We all perform many actions online on a daily basis which increases the amount of data we leave behind that can be used against us. Securing your identity means being aware of the locations your data lives, being aware of the data's vulnerabilities, and learning how you can begin to implement some very simple changes to ensure your identity remains protected. Here are some great tips, let’s get started.


Good Passphrases are the Best Defense!15

A “passphrase” is a long phrase used as a password, which is stronger than a secular word password. The increased length can allow for a greater number of possibilities, a passphrases made of randomly-chosen words can be both easy to remember and hard for someone else to guess, which is what we want.

Computers are now fast enough to quickly guess passwords shorter than ten or so characters—and sometimes quite a few more. That means short passwords of any kind, even totally random ones like nQ\m=8*x, or !s7e&nUY, or gaG5^bG, may be too weak, especially for settings where an attacker is able to quickly try an unlimited number of guesses. This is not necessarily true for an online account, where the speed and quantity of guesses will be limited, but it could be true in other cases (for instance, if someone gets ahold of your device and is trying to crack its encryption password).1

To learn how to make a good passphrase we are going to follow the wonderfully easy workflow set up by our friends at the Electronic Frontier Foundation:

 Step 1: Roll five dice all at once. Note the faces that come up without looking at the wordlist yet. 
 (On our dice, the EFF logo is equivalent to rolling a one.)

 Step 2: Your results might look like this reading left to right: 4, 3, 4, 6, 3. Write those numbers down.

 Step 3: Open EFF's Long Wordlist [.txt] to find the corresponding word next to 43463.

 Step 4: You will find the word “panoramic.” This is the first word in your passphrase, so write it down.

 Step 5: Repeat steps 1–4 five more times to come up with a total of SIX words.

When you are done, your passphrase may look something like this:

panoramic nectar precut smith banana handclap

Step 6: Come up with your own mnemonic to remember your phrase. It might be a story, scenario, or sentence that you will be able to remember and that can remind you of the particular words you chose, in order. For example:

The panoramic view, as I tasted the nectar of a precut granny smith apple and banana, deserved a handclap.

Once you have made your passphrase please make sure of the following:

KEEP IT SECRET Do not share your passphrase with anyone unless it is absolutely necessary. And, if you must share a passphrase with a friend, family member or colleague, you should change it to a temporary passphrase first, share that one, then change it back when they are done using it. Often, there are alternatives to sharing a passphrase such as creating a separate account for each individual who needs access.

MAKE IT UNIQUE Avoid using the same passphrase for more than one account. That way if one passphrase is compromised hackers won't be able to exploit the rest of your accounts because you used your password for all of your online services. A good way to keep track of many unique and complex passwords is to use a password managers like Keepass X, Last Pass and 1pass.

KEEP IT FRESH Change your passphrase on a regular basis, preferably at least once every three to six months based on your risk assessment. Some people get quite attached to a particular passphrase and never change it. This is a bad idea. The longer you keep one password, the more opportunity others have to figure it out. Also, if someone is able to use your stolen password to access your information and services without you knowing about it, they will continue to do so until you change the password.2


These days we have accounts with a lot of companies. Emails, Social media accounts, online bank accounts and so on. One of the most important things you can do is not use one password for all accounts but generate different passwords for each of your individual accounts.


But hear us out. This is actually a good thing. After all, your bank information is likely linked to many of your accounts, as well as your purchase history, media browsing habits, and a slew of other private information that you’d prefer protected. But if you’re the kind of person who constantly forgets and resets passwords and usernames, or worse, recycles the same password you’ve been using for the past seven years, it’s time for a password management tool. If a hacker discovers your password on a list they can then use it to access every tool in your life!

Passphrase managers actually become invaluable once you take the first step—they are an incredibly powerful improvement to your security, while also being very usable.

Passphrase managers store all your passwords, generate strong ones for you, and in general, the only password you have to remember is the one to open your password manager. So, make it a strong one.3


LastPass saves your passwords and gives you secure access from every computer and mobile device. You only have to remember one password—your LastPass18 master password. Save all your usernames and passwords to LastPass, and it will auto login to your sites and sync your passwords everywhere you need them.

