
Improve your security in four easy but rarely implemented steps

Secure computing is very much like exercise and diet: you have to make good choices over time to reap the benefits.

We're already over a month into 2013. I hope you're eating healthy food in reasonable quantities, exercising frequently, and computing securely. Grouping diet, exercise, and secure computing together may strike you as unusual. It isn't.

Diet, exercise, and secure computing are things you must do. Knowing you should exercise is not the same as exercising. Reading that your password should be stronger is not the same as actually making your password stronger. The benefit accrues only with action, not knowledge.

I don't want you to just read this blog post. I want you to act to make your computing experience more secure. One exercise session and one well-balanced meal won't produce health. A one-time improvement in your password won't produce security. Secure computing is very much like exercise and diet: you have to make good choices over time.

Secure computing

Let's start with the obvious: you need to keep your operating system, applications, and security software (e.g., anti-virus) up to date. That said, here are four more things to do to make your online computing experience more secure.

1. Use unique, longer and stronger passwords

You probably use the same password on different websites. Please go eat a candy bar every time you re-use the same password on different sites. This is obviously a bad idea, right? Don't do it. The next time you log in with a password you've used on another site, change it. Your password for every site should be unique.

Tools like LastPass can help you create and manage longer, stronger passwords

When you choose a unique password for each site, make your password as long and as random as possible. And no, your name plus a number or a clever character substitution doesn't count: "Wolber1" or "pa55w0rd" are poor choices. Passwords twelve characters or longer are better than shorter passwords. (Steve Gibson provides a useful method for creating unique passwords called "Off the Grid" on his website. Services like LastPass.com, which I use, can also generate and securely store passwords.)
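As an added illustration of the advice above (this is example code, not part of the original article and not LastPass or Off the Grid code), the block below generates a 12-or-more-character password from a cryptographically secure random source, gives an optimistic entropy estimate so you can compare "Wolber1" and "pa55w0rd" against a generated password, and scans a vault of site/password pairs for re-use. The vault contents and site names are constructed for the demo.

```python
import math
import secrets
import string
from collections import defaultdict

# Character classes used both for generation and for the entropy estimate.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length: int = 16) -> str:
    """Draw a password from a CSPRNG (the secrets module), re-drawing until
    every character class is present. Minimum length 12, per the article."""
    if length < 12:
        raise ValueError("use 12 characters or more")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES.values()):
            return candidate


def entropy_bits(password: str) -> float:
    """Upper-bound estimate: length * log2(size of the smallest class union
    that covers the characters used). Dictionary words and leetspeak such as
    'pa55w0rd' are guessed far faster than this bound suggests, so treat the
    number as optimistic; it still shows why length matters most."""
    pool = sum(len(cls) for cls in CLASSES.values()
               if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def find_reused(vault: dict) -> dict:
    """Given {site: password}, return {password: [sites]} for every password
    that protects more than one site, i.e. the ones to change first."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed demo vault; the sites and passwords are not real.
    demo_vault = {
        "bank.example": "Tr0ub4dor&3",
        "mail.example": "Tr0ub4dor&3",
        "blog.example": generate_password(16),
    }
    for sample in ("Wolber1", "pa55w0rd", demo_vault["blog.example"]):
        print(f"{sample!r}: ~{entropy_bits(sample):.1f} bits")
    print("re-used:", find_reused(demo_vault))
```

The generator enforces all four classes only so the estimate is comparable across samples; the real gain comes from the length and the random source, not from the symbol requirement.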

2. Enable two-factor authentication

(Did you really change all of your passwords? Or are you still reading and not practicing security? Please stop reading now. Go change your passwords to be unique, longer, and stronger; even if you have to resume reading a few weeks from now. This article will be here. Go improve your passwords. Now!)

Your passwords are now longer, stronger, and unique for all systems. Good job.

Now, wherever possible, enable Google's two-step authentication. This means you'll need access to your phone in order to log in to your Google Apps account. (See my article "Secure your Google Account with two-step authentication" for detailed instructions.) You can also enable two-step authentication for access to LastPass, WordPress and Dropbox. Follow Matt Cutts's advice: turn on two-factor authentication everywhere you can.

Use two-step authentication for a month before you move on to the next step.

3. Review your Google Account security settings

Over time, you'll likely use your Google Account to log in to other services. For example, you might have used your Google account to log in to Zoho.com services. You should review this list periodically and "de-authorize" any services you no longer use. Go to http://accounts.google.com/settings/security to view these "Connected sites and services".

Review connected sites and services; revoke access if no longer needed

When you review these sites, also review the "application specific passwords" list at the bottom of the page. These are 16-character codes you generate to enable an application to automatically authenticate with your Google Account. Revoke access to applications you no longer use. (Learn more about how to revoke access on Google's support pages.)

I suggest you review the list of connected sites and services every 90 days or so. At a minimum, review this list whenever there's a time change (in the United States), or on the longest and shortest days of the year. You should do a similar review of connected applications for social media sites you use, such as Facebook and Twitter.

(Still reading and not doing? Please, please, please stop. Change your passwords. Use 2-step authentication. And review your Google Account, Facebook and Twitter security settings at least twice a year. Thanks. Now, let's continue.)

4. There's always more you can do

If you've done the above three steps, your account is likely more secure than that of an average computer user. But there's almost always more you can do. For example, you might:

Bottom line

Maintaining security, just like maintaining health, requires both knowledge and action. Stay on top of Google's latest security news and updates by reading Google's Online Security Blog. Just remember to put the knowledge you gain into action. After all, you can never be too healthy or too secure.

About

Andy Wolber helps people understand and leverage technology for social impact. He resides in Ann Arbor, MI with his wife, Liz, and daughter, Katie.

16 comments
PowercutIND

You just earned x loyalty points from Google. I mean, only Google. What about others? They don't offer 2 step authentication? Was that just an example? Then why shy away from saying "For example..."? I too use LastPass but just realized I have three passwords for the site. Have to delete two. But which two? Sigh! But a nice read overall. Thank you :)

sparent

Something that works for me is to decide on a passphrase that combines mixed cases, letters and symbols. I use that passphrase as the base for all my passwords. I then append a suffix to uniquely identify the site, say #fb for Facebook. I can easily remember a single passphrase for 90 days, along with the suffixes. This avoids having to resort to a password manager to retain unmemorable passwords. One more tip: If, like me, you switch between different keyboard layouts, make sure to stick to characters that are common to all your layouts.

andrew232006

I can partially understand the need for these lengthy, randomized passwords when there is a risk of brute force. But now that almost every site will lock user accounts after a few attempts there is virtually no risk of that. Most passwords are phished, not cracked, these days. In most cases all I need is something that no one will guess and that I don't have to write down somewhere (creating a risk of it being discovered), like "89LampSnowBat".

JCitizen

I had not got around to lengthening the password strength, and that was a good reminder! Thanks Andy (and Mark)!

dcwhitworth

Technically sound advice, but really, who is going to do all this? "You should use a unique password for every site you log into" - watch users' eyes glaze over as they discard your advice as hopelessly impractical: "I'm not doing all that", "I can't even remember the passwords I already have", "Have you any idea how many websites I use?" Yes, you can use password security systems, but many users baulk at adopting *more* technology if they don't have to.

KristiMetz

"Long, strong" passwords as a way to secure accounts is not very feasible for most people. It's incredibly time consuming to come up with a different password for each account. It also gives you a single point of failure for all of your security - a password app. I realize there's not much of an alternative, but I don't think it's realistic for everyone to come up with lengthy, hard to type and hard to remember passwords, have a different one for each site, etc.

NickP2012

I'm still a student in the IT world and have only been in the field for a year. I would like to know from others: what is a good anti-virus software? Thanks

jonc2011

I use strong unique passwords for any site that could cost me anything if hacked, like bank access (c 10 characters from 96 char set). For sites that no sane person would want to hack, like tech blogs, I use a simple common password. And what is the point of changing passwords? If a password is sniffed, your bank account will be cleaned out before you realise it. The only other issue is if your computer is stolen. Then there is a chance that someone will try a brute force attack. So (hopefully) this risk can be minimised by bios and logon passwords. Also if my computer was stolen, I would notify the bank immediately and change passwords. A password safe is handy particularly if it requires approval to copy a password/user name to the clipboard. I hope people will respond to this and prove me wrong.

Mark W. Kaelin

What security practices do you consider essential for most Google users? What did Andy miss that you think is important?

JCitizen

I've fallen just once for a good phishing email that looked just like my PayPal usual drivel; but when I went to the fake site, LastPass would not recognize it, and of course that prompted me to look closely at the URL and discover, much to my embarrassment what I had done. I've never seen as convincing an email since; but I still look at headers once and a while even on the legit ones.

JCitizen

A good tactic is to scare the pants off the client then follow up with a good remote desktop session showing them how easy LastPass (or whatever password manager you employ) is to configure and use. I've got many a former clueless user interested in LastPass, and now they feel naked without it!

JCitizen

A good start is to do more than just an anti-virus. I used to recommend either Comodo Personal Firewall or On-Line Armor - but they both seem so bloated I can barely get either one to operate now. So I've been evaluating PC-Tools free firewall from Major Geeks, and am pretty impressed so far. As far as anti-virus, you can't go wrong with the free Avast solution; but when it comes to anti-malware, you better just pay up, because that is where the real threats are now. MBAM has a cheap $24 lifetime license that is well worth it! On XP machines Avast will report it as a root-kit, but not to worry - that is because MBAM has become more resistant to malware and exhibits root-kit-like behavior for its kernel level activities. With those three to start you out on the road to a truly blended defense you can't lose. It wouldn't hurt to put WinPatrol on there as well, because it watches the start-up folder pretty well, and it is free too. The new thing I'm playing with is EMET, because Java exploits have become such a bad problem now (thanks to Oracle) that I have two configurations for that now. Enter into the EMET console the exe files that Java uses - there are three of them - and use parental controls for Vista/Win7 to lock down the programs you have already installed on restricted accounts. I don't enable the site filter, just the applications. For starters it is better to accept the recommended system settings for your operating system on EMET. So a lot of what you do in INFOSEC is hardening of the operating system, but using tools like Secunia PSI and File Hippo Update Checker will get you even farther. I assume you already know NOT to operate as an administrator account in your daily work. This advice is just the tip of the iceberg in computing security - so keep that in mind. Reading up on Michael Kassner's articles will help you a lot! :D

herrstiefel

I try to have strong passwords for everything, including tech blogs. The simple reason is that it reinforces behavior and develops positive habits. For sites like this, I would rather no one has the ability to make me look like a fool by hacking my account and posting something stupid; I can handle that well enough on my own. +1 to password safes. I am a heavy KeePass user and have always been happy with both the storage and password generation systems.

JCitizen

the cool charts being in that article Michael! I had to re-read it! :) Still very prescient!