Tightening up security - Part 2

If you haven’t already, check out my original post: “Tightening up Security”.


Over the past couple of weeks I’ve really been trying to ensure all my bases are covered (or at least as covered as I can make them - unfortunately, when the bad guys have the will, they have a way) regarding my computer security. My first post brought up network and data encryption, backups, monitoring software, and locking down your computer to thwart amateur physical attacks; but I left out a few things that I wanted to come back and touch on.
 

The first thing I want to talk about is third-party software:
 

After years of using computers, most people know what their default go-to software applications are for various computing scenarios. For instance, they use Browser X for web browsing, Y Reader for PDF files, and Z program for file compression. Unfortunately, as we settle into our comfort zone, the bad guys are sneaking in the back door quietly while we’re kicking back and taking a nap.

Time and time again it has been shown that the more popular a program is, the more likely it is to be targeted for exploits and malicious use. Just look at the Windows vs. OSX debates; yes, OSX is safer since it is Unix based - but it also has a much lower market share, so why should the bad guys bother with it when they can get 3x as many users by targeting an easier and larger user base? Now, just because a program is popular doesn’t automatically mean that it will be bad - but you can be sure that individuals are working to break it.

Anyhow, a few programs that I use as alternatives (feel free to add to this by reblogging or replying to the question box below - also keep in mind not all of these are security issues; some I just like to switch out for other reasons):

  • Internet Explorer - Chrome or Firefox (I use Chrome)
  • Adobe Acrobat Reader - Foxit Reader (you definitely should switch to this or another alternative PDF reader; Acrobat Reader is bad news)
  • WinRAR - 7-Zip
  • Windows Media Player - VLC Player
  • Microsoft Office - OpenOffice or LibreOffice (actually I still use MS Office since I get it for like $10 on campus, but I definitely think these are worth mentioning)

The second item I would like to address is passwords:


Passwords are used for everything - and for good reason: they keep your information safe! But this is a case of a chain being only as strong as its weakest link, and guess what - that weakest link is you.
Absolutely everyone needs to follow good password practice. But what does that mean? It means a lot of different things; I could lecture for hours on end just on the very simple things, but I’ll try to knock a few out right here.


Length - For a single password, this is probably the most important property of a good password. At DerbyCon last year one of the speakers was demonstrating how to crack every Windows password hash on a computer if an attacker had physical access; during this we watched as a more complex password (something like b3nk3n0b1) was cracked insanely quickly, while a longer, less complex password (something like LolNoOneWillEverGuessThisPass) took incredibly long - if it was even cracked at all, I can’t remember. The point is that length definitely matters, and if you throw in complexity as well, you’re golden... which drives me to my next point.
 
Complexity - People, it’s so simple. Just add a few random symbols, spaces, and capital letters, and for the love of God, stop making your passwords dictionary words or well-known facts about yourself. Here’s a short example of how much of a difference adding just one unusual symbol can make.
 
The password “mypassword” would take a desktop PC about 6 days to crack.
The password “mypassword1” would take a desktop PC about 16 years to crack.
The password “mypassword%” would take a desktop PC about 69 years to crack.
 
Source: www.howsecureismypassword.net

Please, please, please keep in mind that this is strictly for informational purposes related to brute-forcing a password and does not take smarter analysis into consideration - so please do not use “mypassword%”, because in reality it would be cracked very quickly using various techniques if you were sincerely being targeted. The point I want to make here is that using symbols will drastically increase your security - so do it!
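To put numbers behind the length and complexity points above, here is an added example (my own illustration, not code from the original post or from howsecureismypassword.net). It models the blind brute-force search space for the passwords quoted above, and then models the “smarter analysis” caveat with a tiny constructed wordlist: a dictionary word plus one trailing symbol is a handful of guesses under a word-plus-suffix model, no matter how large its brute-force keyspace looks. The guess rate (one billion guesses per second) and the four-entry wordlist are assumptions chosen for the example, so the year figures will not match the ones quoted above.

```python
import string

# Added illustration (not from the original post): a brute-force search-space
# model for the "length vs. complexity" argument, plus the "smarter analysis"
# caveat. The guess rate is an assumed parameter, so the year figures here
# are only meaningful relative to each other.

LOWER = string.ascii_lowercase          # 26 characters
UPPER = string.ascii_uppercase          # 26 characters
DIGITS = string.digits                  # 10 characters
SYMBOLS = string.punctuation + " "      # 33: 32 ASCII punctuation marks + space

SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character used.

    A blind brute-force attacker has to enumerate all of each class the
    password touches, so mixing in one symbol grows the alphabet from 26 to 59.
    """
    size = 0
    for alphabet in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in alphabet for c in password):
            size += len(alphabet)
    return size


def keyspace(password: str) -> int:
    """Number of candidates a blind brute-force attacker must consider."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case years to try the whole keyspace at the given guess rate."""
    return keyspace(password) / guesses_per_second / SECONDS_PER_YEAR


# Constructed toy wordlist (assumed for the example) standing in for the
# multi-million-entry lists that real cracking tools ship with.
WORDLIST = {"my", "password", "mypassword", "letmein"}
SUFFIX_CHARS = DIGITS + SYMBOLS


def smart_guesses(password: str):
    """Candidate count under a 'dictionary word + at most one suffix' model.

    Returns None when the password does not match that pattern, meaning the
    shortcut does not apply and the attacker is back to brute force.
    """
    base = password
    if base and base[-1] in SUFFIX_CHARS and base[:-1] in WORDLIST:
        base = base[:-1]
    if base not in WORDLIST:
        return None
    # every word on its own, or followed by one character from the suffix set
    return len(WORDLIST) * (1 + len(SUFFIX_CHARS))


if __name__ == "__main__":
    RATE = 1e9  # assumed: one billion guesses per second
    for pw in ("mypassword", "mypassword1", "mypassword%",
               "b3nk3n0b1", "LolNoOneWillEverGuessThisPass"):
        brute = years_to_exhaust(pw, RATE)
        smart = smart_guesses(pw)
        note = f"word+suffix model: {smart} guesses" if smart else "word+suffix model: n/a"
        print(f"{pw:32} alphabet={charset_size(pw):2}  brute-force={brute:.3g} years  {note}")
```

Running it shows the two lessons side by side: the 29-character mixed-case password has a keyspace many orders of magnitude larger than the 9-character leetspeak one, and “mypassword%” goes from a 59-character alphabet raised to the 11th power under brute force to just 176 candidates once the attacker tries dictionary words with a single trailing character.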

Stop using the same password for everything - This is so, so important. Every time you sign up at a website or service and use the same username/email/password that you always do, you’re digging yourself a deeper grave. It just takes one of these sites to be compromised and then an attacker has access to an entire database of username/password combinations, of which probably 1/3 to 1/2 will work on many other sites as well. The more you do this, the less chance you have of even knowing some of your data was compromised - how often do you sign up on a website and never visit it again? You could come back a year later and find out someone has been posing as you, or worse - using other services as well that you didn’t know about. Not. Fun.

So you think you’ll have a harder time remembering all of your passwords if you stop using the same one? Set up a system for your passwords that changes them for each website - in a way that lets you easily tell the passwords apart, while someone who sees one still can’t guess another. Maybe throw in the name of the site you’re on, or something like that. There’s a world of different combinations - and you’d best come up with one, since this is an extremely pivotal point in password security.

Facebook/Twitter/G+/etc. Single Sign-On - This one is pretty easy to do. If you’re using Facebook or some other network to register and log in to websites - never re-enter your password! The cookies are saved, so unless it’s a malicious site (or an extremely poorly coded one, which you don’t want to be a part of anyway), you should never input your sensitive information on the website itself. It should be making a direct call to XYZ, and if you’re already logged in there (if not, go log in on XYZ’s own site and then refresh the page you’re trying to register/login to) it should just prompt you to confirm that you want to add the website, or something similar - but it should never ask you to type in your credentials unless it’s just trying to steal them.

Whew - *wipes brow*

That turned out to be a bit longer than I expected, but I’m glad I got to it - actually this post has been sitting in my Tumblr tab for a day now since I got busy and wanted to make sure to come back to it. As I continue to go into lock-down mode to protect myself from the bad guys, if I come up with anything else I’ll be sure to write about it, and hopefully others can work to protect themselves as well!


As always - if you’d like to, add what you do to increase your security by either reblogging or answering the question below!

What do you do to increase security?