The benefit of LastPass is that it is super easy to use across all your platforms. The problem is that its ease of use comes with the caveat that LastPass is a corporation and your information is in their cloud. So balance its ease with your vulnerability and make your decisions for its use based on that. In general Last Pass is better then no Password Manager so please consider it.4


KeePassX19 Password Safe is another free, open source, lightweight, and easy-to-use password manager for Windows, Linux, and Mac OS X, with ports for Android, iPhone/iPad and other mobile devices. You can download it for PC’s or Mac’s here.

The benefits of KeePassX is that it is open source and is part of constellation of applications built by developers to support software independence. The challenges with KeePassX is the interface is confusing for beginners and there is not an easy way to sync KeePassX between your phone and your computer. That said, if you are willing to do a little work KeePassX can be one of your safest and most important autonomously implement password management solutions you could use.5


Like other password managers, 1Password enables you to sync your passwords across all of your devices using the same password vault. It is available for iOS, macOS, Android, and Windows.

When you first download the app from the App Store, you have to create an account. Same situation, one password will unlock all of your other passwords. It's all you need to unlock your confidential world on both desktop and mobile. So make it good, and don't forget it.

That will bring you into a dashboard where all your login information is stored. Here you can view and manage all the current user names and passwords you've saved.

The secret to easily managing Logins is in a browser extension. You can get one for Chrome, Safari, Firefox or Opera.

Every time you're on a website where you need to input login information, you click this handy extension and tell it to fill in the information for you. The extension knows what site you're on and automatically fills in the blank fields.

The extension is also a hub for your whole password experience. In the drop down that opens, you can copy and paste passwords, view login information, and make complicated and hard-to-guess new passwords for all the sites you use.

Now there is no need to remember any passwords, just the one that gets you into the 1Password app.

The 1Password app has its own built-in browser that can take advantage of saved passwords, credit card information and more, but with the addition of Extensions in iOS 8, MobileSafari can use this information as well.

If on a page with a login or other input field, simply tap the Share icon, then the iPassword icon. The app will ask for your master password, then it will fill in the requested information, just as it does on the Mac.

Apps also exist for Androids that work similarly. We recommend you sync your data across devices on a secure wi-fi network.6


Google's Gmail is one of the most used web email apps in the world. This section helps us learn how to secure Gmail and how to identify if you are currently vulnerable. First, let's see whether your account has already been compromised.

To check for signs of a hack, look at the bottom right hand side. It will tell you when the last activity on your account took place. Make sure the dates and times align with your use.
Additionally, you can click on “Details” below to view a list of all the activity on your account.

To set your account security for gmail and your google accounts in general, click on your profile picture on the top of your gmail screen and click on “My Account”
You will be taken to a master settings page. Here you can make sure your basic settings are set to protect you. Fists, do an overall security check by clicking on “Get Started” under the “Security Check Up” option.


Check that your recovery phone or email are accurate and up-to-date. This will be useful in case you lose your passwords and entry into your account or if suspicious activity is detected on your account and Google wants to alert you.

Next, you can check that any recent changes made to the account settings were in fact made by you from a location you recognize.

Check that the devices from which you access your account look normal.

Check that the apps you have allowed access to your gmail account are there as you specified. We strongly recommend you do not allow access to random apps that are less secure as they can compromise your security and gather data about you.

Lastly, check your 2-step verification settings and make sure you have your backup codes. To see more on this, see page 90


Now, back in your accounts page you can also perform a Privacy Check up.

Click on it and choose settings that minimize your exposure to the Internet in general
For example, uncheck the following suggestions so that only people you give your phone number to can contact you.

To do this you need to toggle the “Opt Out”, switch to the “OFF” position.

We recommend you get an IBA Opt Out Extension for your Google Chrome. This tells Google, you have opted out of being tracked for ads throughout your browser experience.

To install this go to Chrome → Windows → Extensions. Scroll to the bottom of the page and click on “Get more Extensions”. Search for Google Opt out and Install.


Because passwords can be phished, guessed, cracked, or acquired in other ways (like Keyloggers), you may want to consider adding another barrier to your accounts through two-factor authentication.

Also known as two-step verification, multi-factor authentication and commonly abbreviated as 2FA adds an extra step to your basic login procedure. Typical logins use single factor authentication: you only need to enter your username and password to gain access to your most frequented accounts, say Gmail or Facebook.

When you enable 2FA, it asks for two factors of authentication. This additional factor can be code or even physical dongle or device that is connected to your computer. The code is typically sent to you via mobile phone or email.

