Thursday, October 4, 2012

Unoriginal title for a post about general PC security (Part 1)

First, let me preface this by stating that I am not an expert in online security.  I'm not a hacker, I'm not a cryptologist.  I'm a web programmer who tends to view security from the POV of an end user.

Okay, with that said, here we go....

I've bought this $500+ piece of machinery, but you're asking me to understand how it works?

The sad fact of the matter is that many people who own computers are still largely computer illiterate.  Some are afraid to break/screw things up with their new appliance, and others are simply not interested in learning more than how to send email, visit YouTube, and do some basic office work.  The problem is that seemingly innocuous online activity can lead to a host of problems.  Addressing them isn't difficult, but it requires a bit of effort.  Just like a car needs regular maintenance to keep it on the road, a computer needs regular maintenance to keep it running and your information safe.

It's important to note, at this juncture, that there's no such thing as 100% secure.  Cyber security is always a game of catch-up.  The various hackers, malware authors, and other black hat individuals and organizations out there will always have an advantage because, in a lot of cases, a threat can't be addressed until an exploit has been abused.  The best we can do is engage in behavior that mitigates risk, and be prepared if an attack does happen.

What do you mean 'P@ssW0rd' isn't a good password?

Let's start with passwords.  If you do anything online, you're all but certain to have one.  A good password is long (the longer the better), contains a bunch of different characters (letters, numbers, punctuation), and isn't based on a dictionary word or a common phrase.  It should also be unique to each account (more on this in a minute).

The problem is that long passwords not based on a memorable pattern and filled with a variety of characters are hard to remember.  They're also a pain to type.  So, what people generally do is create a short, easy to remember password and then use that for just about everything.  If an online account is compromised, who cares?  It's just an account to Fluffy Birds or something unimportant, right?

Wrong.  If login info is compromised (and many times they're compromised without one knowing about it at all), then every account that uses that info is compromised.  That could mean your bank.  Your social media accounts with all the personal information about you and your family.  Your life could be laid bare for those who wish to do you harm.

So, what can be done?  I'm a huge fan of password manager software.  This software is essentially a database of all your passwords.  Even better, most come with a password generator, giving you a high entropy password at the click of a button that you can use for any account.  The password manager itself can be protected with a password, and some even allow you to use a separate key file as a second form of authentication.

The general workflow is:

Sign up for a new online account
Open the password manager
Generate a new password with the password manager
See if the site/system will take it*
If yes, you're registered; if not, keep generating new passwords until one sticks

To log into a site that requires a password, simply open the manager, and copy/paste the password into the password field.

*The unfortunate reality is that many sites put ridiculous limits on what they accept for passwords.  Microsoft, for example, limits passwords to just 16 characters, while EA prohibits certain special characters from being used.  These restrictions are completely artificial, and really only serve to negatively affect how secure your login information actually is.
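To make the generator and the entropy argument concrete, here is an added example (my own code, not part of the original post and not KeePass) that draws passwords from the operating system's random source and computes how much entropy a site's length cap or punctuation ban throws away.  The 16-character cap and the no-punctuation case are constructed to mirror the restrictions mentioned above; the entropy formula only applies to randomly generated passwords, not to human-chosen patterns like 'P@ssW0rd'.

```python
import math
import secrets
import string

# Character classes a generator draws from. "Character variety" in the post
# means the password contains at least one character from each class.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def build_alphabet(allowed_punct=string.punctuation):
    """Alphabet the generator draws from. A site that bans some punctuation
    (pass the subset it accepts) shrinks the alphabet and therefore the entropy."""
    return string.ascii_letters + string.digits + allowed_punct


def entropy_bits(length, alphabet_size):
    """Entropy of a password whose characters are chosen uniformly at random:
    length * log2(alphabet size). Only meaningful for generated passwords; a
    human-chosen pattern like 'P@ssW0rd' gets no credit from this formula."""
    return length * math.log2(alphabet_size)


def generate(length, alphabet):
    """Draw each character with the OS CSPRNG (secrets, never random) and retry
    until every class present in the alphabet appears at least once."""
    classes = [c for c in CLASSES if any(ch in alphabet for ch in c)]
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw


def has_variety(pw):
    """True if pw contains a lowercase, uppercase, digit and punctuation char."""
    return all(any(ch in cls for ch in pw) for cls in CLASSES)


if __name__ == "__main__":
    full = build_alphabet()                 # 94 printable ASCII characters
    no_punct = build_alphabet("")           # constructed: site rejecting all punctuation
    for label, length, alpha in (("unrestricted, 24 chars", 24, full),
                                 ("16-char cap", 16, full),
                                 ("16-char cap, no punctuation", 16, no_punct)):
        print(f"{label:30} {generate(length, alpha)}  "
              f"{entropy_bits(length, len(alpha)):.1f} bits")
```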

I use and recommend KeePass.  It's free, it's easy to use, and it's available on just about every operating system one would want.  I use it on my iPad, laptop, and desktop, and with it, I can hit all the important attributes of a good password:

Not based on a dictionary word
Character variety
Unique to each account

Okay, cool, now what?

I'll talk about browsing, but in a new post to keep things readable.
