Security is recovery plus prevention
The aim is not perfect invulnerability. It is to make compromise less likely, limit blast radius, detect problems early, and recover without panic.
Identity → devices → network → services → data → recovery
Your personal security baseline
| Control | Standard |
|---|---|
| Passwords | Unique, long, manager-generated for every account |
| Sign-in | Passkeys where available; authenticator-app 2FA otherwise |
| Recovery | Backup codes stored offline/securely; recovery contacts reviewed |
| Admin accounts | Separate daily account and admin account where practical |
| Updates | Supported OS, browser, router, phone, and critical services |
| Backups | Encrypted, tested, with an off-site copy |
| Secrets | Never committed, pasted into chat, or stored in public notes |
Identity: the highest-value layer
Your email account, password manager, mobile number, and cloud identity are recovery roots. Secure those before tuning any server.
Password manager operating rules
- One unique random password per service.
- Store TOTP seeds only if you understand the convenience versus single-point-of-failure trade-off; hardware/app separation can be stronger for critical accounts.
- Record account purpose and recovery notes, but never put full recovery answers in ordinary notes.
- Review exposed/reused passwords after any breach notice.
Passkeys and 2FA
Prefer passkeys for supported important accounts. For accounts without passkeys, use an authenticator app or hardware key rather than SMS where possible. SMS is better than no 2FA, but susceptible to number takeover and social engineering.
Keep recovery codes in a protected offline location and verify that Dawn can access the necessary emergency instructions without seeing secrets she does not need.
Devices and browsers
[ ] Screen lock and strong device passcode
[ ] Automatic OS and browser security updates
[ ] Full-disk encryption enabled
[ ] Regular backups
[ ] Only trusted browser extensions
[ ] Separate browser profile for sensitive administration if useful
[ ] Remote-wipe/recovery capability checked for phones/laptops
Treat browser extensions like installed software with broad access. Remove “nice to have” extensions; keep only tools you trust and use.
Network and home lab
Segment by trust, not by brand
A simple model:
| Network | Examples | Policy |
|---|---|---|
| Trusted | personal computers, phones | May access administration endpoints |
| IoT | bulbs, plugs, appliances | Internet only as needed; limited access to trusted LAN |
| Guest | visitors | Internet only |
| Infrastructure | router, AP, NAS/server | Admin access from trusted devices only |
Do not build complex VLANs just because they sound secure. Build a small, documented policy you can troubleshoot.
Remote access
Prefer an identity-aware access layer such as Cloudflare Access, VPN, or a purpose-built remote platform. Do not expose Home Assistant, databases, dashboards, or Docker admin ports directly to the public internet simply for convenience.
Secret handling
Examples of secrets: API tokens, OAuth refresh tokens, SSH private keys, database passwords, Wi-Fi passwords, Home Assistant long-lived tokens, .env files, backup encryption keys.
Rules:
- Keep secrets out of Git via
.gitignoreand sample files such as.env.example. - Use environment variables or secret stores; never hard-code credentials in scripts.
- Rotate a token after accidental exposure; deleting the message is not a rotation.
- Limit each token to the smallest practical permissions and expiry.
Incident response: first 30 minutes
If an account/device/token may be compromised:
- Stop using the suspect device/session for sensitive changes if malware is plausible.
- From a trusted device, change the affected account password and revoke active sessions.
- Rotate exposed tokens/keys; update dependent services deliberately.
- Check recovery email, phone, forwarding rules, OAuth grants, and recent logins.
- Preserve evidence and timestamps before wiping/rebuilding.
- Notify relevant people/financial institutions when risk warrants it.
- Document the incident and close the root cause.
Recovery readiness review
Quarterly, verify:
[ ] Password-manager emergency access / recovery plan
[ ] Backup codes and hardware keys
[ ] Device inventory and encryption status
[ ] Current backups can be restored
[ ] Router/admin credentials are available securely
[ ] Cloudflare/GitHub/email recovery paths still work
[ ] Unused accounts and integrations are removed
The practical rule
Spend effort where a compromise would hurt most: identity, money, household access, private data, and management planes. Security theatre—more prompts, more obscure tools, more complexity—is not the goal.