As more people flock over to the fediverse from reddit, twitter and other centralised proprietary networks it is important that you keep your e-mail and other important accounts safe from hijacking attempts. Since anyone can simply spin up an instance and host users and communities it is important that you don’t divulge your internet personal details to anyone as these can be harvested by the instance owner and by any instance you erroneously try to login to or simply the instance could be hacked and the user data harvasted. With this in mind here are some suggestions for good OPSEC (Operation Security):
- Don’t use your main e-mail address. Either create a new one or better sign up for an e-mail forwarding service and set-up forwarding addresses for each instance you sign up to. Since these are throw away addresses, if it gets leaked you can just delete the address and create a new one without compromising your main e-mail address. (Bonus: this can also be used to use unique addresses for traditional web services and make it easy to know how and from where an address got leaked)
Here is a nice article with some e-mail forwarding providers to get you started
- Use a password manager and generate strong and unique passwords for any and all instances and services you use, this way you won’t divulge a password used on another account to the instance owner, or if the address used (especially if you used your main e-mail address)/got leaked your account will still be safe from hijacking by attempting to use password dictionaries to guess the password.
Some passvault suggestions:
- Passbolt (self hosted)
- Bitwarden (self hosted and hosted options)
- Vaultwarden (unlocked self hosted alternative to bitwarden)
These are my main security suggestions for all you new and existing lemmings. Feel free to suggest other security considerations to have and other services beyond those mentioned. Stay safe and have fun posting and commenting.
I wouldn’t say don’t post personal information at all. But rather don’t post information that you’re not comfortable with everyone knowing, while being identified and never being able to delete it.
IMO it’s best to assume that if you post enough online, someone dedicated enough will be able to identify you, especially people who already know you in real life. It’s difficult to post without revealing small details about yourself that can be combined to piece together who you are. Eg, you might never say where you work, but your city, field, an offhand comment about a coworker, a mention of a conference, and such might let someone narrow it down. Similarly, you might never mention what city you’re in, but it might be narrowed down from mentions of things like traffic, weather, events near you, remarks of things being close by, etc. And that’s not even getting into devious things like trying to trick someone into clicking a link to a domain you control so that you can get their IP.
I’m of the opinion you should generally act as if you’re talking to people face to face with a name tag saying your full name and address. I think that approach also just plain makes the internet a better place. Anonymity seems to make a lot of people more comfortable being aggressive assholes.
I say “generally” because there’s plenty of valid reasons to want to post things you would want to post things that you’d never say if identified. But in that case, you should strongly consider using an absolutely minimal throwaway account, while being extremely careful with details. And even then, you should at least consider that you might still get identified. In particular, I think a lot of users of throwaways only consider strangers not being able to identify them. Sometimes that’s all you care about, but your family, friends, and coworkers are going to have a lot easier time identifying you.