What amateurs can learn from security pros about staying safe online

MichaelB

Ars Technica has an interesting article on online security, here, titled "What amateurs can learn from security pros about staying safe online", which references a paper (here) that compares safety practices of security experts with non-experts (the rest of us).

The top five practices of experts: install SW updates, use unique passwords, use two-factor authentication, use strong passwords, use a password manager. The top five practices of the "non-experts": use antivirus SW, use strong passwords, change passwords frequently, only visit websites they know, don't share personal information.

This hits home to me because I intentionally avoid installing SW updates. First, because I want a stable operating platform, and second, because over time updated SW demands more system resources, which leads to the need to upgrade sooner. From the paper, though, I can see the value in staying current, at least in critical SW.
 
The top five practices of experts:

install SW updates (even though Windows, Adobe, or Java updates couldn't be any more obnoxious)...check
use unique passwords...check
use two-factor authentication (this has been debated, but I still use it when available)
use strong passwords...check
use a password manager...check (Keepass/not stored on the computer)
 
"use a password manager"
------------------------------

While I'm a retired IT security guy, I've never called myself an expert in the field (I don't think there are any). I will suggest that any data (i.e. passwords) that exists in digital format is or will be hackable, especially if it is stored "in the cloud". Not a good idea.
 
I agree with unique passwords, strong passwords and two-factor authentication.

Software updates are not bullet-proof, and sometimes cannot be undone. Most companies' IT groups do a fair amount of testing of other software before they allow them to be applied everywhere in their environment. I don't have a test environment for testing, so I wait for a bit to hear the scuttlebutt. Windows 10 may make this waiting not possible, and maybe other companies may follow suit for their software.

I don't think our passwords should be stored digitally.
 
Check on all except limited two-factor coverage.

I'm surprised at the number of well-informed people that still fear a properly implemented password manager, such as LastPass. If your local machine is compromised, all bets are off, but with a long unguessable pass phrase (that is never stored anywhere and never sent anywhere, encrypted or not) that is only used to locally decrypt your data using appropriately strong encryption, I'm not sure there's too much to worry about. If they get quantum computing going, there's a lot more to worry about than my LastPass vault, lol! I will send my LastPass vault to the NSA (oh, they already have it), and if they figure out a way to undo prime factorization (or is it elliptic curve?) sometime in the future, they'll have all my passwords. But again, if that happens, there will be more shtuff hitting the fan and my vault will not be very high on the list.
 
Interesting articles, and having started to use LastPass this year I now do all 5 of the top things the experts recommend.

I was surprised that keeping AV software up to date was not in the top 5 things experts recommend, although they do say it is good practice to do so. The reason the experts didn't list AV software as highly is because most experts don't use Windows.

One likely reason explaining the divide over use of antivirus software is that security experts are more likely than non-experts to use a non-Windows operating system. So while it may be tempting to interpret the results as showing experts think AV isn't an effective security measure, that's not automatically the case. The question posed to each group sought the top three things they did to protect their own security online. If experts are more likely to use an OS other than the highly targeted Windows OS, it stands to reason they would be less likely than non-experts to list using AV as one of the top ways they protect themselves.
 
I was surprised that keeping AV software up to date was not in the top 5 things experts recommend...
And if the experts DO use Windows, they (and everyone else) get Windows Defender by default, which is fairly light-weight and you'd need to go in and turn it off. If I were asked about the top 3, I wouldn't include anything that most everyone will have 'on' by default... it might make people feel better, but would be a waste of a vote.
 
I'm surprised at the number of well-informed people that still fear a properly implemented password manager, such as LastPass. If your local machine is compromised, all bets are off, but with a long unguessable pass phrase (that is never stored anywhere and never sent anywhere, encrypted or not) that is only used to locally decrypt your data using appropriately strong encryption, I'm not sure there's too much to worry about. If they get quantum computing going, there's a lot more to worry about than my LastPass vault, lol! I will send my LastPass vault to the NSA (oh, they already have it), and if they figure out a way to undo prime factorization (or is it elliptic curve?) sometime in the future, they'll have all my passwords. But again, if that happens, there will be more shtuff hitting the fan and my vault will not be very high on the list.

I guess I fear the likes of LastPass being hacked not through the front door (i.e. breaking the encryption), but rather through some sort of back door compromise. Storing unique passwords in my head I feel is safer.

-gauss
 
I was surprised that keeping AV software up to date was not in the top 5 things experts recommend, although they do say it is good practice to do so. The reason the experts didn't list AV software as highly is because most experts don't use Windows.
That's a very good point which I missed, and makes a lot of sense. I have reduced the use of Windows at home but still use it and should probably start thinking about how to eliminate it completely.
 
"use a password manager"
------------------------------

While I'm a retired IT security guy, I've never called myself an expert in the field (I don't think there are any). I will suggest that any data (i.e. passwords) that exists in digital format is or will be hackable, especially if it is stored "in the cloud". Not a good idea.

KeePass is not a cloud-based password manager; you can store it on your computer, or on a thumb drive, and you can keep the key file stored on the other thing, plus keep the password "sentence" long and stored in your brain.

I've used it for years, no connection to the company, use whatever you want. I tried other ways first, but none were as secure.

I have about 200 unique passwords and usernames AND unique answers to "mother's maiden name" or other silly questions.
No way I could remember that.
 
