This post is to serve as a guide for best practices regarding tracker security.

1) Don't use your real name, or primary email anywhere. Don't use an alias that can be easily googled to find your real name or identities you use elsewhere. Don't reveal personally identifiable information about yourself in IRC or on forums.

2) Get a piracy specific gmail account. Most private trackers require a gmail account for registration. For convenience sake, you can set it up to forward any email to your real account for confirmations/notifications.

3) Weigh using a different alias on each tracker/site. The downside is that you don't build as cohesive of a reputation across all sites. The upside is that you are less visible as a target, and if someone is trying to hack your accounts or gains access to one account, they may not know your identity at other sites.

4) Use a different password at every tracker.

4.1) Use a very strong password. Note that strong does not mean gibberish. See this XKCD for context:

https://imgs.xkcd.com/comics/password_strength.png

As can be seen from example above using pass phrase is the best practice, 4 unconnected words will be easy for you to memorize but hard to brute force.

Or either use something like www.diceware.com (offline using dice) or www.makemeapassword.org (online) to generate your passwords. diceware is slightly more secure, but requires manual work. makemeapassword is automatic, and generates passwords that are easier to remember. Longer is better. Using these methods gives you very long, very secure passwords, that are very easy to remember.

4.2) Rotate your passphrase on a schedule. Although the brute force security of these passwords is on the order of thousands/millions of years, other methods such as keyloggers, or over the shoulder, can expose your passphrase, which exposes every site you manage in the password manager.

4.3) For the individual sites you can use a regular "gibberish" password, or another passphrase. (remember, a different password for each site). Ideally, you won't know any of your passwords to individual sites, and will only use the password manager. These passwords are technically less secure, but since most websites will lock you out after X incorrect attempts, the brute force method is impracticable. Also unfortunately many websites have password rules that force you to use these insecure passwords.

5) Consider two factor authentication. It's strongly recommended using 2 factor for gmail (both on your primary account, and your piracy account) If someone gets access to that, they can reset your password at many sites (including your bank, paypal, etc) . 2 factor on individual trackers is less important, especially if you are using passwords as suggested, unless you access trackers a lot from public locations like coffee shops, libraries, school, etc. Then 2factor provides good additional security.

6) Always use SSL. Many trackers let you turn it on as a preference. You can also use a browser plugin to force SSL where enabled.

7) if you are accessing trackers from insecure locations, consider installing a portable version of chrome or another browser on a USB stick to use, or even a portable OS. That can protect you from malicious plugins or malware on the insecure computer. (If someone has a physical keyloger installed, well, you are fucked at that point. Rotate your password)

8) Never share your account or passwords with anyone. If they are worthy of using the tracker give them an invite.

If you don't believe me, listen to Edward Snowden and John Oliver! http://time.com/3815620/edward-snowd...d-john-oliver/