A common example of two-factor authentication is a bank debit card. In order to use the card at a store or an ATM, you need (1) the card itself and (2) the personal identification number(PIN) or code that goes with the card. To use the card to shop or withdraw money, you need both the physical card and the PIN.

As mentioned earlier, most digital platforms use single factor authentication by default but given the amount of personal data present on digital platforms today, and the extent to which this data has been weaponized, almost all online platforms now offer two-factor authentication. With two-factor authentication in place, if someone hacks your password, they will still need your phone or Security Key to gain access to your account.

Most people still only have their passwords to protect their accounts. Once two-factor authentication is set up, signing into your account will work a little differently. Rather than logging in with just your username and password, you will be required to enter an additional code that will be sent to you via text message, voice call, email or mobile app.

Many users find 2FA cumbersome because it adds an extra step to the login process. This additional layer of protection does goes a long way in protecting your data from bad actors so it is up to you to make the best decision on 2FA across different platforms based on your situation and your needs.

The following section contains tutorials for how to implement two-factor authentication on different online platforms. We’ve tried to cover the most commonly used platforms, and also platforms which have been previously been sites for hacking and doxxing. For platforms that are not covered below, you can implement 2FA by going to You’ll find tutorials for almost every platform you can think of and some you would even be surprised by.

Pro tips

  • Now that Two-factor authentication(Also known as Two-factor verification, Two-factor authorization, Multi-factor authentication) is common across most platforms, instructions on how to set it up can be found in the Help sections of the platforms themselves.
  • It is common for platforms to keep changing their interface everytime the software is updated. This means that there may be minor changes to how you can navigate the platform. The instructions on platform Help pages are typically up to date with respect to these changes so they serve as good resources for anyone looking to make changes to their accounts and settings.
  • Have your password handy. You’ll be asked to reenter your password at the start of the process so make sure you have it before you begin.
  • Before you begin, make sure your current phone number is registered on the platform. If not, take some time out to change it.


2FA can protect your account from being hacked or stolen but bear in mind that setting up 2FA requires that you provide personal information, like your phone number, other email addresses etc, that will make these accounts increasingly traceable to you. Additionally, text messaging and voice calls can also be vulnerable to attack, depending on the risk category of the user.

This is very difficult to do but it if a bad actor was intent on getting into your one of your accounts and they have access to highly skilled hackers and resources, they can work around the 2FA set-up to do so. Scammers have been known to use social engineering to get your phone company to reactivate a new SIM card with your phone number, and then use this phone number to receive the pin or code with which they can gain access private accounts. SIM swapping, as it is commonly known, is also used in phishing scams. Similar risks exist when you set-up 2FA using an alternate email id. Additionally, it is also possible to intercept phone communication but this requires a lot of power and resources and is therefore more likely to be a State surveillance tactic rather than a scam.

In the context of these risks, we recommend users or accounts with higher risk profiles to use apps like Authy, Google Authenticator or Duo for an added layer of protection. These apps are not tied to the SIM card. Instead, the verification takes place through an encrypted channel between the app and the platform. This helps to protect your accounts any SIM card or phone related vulnerabilities. We recommend Authy because it supports more apps. The Authy website provides detailed guides on how to set-up 2FA for various platforms. You can access them here:


Because passwords can be phished, guessed, cracked, or acquired in other ways (like Keyloggers), you may want to consider adding another barrier to your accounts through two-factor authentication.

2FA as it's commonly abbreviated, adds an extra step to your basic log-in procedure. On your frequently visited accounts you typically enter your username and password once, and then you're done. This is categorized as a single factor of authentication. When you enable 2FA, it asks for two factors of authentication.20 This factor can be code or even a physical dongle connected to your device.

A common example of two-factor authentication is a bank card: the card itself is the physical item and the personal identification number (PIN) is the data that goes with it. Including those two elements makes it more difficult for someone to access the user’s bank account because they would have to have the physical item in their possession and also know the PIN.21

Almost all online accounts and platforms not offer two-factor authentication. You can learn more and slowly implement 2FA by going to You’ll find tutorials for almost every platform you can think of and some you would even be surprised by. In either case you can never go wrong with 2FA so add it when you can!