Another LastPass user. Nothing is foolproof. You have to stay on top of stuff, and mostly that means financial sites. I use Mint to check my accounts at least once a day, and have fraud alerts set up everywhere. Plus I check my Credit Karma once a week for anything new.

There's a price to pay for the convenience of online everything, and for me the "cost" of vigilance is a small one.
 
That's a very good point which I missed, and makes a lot of sense. I have reduced the use of Windows at home but still use it and should probably start thinking about how to eliminate it completely.

I just installed Linux Mint on one of my older computers (that was running Windows XP) a few weeks ago, and so far I'm very happy with it and find that I'm using the old computer more and more, but coming from the Windows world I wonder if there isn't some complacency going around in Linux land regarding security.
 
I just installed Linux Mint on one of my older computers (that was running Windows XP) a few weeks ago, and so far I'm very happy with it and find that I'm using the old computer more and more, but coming from the Windows world I wonder if there isn't some complacency going around in Linux land regarding security.

You should have a package to run updates on a Linux box also. Check something like yum-cron or yum-updatesd. They check for and install updates on a regular schedule, like every day.

Please don't get the idea Linux is secure; there is a greater benefit to hacking a Linux server, as lots of the good stuff from a hacker's perspective is stored on Unix servers. On my Linux servers I run yum updates every day!
 
I would add:

If you need to go to "questionable" (and I think you know what I mean) sites, use VirtualBox with a Linux distro. Worst case, the virtual machine gets damaged, not your real machine.

Sensitive files can be encrypted independently for an additional layer of protection.

Use whole disk encryption if possible.

Lengthen your passwords to the greatest degree possible.
 
I don't put any sensitive data on someone else's server up on the Internet, and that includes a password manager.

I always pay attention to system security updates.

I get rid of software like Adobe Flash that has security holes.

Sensitive docs are in encrypted drives and disk images.

We are very careful about phishing emails and any kind of web download. We only download from certain sites unless it's a PDF.

We don't run virus scanning software on our Macs. Not sure if there is really anything considered good virus scanning software for the Mac. If Apple didn't write it, I'm leery of adding anything to run as part of the system.

Two-factor authentication for financial accounts online, plus alerts.
 
Interesting. I do automatic updates on the OS and usually update immediately. I use a password manager (RoboForm) and use some two-factor authentication, although I do need to use it on a few more sites.
 
You should have a package to run updates on a Linux box also. Check something like yum-cron or yum-updatesd. They check for and install updates on a regular schedule, like every day.

Please don't get the idea Linux is secure; there is a greater benefit to hacking a Linux server, as lots of the good stuff from a hacker's perspective is stored on Unix servers. On my Linux servers I run yum updates every day!

As you can tell, I am a total newbie to the Linux world. So far, I've only installed software that is available through the Linux Mint software manager, and I install every update the update manager says to install (levels 1-3). I didn't find specifically yum-cron or yum-updatesd listed as part of the approved packages in the software manager, but they may be in some of the more advanced repositories than what I'm currently using.
 
I don't put any sensitive data on someone else's server up on the Internet, and that includes a password manager.

I always pay attention to system security updates.

I get rid of software like Adobe Flash that has security holes.

Sensitive docs are in encrypted drives and disk images.

We are very careful about phishing emails and any kind of web download. We only download from certain sites unless it's a PDF.

We don't run virus scanning software on our Macs. Not sure if there is really anything considered good virus scanning software for the Mac. If Apple didn't write it, I'm leery of adding anything to run as part of the system.

Two-factor authentication for financial accounts online, plus alerts.

Looks like very reasonable steps. Apparently, from the limited research I've done, there is no widely recommended virus scanning software for Linux either.
 
As you can tell, I am a total newbie to the Linux world. So far, I've only installed software that is available through the Linux Mint software manager, and I install every update the update manager says to install (levels 1-3). I didn't find specifically yum-cron or yum-updatesd listed as part of the approved packages in the software manager, but they may be in some of the more advanced repositories than what I'm currently using.
I believe Mint is an Ubuntu derivative, so yum would not apply. Just follow the update manager in Mint.

If you need to update via the terminal use these two commands:
sudo apt-get update
sudo apt-get upgrade
 
Looks like very reasonable steps. Apparently, from the limited research I've done, there is no widely recommended virus scanning software for Linux either.
I have been using Linux for years and have never had a virus problem and do not use any anti-virus.
 
I'm not sure any OS is invulnerable to security violations (including Linux; we had experience all the way down to patching the kernel to support hardware access we needed). Windows just has such an entrenched user base that it attracts more attention from the bad guys.

The practices that are being discussed in this thread and the articles are a good idea, regardless. It's good to be vigilant.
 
Yep, there was a good thread about it, on the forum, if you want to check it out.

Thank you, I guess I'll continue to keep my passwords in a little inconspicuous notebook. I guess this is also why I've never felt comfortable using financial services sites like Mint that ask for all the passwords for one's financial life in order to aggregate the results.
 
A few questions about a password keeper:

With 5 computers and a tablet, in three different locations, all synced with Chrome, how does this work? Separate on each computer?

Over 30 years, have signed on to many hundreds, maybe thousands of websites. Does a password keeper have to be changed for every website individually?

What kind of security does this provide when there are sites that have personal information, based on an email address where someone already has info on the original password... if I haven't gone back to that site for many years?

In simple terms, how does a password protector help protect from long forgotten, unvisited websites?

As it stands today, I can go back and sign on to sites that I visited from AOL, back in 1985.
 