The Digital Security Digest, by Freedom of the Press Foundation (FPF), is a weekly newsletter with security tips that keep you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Digital security tools we love
Cellphones are having a moment. Recent writing, including our own, makes the case that capturing footage is often the most effective way to hold power to account. While it is critical to document evidence, it is equally important to consider your safety — and that of your personal data — when choosing to record. (Therein lies the paradox.)
There’s plenty you can do to set your phone up so that it can serve as a powerful tool for reporting while also maintaining your privacy. If you can, try to use a secondary device. No matter what you bring, though, we recommend fine-tuning settings, removing anything sensitive, and keeping operating systems updated. Protecting it all, of course, is the humble passcode.
Let’s take a moment to appreciate all that passcodes (and passwords) do for us by sending this week’s Valentines to these heroic credentials and their natural home, the password manager.
Well-written passwords
It’s likely you’ve been advised to set strong passwords on your computer more times than you can count, and here’s why: When full disk encryption is enabled on your device, passwords are the key that decrypts its data, allowing you to read it as you’re doing now. (Action item: Check to make sure encryption is enabled on your computer. On macOS, turn on FDE in FileVault. On Windows Pro edition, enable FDE with BitLocker. If you don’t have Pro, Enterprise, or Education editions, consider getting one of them, or use VeraCrypt.) In some good news, encryption is enabled by default on most modern mobile phones. All you have to do is make sure your passcode is unique (meaning you only use it to access one device), random, and long. You will earn our undying respect if you opt for a nice, long passcode that mixes letters and numbers.
Password managers
Creating and remembering unique passwords for every single account would probably be my superpower, if I got to choose. But as a mere mortal, I’m very glad that password managers exist. Here’s why:
- Password managers create unique, random, and long passwords. This means you won’t need to use something you have to remember and reuse. Pro tip: Use the “memorable password” feature to create passwords for important accounts in order to avoid getting locked out.
- Password managers also encrypt any other sensitive information you store in them in such a way that only you have the ability to read it.
- Password managers can store all sorts of things. In addition to storing account credentials, for example, one can also store the URL of the account in question, vastly reducing the odds of entering credentials in places they don’t belong. Utilize the password manager’s browser extension or follow the link from your password manager to be 100% sure you’re using your credentials in the right place.
- If you use cloud-based password managers like Bitwarden or 1Password, you can download the app on your phone or your computer, and/or set up the extension in your browser. This keeps your passwords handy while avoiding using browser-based password managers that leave your credential security wholly up to the password (or passcode) to your device.
If you use Bitwarden, that’s great. It’s free! Consider setting up a second factor — that handy way of verifying your identity a second time — for maximum security.
In the news
Sources tell us that journalists’ Signal accounts are being targeted with phishing campaigns from accounts purporting to be “Signal Support.” This attack involves the receipt of a real Signal SMS verification code that, if shared, allows the attacker to register your number on a device they control. We haven’t seen any reporting that indicates how widespread this is, though we do have a few tips to help keep you from falling for this. First, note that Signal will never contact you this way. If you see a message like this, feel free to ignore it or, better yet, block the sender. Next, turn on Signal’s registration lock, or PIN. The PIN helps you recover your account if you ever lose or switch devices, and it should never be shared. For more easy-to-follow tips on staying safe within Signal groups, check out this newly released article from my colleague, Dr. Martin Shelton.
Updates from our team
- We’re hearing from many journalists on what they can do to protect themselves in light of last month’s raid on a reporter’s home. We’ve collated our thoughts in our latest advice column on getting ahead of device snatchers.
- If you’re planning to attend CactusCon this weekend, say hello to David Huerta, one of our senior digital security trainers.
- Join members of our team online on Tuesday, Feb. 10, at 12:00 p.m. EST for “Journalist safety in the US: Protecting data and devices,” a roundtable discussion presented by the U.S. Journalist Assistance Network. In the meantime, check out this set of resources with best practices for journalists in the U.S. to protect their data and devices.
For Valentine’s Day in 2025, we worked with friends from Calyx Institute to create a set of shareable digital security-themed Valentines. Download them and/or find them on Signal to share with your loved ones.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Thank you for reading, and stay safe,
Davis
–
Davis Erin Anderson
Senior Digital Security Trainer
Freedom of the Press Foundation