewhere even if you attempt to delete it. Some instance might not receive the activitypub push about the deletion due to federation issue/lags, getting blocked from the original instance, bugs or random internet connection issues. Use other channel if you need to share personal info to fellow lemmings so you can be sure to purge them if needed later (e.g a link to pastebin, discord, etc)
I wouldn’t say don’t post personal information at all. But rather don’t post information that you’re not comfortable with everyone knowing, while being identified and never being able to delete it.
IMO it’s best to assume that if you post enough online, someone dedicated enough will be able to identify you, especially people who already know you in real life. It’s difficult to post without revealing small details about yourself that can be combined to piece together who you are. Eg, you might never say where you work, but your city, field, an offhand comment about a coworker, a mention of a conference, and such might let someone narrow it down. Similarly, you might never mention what city you’re in, but it might be narrowed down from mentions of things like traffic, weather, events near you, remarks of things being close by, etc. And that’s not even getting into devious things like trying to trick someone into clicking a link to a domain you control so that you can get their IP.
I’m of the opinion you should generally act as if you’re talking to people face to face with a name tag saying your full name and address. I think that approach also just plain makes the internet a better place. Anonymity seems to make a lot of people more comfortable being aggressive assholes.
I say “generally” because there’s plenty of valid reasons to want to post things you would want to post things that you’d never say if identified. But in that case, you should strongly consider using an absolutely minimal throwaway account, while being extremely careful with details. And even then, you should at least consider that you might still get identified. In particular, I think a lot of users of throwaways only consider strangers not being able to identify them. Sometimes that’s all you care about, but your family, friends, and coworkers are going to have a lot easier time identifying you.
You could also use an instance that doesn’t require email for signups. Like fmhy or lemmynsfw.
It’s not very open-sourcey, but Apple include a email forwarding service called Hide My Email in their iCloud+ plans. So, you may already have access to that service.
I like and use anonaddy.com. Unlimited free aliases.
Nice, I didn’t know of them, thanks for sharing!
I totally agree with using strong unique password manager generated passwords for every server (as everyone should do for every service they use regardless) but my email has been leaked so many times by so many breaches I’m not sure I really care about that part at this point…
Removed by mod
The throwaway email providers I personally use are:
- If I want to receive ongoing messages and have the ability to reset passwords etc: DuckDuckGo
- If I don’t care what happens after the first email: Yopmail
DDG is great, I’ve been using it for a while now, but I recently learned that I can also send mails from my main account as a @duck.com address and now I’m in love.
deleted by creator
Don’t do this.
Just use a good, random, password generator with decent settings.
Varying away from that just to ‘change the kind of password’ is only going to reduce your security.
You want as many random bits of information as possible in the password. That’s it.
deleted by creator
That’s like saying that only using high security locks with various security pins in them to protect your house is a bad idea, and you should throw in some secured with padlocks too just to change things up.
And if some of them are shitty masterlocks, well, you’re changing things up.
That’s really not how security works.
Yes, pass phrases can have large amounts of entropy attached. But unless you are picking your pass phrases truly randomly, with a large dictionary, and using unique pass phrases per site, and the sites are not silently truncating the password input (such as bcrypt which truncates to 72 bytes), you are not actually getting that large amount of entropy.
Where as a 16 character password that randomly uses the ASCII printable range, excluding spaces, gives you 93^16 possible combinations. That’s 31313180170800116587336013460801 passwords.
Or, very roughly, 104.6 bits of entropy. (104.6265409777285022441578006899739 bits of entropy if you want to be downright absurd about it.)
Knowing that you’re doing that simply doesn’t help the attacker in any meaningful way.
Bumping that to 20 characters gives you over 130 bits of entropy, or 2342388736625917052139104541473924426001 possible combinations.
This is quite simply not a viable attack surface.
Where as saying ‘use pass phrases for some things’ means that it is quite likely that some of your pass phrases are going to be much less secure than this.
But let’s give the same numbers for properly generated random passphrases.
The xkcdpass utility can help us here.
Even picking entirely randomly, out of a large word list of 7227 words, a 6 word pass phrase only gives roughly 76 bits of entropy.
Going up to 8 words gives us roughly 102 bits of entropy, that helps a ton… Except that some of those passphrases are going to be longer than 72 bytes. So you’re almost certainly losing bits of entropy.
That best case still gives you fewer bits of entropy than a 20 character randomly generated password. Unless you’re trying to memorize your password, there are no benefits to alternating between randomly generated passwords with good generation settings and passphrases.
And if you’re trying to memorize your passwords, you are definitely doing it wrong.
Caution: The following requires that you have “Keychain” and “iCloud Mail” activated for your Apple ID, and are running iOS 15+, iPadOS 15+, and macOS Monterey+ on the applicable devices.
For macOS / iOS / iPadOS users you can use “Hide My Email” (aka “Sign in with Apple”) to have a randomly generated e-mail address used for sign-ups. Then you can have Keychain generate a random, strong, passcode for you to use on that particular website.
Note: If you see just an “e-mail” field on the sign-up page, and when you click in it you see a drop-down menu of your current Apple e-mail addresses, just scroll to the bottom of that list to get to “Hide My E-mail”.
After you’ve completed a sign-up on a website (not just federated, but any website) Apple will e-mail you the new e-mail address you generated and for which website is was used on. Store that in a safe place to easily keep track of what’s being used where. (You can also find them here: System > Apple ID > Hide My E-mail > Options…)
All of the above, the randomly generated e-mail addresses and passcodes for the websites, are automatically synced through iCloud to all of your devices signed into the account used to create them.
Note: The “Sign in with Apple” button is a bit weird. When you’ve used it on a website, then later go back and are asked to sign-in to your account, you’ll see the same “Sign in with Apple” button you saw originally. There’s no visual indicator on the page that you’ve used this feature before. It’s not until you select the button that the next screen will show you the e-mail address that was generated.
This is a good explanation of the feature for use with Lemmy.
I’m gonna be an annoying pedant for a second though and say that “hide my email” and “sign in with apple” are two different and unique features, though they both act as an email relay.
The former just creates a semi-random email address for you that forwards to your email. This address will end in “@icloud.com,” making it indistinguishable from any other iCloud email address (other than the ridiculous address you get).
The latter is an authentication system that allows you to sign up for services that support it with your apple account. The service doesn’t get your password directly of course, when you click the “sign in with apple” button it will redirect you to an apple sign in, typically faceID or touchID, and when you sign in successfully (or are already signed in to Apple) it will redirect back to the service with a token that says “this person is cool.”
Importantly for this conversation though, you can optionally send the service your real email or a generated email address as a relay, but the generated email is not the same as the email generated by “Hide my email,” instead it’s a clearly random series of characters and ends in “@privaterelay.appleid.com”.
In the end they have roughly the same purpose for your email, but the important bit here is that on Lemmy, only “hide my email” will be useful. There are no Lemmy instances that support “sign in with Apple” (yet).
Okay, I’ll stop being a pedant now. Sorry for being annoying there.
Thank you for the excellent clarification.