NOTE: We will cover two factor authorization for Twitter and Facebook in the social networking section that follows.7

Most people only have—their password—to protect their account. With 2-Step Verification, if someone hacks your password, they will still need your phone or Security Key to get in.

If turned on, signing in to your account will work a little differently:

Whenever you sign-in to Google, you'll enter your password as usual.
You will be asked for something else. Then, a code will be sent to your phone via text, voice call, or our mobile app.
To set up 2FA on your gmail account, go to your profile pic/icon on the top right and click on “My Account.”, click on Sign in and Security. Then click to turn 2FA on.

Google will ask you for your phone number to send you the verification codes. Once you enter the phone number, you will receive a text with the secret code.

In the page that follows, enter the code you received via text

It's a good idea to set up backup codes to access your account when you don't have your phone at hand. When you click on backup codes, a list of codes comes up. Save these codes somewhere for future use.

That’s it! Your 2FA has been set up!

If you set up 2-Step Verification using SMS text message or Voice call and also want to be able to generate codes using an Android, iPhone, or Blackberry, you can use the Google Authenticator app to receive codes even if you don’t have an Internet connection or mobile service. Go to this link, to set it up.

WARNING: 2FA can really protect your account from being hacked or stolen but bear in mind that setting up 2FA requires that you provide personal information, like your phone number, other email addresses etc, that will make these accounts increasingly traceable to you. In addition, many users find 2FA cumbersome because every time they login, it's a 2-step process. All factors considered, it is up to you to make the best decision on 2FA based on your situation and your needs.


During our trainings, we’ve come across a few cases where information from the organization’s personnel pages has been used to better target specific individuals.

For instance, consider a scenario where your financial manager can receive an email from the Executive Director requesting an urgent fund transfer to a new account. This could happen when the ED is travelling, possibly out of the country, making it more difficult to reach them and verify the email.

Alternately, your operations manager receives an from the Executive Director requesting a file containing the names and contact details of your board members. While this may not seem like highly sensitive information, it can potentially be used to doxx and harass your board.

It’s worth it to be extra careful with such requests. We advise you to look for signs of phishing in the email or any links that may be in it, double check with your Director or colleague from whom the email was sent, and lastly encrypt any sensitive files you are sharing. To learn how to use PGP to encrypt files, check out out the Encryption section.

When an attacker sends an email or link that looks innocent, but is actually malicious, it’s called phishing. Phishing attacks are a common way that users get infected with malware (“Malicious Software”)—programs that hide on your computer and can be used to remotely control it, steal information, or spy on you.22

The vast majority of malware is criminal, aimed at obtaining banking information or login credentials for email or social media accounts. But malware is also used by state actors. State intelligence agencies use malware to carry out covert actions against other states’ computer systems, such as Flame and Stuxnet. States and state-supporting actors also use malware to spy on activists, journalists, and dissidents.23


The message contains a mismatched URL, or a misleading domain name.8

The message is coming from your friend, but doesn’t sound like your friend

The message asks for personal information like banking information

You are asked to send money to cover expenses


The best way to protect yourself from phishing attacks is to never click on any links or open any attachments sent to your email: this is unrealistic for most people. So here are some ways to deal.

Be alert. If something about a website doesn’t feel right to you, it may not be:

  • Check with the friend/family/bank/organization, over phone or another channel, to see if they actually did send you the files that were sent to you.

  • If you have to frequently send and receive files for work consider sending the files through secure servers like Google Drive or Dropbox.

Antivirus software are programs that help protect your computer against most viruses, malware, worms, Trojan horses, and other unwanted invaders that can make your computer “sick” by performing malicious acts, such as deleting files, accessing personal data, or using your computer to attack other computers. We recommend that you use anti-virus software on your computer and on your messages. Note, installed software will not be useful if you do not update it regularly! Updates, keep the anti-virus on the lookout for the latest types of threats online.

We recommend Malwarebytes, Anti-Malware, Kaspersky labs and SOPHOS security, along with Windows Defender. These platforms are popular and used by many which keeps them efficient and more up-to-date than others.

TIPS: Another tool that is useful to know of is VirusTotal is a free online service that analyzes files and URL's enabling the identification of viruses, games, and other kinds of malicious content detected by antivirus engines and website scanners. Any user can select a file from their PC or email using their browser and send it to VirusTotal. However, it is important to note that VirusTotal is not a substitute for any antivirus/security software installed since it only scans individual files/URL's on demand.



