What security practices do you consider essential for most Google users? What did Andy miss that you think is important?
I use strong unique passwords for any site that could cost me anything if hacked, like bank access (c. 10 characters from a 96-character set). For sites that no sane person would want to hack, like tech blogs, I use a simple common password.
And what is the point of changing passwords? If a password is sniffed, your bank account will be cleaned out before you realise it. The only other issue is if your computer is stolen. Then there is a chance that someone will try a brute force attack. So (hopefully) this risk can be minimised by BIOS and logon passwords. Also, if my computer was stolen, I would notify the bank immediately and change passwords. A password safe is handy, particularly if it requires approval to copy a password/user name to the clipboard. I hope people will respond to this and prove me wrong.
I try to have strong passwords for everything, including tech blogs. The simple reason is that it reinforces behavior and develops positive habits. For sites like this, I would rather no one has the ability to make me look like a fool by hacking my account and posting something stupid; I can handle that well enough on my own.
+1 to password safes. I am a heavy KeePass user and have always been happy with both the storage and password generation systems.
I have written about this exact thing: "Are users right in rejecting security advice?"
http://www.techrepublic.com/blog/security/are-users-right-in-rejecting-security-advice/3275
the cool charts being in that article Michael! I had to re-read it! 
Still very prescient!
I'm still a student in the IT world and have only been in the field for a year. I would like to know from others what is a good anti-virus software? Thanks
A good start is to do more than just an anti-virus. I used to recommend either Comodo Personal Firewall or On-Line Armor, but they both seem so bloated I can barely get either one to operate now. So I've been evaluating PC-Tools free firewall from Major Geeks, and am pretty impressed so far.
As far as anti-virus, you can't go wrong with the free Avast solution; but when it comes to anti-malware, you'd better just pay up, because that is where the real threats are now. MBAM has a cheap $24 lifetime license that is well worth it! On XP machines Avast will report it as a rootkit, but not to worry: that is because MBAM has become more resistant to malware and exhibits rootkit-like behavior for its kernel level activities.
With those three to start you out on the road to a truly blended defense you can't lose. It wouldn't hurt to put WinPatrol on there as well, because it watches the start up folder pretty well, and it is free too.
The new thing I'm playing with is EMET, because Java exploits have become such a bad problem now (thanks to Oracle) that I have two configurations for that now. Enter into the EMET console the exe files that Java uses (there are three of them) and use parental controls for Vista/Win7 to lock down the programs you have already installed on restricted accounts. I don't enable the site filter, just the applications. For starters it is better to accept the recommended system settings for your operating system on EMET.
So a lot of what you do in INFOSEC is hardening of the operating system, but using tools like Secunia PSI and File Hippo Update Checker will get you even farther. I assume you already know NOT to operate as an administrator account in your daily work.
This advice is just the tip of the iceberg in computing security - so keep that in mind. Reading up on Michael Kassner's articles will help you a lot!
"Long, strong" passwords as a way to secure accounts is not very feasible for most people. It's incredibly time consuming to come up with a different password for each account. It also gives you a single point of failure for all of your security - a password app.
I realize there's not much of an alternative, but I don't think it's realistic for everyone to come up with lengthy, hard to type and hard to remember passwords, have a different one for each site, etc.
Technically sound advice, but really, who is going to do all this?
"You should use a unique password for every site you log into": watch users' eyes glaze over as they discard your advice as hopelessly impractical. "I'm not doing all that", "I can't even remember the passwords I already have", "Have you any idea how many websites I use?"
Yes you can use password security systems but many users baulk at adopting *more* technology if they don't have to.
A good tactic is to scare the pants off the client then follow up with a good remote desktop session showing them how easy LastPass (or whatever password manager you employ) is to configure and use. I've got many a former clueless user interested in LastPass, and now they feel naked without it!
I had not got around to lengthening the password strength, and that was a good reminder! Thanks Andy (and Mark)!
I can partially understand the need for these lengthy, randomized passwords when there is a risk of brute force. But now that almost every site will lock user accounts after a few attempts there is virtually no risk of that. Most passwords are phished, not cracked, these days. In most cases all I need is something that no one will guess and that I don't have to write down somewhere (creating a risk of it being discovered), like "89LampSnowBat".
I've fallen just once for a good phishing email that looked just like my usual PayPal drivel; but when I went to the fake site, LastPass would not recognize it, and of course that prompted me to look closely at the URL and discover, much to my embarrassment, what I had done. I've never seen as convincing an email since; but I still look at headers once in a while, even on the legit ones.
Something that works for me is to decide on a passphrase that combines mixed cases, letters and symbols. I use that passphrase as the base for all my passwords. I then append a suffix to uniquely identify the site, say #fb for Facebook.
I can easily remember a single passphrase for 90 days, along with the suffixes. This avoids having to resort to a password manager to retain unmemorable passwords.
One more tip: If, like me, you switch between different keyboard layouts, make sure to stick to characters that are common to all your layouts.
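Added example (not part of the thread and not any commenter's words): a small Python script that puts rough entropy numbers on the three password schemes discussed above, the roughly 10-character random password, the digits-plus-words password like "89LampSnowBat", and the shared passphrase with a per-site suffix. It also includes the kind of similarity check a defender would run to flag per-site variants as reuse. The wordlist size, the guess rates and the sample strings are assumptions chosen for illustration, not values from the thread.

```python
"""Rough entropy estimates for the password schemes discussed in the thread.
All numeric assumptions (wordlist size, guess rates) are constructed for
illustration and labelled as such."""
import math
import secrets
import string

# Assumption: an online login endpoint with lockout/throttling allows on the
# order of one guess per second; a leaked hash attacked offline allows far more.
ONLINE_RATE = 1.0
OFFLINE_RATE = 1e10


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("need a positive length and at least two symbols")
    return length * math.log2(alphabet_size)


def wordlist_password_bits(num_words: int, wordlist_size: int, digits: int = 0) -> float:
    """Entropy of `num_words` words from a list of `wordlist_size` words plus
    `digits` decimal digits, e.g. '89LampSnowBat' = 2 digits + 3 words.
    Capitalising each word is treated as a fixed rule, so it adds nothing."""
    return num_words * math.log2(wordlist_size) + digits * math.log2(10)


def effective_bits_with_suffix(base_bits: float, suffix_bits: float, base_leaked: bool) -> float:
    """Shared passphrase + per-site suffix: while the base stays secret a guesser
    must find both parts; once any one site leaks the base, only the suffix is left."""
    return suffix_bits if base_leaked else base_bits + suffix_bits


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of a space of 2**bits at a given rate."""
    return (2.0 ** bits) / guesses_per_second


def looks_like_site_variant(known: str, candidate: str, min_shared: int = 8) -> bool:
    """Defensive reuse check: True when the candidate shares at least `min_shared`
    leading characters with a known password (e.g. 'Base#fb' vs 'Base#tw')."""
    shared = 0
    for a, b in zip(known, candidate):
        if a != b:
            break
        shared += 1
    return shared >= min_shared


def generate_random_password(length: int = 10, alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Generate a uniformly random password the way a password safe would (CSPRNG)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes() -> dict:
    """Entropy of the constructed scenarios; base/suffix sizes are assumptions."""
    return {
        "random_10_of_96": random_password_bits(10, 96),
        "two_digits_three_words": wordlist_password_bits(3, 2048, digits=2),
        "suffix_base_secret": effective_bits_with_suffix(60.0, 10.0, base_leaked=False),
        "suffix_base_leaked": effective_bits_with_suffix(60.0, 10.0, base_leaked=True),
    }


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:24s} {bits:6.1f} bits  online: {seconds_to_exhaust(bits, ONLINE_RATE):.3g} s"
              f"  offline: {seconds_to_exhaust(bits, OFFLINE_RATE):.3g} s")
    print("sample random password:", generate_random_password())
```

The point the numbers make is the one the thread circles around: lockout only protects the online path, so the offline column is what matters once a site's password database leaks, and a per-site suffix on a shared base protects only as far as the suffix once that base is known from any one leak.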
You just earned x loyalty points from Google. I mean, only Google. What about others? They don't offer 2 step authentication? Was that just an example? Then why shy away from saying "For example..."?
I too use LastPass but just realized I have three passwords for the site. Have to delete two. But which two? Sigh! But a nice read overall. Thank you