Minimizing & securing your digital footprint


As more companies report data breaches, as my own credit card numbers get compromised, and especially as I become more familiar with cybersecurity, I’ve become increasingly preoccupied with where my data is stored and which companies I entrust it to.

Beyond the basics of using password managers and setting unique, strong passwords for every account, I wanted to inventory and document the routines I follow to secure and minimize my digital footprint online.

Principles

First, there are a few philosophies or principles that govern how I consistently manage my accounts, passwords, and data.

  1. Merchants should know as little about me as possible. My relationships with companies online should be purely transactional. Credit cards, shipping addresses, and even email addresses should be supplied in situ from digital wallets where possible, and not duplicated or stored in merchant accounts.
  2. The most secure online account is no account at all. To the extent possible, durable online accounts should only exist where there’s a clear benefit, like a loyalty program I regularly use, or a library of purchased digital goods I’d otherwise lose access to. Otherwise, they should be considered disposable and routinely purged.
  3. Maximum security settings should be without exception. In all cases where I retain a durable online account, I should employ the maximum security options available, including passkeys, two-factor authentication, and unique secure passwords.

In this post, I’ve outlined the routines and best practices for personal digital hygiene that I’ve developed over the years. I run through these processes like a decision tree every few months, disposing of superfluous accounts and revising my security settings as new options become available. Your mileage will vary depending on the accounts and services that are relevant to your life, but hopefully there are some ideas in here that prove helpful to you, as well.

Delete unnecessary accounts

First, I regularly review my inventory of online accounts and delete those that don’t meet the criteria to retain. I ask myself the following questions:

  1. Does this merchant need to remember me? For transactional accounts with online stores, there’s rarely a clear benefit to holding an online account, so you can avoid creating an account in the first place. Guest checkout combined with using a digital wallet like Apple Pay or PayPal can avoid the need for merchants to ever store your personal data in their own systems.
  2. Is there a benefit to my keeping an account active? In some cases, preserving your purchase history, participating in a loyalty program or subscription, or keeping access to a library of digital purchases will warrant keeping an account, but you’ll find that these are few and far between.
  3. Can the account be recreated later? Sometimes, I’m not sure if I’ll need an account in the future, but I err on the side of deleting it until that need comes into focus.

I find that people seldom delete accounts, allowing their usernames and passwords to proliferate and atrophy. This increases the surface area of risk when it comes to compromised accounts or data leaks, so while the true direct risk is small, I prioritize managing each account intentionally.

Consider how much personal information a traditional merchant gets about you when you make a purchase in a brick-and-mortar retail store. You bought a thing and you have a receipt so you can make a return. Why should online merchants know anything more?

How to identify accounts you have

Next is the matter of baselining which online accounts you actually have. There are a few methods to find these.

  1. Password managers. If you’ve been using a password manager, this is an obvious starting point to find accounts you’ve created.
  2. Social login providers. Check for accounts you’ve created with Google,[1] Facebook,[2] or Apple[3] login. You’ll need to decide whether to convert these to standard accounts with an email address and password (or passkey, if available), and if that’s required in order to fully delete the account.[4]
  3. Emails. The catch-all method to identify companies who have stored your information is to monitor marketing emails you receive, including in the spam or junk folders. Removing yourself from many of these might be as simple as unsubscribing from the email list, but they might also have your email address as part of an online account you registered.
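One way to run the catch-all email method systematically, as an added example that is not code from the post: a short Python script that reads raw messages, groups senders by domain, and notes whether each sender includes an RFC 2369 List-Unsubscribe header (a hint that unsubscribing may be enough) or sends account-style mail such as order confirmations (a hint that an account exists and needs deleting). The three messages, the domain-collapsing rule and the subject-word hints are all constructed for this example.

```python
import email
from email.utils import parseaddr, parsedate_to_datetime
from collections import defaultdict

# Constructed sample messages (not real mail): a shipping notice, a newsletter
# carrying a List-Unsubscribe header, and a spam-folder promo with no such header.
SAMPLE_MESSAGES = [
    """From: "Acme Store" <orders@mail.acme-store.example>
To: me@example.com
Date: Mon, 01 Jan 2024 10:00:00 +0000
Subject: Your order #1234 has shipped

Thanks for shopping with us.
""",
    """From: "Acme Store" <news@mail.acme-store.example>
To: me@example.com
Date: Tue, 02 Jan 2024 09:00:00 +0000
Subject: January newsletter
List-Unsubscribe: <https://mail.acme-store.example/unsub?id=abc>

Deals inside.
""",
    """From: "Gadget Promo" <promo@gadgetpromo.example>
To: me@example.com
Date: Wed, 03 Jan 2024 12:00:00 +0000
Subject: 50% off everything!!!

Limited time only.
""",
]

# Subject words that suggest a registered account rather than a bare mailing-list
# subscription. A heuristic chosen for this example, not a standard of any kind.
ACCOUNT_HINTS = ("order", "receipt", "account", "password", "welcome", "invoice")


def registrable_domain(address):
    """Collapse a mail subdomain such as mail.acme-store.example to acme-store.example.
    Last-two-labels heuristic: fine for a personal inventory, wrong for co.uk-style TLDs."""
    _, addr = parseaddr(address)
    domain = addr.rpartition("@")[2].lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def build_inventory(raw_messages):
    """Group messages by sender domain and record what each sender reveals."""
    inventory = defaultdict(lambda: {"messages": 0, "unsubscribe": False,
                                     "likely_account": False, "last_seen": None})
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        entry = inventory[registrable_domain(msg.get("From", ""))]
        entry["messages"] += 1
        # RFC 2369 List-Unsubscribe: removal may be as simple as unsubscribing.
        if msg.get("List-Unsubscribe"):
            entry["unsubscribe"] = True
        subject = (msg.get("Subject") or "").lower()
        if any(hint in subject for hint in ACCOUNT_HINTS):
            entry["likely_account"] = True
        seen = parsedate_to_datetime(msg["Date"])
        if entry["last_seen"] is None or seen > entry["last_seen"]:
            entry["last_seen"] = seen
    return dict(inventory)


def review_order(inventory):
    """Senders that look like real accounts first, then by mail volume, for triage."""
    return sorted(inventory, key=lambda d: (not inventory[d]["likely_account"],
                                            -inventory[d]["messages"], d))


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_MESSAGES)
    for domain in review_order(inv):
        e = inv[domain]
        print(f"{domain:24} msgs={e['messages']} unsubscribe={e['unsubscribe']} "
              f"account?={e['likely_account']} last={e['last_seen'].date()}")
```

With a real mailbox you would feed `build_inventory` the messages from an mbox export of your inbox and junk folders (for example `[m.as_string() for m in mailbox.mbox("Junk.mbox")]` from the standard library) and work down the list it prints, deleting accounts at the top and unsubscribing from the rest.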

Having done this for years, my iCloud Keychain now serves as a canonical record of the accounts I’ve created and that remain outstanding, including traditional username-and-password accounts, one-time passcodes, and Sign in with Apple accounts.

How to delete online accounts

Many companies make deleting your account a hassle, but thankfully, there are a few ways to get around these dark patterns and ensure your data is removed.

  1. Find it in your account or profile settings. Sign into your account and find the account or profile settings. Most websites and apps put the “delete” option under headings like “manage account” or “security” preference panes.
  2. Download their app. While some companies don’t make a delete account option available on their websites, Apple requires any iOS app that allows for account registration to also allow for account deletion. Download their iOS app and find the delete account settings there.
  3. Review their privacy policy. Next, you can take advantage of privacy legislation like GDPR in Europe and CCPA in California to get access to account and data deletion options. Navigate to their privacy policy and find the “right to delete” section to find instructions.[5]


What if none of these options work? Maybe the merchant doesn’t have an iOS app, or puts their deletion request behind a consent management provider labyrinth. In these cases, I suggest resetting your password, removing all identifying information from the account (specifically payment details, addresses, and your name), and changing your email address on the account to a disposable one.[6] Bid them adieu and wish them luck sending marketing emails into the void.

Secure your durable accounts

For those accounts you choose to retain, securing them is paramount. This entails maximizing the security options at your disposal, which can vary depending on the account provider.

Setting up alternative authentication methods

Accounts limited to authentication via usernames and passwords should be exceedingly rare, and only in cases where that’s the most security afforded by the merchant, website, or app. Even in these cases, a strong and unique password is essential, but you should look to upgrade your account to a more secure option.

  1. Passkeys. If the guidance of Apple, Google, and Microsoft is to be believed, passkeys are the future. For any account that offers passkeys, you should create one using your password manager of choice. You can find your account provider in a registry of passkey-enabled services maintained by 1Password.[7]
  2. Social sign-in. Depending on the services you use most, it might make sense to register for new accounts or convert existing accounts to a social sign-in provider. These typically rely on biometrics to authenticate, or carry the redundancy of two-factor authentication that you can borrow for other online accounts.[8]
  3. Multi-factor authentication. Finally, it’s imperative you enable MFA in any accounts that offer it. The most secure second methods are passkeys or physical security keys, followed by one-time passcodes stored in an authenticator app or password manager, and then other options like email “magic links” or SMS.[9]

Creating secure passwords

Using a password manager like 1Password or iCloud Keychain goes without saying, and odds are that anyone reading a post about minimizing and securing their digital footprint already uses one. However, it bears repeating the best practices associated with passwords, and I have a few tips to share.

  1. Good passwords are unknown. In the spirit of 1Password, you should only have a single master password that you’ve memorized, which is reinforced by a second factor. For me, that’s my Apple Account password, which unlocks iCloud Keychain and requires a verification code to re-authenticate on new devices. Beyond that, I simply don’t even know a single other password in my digital life.
  2. Better passwords are unknowable. Safari and Apple platforms provide automatic unique passwords in an xxxxx-yyyyy-zzzzz format, with some accommodations for websites with specific requirements for length or special characters. However, for important accounts like my bank or investment accounts, I like to maximize the length and create even more unguessable passwords using tools like 1Password’s password generator. If a website allows me to create a password that’s 128 characters long, I’m going to use every available character.
  3. The best password is no password at all. Finally, if an app or service allows for account creation without a password—whether that’s with a passkey or a social sign-in provider—that’s even better.[10]
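As an added illustration (not code from the post or from Apple or 1Password), here is a small Python generator that produces passwords in the two shapes the list describes using the standard-library `secrets` module, and puts a number on why length matters: a character drawn uniformly from an alphabet of N symbols contributes log2(N) bits of entropy, so 15 lowercase alphanumerics give about 77.5 bits while 128 printable characters give about 839. The Apple-style function only imitates the three-group shape; it is not Apple’s algorithm, which applies additional rules not reproduced here.

```python
import math
import secrets
import string

# Alphabets used below. The Apple-style shape uses lowercase letters and digits;
# the long form uses every printable ASCII character except space.
ALNUM_LOWER = string.ascii_lowercase + string.digits
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length, alphabet_size):
    """Entropy, in bits, of a password whose characters are drawn uniformly
    and independently from an alphabet of the given size."""
    return length * math.log2(alphabet_size)


def apple_style_password(groups=3, group_len=5):
    """Generate a password in the xxxxx-yyyyy-zzzzz shape described in the post.
    Only the shape is imitated; this is not Apple's generator."""
    parts = ("".join(secrets.choice(ALNUM_LOWER) for _ in range(group_len))
             for _ in range(groups))
    return "-".join(parts)


def has_all_classes(pw):
    """True if pw contains a lowercase letter, an uppercase letter, a digit and
    a punctuation character: the composition rule many sites enforce."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def long_password(length=128, require_classes=True):
    """Generate a maximum-length password from the full printable alphabet.
    Rejection sampling keeps every accepted password uniformly distributed
    over the set of passwords that satisfy the composition rule."""
    if require_classes and length < 4:
        raise ValueError("need at least 4 characters to satisfy all classes")
    while True:
        pw = "".join(secrets.choice(PRINTABLE) for _ in range(length))
        if not require_classes or has_all_classes(pw):
            return pw


def is_apple_style(pw, groups=3, group_len=5):
    """Check that a password has the expected group/hyphen shape and alphabet."""
    parts = pw.split("-")
    return (len(parts) == groups
            and all(len(p) == group_len and all(c in ALNUM_LOWER for c in p)
                    for p in parts))


if __name__ == "__main__":
    print(apple_style_password(),
          f"~{entropy_bits(15, len(ALNUM_LOWER)):.0f} bits")
    print(long_password(),
          f"~{entropy_bits(128, len(PRINTABLE)):.0f} bits")
```

The point of `entropy_bits` is the comparison the post makes informally: doubling the alphabet adds one bit per character, but doubling the length doubles the bits, which is why using every character a site allows is the cheaper win. `secrets` rather than `random` matters because the latter is not designed for secrets and its output can be predicted from earlier output.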

Finally, I reset my passwords on a routine basis. If you sort your list of accounts in a password manager like iCloud Keychain or 1Password chronologically by modified date, you can find your oldest ones and refresh them. In effect, no password in my keychain is older than a year at any given time, meaning that any data that might have been leaked in the intervening time period is stale and unusable within a few months.
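To make that audit concrete, here is an added Python script (not from the post) that runs the two checks a password-manager CSV export allows: flagging entries whose password was last modified more than a year before a given date, oldest first, and grouping entries that share a password so reuse can be fixed in the same pass. The column names and the sample rows are assumptions constructed for the example; real exports from iCloud Keychain or 1Password use their own column names, so map them before running this.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample export, not real credentials. Assumed columns: a title,
# the sign-in URL, the username, the password, and the ISO 8601 date the entry
# was last modified. "hunter2" is deliberately reused across two entries.
SAMPLE_EXPORT = """title,url,username,password,modified
Bank,https://bank.example,alice,Rk8!vT2#mQzL,2024-11-03
Old Forum,https://forum.example,alice,hunter2,2021-05-14
Shop A,https://shop-a.example,alice@example.com,hunter2,2023-02-01
Shop B,https://shop-b.example,alice@example.com,zpq7k-bm2vx-9qrt1,2024-06-20
"""


def load_entries(csv_text):
    """Parse the export and convert the modified column to a date."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["modified"] = date.fromisoformat(row["modified"])
    return rows


def stale_entries(entries, today, max_age_days=365):
    """Entries whose password has not changed within max_age_days, oldest first."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted((e for e in entries if e["modified"] < cutoff),
                  key=lambda e: e["modified"])


def reused_passwords(entries):
    """Groups of entry titles that share one password. Only titles are returned,
    so the result can be printed or logged without exposing the secrets."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["title"])
    return sorted(sorted(titles) for titles in by_password.values()
                  if len(titles) > 1)


def audit(csv_text, today_iso, max_age_days=365):
    """Run both checks on an export and return just the titles to act on."""
    entries = load_entries(csv_text)
    stale = stale_entries(entries, date.fromisoformat(today_iso), max_age_days)
    return {"stale": [e["title"] for e in stale],
            "reused": reused_passwords(entries)}


if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT, "2025-01-15")
    print("rotate (oldest first):", result["stale"])
    print("reused password groups:", result["reused"])
```

Run it only against a local export and delete the export file afterwards: a plaintext CSV of every password is exactly the artifact the rest of the routine is trying to avoid leaving around.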

Lock down your payment methods

Finally, some recent interludes related to an old credit card number have made me acutely aware of where my payment details are stored, and I’ve updated my routines accordingly.

Finding where your card is stored

I can’t speak for all banks or credit card issuers, but many (including specifically Chase) provide a method to find where your payment methods are stored online. This typically isn’t the card number itself, but instead an association between the merchant and the payment processor. While this has security benefits, it also means that when your card number changes, the merchant is automatically updated with the new information. Some folks like this mechanic, but for me, I like to have greater control.

  1. Find stored cards. For Chase cardholders, you can see a list of merchants who have stored your payment method in the “stored cards” section of the Chase app.
  2. Delete account or remove payment methods. Using this inventory, I sign into each account and remove the associated payment method. In many cases, it’s also appropriate to delete the account based on the criteria outlined above.
  3. Convert to a digital wallet. In cases where I have recurring charges and subscriptions, I like to convert the payment method to a digital wallet like PayPal or Apple Pay instead. See below.

Upgrading to digital payment wallets

In principle, I don’t believe any online merchant should have persistent access to my payment details, and I like to manage my payment methods independently of where they’re used in digital wallets like Apple Pay and PayPal.

There are many benefits to this, but first among them is that my credit card numbers or personal account numbers aren’t subject to the security practices of every company I transact with. The ideal scenario is a single point-in-time transaction without storing payment or shipping details, like using Apple Pay on a Shopify website, and a fallback for recurring payments is an association with a payment wallet like PayPal.

  1. Single-use transactions. Apple Pay is my preferred method for express checkout online, as it’s accepted on most Shopify websites and other e-commerce platforms, and can transmit transactional details like shipping address and email in one fell swoop.
  2. Recurring transactions and subscriptions. I try to subscribe to online services via my Apple Account so that my subscriptions are managed in one place on the App Store, but this isn’t always possible. Failing that, if the merchant accepts Apple Pay, I look to see if they use the “preauthorized merchants” feature, which collects recurring payments into a section of the Wallet app for iOS under Account Details.[11]
  3. Credit card numbers. As a last resort, you’ll probably need to enter your credit card number somewhere. In these cases, there are options for rotating or “burner” card numbers that can provide some security and privacy benefits, but these are a bit too cumbersome for my tastes (which is saying something, considering the rest of this post).[12]

TL;DR

All told, I invest a lot of mental energy into securing and monitoring my online accounts, but your habits likely don’t demand this same level of scrutiny. If you take away nothing else, here are a few key tips that I’d recommend to anyone, no matter their security posture:

  1. Use a password manager and create unique passwords
  2. Sign up for Have I Been Pwned? to monitor compromised data
  3. Review where your payment information is stored

That’s it! I’ll update this post over time as patterns or best practices change, but feel free to reach out if you have any suggestions or enhancements.

  1. For accounts created with your Google account, you can find and manage them on the Google Accounts website under the Third-Party Websites section. 

  2. For accounts created with your Facebook account, you can find and manage them in the Meta accounts center.

  3. For accounts created with your Apple Account, you can find them either in the Settings app on iOS, iPadOS, or macOS under the Apple Account heading in the Sign in with Apple section, or on the Apple Account website. 

  4. Sometimes, disassociating the social login provider from the online account doesn’t actually delete the account; it just removes the association but leaves your email address registered, often without a password. Verify that you’ve deleted the account fully with the merchant or website before considering it sorted.

  5. Some of these policies provide simple links or email addresses to request account deletion, but most of them nowadays link out to a consent management provider like OneTrust to fill out a form. These forms look to verify that you’re living in the state where the right to delete online accounts applies, so select California if you’re afforded the option. 

  6. iCloud+ provides a method for single-use addresses that forward to your primary inbox called “Hide my Email,” and these can be immediately disabled to lock off that zombie account forever. 

  7. Even in cases where you do upgrade to a passkey, many account providers consider it a secondary sign-in option and retain your password as well. In these cases, it’s important to still set a secure password, even if you intend to use a passkey to sign in. 

  8. I personally use Sign in with Apple quite a bit, but Google accounts are equally useful for this purpose, especially if you’re using these for your password manager in iCloud or Chrome, as well. 

  9. I tend to avoid SMS codes wherever possible, unless as a last resort. Regardless, any second factor is better than none. 

  10. Microsoft allows you to disable the password altogether and only sign in with passkeys, for example, and you can upgrade existing accounts retroactively. I imagine other accounts will follow suit in coming years as passkeys grow in adoption. 

  11. PayPal also provides these benefits with its stored accounts feature, which allows for bidirectional disassociation when the time comes—so rather than unsubscribing on the merchant’s website, I can sever the connection right from PayPal and stop payments immediately. 

  12. Apple Card provides an Advanced Fraud Protection feature to rotate your card’s security code on a regular basis, and I believe many card issuers do the same.