Tips for protecting your password manager account

This is a great article that applies to any password manager (PM):

7 Tips to Protect Your Bitwarden Account | Bitwarden

If you've implemented a password manager for you or your org, there is more to do!  Here are some additional suggestions that build on the article:

  • Treat as a crown jewel the email account that owns your PM account and all your other cloud accounts.  If baddies can take over that account, they can take over almost all your accounts by doing password resets.
  • You have to properly use a PM to get the value: it's not enough to just have a PM account and store your logins in it.  For starters, for your important accounts, change their passwords to long random strings, and use the PM to autofill your credentials into web login pages; that will make you very resistant to phishing.
  • Two-factor authentication (2FA) is critical for your important accounts, including your PM and email accounts.  Authy is an excellent 2FA authenticator app/service.
  • Backing up your vault is a great idea, but be aware that if you're on a Windows PC, your main drive is not encrypted unless you have enabled BitLocker (or the Device Encryption found on Microsoft Surface-type devices); so you'll need to store your PM vault export somewhere else.

If you or your org haven't yet implemented a PM, it's usually the very first thing to do (along with 2FA) to improve your cybersecurity. Three excellent PMs to consider are Bitwarden, 1Password, and LastPass.  Check out their business tiers if your org is multi-person.


Buying a new smartphone: security updates

When buying an Android phone or tablet, you need to pay a lot more attention to the speed and longevity of security updates than you do with an Apple device.

Most of the articles listed on the first page of the search below are worth reading to understand what manufacturers/phones are the best for security updates.  You want a phone manufacturer that will quickly pass on to you the security updates that Google releases, and will continue to do so for as many years as possible.  When the Android security updates stop getting to your phone, it's good only as a paperweight.


With Apple you have much less to think about, and a phone will always get 4 or 5 years of updates.  Some 5-year-old iPhone and iPad models are getting 6 years, which is unusual.  And Apple is even providing occasional security updates to devices on iOS 12 (and above), which is way behind the current iOS 15.


My Cyber Security Awareness Month talks at ORL Kelowna

October is Cyber Security Awareness Month and I'm looking forward to speaking twice for the Okanagan Regional Library (ORL) branch in Kelowna.  

My two hour-long online talks will present cybersecurity hygiene, the basic set of security measures that all individuals, families, and businesses should implement (and maintain over time) to reduce their risks from cybersecurity threats: malware (ransomware, viruses, ...), social engineering (phishing, smishing, business email compromise, ...), device theft, loss, or destruction, etc.

The October 14 talk will cover passwords, password managers, and two-factor authentication (2FA), while the October 28 talk will deal with data backup, email and phone security, mobile and computer security, and user awareness training.  The Oct. 28 talk will also briefly present some of the additional security measures, beyond those, that multi-person businesses should implement.

These talks are being presented online and free of charge.  You can take part online or in person at ORL Kelowna.  If you're interested, please register here:



Information Security Policies

If your organization is very small, security hygiene measures – which I've written about in detail -- may be all you need for information security.  But as your organization gets larger, the scope of your information security needs necessarily widens and there are more and more controls to put in place (and monitor).

One of the best ways to start down the path to an information security program is to create a suite of information security policies.  Policies, in any domain, essentially state "this is the way we do things here".  If you create an information security policies suite that covers the breadth of controls you need in information security (and privacy) – and if you then implement those policies, as you obviously should – they will drive your entire security (and privacy) program.

It sounds simple but it's best handled with an explicit understanding of your organization's needs in priority order:
  1. generate a list of all the policies required by the organization
  2. prioritize the list
  3. starting from the highest-priority policy and moving down the list, for each policy:
    1. write the policy, review it, and iterate it until it's just good enough quality
    2. prioritize the list of controls described in the policy
    3. implement the high-priority controls in the policy that are not yet already in place (this requires a mini gap analysis)
  4. get the entire suite of policies approved
  5. set up a system to track compliance with the policies
  6. go through all the policies to implement the medium-priority controls in each policy
  7. go through all the policies to implement the remaining (lower-priority) controls in each policy
  8. revisit the suite of policies annually or when business conditions change
I've tried to show above that the steps are not linear; rather, they are circular.  So you can start implementing the important policies before you've written all the policies, and you can start implementing a lower-priority policy before you've fully implemented a higher-priority policy.  Your goal is to implement the controls in the order that achieves the best risk reduction for the organization.

There are several frameworks you could start from in creating your suite of policies, but the most commonly used is the specification ISO/IEC 27002:2013, "Information technology — Security techniques — Code of practice for information security controls", or simply ISO 27002.  This is a spec that you'll have to pay for in order to access in full text.

At a basic level you would create one policy artifact for each of the 14 "meat" (non-introductory) chapters -- effectively policy areas -- of the specification:

5. Information security policies
6. Organization of information security
7. Human resource security
8. Asset management
9. Access control
10. Cryptography
11. Physical and environmental security
12. Operations security
13. Communications security
14. System acquisition, development and maintenance
15. Supplier relationships
16. Information security incident management
17. Information security aspects of business continuity management
18. Compliance

Most chapters cover more than one policy area and the areas in scope for each chapter are not always obvious from the chapter titles; so it's very useful to look at the subheadings and sub-subheadings under each chapter, which you can find here

I recommend you read through this list carefully in order to understand, at a high level, the wide breadth of information security policy areas, and to start your thinking on which areas you need to cover.

There are a few policy areas that need to be added on top of what ISO 27002 provides, the most important being:
  1. Risk Management Policy
  2. Acceptable Use Policy (AUP)
  3. Disaster Recovery Policy  (this is strongly connected with #17 above)
  4. Privacy Policy for external consumption
Each policy area will become one artifact in your suite of policies.  There are different ways to map policy areas to policy documents, such as one-to-one or many-to-one.  It's often best if each artifact is a separate document because this allows you to reissue each one separately, with change control, but some smaller organizations may prefer to have the entire suite in one document for simplicity.

All -- except for two -- of the policy artifacts are written for the purpose of guiding the teams in the organization that are responsible for aspects of security, so their audience is those teams.  These target teams are mainly:
  1. information security
  2. privacy (if present, for the internal privacy policy) 
  3. human resources (for human resources policies, and the AUP)
  4. legal (for privacy policies, human resources policies, and the AUP)
  5. corporate security (if present, for many aspects of physical security)
The two exceptions are:
  1. Acceptable Use Policy (AUP) – the target is employees
  2. Privacy Policy for external consumption – the target is customers
Creating policies can be a fair amount of work and is therefore often put off longer than it should be.  The best way to reduce the effort is to start from a template that covers all policy areas in depth and then customize it to suit the organization.  Templates can be found on the web or from an information security consultant.

Having information security policies is very important for any organization, but you don't need to try to create them all right away.  Proper prioritization, based on a rough gap and risk assessment, is key to knowing which ones are needed ASAP and which can wait.  It's so much better to have in place the handful -- or even a couple -- of policies that will make a real difference to your organization's security than to postpone indefinitely the creation of any policies because the project seems overwhelming.

This has been only the briefest of overviews of the important area of information security policies.  There is so much more that could be written but this blog post has to stop somewhere.  If you do a web search you'll find no shortage of information.


Security considerations for buying a new smartphone or tablet

If you're in the market for a new smartphone or tablet, one of your most important criteria should be a long support life of security updates.  When your device stops getting security updates, the longer you continue to use it, the larger the target painted on your back becomes, due to the security vulnerabilities that start accumulating. 

Android versus iOS (iPhone or iPad) is often a personal, quasi-religious choice, but, functionality aside, it's fair to say that iOS is more secure but generally more expensive than Android.

For Android:

This is a great article to help you understand security updates by brand for Android:

8 Best Android Phones (Unlocked, Cheap): Our 2021 Picks | WIRED

Look especially at the number of years of security updates provided, since when the security updates end, your phone or tablet becomes only a good paperweight.  Brands that license Android from Google usually have a shorter support life than Google has for its own devices (Nexus brand).

N.B. The number of years of security updates is from when the device is released to the market, not from when you buy it!  So you have to find the release date for a device you're looking at.  You could do a web search for the brand and model of the device combined with "release date".

For iOS: 

Apple does a better job of providing security updates, so an iOS device will almost always get 4 or 5 years of security updates.  And this year, some 5-year-old iOS devices are getting an extra year of support, for a total of 6 years, but that's unusual.


My next talk, kind of: July 21 (AMA)

I've done lots of talks, both in-person and online, on various cybersecurity / information security subjects such as passwords and password managers, two-factor authentication (2FA)/MFA, backup and storage, device and network hardening, secure internet use, privacy, and user security/privacy awareness.

But this session is different: the entire purpose is to answer your questions. You'll be able to ask me your questions in the multi-way videoconference.

For SMBs in the Okanagan, this is your chance to ask any questions you have about cybersecurity as well as information security generally.

Details and registration here: 


Almost free cloud backup

If you're sold on having a full cloud backup of all your data -- and you should be -- but you find the cloud backup services I suggested a bit pricey, there might be an "almost free" option you could use.  It depends, though, on your having access to a lot of space on a cloud storage service like Google Drive, OneDrive, Dropbox, iCloud Drive, etc.  You might have this already, say, if you subscribe to Microsoft 365.

This solution will give you as much retention as you want of old file versions and deleted files, and will let you do point-in-time restores.

Here are the pieces of the solution:

  1. A Sync.com Free plan account, which gives you 5 GB for free (and more if you refer other people to the service).
  2. A cloud storage service (as noted above) with enough space for your entire backup. (You'll actually need somewhat more space given the versioning.)
  3. The SyncBackSE backup software, about CAD $62 one-time

Here is what you do:

  1. Divide your files logically -- in your head -- into two piles: Sensitive and Non-Sensitive.
    • Sensitive files are ones that you think need end-to-end encryption (E2EE).
    • Non-Sensitive files are ones that don't need E2EE.
  2. Then separate your files physically -- on your drive -- so that each high-level folder (say, the top level folders under your Documents folder or your Photos folder) contains either Sensitive files or Non-Sensitive files but not both.
    • Sensitive files are limited to the 5 GB or 6 GB or whatever in your Sync.com plan.
    • Non-Sensitive files are limited to whatever you have in your cloud storage plan.
  3. Buy SyncBackSE software (see above).
  4. Configure SyncBackSE to automatically and daily do this:
    • Back up all Sensitive folders to the Sync.com folder, using Versioning
    • Back up all Non-Sensitive folders to the OneDrive folder, using Versioning
If you want to get a bit fancier, you could use SyncBackSE's AES encryption abilities to encrypt files before writing them to the Non-Sensitive cloud storage. Then you don't really need Sync.com.

If you use this referral link to sign up for Sync.com, you'll get an extra 1 GB of storage.  (I will too, but I have no need for any more space.)


World Backup Day, and suggestions

Today is World Backup Day.  A CBC story.

Data backup is really important so here are a few suggestions:

  1. Ensure that all your important data is backed up to at least one and ideally to two different "places", at least one of which is in the cloud.
  2. For files that live on your computer or an external drive, your first backup should be to a cloud provider.  Your second backup can be cloud or local.
  3. If you have files that live in the cloud, you need at least one backup too, which could be on your computer or an external drive.
  4. Manual backup can work if you're diligent, but automated regular backup is much better.
  5. Cloud sync (often free, e.g., Google Drive) is not the same as cloud backup (usually paid, e.g., Backblaze).  True backup will keep deleted files and old versions of your files for at least, say, a year, supports point-in-time restore, and lets you choose which folders to back up.  Cloud sync providers usually keep these for no more than 30 days, don't support PIT restore, and only back up files you place in the single fixed folder.
  6. For sensitive data consider using a cloud provider with end-to-end encryption (E2EE), also called Zero Knowledge.
  7. For local backups (e.g., to external drives) you probably want to ensure that the data is encrypted.  (But then also ensure that your computer's drive is encrypted.  Windows 10 Home doesn't do that and Windows 10 Pro doesn't do it by default; if someone steals your computer they'll get all your data.)
  8. For mobile devices you can reduce data backup concerns by ensuring that all important data on your device actually comes from (is synced from) the cloud, or, say in the case of new photos, is automatically backed up to the cloud.


Browser extensions for privacy and security

This New York Times article lists my favorite three browser extensions for security and privacy:

Tools to Protect Your Digital Privacy

They are:

  1. uBlock Origin
  2. Privacy Badger, and
  3. HTTPS Everywhere.

There is one additional benefit of uBlock Origin not mentioned in the article, namely that advertising can contain or lead you to malware, aka, malvertising. 


How to follow blogs

Chances are that you've run across at least a few blogs or news websites that you find interesting -- maybe even this blog!  You'd love to read their new posts but you know you'll never remember to check the websites regularly.  What to do?

It's pretty easy, actually.  Use either of these services to subscribe to your favorite sites:

NewsBlur, my favorite, has a very nice free tier.

Using them is straightforward: you subscribe to the feeds to you want to follow, then you only have to remember to go to the NewsBlur or Feedly website every few days or so.  They will show you in one place any new content from the sites you follow.

Subscribing to a website/blog's feed is usually simple.  For NewsBlur, click the "+" icon in the bottom left and paste in the website URL.  For example, for this blog, you would paste this:


Alternatively, you can paste the URL of the feed into NewsBlur -- and you'll have to do this if the website URL doesn't work, or if there are multiple feeds and the wrong one gets chosen.  You can often find the feed URL by viewing the page source of the website's main page and searching for "rss" or "atom".  For this blog, for instance, the feed URL is:


For websites that have multiple feeds, it's best to use the feed URL.  Websites with more than one feed will usually provide a page listing all the feeds.  Find the one you want, copy its URL, and paste it into NewsBlur.
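The "view the page source and search for rss or atom" step above can be automated. The following is an added example, not code from this blog or from NewsBlur: it uses Python's standard-library HTML parser to pull out the feed links a page advertises in its head (the same `<link rel="alternate" type="application/rss+xml">` tags a newsreader looks for) and resolves relative feed paths against the page URL. The sample page source and the blog.example URLs are constructed for the example.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin

# The two feed media types most sites advertise in <head>.
FEED_TYPES = {"application/rss+xml", "application/atom+xml"}


class FeedLinkParser(HTMLParser):
    """Collect <link rel="alternate" type="application/rss+xml|atom+xml" href=...>
    tags, resolving relative hrefs against the page URL."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.feeds: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = {name.lower(): (value or "") for name, value in attrs}
        rels = a.get("rel", "").lower().split()
        if ("alternate" in rels and a.get("type", "").lower() in FEED_TYPES
                and a.get("href")):
            self.feeds.append((a.get("title", ""), urljoin(self.base_url, a["href"])))


def discover_feeds(html: str, page_url: str) -> List[Tuple[str, str]]:
    """Return (title, absolute feed URL) pairs advertised by an HTML page."""
    parser = FeedLinkParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.feeds


# Constructed sample page source (not this blog's real markup): one RSS feed with a
# relative href, one Atom feed with an absolute href, and a stylesheet to be ignored.
SAMPLE_HTML = """<html><head>
<title>Example blog</title>
<link rel="alternate" type="application/rss+xml" title="Example blog Feed" href="/feed/">
<link rel="alternate" type="application/atom+xml" title="Example blog Atom" href="https://blog.example/atom.xml">
<link rel="stylesheet" href="/style.css">
</head><body><p>Hello</p></body></html>"""

if __name__ == "__main__":
    for title, url in discover_feeds(SAMPLE_HTML, "https://blog.example/"):
        print(f"{title}: {url}")
```

When a site advertises several feeds, every one is returned with its title, so you can pick the right one before pasting it into NewsBlur; a page with no feed links returns an empty list, which is your cue to look for the site's feed listing page instead.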

One way to simplify the above is to install a browser extension that partially automates the process.  The best I've found is this one:

RSS Subscription Extension (by Google) - Chrome Web Store

How does this newsreader magic work?  It makes use of the RSS or Atom feeds that most (but not all) blogs and many other websites publish in parallel with their regular web (html) content.

Once you have subscribed to your favorite blogs and other sites and get in the habit of regularly checking your newsreader, you won't ever want to give it up.

March 24 talk to Kelowna Chamber of Commerce

My previous blog post has been published in a condensed form on the Kelowna Chamber of Commerce news feed: Blog: How to Address Ransomware, Phishing, & Business Email Compromise.

And I'll be speaking on related topics as part of the Chamber's Business Smarts series on March 24.  See here for more information and registration: Business Smarts WEBINAR - Cybersecurity.


Update 2021-04-07: You can find a video recording of my March 24 Kelowna Chamber talk here:


How to address ransomware, phishing, and BEC

You’ve almost certainly heard of ransomware, phishing, and business email compromise as they are all over the news today.  You probably have a general idea of what they are – enough to be worried -- but how well do you understand the risks they create and how to protect your organization? 

Attackers are looking for the biggest payouts for the lowest effort and risk, and this drives the ever-changing prevalence of threats.  Ransomware is a dominant threat today because it's easier for attackers to commercialize compared to phishing.  Business email compromise is increasing because it can yield bigger payouts for attackers.  This post will discuss the threats of ransomware, phishing, business email compromise, and another one you may not have heard of, a server-side attack.  We'll then dig into what you can do about them.

Four threats

Let's start with the simplest threat, phishing to steal credentials.  Phishing is mostly delivered through email – but there are subtypes for SMS, etc. – and this type of phishing generally aims to fool the recipient into giving up their account credentials – userid and password -- using a fake login page for a cloud service. Using the stolen credentials, the attacker can obviously perform an account takeover of the cloud service account in question, but they will also likely be able to use credential stuffing to take over other accounts owned by that userid.  Credential stuffing means trying the userid/password combination on hundreds of different cloud services, and it works because most people use the same password for many of their accounts.  In other words, most users don't use a unique password per account, as they should. 

Once the attacker takes over one or more accounts, they can make money by many different means, including stealing data from the accounts then reselling the data (e.g., for credit card data) or threatening its disclosure.  (By the way, if personal information is accessed in any way, in most jurisdictions this is a privacy data breach and must be reported to the privacy authority.)

There is a related threat, a server-side attack, that involves an attacker stealing credentials from the cloud service itself instead of its users.  The attacker will break into a cloud service and steal the "passwords file", which contains the userid and the associated, obfuscated (salted and hashed) password for each of the cloud service's users.  The attacker will then perform a cracking operation to de-obfuscate the passwords, and will generally be successful for those users that haven't used a strong password. 

What makes a password "strong"?  It's sufficient length, sufficient randomness, and sufficient character-type complexity (the mix of uppercase, lowercase, digits, and symbols).  "Sufficient" is a fuzzy and moving target, but if a password isn't a bare minimum of 12 characters long, doesn't look random, or doesn't use at least three types of characters, it may not be strong enough to resist cracking.  Once passwords are cracked, there are the same risks as for phishing, such as account takeover and credential stuffing.
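To make the two halves of the server-side story concrete, here is an added example (mine, not the author's) in Python. The first part turns the post's rule of thumb into a check a signup form could run: at least 12 characters, at least three character types, and "looks random", for which I substitute a simple heuristic of my own (no character dominating the string and no runs of repeated characters), since the post leaves that criterion deliberately fuzzy. The second part shows the defender's side of the "passwords file": storing each password salted and hashed with PBKDF2-HMAC-SHA256 from the standard library, so that a stolen file does not yield plaintext passwords and weak ones are the only ones at real risk. The thresholds and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import string
from collections import Counter
from typing import Optional, Tuple

# Rule-of-thumb thresholds from the post: at least 12 characters and at least
# three of the four character types. (Assumption: these are the post's own
# minimums, not a standard.)
MIN_LENGTH = 12
MIN_CLASSES = 3
PBKDF2_ITERATIONS = 600_000  # assumption: a present-day PBKDF2-HMAC-SHA256 work factor


def character_classes(password: str) -> int:
    """Count how many of upper, lower, digit and symbol appear in the password."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def looks_random(password: str) -> bool:
    """Crude stand-in for the post's 'looks random' test (assumption: this heuristic
    is ours): no single character makes up more than a third of the password and
    there is no run of three or more identical characters."""
    if not password:
        return False
    most_common = Counter(password).most_common(1)[0][1]
    if most_common > len(password) / 3:
        return False
    return not any(password[i] == password[i + 1] == password[i + 2]
                   for i in range(len(password) - 2))


def password_is_strong(password: str) -> bool:
    """Apply the post's three criteria: length, character-type mix, randomness."""
    return (len(password) >= MIN_LENGTH
            and character_classes(password) >= MIN_CLASSES
            and looks_random(password))


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes]:
    """Store a password the way the post describes the 'passwords file': salted and
    hashed. A fresh 16-byte random salt per user means identical passwords get
    different digests, and the iteration count slows down offline guessing."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample passwords: two that fail the rule of thumb, one that passes.
    for pw in ["password123", "aaaaaaaaaaaA1!", "Tq7$kL9!vX2p"]:
        print(f"{pw!r}: strong={password_is_strong(pw)}")
    salt, digest = hash_password("Tq7$kL9!vX2p")
    print("verify correct:", verify_password("Tq7$kL9!vX2p", salt, digest))
    print("verify wrong:  ", verify_password("Tq7$kL9!vX2q", salt, digest))
```

The point of the salt is visible when you hash the same password twice: the digests differ, so an attacker with the file cannot spot users who share a password or reuse precomputed tables. The slow hash is what buys time for the users who chose strong passwords; it does not rescue the ones who did not, which is exactly why the post's advice on password strength matters even when the service does everything right.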

Business email compromise (BEC) requires the most effort for the attacker.  In a typical compromise, the attacker will get access (through one of a variety of means) to an email account for an organization head or financial head and will monitor the email traffic for a while.  Once the attacker understands the organization's financial processes and which employees are involved with financial transfers, they will send a fake email (from a fake account, often with a similar-looking domain name) to an employee requesting a wire transfer to some outside destination.  If the deception is not detected in time, the attacker will receive the transfer.

The last, and probably most important, threat we'll discuss is ransomware.  This is a type of malware usually delivered through phishing emails (but not the credentials-stealing kind), and it is rapidly surpassing other types of malware and phishing because of its ease of monetization.

For email-based ransomware (and other malware), a user will typically be fooled into executing a file attached to an email or clicking on a link in an email and downloading a file, resulting in a compromise of their device by the attacker's malware (i.e., malicious software).  Ransomware encrypts the infected computer's files in place and then demands a ransom payment to provide the decryption key; and the ransomware will typically try to spread to other computers in the organization.  If the organization decides to pay the ransom (it's a complex decision) and is very lucky, the key will work; otherwise the data is irretrievably destroyed.

Increasingly, though, ransomware does more than encryption: it will send a copy of the victim's data to the attacker's server before encrypting it, and the attacker will additionally (and maybe on more than one occasion) threaten to publicly release the data if the ransom is not paid.  Whereas a data backup is a good recovery mechanism for ransomware's encryption, there really is no way to mitigate a public release of data, which makes victims more willing to pay.  (Note that both cases would generally be considered privacy data breaches if personal data is involved.)


If we analyze the four threats in detail and look at how to mitigate the resulting risks – i.e., prevent them, reduce their effect, or recover from them -- it turns out that we need two different sets of mitigations, aka security controls:

  • controls that address the primary risks of account takeover and credential stuffing, and financial loss for BEC – let's call this Type 1; and
  • controls that address the primary risks of device compromise (by malware) and destruction of data – we'll call this Type 2.

Mapping these risks to the four threats above:

  • Type 1 controls are for credentials-stealing phishing, business email compromise, and credentials-stealing server-side attacks; and
  • Type 2 controls are for malware and ransomware.

Both types are also mitigating a variety of secondary risks, including financial loss and theft or exposure of data.

The controls

So what are these two amazing sets of security controls?  They are for the most part the basic set of security controls that security professionals call "security hygiene" – fundamental security controls that every organization should implement as a matter of course before getting into anything fancier. 

The Type 1 controls are focused mainly on protecting credentials:

  • user security awareness training;
  • the proper use of passwords: mainly ensuring they are strong and unique;
  • the use of a password manager: as the best way of properly managing passwords;
  • the proper use of the password manager, including using it to autofill login pages: whereas a user can be phished by a fake login page, a password manager will notice the fake page's incorrect domain name and will refuse to autofill the credentials into that page;
  • use of two-factor authentication (2FA)/multi-factor authentication (MFA): as a second line of defense on an account in case the account's password is compromised; and
  • for BEC in particular, setting up a proper verification process for financial transactions, such as through the use of out-of-band verification like a phone call or walking over to talk to the sender: to catch fraudulent requests.
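The fourth Type 1 control above, autofill as a phishing defense, works because the password manager matches on the site's domain rather than on what the page looks like. The following is an added example of that matching logic, written by me and not taken from any password manager's code. It keeps a small constructed vault of made-up credentials keyed by the URL each login was saved from, reduces both that URL and the current page's URL to their base domain, and offers credentials only when the two agree. Real products consult the Public Suffix List to find the base domain; the "last two labels" shortcut here, the refusal to fill over plain http, and the example.com/evil.test hosts are all assumptions made for the example.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed sample vault (not a real password manager's format): the URL each
# login was saved from, mapped to the credentials. The credentials are made up.
VAULT: Dict[str, Tuple[str, str]] = {
    "https://accounts.example.com/login": ("alice@example.com", "Tq7$kL9!vX2p-made-up"),
    "https://bank.example.org/": ("alice", "another-made-up-password"),
}


def registrable_domain(url: str) -> str:
    """Return the base domain a login is tied to, e.g. 'example.com' for
    'https://accounts.example.com/login'. Assumption: the last two host labels are
    the registrable domain; real password managers consult the Public Suffix List so
    that hosts like 'shop.example.co.uk' are handled correctly."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def autofill_candidates(page_url: str, vault: Dict[str, Tuple[str, str]] = VAULT
                        ) -> List[Tuple[str, str]]:
    """Return the logins a password manager would offer for page_url.

    Matching is on the registrable domain, so a lookalike host ('examp1e.com'), a
    host that merely contains the real name ('example.com.evil.test', whose base
    domain is 'evil.test'), or a plain-http copy of the page gets nothing. The
    http refusal is this example's own policy choice (assumption), not a claim
    about any particular product."""
    if urlsplit(page_url).scheme != "https":
        return []
    target = registrable_domain(page_url)
    return [creds for saved_url, creds in vault.items()
            if registrable_domain(saved_url) == target]


if __name__ == "__main__":
    # Constructed page URLs: the real site, a subdomain of it, and three fakes.
    for url in ["https://accounts.example.com/login",
                "https://www.example.com/signin",
                "https://examp1e.com/login",
                "https://example.com.evil.test/login",
                "http://accounts.example.com/login"]:
        print(f"{url}: {autofill_candidates(url) or 'no autofill'}")
```

The user-facing effect is the one the post describes: on the genuine site (or any subdomain of it) the manager fills the login; on a page whose address merely resembles the real one it stays silent, and that silence is the signal that something is off.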

The Type 2 controls are targeted mainly at spam and malware:

  • user security awareness training;
  • the use of an email anti-spam/malware filter: to stop phishing emails before they reach users; and
  • security hardening of devices, especially computers, by locking down operating system (OS) security-related settings and the use of antimalware ("antivirus") and anti-ransomware software or, for larger organizations, endpoint protection software/services: to prevent malware from successfully running if a user falls for it;
  • the use of data backup, to a cloud backup service or a local backup drive, or ideally to both: to recover from the destruction of data by ransomware.

User security awareness training is listed first for both types of controls because it's usually the most important control that organizations can put in place.  Properly trained employees could forestall many risks even in the absence of many technical security controls (such as password managers, 2FA, spam filters, hardening, antimalware, etc.) – but conversely, the best technical security controls can be bypassed or rendered ineffective by unaware employees.

All organizations should properly train their employees on security (and privacy) risks – starting as soon as possible and then at least annually.  They should also choose the right mix of technical security controls to fit their organization, risk tolerance, and budget.  Every single organization, though, should have all the Type 1 and Type 2 security controls listed above as a minimum.

For more

This has been only a brief introduction to some common cybersecurity threats that most organizations face, and to how to start addressing them.  If you want to learn more – and I strongly encourage you to do so – there is no shortage of information available.  Most everything you might want to know is on the Internet, so you can do a web search for any of the terms in this post.  You can also read some of my other blog posts; see my blog map for an index of useful posts.


Password manager comparison: LastPass vs. Bitwarden

The March 16, 2021 severe change to LastPass Free (see here) shakes up the password manager choices a bit.

Both LastPass and Bitwarden have multiple tiers, and, of course, the functionality doesn't exactly line up between the similarly-named tiers.  The table below should help you decide which tier of which password manager meets your needs.   I haven't shown LastPass Free because the new limitation makes the Free tier essentially unusable for the vast majority of users.

Unless you badly want a free service and think you'll stay there a long time, I suggest looking only at the Premium and Family(ies) tiers.  The main deciding factor between the two Premium tiers is probably the differences in the sharing features.

Update 2023-01: LastPass had a big data breach in 2022, and appears to no longer be a good choice.


Columns: LastPass Premium | LastPass Families | Bitwarden Free | Bitwarden Premium | Bitwarden Family

Price (USD per year): $36 | $48 | free | $10 | $40

Sharing:
  • LastPass Premium: Individual items: unlimited sharing with any number of users.  Folders: 1, with any number of users.
  • LastPass Families: Individual items: unlimited sharing with any number of users.  Folders: 1, with any number of users; unlimited within family.
  • Bitwarden Free: Folders: 1, with only 1 other user.
  • Bitwarden Premium: Folders: 1, with only 1 other user.
  • Bitwarden Family: Folders: unlimited within family.

The remaining rows were checkmark cells that did not survive extraction; only their text notes remain:
  • Ease of use: two cells read "Not as good".
  • File attachments: surviving cells read 1 GB, 0 GB, 1 GB.
  • Vault security check-up, 2FA for itself, Authenticator feature, Emergency Access: checkmarks only.
  • Account recovery: one cell reads "Powerful (e.g., locally-stored OTPs)".

Replacement for LastPass Free password manager

Starting March 16, LastPass's Free plan password manager will be essentially unusable; see here for more details.  Only users that don't have a computer (i.e., have only phones and/or tablets) will find this new limitation of LastPass Free acceptable; everyone else will need to move to something else.

I have recommended LastPass Free for years but that's not going to work now.  If you're looking for a free replacement for LastPass Free, and you care about security and privacy, Bitwarden Free looks like the best bet.  If you search you'll find a huge number of glowing reviews on the web.  It's not too hard to export your vault from LastPass and import it to Bitwarden.

However, if you're happy with LastPass, consider staying with it and upgrading to LastPass Premium, for USD $36 a year.  In addition to more powerful sharing, 1 GB of file storage (instead of 50 MB), more 2FA options, and tech support, you'll get the feature that I recommend everyone make use of: Emergency Access.

Bitwarden Premium, USD $10/year, also has an Emergency Access feature.

It doesn't matter which you use -- LastPass or Bitwarden or something else -- but it's essential that you use a password manager, and use it properly.  See my blog post on this


Update 2023-01: LastPass had a big data breach in 2022, and appears to no longer be a good choice.

Update 2021-03-16: If you're part of a family or have a small group of like-minded friends, the LastPass Families or Bitwarden Families plans can save you a lot of money.


Winter hiking equipment

If you're going to be hiking in the winter -- in a place with snow like British Columbia -- you really need good traction devices.  For general-purpose hiking, microspikes are definitely the way to go.

You can't go wrong with these two models, both of which I use all the time:

1. Hillsound Trail Crampon


REI has them but also check out https://www.google.com/shopping

2. Kahtoola MICROspikes Footwear Traction


MEC has them

The Hillsound have 1/2" spikes while the Kahtoola have 3/8" spikes.  If I had to pick one, it would be the Hillsound.

In the Okanagan, winter hiking is usually on a mixture of snow, ice, and dirt and rocks.  I happily used Yaktrax Pro in Vancouver for years, but as soon as I moved to the Okanagan they failed, because the rubber was quickly ground down by the dirt and rocks.  In retrospect, microspikes would have been better than Yaktrax in Vancouver too.


Local backup for professionals and organizations

My previous post talked about backup in general and cloud backup in particular.  I promised that my next post would finish by covering local backup.  Here it is.

First, the "why".  Recall that my previous post recommended you start by backing up your data files to the cloud.  Assuming that you're doing this, why would you also want to back up locally, that is to an external drive of some kind in the same room or building as your computer?

There are several excellent reasons:

  1. You need a second backup because one is not enough.  As mentioned in my previous post, a key tenet of information security is defense in depth. When applied to backup, this means having at least two backups of your data, in case something goes wrong with one of them.  You should start with a cloud backup, so your second backup should be a local backup.
  2. With a local backup you have the flexibility to set your own retention policy.  Your cloud backup may keep deleted files and old file versions for, say, only six months or a year, but with a local backup you can easily keep them for several years or even forever if you have a large enough external drive.
  3. Your local backup could be an external drive sitting by your desk, but you have other options too.  You could use a small portable drive or a flash drive and store it most of the time in your fire safe, or you could have two drives and swap them weekly or monthly between being attached to your computer and being in the fire safe, hidden in your home, or in a safety deposit box.  The sky's the limit on the possibilities.
  4. A very secure cloud backup is at least $100 a month -- every month, forever -- but a nice external drive can be purchased for $200 and will last for many years.  You can't dispense entirely with the cloud backup, but if you're price conscious you can use a less expensive (and less secure) cloud backup if you also have a local backup that you take care of well.
  5. If you need to restore a lot of data from your backup – perhaps your entire computer's worth – a local restore will likely be a lot faster than a cloud restore.  And a large cloud restore might use up enough of your monthly ISP data budget to cost you money, whereas a local restore is always going to be free.
  6. Finally, backing up locally offers a type of backup that is usually not done for a cloud backup: a system image backup.  A data backup, or files backup, includes just a user's files, but a system image backup is a backup of a computer's entire main drive, including the user's files, application software and settings, and the operating system.  Due to its size, it's usually not practical to transfer a system image backup to the cloud – but it's very easy to store it on a local drive.  Having a system image backup is not essential, but it's a much faster way to recover from a major computer failure.  Without a system image backup, recovery means reinstalling the OS and all applications, configuring (including hardening) the OS, configuring all applications, and restoring the user's data; whereas with a system image backup, it's a single restore operation that does everything in one step.


In my previous post I listed three backup-specific requirements: sufficient confidentiality, sufficiently long retention, and support for point-in-time restore.  These of course apply to local backups too, and you may want to reread that part of my previous post before continuing on here.  Local backup software typically provides sufficient retention and a point-in-time restore, but confidentiality needs more discussion.

For a local backup, confidentiality means encrypting the external drive, and this can be done by the backup software and/or the operating system.  All backup software provides encryption, but encryption in the backup software that comes with many backup drives may not be sufficiently well implemented and secure.  If your computer's OS has the ability to encrypt external drives, use it; in this case you don't need to use the encryption feature of the backup software.

If your OS can't encrypt external drives, you're probably on Windows 10 Home, in which case your computer's main drive is not encrypted either.  This is a bad situation and you should upgrade to Windows 10 Pro, which will give you the BitLocker feature.  BitLocker gives you the ability to encrypt not only your computer's main drive but also any external drive, such as the one you're going to use for backup.

If for some reason you decide not to use the OS to encrypt your backup drive, you have four choices:

  1. don't encrypt the backup drive – not a good idea unless the data is not sensitive
  2. use the encryption built into the backup software that came with your backup drive – easy but not recommended, as discussed above
  3. use the encryption built into third-party backup software – a good choice, see below
  4. use quality third-party encryption software like VeraCrypt to encrypt the backup drive – a great choice

Whether you're using the OS, third-party software, or your backup software to encrypt the drive, make sure you store the encryption password in your password manager.
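Here is what "use the OS to encrypt the external drive" looks like in practice on Windows 10 Pro.  This is an added example, not something from the original post: it turns on BitLocker (the "BitLocker To Go" form for removable drives) for the backup drive, adds a recovery password as a second way in, and then checks that protection is actually on.  The drive letter E: is an assumption; run it from an elevated PowerShell window.

```powershell
# Added example (not from the original post): encrypt an external backup drive
# with BitLocker from an elevated PowerShell session on Windows 10 Pro.
# The drive letter E: is an assumption; change it to your backup drive.

$Drive = "E:"   # assumed drive letter of the external backup drive

# Prompt for the passphrase; it stays a SecureString rather than plain text.
# Store this same passphrase in your password manager, as the post advises.
$Pass = Read-Host -AsSecureString -Prompt "Passphrase for backup drive $Drive"

# Turn on BitLocker with a password protector. XtsAes256 is the strongest
# method offered; if you omit -EncryptionMethod you get XtsAes128.
Enable-BitLocker -MountPoint $Drive -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $Pass

# Add a recovery password protector as well: a 48-digit key that unlocks the
# drive if the passphrase is ever forgotten. Save the RecoveryPassword shown
# below in your password manager too (never on the backup drive itself).
$Vol = Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector
$Vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    Select-Object KeyProtectorId, RecoveryPassword

# Encryption runs in the background. Check progress, and do not trust the
# backup on this drive until ProtectionStatus reports On and
# EncryptionPercentage reaches 100.
Get-BitLockerVolume -MountPoint $Drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus

# Later, to unlock the drive on another PC (for example during a test restore):
# Unlock-BitLocker -MountPoint $Drive -Password (Read-Host -AsSecureString)
```

Two things worth knowing: the drive stays usable while the background encryption finishes, but a backup written before `EncryptionPercentage` hits 100 is only partly protected, so check the status before you rely on it; and the recovery password is as sensitive as the passphrase, so it belongs in the password manager alongside it, not in a text file on the drive it unlocks.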

Backup software

What backup software to use?  Let's talk about data backup first.  You can use the backup feature built into your computer's OS or you can use third-party software.  Here are some good choices:

  • Windows 10 File History – Don't use the older "Backup and Restore (Windows 7)" feature
  • macOS Time Machine – If you have a Mac
  • CrashPlan – It's a (great) cloud backup service, but it also allows backing up to a local drive.
  • Macrium Reflect Home Edition – It's primarily (great) system image backup software, but it also supports backing up just data files.
  • SyncBackSE – It's pure backup software that works very nicely.  You need the SE version (not the Free version) in order to get the critical Versioning feature.

CrashPlan, Reflect, and SyncBackSE will all do a good job of encrypting your backup, if you so configure them.

You could also use the backup software, if any, that comes with your external drive to perform your backup.  It's generally best, though, as discussed above, if you don't use the software's encryption capabilities.

For system image backup, here are some good choices:

  • On Windows, there is no good system image backup feature built in. (Don't use "Backup and Restore (Windows 7)": it's old and crotchety and even Microsoft recommends using third-party system image backup software instead.  Definitely don't try it if you use BitLocker.)
  • macOS Time Machine – If you have a Mac
  • Macrium Reflect Home Edition – Very nice software that supports BitLocker well
  • Acronis True Image – People seem to like it, but I recommend you stay away from it if you use BitLocker.

Backup drives

Finally, we get to the bottom level of the stack: the backup drive hardware.  You have many choices, including desktop backup drives, portable backup drives, and flash drives.  Desktop and portable drives used to always be hard disk drives (HDDs) but solid-state drives (SSDs) are now starting to appear at reasonable prices.  Flash drives, which are essentially small and slow SSDs, are now available for reasonable prices up to 512 GB, and would be useful if you want to hide your backup drive.

You should obviously buy a drive that has an interface that your computer supports.  USB is the most common, but pay attention to the physical connector and the USB version number.

Speed is not that important for a backup drive but size does matter.  You can never have enough backup storage, and right now the sweet spot seems to be about 8 TB for HDDs, which are currently the best choice for most people.

WD (Western Digital) and Seagate are respected brand names in HDDs.

Parting words

As mentioned above you absolutely should have more than one backup because things always go wrong.  My last post suggested that you add backups in this order: (1) a cloud backup, (2) a local backup, (3) a second cloud backup, and (4) a second local backup.  How far down the list you go depends on how important your data is and how paranoid you are.

A final recommendation: make sure you occasionally do a test restore of all your backups, both local and cloud.  Otherwise you might discover – just when you need it the most -- that your fail-safe has failed and can't be restored from.
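A test restore is only a test if you check the result.  The script below is an added example, not part of the original post: it restores nothing itself, but after you have restored your data folder into a scratch location it hashes every file on both sides with SHA-256 and reports anything missing, changed, or unexpected.  The two folder paths are assumptions; point them at your live data folder and at the folder you restored into.

```powershell
# Added example (not from the original post): verify a test restore by comparing
# SHA-256 hashes of every file in the live data folder against the restored copy.
# Both paths are assumptions. Always restore into a scratch folder for a test,
# never over the live data.

param(
    [string]$Source   = "$HOME\Documents",          # assumed live data folder
    [string]$Restored = "D:\RestoreTest\Documents"  # assumed test-restore target
)

function Get-TreeHashes {
    param([string]$Root)
    # Map each path relative to $Root to its SHA-256, so files are matched by
    # name rather than by the order the filesystem happens to return them.
    $Map = @{}
    $RootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $RootFull -File -Recurse -Force | ForEach-Object {
        $Rel = $_.FullName.Substring($RootFull.Length + 1)
        $Map[$Rel] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
    return $Map
}

$Src = Get-TreeHashes $Source
$Rst = Get-TreeHashes $Restored

$Missing  = @($Src.Keys | Where-Object { -not $Rst.ContainsKey($_) })
$Extra    = @($Rst.Keys | Where-Object { -not $Src.ContainsKey($_) })
$Modified = @($Src.Keys | Where-Object { $Rst.ContainsKey($_) -and $Rst[$_] -ne $Src[$_] })

"Files in source: {0}; in restore: {1}" -f $Src.Count, $Rst.Count
"Missing from restore: {0}" -f $Missing.Count
"Hash mismatches:      {0}" -f $Modified.Count
"Extra in restore:     {0}" -f $Extra.Count

# List the first few problems so you know where to start looking.
$Missing  | Select-Object -First 10 | ForEach-Object { "  MISSING  $_" }
$Modified | Select-Object -First 10 | ForEach-Object { "  CHANGED  $_" }

# Non-zero exit lets a scheduled task or a wrapper script flag a bad restore.
if ($Missing.Count -or $Modified.Count) { exit 1 } else { "Restore verified OK" }
```

Expect a handful of CHANGED entries for files you edited after the backup ran; what you are looking for is missing files, or mismatches in files you have not touched, since those mean the backup or the restore is not doing what you think.  Run it against each backup you keep, local and cloud, so that the same check covers all of them.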