Security is recovery plus prevention

The aim is not perfect invulnerability. It is to make compromise less likely, limit blast radius, detect problems early, and recover without panic.

Identity → devices → network → services → data → recovery

Your personal security baseline

ControlStandard
PasswordsUnique, long, manager-generated for every account
Sign-inPasskeys where available; authenticator-app 2FA otherwise
RecoveryBackup codes stored offline/securely; recovery contacts reviewed
Admin accountsSeparate daily account and admin account where practical
UpdatesSupported OS, browser, router, phone, and critical services
BackupsEncrypted, tested, with an off-site copy
SecretsNever committed, pasted into chat, or stored in public notes

Identity: the highest-value layer

Your email account, password manager, mobile number, and cloud identity are recovery roots. Secure those before tuning any server.

Password manager operating rules

  • One unique random password per service.
  • Store TOTP seeds only if you understand the convenience versus single-point-of-failure trade-off; hardware/app separation can be stronger for critical accounts.
  • Record account purpose and recovery notes, but never put full recovery answers in ordinary notes.
  • Review exposed/reused passwords after any breach notice.

Passkeys and 2FA

Prefer passkeys for supported important accounts. For accounts without passkeys, use an authenticator app or hardware key rather than SMS where possible. SMS is better than no 2FA, but susceptible to number takeover and social engineering.

Keep recovery codes in a protected offline location and verify that Dawn can access the necessary emergency instructions without seeing secrets she does not need.

Devices and browsers

[ ] Screen lock and strong device passcode
[ ] Automatic OS and browser security updates
[ ] Full-disk encryption enabled
[ ] Regular backups
[ ] Only trusted browser extensions
[ ] Separate browser profile for sensitive administration if useful
[ ] Remote-wipe/recovery capability checked for phones/laptops

Treat browser extensions like installed software with broad access. Remove “nice to have” extensions; keep only tools you trust and use.

Network and home lab

Segment by trust, not by brand

A simple model:

NetworkExamplesPolicy
Trustedpersonal computers, phonesMay access administration endpoints
IoTbulbs, plugs, appliancesInternet only as needed; limited access to trusted LAN
GuestvisitorsInternet only
Infrastructurerouter, AP, NAS/serverAdmin access from trusted devices only

Do not build complex VLANs just because they sound secure. Build a small, documented policy you can troubleshoot.

Remote access

Prefer an identity-aware access layer such as Cloudflare Access, VPN, or a purpose-built remote platform. Do not expose Home Assistant, databases, dashboards, or Docker admin ports directly to the public internet simply for convenience.

Secret handling

Examples of secrets: API tokens, OAuth refresh tokens, SSH private keys, database passwords, Wi-Fi passwords, Home Assistant long-lived tokens, .env files, backup encryption keys.

Rules:

  • Keep secrets out of Git via .gitignore and sample files such as .env.example.
  • Use environment variables or secret stores; never hard-code credentials in scripts.
  • Rotate a token after accidental exposure; deleting the message is not a rotation.
  • Limit each token to the smallest practical permissions and expiry.

Incident response: first 30 minutes

If an account/device/token may be compromised:

  1. Stop using the suspect device/session for sensitive changes if malware is plausible.
  2. From a trusted device, change the affected account password and revoke active sessions.
  3. Rotate exposed tokens/keys; update dependent services deliberately.
  4. Check recovery email, phone, forwarding rules, OAuth grants, and recent logins.
  5. Preserve evidence and timestamps before wiping/rebuilding.
  6. Notify relevant people/financial institutions when risk warrants it.
  7. Document the incident and close the root cause.

Recovery readiness review

Quarterly, verify:

[ ] Password-manager emergency access / recovery plan
[ ] Backup codes and hardware keys
[ ] Device inventory and encryption status
[ ] Current backups can be restored
[ ] Router/admin credentials are available securely
[ ] Cloudflare/GitHub/email recovery paths still work
[ ] Unused accounts and integrations are removed

The practical rule

Spend effort where a compromise would hurt most: identity, money, household access, private data, and management planes. Security theatre—more prompts, more obscure tools, more complexity—is not the goal.