Do you really know the best ways to stay safe online? A recent post on the Google Online Security Blog showed that average web users focus on different tactics than those favored by security experts.
In the blog post, Iulia Ion, Rob Reeder, and Sunny Consolvo highlight the results of two surveys they conducted. One was with security experts and one with users of the web who weren’t security experts. The two groups were asked to list the three best practices for remaining safe online. As the graphic (from the original post) below shows, the opinions of the two groups diverged, although both had recommendations about password usage.
I thought it would be useful to look at these recommendations and provide some of my thoughts:
Install Software Updates
Experts’ top recommendation was to install software updates – why? All software is prone to bugs, and many of these can be exploited by “bad guys” to compromise a user’s computer. As these bugs are discovered and the exploits employed, vendors provide patches for their software which fix the bugs. If you don’t keep your software up-to-date, you are unnecessarily exposing yourself to the risk of being compromised.
Experts advise using strong, unique passwords, while non-experts only advised strong passwords. By using unique passwords for each site, you can reduce the impact of a single site being compromised or your password exposed. Think about it this way – if you use the same strong password for every site you visit, what happens if one site gets hacked and someone finds out that password? Now, the “bad guys” have your password for all the sites you use.
Using strong, unique passwords presents a challenge: how do you remember all those passwords, especially if they are non-memorable? That’s why the number four recommendation of experts is to use a Password Manager. Most reputable password managers keep your passwords encrypted, so they can only be unlocked with a master password or fingerprint – now you only need to remember one strong password, and the rest can be unique and non-memorable.
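To make the two password points above concrete, here is a small added example (written for this commentary, not code from the Google post or from any real password manager). It is a hypothetical minimal vault that generates random, non-memorable passwords per site, derives a key from one master password with PBKDF2 so the master password itself is never stored, and shows the "blast radius" of a single site breach when a password is reused. The vault name, the iteration count and the sample sites are constructed for the demo.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Alphabet for generated passwords: 52 letters + 10 digits + 32 punctuation = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Constructed iteration count for this demo; real managers tune this to their threat model.
PBKDF2_ITERATIONS = 600_000


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random, non-memorable password drawn from the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation so a stolen vault cannot be brute-forced cheaply."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


class DemoVault:
    """Hypothetical vault: one master password unlocks many unique site passwords."""

    def __init__(self, master_password: str) -> None:
        self.salt = os.urandom(16)
        key = derive_master_key(master_password, self.salt)
        # Store only an HMAC "verifier" derived from the key, never the master password.
        self.verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
        self.entries: dict[str, str] = {}  # site -> password (in memory for the demo)

    def unlock(self, master_password: str) -> bool:
        """Check the master password against the verifier in constant time."""
        key = derive_master_key(master_password, self.salt)
        candidate = hmac.new(key, b"vault-verifier", "sha256").digest()
        return hmac.compare_digest(candidate, self.verifier)

    def add_site(self, site: str) -> str:
        """Give the site a fresh random password; returns it for the user to paste."""
        password = generate_password()
        self.entries[site] = password
        return password

    def set_password(self, site: str, password: str) -> None:
        """Store a user-chosen password (this is where reuse creeps in)."""
        self.entries[site] = password

    def exposed_by_breach(self, breached_site: str) -> list[str]:
        """Other sites whose accounts fall if this one site leaks its password."""
        leaked = self.entries.get(breached_site)
        if leaked is None:
            return []
        return sorted(s for s, p in self.entries.items() if s != breached_site and p == leaked)


if __name__ == "__main__":
    vault = DemoVault("correct horse battery staple")
    vault.add_site("example.com")                   # unique, random
    vault.set_password("shop.example", "Tr0ub4dor&3")  # reused by hand (constructed)
    vault.set_password("mail.example", "Tr0ub4dor&3")
    print("unlock ok:", vault.unlock("correct horse battery staple"))
    print("if shop.example is breached, also exposed:", vault.exposed_by_breach("shop.example"))
    print("if example.com is breached, also exposed:", vault.exposed_by_breach("example.com"))
    print("entropy of a 20-char generated password:", round(password_entropy_bits(20), 1), "bits")
```

The reuse check is the point of the "one site gets hacked" argument: with a generated password the breach list for `example.com` is empty, while the two hand-chosen sites take each other down. The PBKDF2 step shows why a manager can hold everything behind a single strong master password without ever writing that password to disk.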
Non-experts recommend changing passwords frequently, but that really only provides protection against passwords being exposed and used long after the fact. This recommendation is likely made because many enterprises encourage (force) their users to change their passwords every six months.
Experts also advise the use of two-factor authentication. This means that, in addition to your username and password, you must have something else to prove who you purport to be. Many services, like Twitter, will send you a text message with an additional authentication code, if you configure it that way. This means that even if someone has your username and password, they wouldn’t be able to log in as you from a new device (most two-factor authentication can be set to only prompt for the second factor every 30 days, or when logging in from an unrecognized device).
The number one recommendation of non-experts was to use anti-virus software. Why didn’t experts recommend the same? Since new bugs and exploits are being discovered all the time, anti-virus software often doesn’t catch the latest problem. If you believe that having anti-virus software will protect you from all threats, then you may be less cautious and let your guard down.
Being an active participant in online communities and using online services entails some level of risk that your personal information will be misused. Adopting some of the expert-recommended practices outlined above will make it a bit harder for the “bad guys,” and doesn’t impose a large burden on you.
This work is licensed under a Creative Commons Attribution 3.0 Unported License.