Everyday in the news, we hear about big corporations or websites getting hacked and being the bearers of bad news to their users informing them that their personal information has been stolen by hackers. These data breaches can include your name, passwords, government ID number, email address, date of birth, mother’s maiden name, or any other piece of data you hand over to a website. Data from these breaches are posted on the Internet for hackers of all types to see. These data leaks are often the source of bigger political hacks that can compromise movements.

One way to check to see when and where your data has been compromised is by using which is a service that catalogs data breaches as well as pastes (a type of publishing that is often used tech nerds and hackers). Be sure to change your passwords on these sites if you come up on a search.


It is important to know where your personal data is online. By searching your information on the list of sites we have collected you can find and clear your presence on public data lists.

NOTE: While this is a painful and often shocking process for some, starting now can help reduce your footprint on the net.

This can be crucial for when Trolls, stalkers, and worse try to bully our folks for speaking out, a common strategy they use is Doxxing. In Doxxing your personal information including addresses, phone numbers, work information and family members are exposed on public platforms so that it opens you up to physical harassment and intimidation offline.

We want to stop tactics that might open up you and your loved ones to attacks. Limiting data is a crucial harm reduction strategy in a time when we are increasingly being seen as the target.

Find out what data you might be leaking to Google

Google can collect information on you to send you “personalized ads”. This means that you may get ads that relate to your recent emails. For example, if you wrote to your mom about difficulties you were having with your health, Google may start showing you ads for relevant pharmaceuticals. We strongly recommend you turn this service off and protect your daily information.

To be safe, we should assume that any information we put out there is available to corporations and third-parties even though it may not be visible to us,. For instance, it was recently discovered that turning off Google’s location settings only changes what we, the users, can see on our pages. Google continued to collect location data from it’s users using app activity. The only difference was that the information was now not displayed.

The way to prevent Google from doing this is to go through your settings and turn off ‘Web and App Activity”. As long as this feature is turned on, Google will continue to store your time-stamped location data. Alternately, you can also go into MyActivity and manually delete entries.

Curate the data you make public on Facebook

Your Facebook ‘About’ page contains an overview of information and content that you’ve added to your profile since you signed up for Facebook. This includes information about your hometown, education, family and relationships and political views. Links to Edit the information and control who can access this information can be found in the About section itself, the privacy settings for each item can be changed individually, making it fairly easy to customize.

Apart from social media platforms, people search websites like Spokeo and aggregate information from online and offline sources into a searchable database, making it easy for people to look up your private information(Including current and pas addresses and phone numbers) for a small subscription fee.

Please check yourself out and begin your data reduction journey with a visit to these sites:

Spokeo (to remove listing: (to remove listing:

INTELIUS (to remove listing:

Whitepages (to remove listing:

Finally, there is a more comprehensive list at Trollbusters at this link


Facial recognition is a technology which can identify or verify a person using a digital image or video. It part of a larger system of ‘biometric’ identification methods that include fingerprinting and retina scans and can be used to uniquely distinguish one individual from another.

Facial recognition has become fairly commonplace. Apple’s Face ID is great example of how we use facial recognition in our daily lives. For more information on using Face ID to lock and open your phone, refer to the passwords portion in our ‘Secure your device’ section of this curriculum. Google Photos and Facebook has been using facial recognition to identify and tag different people in your photostream. Amazon's Rekognition was being marketed specifically for government surveillance, leading to protests by civil rights and anti-immigration groups, and their own employees.

As activists and organizers, we are often the targets of surveillance so it is useful to be aware of how facial recognition can be used against us, and if need be, how we can find ways to work around it’s capabilities to protect our identities. Facial recognition is becoming increasingly popular as a surveillance technology all around the globe. Critics of facial recognition have said that the technology, especially used in the context of government surveillance and law enforcement, can adversely affect minorities and threaten freedom of expression since it’s uses can range from surveilling families at borders and identifying and maintaining a database of individuals at protests. Here are some ways we can minimize surveillance using facial recognition. To learn more about how to opt-out of facial recognition on social media, refer to our 'Secure your social media' section.

NOTE: Other ways people work around facial recognition surveillance is by using masks and “anti-face” make-up. This is especially useful while travelling or participating in protests.

1. &






7. &

8. &