
RedLab Security Resources
Practical Guidance for Everyone

Security is a community responsibility. These resources are free, practical, and written in plain language. Whether you’re a business owner evaluating your security posture or an individual protecting your personal accounts, start here.

Quick Links

Documents

  • Social Media Best Practices Guide

  • Account Management Guide

  • Phone Security Guide

Password Security Best Practices

Passwords remain the primary way most of us protect our accounts. The good news: modern password guidance has moved away from the complicated rules that made passwords hard to remember and easy to guess. The current federal guideline, NIST SP 800-63B (revision 4, finalized in 2025), is straightforward.

What the NIST guideline says:

Use long passwords. NIST sets 8 characters as the floor, recommends a 15-character minimum when the password is the only factor protecting the account, and requires verifiers to accept passwords of at least 64 characters so a long passphrase is never rejected. RedLab recommends a minimum of 15 characters for business accounts and 12 for personal ones. A passphrase like “purple-bicycle-ocean-thunder” is dramatically stronger than a short complex password like P@ssw0rd! and far easier to remember. For a password you choose yourself, length is the single most important factor in strength.

Do not force complexity rules. Requiring uppercase, lowercase, numbers, and symbols leads to predictable patterns (Password1!, Summer2025!). NIST explicitly recommends against mandatory complexity. Focus on length instead.

Do not rotate passwords on a schedule. Changing passwords every 90 days leads to incremental changes (Password1, Password2, Password3) that attackers predict easily. Only change a password when there is evidence it has been compromised.

Check passwords against known breaches. Any password that appears in a known data breach should be rejected immediately, regardless of how complex it looks. Attackers maintain dictionaries of every breached password ever published.

Using Password Managers: 

A password manager generates, stores, and auto-fills a unique random password for every account you have. You only memorize one master password, the one that unlocks the vault. This eliminates password reuse, which is what makes credential stuffing (replaying passwords leaked from one site against every other site) one of the most common ways accounts are compromised.

  • Bitwarden — bitwarden.com — Open-source. Strong free tier for personal use. Business plans available. Independently audited.

  • 1Password — 1password.com — Excellent interface. Individual and business plans. Travel mode for border crossings.

RedLab Security recommends physical security keys from Yubico as the second factor wherever they are supported. At a minimum, use an authenticator app rather than SMS or email one-time passcodes (OTPs).

Reviewing Password Exposure:

RedLab Security recommends Have I Been Pwned (haveibeenpwned.com) for reviewing your posture against known breaches. 

  • Free service maintained by security researcher Troy Hunt. Enter your email address to see if it appears in known data breaches. Also check haveibeenpwned.com/Passwords to see if a specific password has been exposed.

  • If your email appears in a breach, change the password for that account immediately. If you used that same password on other accounts, change all of them. This is why a password manager with unique passwords per account matters.
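As an added example (written for this page; it is not Have I Been Pwned’s own software), the Python below implements the k-anonymity check that haveibeenpwned.com/Passwords uses, together with the NIST-style length and blocklist rules from the section above. Only the first five hex characters of the password’s SHA-1 hash ever leave the machine; the suffix matching is done locally. The breach list, its counts and the “redlab” context word are constructed for the offline demo; `fetch_range_live` is the one function that talks to the real api.pwnedpasswords.com range endpoint, and the User-Agent string it sends is an assumed name.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Sequence

# A range fetcher maps a 5-hex-character SHA-1 prefix to the API's "SUFFIX:COUNT" lines.
RangeFetcher = Callable[[str], str]


def hibp_range_lookup(password: str, fetch_range: RangeFetcher) -> int:
    """k-anonymity lookup: hash locally, send only the first 5 hex chars, match the rest locally.

    Returns how many times the password appears in known breaches (0 if not found).
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Network fetch against the public Pwned Passwords range endpoint (not used offline)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "redlab-password-check-example"},  # assumed client name
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_offline_fetcher(breached: Dict[str, int]) -> RangeFetcher:
    """Constructed stand-in for the API: synthesises range responses from a known-breached set."""
    by_prefix: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        by_prefix.setdefault(h[:5], []).append(f"{h[5:]}:{count}")

    def fetch(prefix: str) -> str:
        return "\r\n".join(by_prefix.get(prefix.upper(), []))
    return fetch


def evaluate_password(password: str, fetch_range: RangeFetcher, min_length: int = 15,
                      context_words: Sequence[str] = ()) -> List[str]:
    """Verifier-side checks in the spirit of NIST SP 800-63B: a length floor, a
    context-specific blocklist and a breach blocklist, and deliberately nothing
    about character classes or expiry. Returns a list of problems (empty = accept)."""
    problems: List[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    lowered = password.lower()
    for word in context_words:  # service name, username, etc. must not appear in the password
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word '{word}'")
    seen = hibp_range_lookup(password, fetch_range)
    if seen:
        problems.append(f"seen {seen} times in known breaches")
    return problems


# Constructed breach data for the offline demo; the counts are made up.
CONSTRUCTED_BREACHES = {"P@ssw0rd!": 18000, "Summer2025!": 1200, "Password1": 350000}

if __name__ == "__main__":
    fetch = make_offline_fetcher(CONSTRUCTED_BREACHES)  # swap in fetch_range_live for real checks
    for pw in ("P@ssw0rd!", "purple-bicycle-ocean-thunder"):
        print(repr(pw), evaluate_password(pw, fetch, context_words=["redlab"]) or ["OK"])
```

The fetcher is injected so the same policy function runs against the live API in production and against constructed data in tests; if you wire up `fetch_range_live`, note that the real service returns several hundred suffix lines per prefix, which is what keeps the lookup anonymous.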

Two Factor Authentication

Two-factor authentication adds a second verification step when you log in: something you know (your password) plus something you have (your phone, an app, or a physical key). Even if someone steals your password, they cannot access your account without the second factor. Enable 2FA on every account that supports it.

Recommended Methods (Strongest to Weakest)

  • Hardware security key (YubiKey) — Strongest. A small physical device you plug into USB or tap via NFC. The credential is a FIDO2/WebAuthn key pair bound to the website’s origin, so the key will not sign a login challenge presented by a look-alike domain. Immune to phishing, SIM swapping, and push notification fatigue. Hardware keys and passkeys (below) are the only methods on this list that defeat real-time phishing proxy attacks.

  • Recommended: YubiKey 5 NFC (USB-A plus NFC) or YubiKey 5C NFC (USB-C plus NFC), around $50. Buy two — register both, keep one as backup in a safe.

  • Passkeys — Strong. FIDO2/WebAuthn credentials stored on your phone or computer and unlocked with biometrics (Face ID, fingerprint) or the device PIN. Most are synced between your devices through iCloud Keychain or Google Password Manager rather than bound to a single device, so protect that platform account well. Same origin binding as a hardware key, so equally phishing-resistant, with no separate hardware needed. Not yet universally supported but growing rapidly.

  • Authenticator app (TOTP) — Good. Google Authenticator, Microsoft Authenticator. Free and widely supported. The six-digit code is computed from a shared secret and the clock, not from the website, so a real-time phishing page can ask for it and relay it within its 30-second window; still dramatically better than no 2FA. Keep the backup codes a site issues at enrollment somewhere other than the phone that runs the app (your password manager vault or a printed copy in a safe).

  • If you do nothing else after reading this page, install an authenticator app and enable it on your email, banking, and social media accounts today.

  • SMS text codes — Better than nothing, but weakest. NIST classifies SMS as a “restricted” authenticator. Vulnerable to SIM swapping (an attacker calls your carrier, pretends to be you, and transfers your number to their phone), which the carrier port-out PIN described under Phone Security helps prevent. Use SMS only when no other option is available, and upgrade to an authenticator app or hardware key as soon as possible.

Where to enable 2FA first

Prioritize these accounts in order:

  1. Email (Gmail, Outlook, Yahoo) — Your email is the master key. If an attacker controls your email, they can reset passwords on every other account.

  2. Financial accounts — Bank, credit card, investment, payment apps (Venmo, PayPal, Zelle).

  3. Password manager — Protects the vault that holds every other credential.

  4. Social media — Facebook, Instagram, LinkedIn, X. Account takeovers are common and damaging.

  5. Cloud storage — Google Drive, iCloud, Dropbox. May contain sensitive documents.

  6. Healthcare portals — Your patient portal, insurance portal, pharmacy accounts.

Phone Security

Your phone is likely the most valuable target you carry. It contains your email, your banking apps, your authenticator codes, your contacts, your photos, your location history, and often your health data. Securing it is not optional.

Essential settings

  • Screen lock: Use a 6-digit PIN minimum, or biometrics (Face ID / fingerprint) backed by a strong PIN. Avoid 4-digit PINs and pattern locks, which are too easily observed or guessed. Set auto-lock to 2 minutes or less. Be mindful of entering your PIN in public places where others may see it.

  • Software updates: Install operating system and app updates promptly. Security patches close vulnerabilities that attackers are actively exploiting. Enable automatic updates whenever possible.

  • Encryption: Modern iPhones and Android devices are encrypted by default, and the encryption keys are protected by your lock screen passcode, which is why a weak PIN weakens the encryption. Verify: iPhone — Settings > Face ID & Passcode, then scroll to the bottom for “Data protection is enabled”. Android — Settings > Security (the exact menu varies by manufacturer; look for Encryption or Encrypt phone).

  • Find My Device: Enable the built-in device locator. iPhone: Settings > [Your Name] > Find My > Find My iPhone. Android: Settings > Security > Find My Device. This allows you to locate, lock, or remotely erase your phone if it’s lost or stolen.

  • App permissions: Review which apps have access to your location, camera, microphone, contacts, and photos. Revoke permissions for apps that don’t need them. iPhone: Settings > Privacy & Security. Android: Settings > Privacy > Permission manager.

SIM protection

Set a SIM PIN: A SIM PIN prevents someone who removes your SIM card from using it in another phone. It does not stop a SIM swap carried out through your carrier, which the port-out PIN below addresses. iPhone: Settings > Cellular > SIM PIN. Android: Settings > Security > SIM card lock. The default PIN is usually 1111 or 1234, so change it immediately, and record the new PIN in your password manager: three wrong entries lock the SIM until you obtain the PUK code from your carrier.

Contact your carrier: Call your mobile carrier and request a port-out PIN or account security freeze. This adds a layer of verification before anyone can transfer your phone number to a new carrier or SIM — the primary defense against SIM swapping attacks.

Major carriers: AT&T, Verizon, and T-Mobile all support port-out PINs and account security PINs. Call customer service or visit a retail location to set this up.

Public WiFi

Public WiFi networks (coffee shops, airports, hotels) are inherently untrusted. Most websites now use HTTPS, which protects the content of your traffic even on a hostile network, but the hotspot operator or another user can still see which sites you visit, tamper with anything sent unencrypted, or stand up a look-alike hotspot. Use your phone’s cellular data connection for sensitive activities like banking and email. If you must use public WiFi, a reputable VPN service encrypts all of your traffic as far as the VPN provider, and never click through a certificate warning on a public network.

VPN Recommendations

When using a VPN on an untrusted network, RedLab Security recommends the following paid options: 

Social Media & Safe Information Sharing

What you share publicly on social media can be used against you. Attackers routinely mine social media profiles to craft targeted phishing emails, answer security questions, impersonate you to your contacts, and build the personal details needed for social engineering attacks.

What to think about before you post

Location data: Posting real-time locations (check-ins, travel updates, “at the airport!”) tells anyone watching exactly where you are — and where you’re not. Consider sharing travel photos after you return, not while you’re away.

Personal details that answer security questions: Your mother’s maiden name, the street you grew up on, your first pet’s name, the city where you were born, your high school mascot — these are common security questions. If the answers are in your social media history, they are not secret.

Workplace information: Job title, employer, internal tools you use, your work schedule, the names of your coworkers — all useful for an attacker crafting a convincing spear-phishing email that appears to come from someone you work with.

Family details: Children’s names, schools, birthdates, and routines. This information can be used for social engineering (“Hi, I’m calling from [school name] about [child’s name]”) or to impersonate family members.

Practical steps

  • Review your privacy settings on every platform. Set profiles to private/friends-only where possible. Audit who can see your posts, your friends list, and your personal details.

  • Search yourself. Google your name, your email addresses, and your phone number. See what’s publicly visible. Many data broker sites aggregate and publish personal information — you can request removal.

  • Be thoughtful about friend/connection requests from people you don’t know, especially if the profile was recently created or has very few connections. Fake profiles are a common reconnaissance tool.

  • Separate personal and professional identities where practical. Consider whether your business social media accounts need to be linked to your personal profiles.

External Resources

These agencies publish free, authoritative guidance on cybersecurity for individuals, businesses, and critical infrastructure. Bookmark the ones relevant to you.

If you believe your personal information has been compromised, your accounts have been accessed without authorization, or you have been the victim of a cybercrime, use the resources below to report it and begin recovery.

Federal reporting

  • FBI Internet Crime Complaint Center (IC3)

    • ic3.gov

    • The FBI’s central hub for reporting internet-enabled crime: phishing, business email compromise, ransomware, identity theft, fraud, and more. File a complaint online. IC3 reviews submissions and routes them to the appropriate law enforcement agency.

  • Federal Trade Commission (FTC) — Report Fraud

    • reportfraud.ftc.gov

    • Report scams, fraud, and unfair business practices to the FTC. Complaints are entered into a database used by law enforcement nationwide.

  • FTC Identity Theft Recovery

    • identitytheft.gov

    • If your identity has been stolen, this site walks you through a personalized recovery plan: placing fraud alerts, filing reports, disputing fraudulent charges, and notifying affected institutions.

  • CISA — Report a Cyber Incident

    • cisa.gov/report

    • Report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency. CISA coordinates federal incident response and can provide technical assistance.

Arizona reporting

  • Arizona Attorney General — Consumer Complaints

    • azag.gov/complaints

    • File complaints about data breaches, identity theft, and consumer fraud with the Arizona AG’s office.

  • Arizona A.R.S. §18-552 Breach Notification

    • azleg.gov/ars/18/00552.htm

    • Arizona’s data breach notification law. Requires notification to affected individuals within 45 days of determining that a breach occurred, and to the Attorney General and the three largest consumer reporting agencies if more than 1,000 individuals are affected.

Credit and financial

Freeze your credit — Contact all three bureaus to place a security freeze, which prevents anyone from opening new accounts in your name. Free, fast, and the single most effective step after a data breach involving your personal information.

  • Equifax: equifax.com/personal/credit-report-services/credit-freeze/ or call 1-800-349-9960

  • Experian: experian.com/freeze or call 1-888-397-3742

  • TransUnion: transunion.com/credit-freeze or call 1-888-909-8872

A credit freeze does not affect your credit score and can be temporarily lifted when you need to apply for credit. It is the strongest protection against identity theft.

CISA (Cybersecurity and Infrastructure Security Agency)

  • CISA Cybersecurity Resources

    • cisa.gov/cybersecurity

    • The lead federal agency for cybersecurity. Publishes alerts, advisories, best practices, and free tools for organizations of all sizes.

  • CISA Secure Our World

    • cisa.gov/secure-our-world

    • Public awareness campaign with plain-language guidance on passwords, MFA, software updates, and phishing recognition. Excellent starting point for individuals.

  • CISA Known Exploited Vulnerabilities Catalog

    • cisa.gov/known-exploited-vulnerabilities-catalog

    • Maintained list of vulnerabilities that are being actively exploited. Critical for IT teams to prioritize patching.

  • CISA Shields Up

    • cisa.gov/shields-up

    • Heightened threat guidance and protective actions for organizations during periods of elevated cyber risk.

NIST (National Institute of Standards and Technology)

  • NIST Small Business Cybersecurity

    • nist.gov/cybersecurity/small-and-medium-size-business-resources

    • Resources specifically designed for small businesses, including the Small Business Cybersecurity Corner and practical implementation guides.

NSA (National Security Agency)

  • NSA Cybersecurity Advisories and Guidance

    • nsa.gov/cybersecurity-guidance

    • Technical advisories, hardening guides, and best practices from the NSA’s Cybersecurity Directorate. Covers network infrastructure, cloud security, mobile device hardening, and identity protection.

  • NSA — Mobile Device Best Practices

    • media.defense.gov (search “NSA mobile device best practices”)

    • One-page reference for securing smartphones. Covers Bluetooth, WiFi, app permissions, and physical security. Print it and keep it near your desk.

FBI

  • FBI Internet Crime Complaint Center (IC3)

    • ic3.gov

    • Central reporting portal for all internet-enabled crimes. Also publishes the annual Internet Crime Report with statistics on reported losses by crime type.

  • FBI Cyber Division — Scams and Safety

    • fbi.gov/how-can-we-help-you/scams-and-safety

    • Educational resources on current scams, fraud schemes, and how to protect yourself. Updated regularly with new threat information.

  • InfraGard

    • infragard.org

    • The FBI’s public-private partnership for critical infrastructure protection and threat intelligence sharing. RedLab Security participates in InfraGard to maintain awareness of threats targeting Arizona businesses.

HHS (Department of Health and Human Services)

  • HHS HIPAA Security Rule Guidance

    • hhs.gov/hipaa/for-professionals/security

    • Official guidance on the HIPAA Security Rule for healthcare organizations. Includes implementation specifications, audit protocols, and enforcement actions.

  • HHS Breach Portal (Wall of Shame)

    • ocrportal.hhs.gov/ocr/breach/breach_report.jsf

    • Public database of healthcare data breaches affecting 500 or more individuals. Searchable by organization, state, and breach type. A sobering resource for understanding the frequency and impact of healthcare breaches.

FTC (Federal Trade Commission)

  • FTC Safeguards Rule

    • ftc.gov/legal-library/browse/rules/safeguards-rule

    • The FTC’s data security requirements for financial institutions, including tax preparers, accountants, and other businesses handling financial data. Updated requirements effective June 2023.

  • FTC Start with Security Guide

    • ftc.gov/business-guidance/resources/start-security-guide-business

    • Practical security guidance for businesses of all sizes. Ten lessons drawn from FTC enforcement actions.

Free Security Verification Tools

These tools help you verify your security posture and check for common vulnerabilities. All are free and require no installation.

  • Have I Been Pwned

    • haveibeenpwned.com

    • Check if your email or phone number appears in known data breaches.

  • Have I Been Pwned — Passwords

    • haveibeenpwned.com/Passwords

    • Check if a specific password appears in known breach databases. Uses a k-anonymity model: your browser hashes the password locally and sends only the first five characters of the SHA-1 hash, so the service never receives the password itself.

  • MXToolbox

    • mxtoolbox.com

    • Verify your domain’s email authentication (SPF, DKIM, DMARC), check blacklists, and diagnose email delivery issues. Essential for confirming your email security is properly configured.

  • SSL Labs Server Test

    • ssllabs.com/ssltest

    • Test your website’s SSL/TLS configuration. Grades your certificate, protocol support, and cipher configuration. A grade lower than A indicates configuration issues.

  • 2FA Directory

    • 2fa.directory

    • Searchable database of websites and whether they support two-factor authentication, and which methods each site accepts.

  • Security Headers

    • securityheaders.com

    • Scan your website for the presence and configuration of HTTP security headers (CSP, HSTS, X-Frame-Options, etc.).
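The MXToolbox check above tells you whether SPF and DMARC records exist; the added example below (written for this page, not MXToolbox’s code) shows what “properly configured” means by grading the record text itself. The records in EXAMPLE_RECORDS are constructed; obtain your own with `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain` and pass them in. The rules are the standard ones: an SPF record ending in +all, or lacking a terminal all, authorizes the whole internet; more than ten lookup mechanisms makes the record fail with permerror under RFC 7208; and a DMARC policy of p=none monitors but never blocks.

```python
import re
from typing import Dict, List

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 section 4.6.4 caps these at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _term_name(term: str) -> str:
    """'include:_spf.example.com' -> 'include'; '-all' -> 'all'; 'a/24' -> 'a'."""
    return re.split(r"[:/=]", term.lower().lstrip("+-~?"), maxsplit=1)[0]


def evaluate_spf(txt: str) -> List[str]:
    """Return human-readable weaknesses in an SPF TXT record (empty list means no findings)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings: List[str] = []
    all_term = next((t for t in terms[1:] if _term_name(t) == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("+all lets any server on the internet pass SPF for this domain")
    elif all_term.startswith("?"):
        findings.append("?all is neutral, equivalent to no policy")
    elif all_term.startswith("~"):
        findings.append("~all is softfail; -all is stricter (acceptable only if DMARC enforces)")
    lookups = sum(1 for t in terms[1:] if _term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(txt: str) -> List[str]:
    """Return weaknesses in the DMARC record published at _dmarc.<domain>."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag; the record is invalid")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail that fails checks is still delivered")
    if policy in ("quarantine", "reject") and int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: only that share of failing mail is policed")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected while the main domain is enforced")
    return findings


# Constructed example records, not the result of real DNS lookups.
EXAMPLE_RECORDS = {
    "weak_spf": "v=spf1 include:_spf.google.com +all",
    "good_spf": "v=spf1 include:_spf.google.com -all",
    "monitor_only_dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "enforcing_dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, record in EXAMPLE_RECORDS.items():
        checker = evaluate_spf if "spf" in name else evaluate_dmarc
        print(name, checker(record) or ["OK"])
```

DKIM is deliberately absent: its correctness can only be judged by verifying a signed message against the selector’s public key, which MXToolbox does for you from a message header, whereas SPF and DMARC can be graded from the DNS text alone.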
