For us, good security comes from layers and discipline. That said, there is no such thing as perfect security; we simply lower the risk to acceptable levels. We want to thwart the nosy and the lazy petty thief — if a pro or a government is after us, we need to hire a consultant. The mantra is basically: protect the port, protect the channel, protect the handshake, protect the content, protect the protections, and don’t be lazy. I have avoided jargon as much as possible.
PROTECT THE PORT — We don’t use public machines for anything identifiable to us. We expect them to have been compromised. When using our own machine, we sit with our back to a wall; we stay aware of who is around us. We don’t leave our machine unattended, ever–ever. We have a good firewall and malware suite loaded and in use — ours stops traffic when it encounters a dubious security situation and requires us to explicitly allow the traffic to continue. We password protect the computer and set the sleep/lockdown time to as short as we can stand. We have a screen privacy cover that narrows the in-focus field of view for crowded hotspots.
PROTECT THE CHANNEL — We use WPA security where available and pick our spots for that availability, but we realize a poorly managed WPA environment may provide false comfort: WPA keys/passwords can be compromised by rank amateurs in less than 100 hours. Fake free WIFI hotspots will use WPA to add legitimacy. We pick a spot that changes WPA keys/passwords daily if possible (very rare). If they don’t, we assume we are running wide open. For this reason, we use a Virtual Private Network (VPN). While VPN services’ credentials are hard to find, so is evidence that any cruiser has been compromised by a well-known, well-advertised service. [We are aware that some countries, even democracies, block VPN usage.] If a VPN is too troublesome, we use tethering from a cell phone for the small slice of content we really need to protect. We use smartphone banking/etc. apps if they work where we are — they usually come with loss protections.
PROTECT THE HANDSHAKE — We use “https://” for everything we can. The encryption used by https will foil the intrusive amateur. We make sure the address bar of our browser highlights the connection type with color or a pop-up. Many services will shift you seamlessly to http if https traffic bogs down. At least one blogging service we have seen does this. If we lose https when we need it, we shut off the connection immediately. We set our firewall to “block traffic when https connection is lost.” When we use a laptop with a built-in WIFI capability, we keep the link manager on the desktop so we can hit disconnect immediately. We prefer to use WIFI cards or USB cables where we can yank the connection, because the software switches are often slower.
PROTECT THE CONTENT — Obviously, for transactions with banks, etc., we are stuck with their security framework — we use every protection they offer/recommend; our ability to recover lost assets may depend on proving we did. For emails and such, if we don’t want people to see it, we encrypt it. We use 256-bit AES and put the content that matters in an encrypted attachment. The best encryption app is the one our correspondents will use. When sending encrypted content to an infrequent correspondent, we use a self-extracting encryption app (it will create an encrypted file “yourcontent.exe”) and send the password via SMS or SMS to email, or better yet we make that arrangement ahead of time. An “end-around” we have used for friends and family with limited computer tolerance is to post what would be email content to a (different) blog via a service using https; we password protect the post and send them the changeable portion of the permalink to the post (they already have the fixed portion and the password). Also, as an aside, there are email services with very sophisticated compression schemes that offer some encryption-like protection against casual snooping. But a criminal who has signed up for that service has the de-compression key…
PROTECT THE PROTECTIONS — We lock up our computer when it’s not being used. With physical access, I can crack a laptop with a well-crafted eight-character password in about as many minutes. (The software to do this can be downloaded from multiple sources.) We password protect our computer. We password protect our passwords. We put them in a password “vault” protected by a master password and a digital key. We keep the key on several thumb drives. We require both the master password and the key to access the other passwords. We create serious passwords of 24-32 or more characters of near random content. We put a serious master password on the browser. So far, I don’t know of any browser that effectively integrates security keys without a browser “extension” from essentially uncredentialed providers. We do not trust browser extensions that provide “improved security.”
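The two habits above (near-random passwords of 24-32 characters, and a vault that opens only with both the master password and the key file) sketched in Python as an added example; it is not from the original post or from any particular vault product. The function names, the PBKDF2 iteration count and the verification-tag scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=28):
    """Near-random password from the OS CSPRNG, 24-32 characters as in the text."""
    if not 24 <= length <= 32:
        raise ValueError("length must be between 24 and 32")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password, key_file_bytes, salt, iterations=600_000):
    """Derive a 32-byte key that depends on BOTH the password and the key file."""
    # Hash each factor to a fixed 32 bytes so the join is unambiguous.
    pw_digest = hashlib.sha256(master_password.encode("utf-8")).digest()
    kf_digest = hashlib.sha256(key_file_bytes).digest()
    # Slow stretching (PBKDF2 here, an assumption) makes guessing expensive.
    return hashlib.pbkdf2_hmac("sha256", pw_digest + kf_digest, salt, iterations, dklen=32)


def check_tag(vault_key, salt):
    """Verification tag stored with the vault; stands in for decrypting it."""
    return hmac.new(vault_key, b"vault-check" + salt, hashlib.sha256).digest()


def unlocks(vault_key, stored_tag, salt):
    """Constant-time comparison of the candidate key's tag with the stored one."""
    return hmac.compare_digest(check_tag(vault_key, salt), stored_tag)


if __name__ == "__main__":
    salt = secrets.token_bytes(16)       # constructed sample values
    key_file = secrets.token_bytes(64)   # would live on the thumb drives
    master = generate_password(32)
    tag = check_tag(derive_vault_key(master, key_file, salt), salt)
    print("both factors:", unlocks(derive_vault_key(master, key_file, salt), tag, salt))
    print("password only:", unlocks(derive_vault_key(master, b"", salt), tag, salt))
    print("8 chars: %.0f bits, 24 chars: %.0f bits" % (entropy_bits(8), entropy_bits(24)))
```

Losing every copy of the key file locks the vault as surely as forgetting the master password, which is why the key is kept on several thumb drives.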
“It’s a jungle out there kiddies,” but you aren’t up against the fastest lions, you just have to make sure you aren’t the slowest gazelle.