FAQ

Passwords and Password Managers

[!question] What is a password manager and how is it used?

Passwords are probably the number one target for attacks, whether from governments or other malicious actors. Using a unique and strong password for each service should be as natural as knowing your own name.

Password managers are the essential tool to make this possible:

• In our general article on passwords, we explain what makes a good password.
• In our recommendations for password managers, we discuss the pros and cons of different tools (like KeePassXC and Bitwarden).
• In our guide to KeePassXC, we make it as easy as possible to get started with this great program.

[!question] Can Online Password Managers Be Hacked?

In theory, anything that is accessible online can be “hacked.” The important question is whether this results in any actual harm.

We explored this question through a example scenario and discussed a possible solution!

[!question] How do I encrypt documents?

In our recommendations, we discuss the pros and cons of the two most well-known programs for file encryption:

• VeraCrypt
• Cryptomator

Those two programs can be used to encrypt single files, folders, or even whole devices, but they each have there pros and cons. See our comparison.

TL;DR

• VeraCrypt is perfect for encrypting whole USB drives or even whole Windows Systems. See our instructions for that.
• Cryptomator is perfect for syncing encrypted files to a cloud. See our instructions for that.

[!question] Do Attackers Know How Many Digits a Phone PIN Has If It’s Not Displayed on the Screen?

• As long as you haven’t fallen victim to Shoulder Surfing and your device doesn’t have any vulnerabilities in this area: No :)
• The risk of such vulnerabilities existing and being exploited on your device can be avoided by keeping your updates up to date.

Data

[!question] How Can Data Be Securely Deleted?

We discuss this question in our article on data hygiene.

In it, we try to explain the technical issue using a metaphor and provide a solution.

Internet & Networks

[!question] Can My Use of Less Legal Streaming Sites Be Tracked?

It depends on how the traffic between your device and the website is encrypted:

• Without encryption (http): Yes.
• With transport encryption (https): Only the fact that you visited the site is visible, not necessarily what exactly you are doing there.
• Over TOR: No.
• With VPN: When using a VPN, the VPN provider can see everything that your internet provider would see without a VPN. This includes:
  • Your IP address (which is tied to a mobile or internet contract)
  • Which websites are visited
  • Whether media is being streamed (can be inferred from data usage)

Malware/Virus/Trojan

[!question] Can you get a virus just by clicking on a link?

Yes. Viruses, or malware are commonly distributed through phishing campaigns, where an attacker tries to trick somebody into clicking a malicious (bad) link or document. If you do happen to fall for phishing, it’s still good to know that you’ve installed all security updates, so the malware might not succeed.

[!question] How realistic is it that a phone could actually be used as a listening device?

This can happen if the phone (or another device with a microphone) is infected with malware (virus/trojan). Some devices and operating systems are particularly well protected against this (see GrapheneOS).

[!question] Can I be eavesdropped on through Bluetooth headphones?

Yes, that it possible. Therefore an attacker would highjack the Bluetooth connection between your headphones and the streaming device, e.g. your phone. A lot of widely used headphones are susceptible to such attacks, which was impressively demonstrated at the 39C3 in Hamburg in 2025.

This attack not only enables the attacker to listen to the music you listen to, but also enables them to highjack calls. This in return could be used to e.g. circumvent 2FA authentication through SMS/calls, like shown in the demonstration linked above.

[!question] How important is it, to get out the phones before a meeting?

This question solely comes down to the threat of spyware. Spyware is the virus, that lets attackers access your microphone, camera or anything else on your device. So the answer to the question depends on your own threat model and the attacker that could be targeting you. Because this analysis of your own threat model might be a bit difficult without experience, it is helpful to look at other cases in your country and similar threat models to yours:

• Have their been reported cases of spyware attacks from your government, or the government you fear surveillance from?
• Had those victims had a similar or even less dangerous threat model than yourself?
• Would you finally say, that it could be likely, that you, or your friends in the meeting could be target of an attack with spyware? If so, then keep the phones out. If not, it might be convenient to have your phone with you, to check your calendar, notes, or anything else you might need it for.

This said, you should rather pay attention to other devices, that might be in the room and listening. E.g. “smart” IoT devices often have microphones for speech recognition, or even cameras. This may include Smart TV’s, fridges, washing machines and so on. If you are unsure, simply look for the name of the model, or it’s serial number and do a quick web search. If it is advertised with something that might see or hear something, then unplug it.

[!question] How can I know, whether my anti-virus program doesn’t secretly spy on my itself?

You can’t really know that, because for those programs to work, they have to be implemented very deep inside your operating system with lot’s of privileges. So in theory, those programs are very much capable of controlling the whole system. Besides that, the time for anti-virus programs is quite over now, because todays operating systems have some pretty good self-defense mechanisms themselves. In the earlier days, this wasn’t always the case and even if there are still some flaws in the OS’s, there is actually no need to install additional anti-virus software.

Messenger

[!question] How can different Messengers be compared to each other?

In our recommendations we discuss some pros and cons of some messengers we think are most relevant for an activist context. For a far more detailed comparison there is the well known messenger-matrix on the Kuketz Blog, which is definitely worth a visit. It compares about ~20 different messengers on a variety of metrics.

[!question] Is there still a sort of encrypted communication, that can’t be sniffed on?

Even though surveillance in the “cyber world” is more relevant than ever and state-sponsored spyware is on the rise, we can confidently say: There is, especially today, very good communication encryption, particularly end-to-end encryption.

However, it’s important that it’s used correctly and consistently. In modern cases where communication is successfully intercepted, it’s usually due to user errors, such as:

• Phishing
• not applying updates or faulty/absent encryption implementation (see, for example, EncroChat).

[!question] How secure is Signal?

Signal is one of the most secure digital communication options available. The underlying protocol is the “gold standard” among encryption protocols and is adopted by many other messaging apps.

The only criticism of Signal is that you need a phone number to register, which in most countries must be tied to an ID. However, this is an issue of anonymity, not security.

As long as no attacker has access to your device or your contact’s device, it can be assumed that the communication content via Signal is very well protected!

See also our recommended settings for Signal.

[!question] Can you register a Signal account on a laptop without smartphone?

Yes, signal-cli can register new accounts, but it requires some work with a terminal/console to get it working.