Secure computing is very much like exercise and diet: you have to make good choices over time to reap the benefits.
We're already over a month into 2013. I hope you're eating healthy food in reasonable quantities, exercising frequently, and computing securely. Grouping diet, exercise, and secure computing together may strike you as unusual. It isn't.
Diet, exercise, and secure computing are things you must do. Knowing you should exercise is not the same as exercising. Reading that your password should be stronger is not the same as actually making your password stronger. The benefit accrues only with action, not knowledge.
I don't want you to just read this blog post. I want you to act to make your computing experience more secure. One exercise session and one well-balanced meal won't produce health. A one-time improvement in your password won't produce security. Secure computing is very much like exercise and diet: you have to make good choices over time.
Let's start with the obvious: you need to keep your operating system, applications, and security software (e.g., anti-virus) up to date. That said - here are four more things to do to make your online computing experience more secure.
1. Use unique, longer and stronger passwords
You probably use the same password on different websites. Please go eat a candy bar every time you re-use the same password on different sites. This is obviously a bad idea, right? Don't do it. The next time you login with a password you've used on another site, change it. Your password for every site should be unique.
Tools like LastPass can help you create and manage longer, stronger passwords
When you choose a unique password for each site, make your password as long and as random as possible. And no, your name and a number or clever number replacement doesn't count: "Wolber1" or "pa55w0rd" are poor choices. Passwords twelve characters or longer are better than shorter passwords. (Steve Gibson provides a useful method for creating unique passwords called "Off the Grid" on his website. Services like LastPass.com, which I use, also can generate and securely store passwords.)
2. Enable two-factor authentication
(Did you really change all of your passwords? Or are you still reading and not practicing security? Please stop reading now. Go change your passwords to be unique, longer, and stronger; even if you have to resume reading a few weeks from now. This article will be here. Go improve your passwords. Now!)
Your passwords are now longer, stronger, and unique for all systems. Good job.
Now, wherever possible, enable Google's two-step authentication. This means you'll need access to your phone in order to log in to your Google Apps account. (See my article "Secure your Google Account with two-step authentication" for detailed instructions.) You can also enable two-step authentication for access to LastPass, WordPress and Dropbox. Follow Matt Cutt's advice: turn on two-factor authentication everywhere you can.
Use two-step authentication for a month before you move on to the next step.
3. Review your Google Account security settingsOver time, you'll likely use your Google Account to log in to other services. For example, you might have used your Google account to login to Zoho.com services. You should review this list periodically and "de-authorize" any services you no longer use. Go to http://accounts.google.com/settings/security to view these "Connected sites and services".
Review connected sites and services; revoke access if no longer needed
When you review these sites, also review the "application specific passwords" list at the bottom of the page. These are 16-character codes you generate to enable an application to automatically authenticate with your Google Account. Revoke access to applications you no longer use. (Learn more about how to revoke access on Google's support pages.)
I suggest you review the list of connected sites and services every 90-days or so. At a minimum, review this list whenever there's a time change (in the United States), or on the longest and shortest days of the year. You should do a similar review of connected applications for social media sites you use, such as Facebook and Twitter.
(Still reading and not doing? Please, please, please stop. Change your passwords. Use 2-step authentication. And review your Google Account, Facebook and Twitter security settings at least twice a year. Thanks. Now, let's continue.)
4. There's always more you can do
If you've done the above three steps, your account is likely more secure than that of an average computer user. But there's almost always more you can do. For example, you might:
- Review your Gmail Settings to make sure you're not forwarding email to addresses you've forgotten about,
- Review your Gmail delegation settings to make sure you're not delegating email access unintentionally, or
- Choose to use Chrome to take advantage of the browser's modern security scheme.
Maintaining security, just like maintaining health; it requires both knowledge and action. Stay on top of Google's latest security news and updates by reading Google's Online Security Blog. Just remember to put the knowledge you gain into action. After all, you can never be too healthy or too secure.