  1. #1 (Join Date: May 2013; Location: Somerset Region, Qld, AU; Age: 66; Posts: 602)

    Time for a lesson in Basic Computer Security for Internet Users.

    This post was moved from https://www.woodworkforums.com/showth...25#post1832025. The original post has been edited to indicate that the post has been moved to this new location.

    OK. Time for a lesson in Basic Computer Security for Internet Users.

    (Note: A bit of information re my background. Before retiring I worked in the Information Technology industry for nearly 30 years. For a good part of that time, my work was devoted to managing Security on Computers and Computer Networks.)

    Most web sites, whether it is Google (or gmail), Yahoo, your ISP's email service, your Centrelink or ATO Login, and plenty of other web sites, are subject to regular attacks targeted at stealing information - mostly the User's Login Name and Password information. Once a thief has that information they can use your email account to send spam and phishing emails, or they can steal personal information that can help them steal identities, and if you have a credit card or bank account linked to the Login information they've stolen, then they may be able to access your money. Theft of information from Internet companies is not something we (personally) can prevent. Until such time as Internet companies can develop the technology to defeat all of the theft attempts, then all we as users can do is to ensure that we make the thieves' jobs harder by making sure that our passwords are as unguessable (is that a word?) as possible.

    Theft of password and login information is a fact of life, just as banks, businesses, homes and cars get robbed every day. Fortunately, when your password is stolen, it is not of much immediate use to the thief, as the stolen password is encrypted. Passwords on the internet use what is called "one way encryption". That is, you can only encrypt the plain text password into the encrypted password. You cannot decrypt the encrypted password to get back to the plain text unencrypted password. So, what the thief has to do is to take a guess at your password, encrypt that guess, and see if the encrypted result matches the encrypted password that they stole. If there's a match, then they've guessed your password, and they can then log into your account using the Login Name they've stolen, and the Password that they've guessed.

    The thieves use sophisticated password guessing and password cracking programs, running on large banks of computers, to try to break passwords. The more computer power they have, and the more time they've got, the more likely they are to be able to successfully guess your password.

    So, how can you make it harder for the thief to guess your password?

    Well, for a start, forget simple things like the idea of substituting the number one for the letter "i", or the number zero for the letter "o". Many people use passwords like "h0l1day" instead of "holiday" thinking that substituting numbers for some letters makes their password secure. Sorry to tell you this, but the password cracking programs will guess those combinations very easily. The same goes for people who mix upper and lower case letters thinking that will keep them safe. A password such as "HoLiDaY" is no safer than the password "holiday", and will be guessed by the thief very quickly.

    The first protection you can have against the thief is to NOT use obvious passwords. I used to run "Security For Computer Users" training courses at a University. At the end of each course, after everyone had changed their passwords to far more secure passwords, I asked people in the class to tell the rest of the class what passwords they had been using. As just one example out of three years' worth of those classes - out of a class of twenty fourth-year medical students, five admitted using the word "password" (sometimes with some number substitutions) as their password. Another six admitted that they used their name (or nickname) as the password. Eighteen of those present admitted that they used the same password for every internet login that they had - everything from their ISP login through Gmail, to their Internet Banking login, used the same password. Even when I delivered the same course to Computer Science students (who should have known better!), the password survey at the end of the course often revealed similar results.

    So - three main rules for password safety on the Internet:

    1. Use a different password on every Internet web site login. If that's a bit of an overkill for you, then maybe use separate passwords only for critical web sites (i.e. Internet Banking, and places like Google, Ebay, Apple, Sony, etc, that store your credit card information).
    2. Use longer passwords - the longer the better.
    3. Include letters, numbers, and punctuation marks in your passwords (but not Function Keys!)
    4. Don't use obvious passwords.

    The best protection against the thief who is trying to guess your password is for you to use the longest password you possibly can. Some web sites will still limit you to a short password (often 8 or 12 characters) but these sites are usually not storing anything private, and even if a thief did gain access to the account, they probably couldn't do much damage. A typical example of a low risk web site is this forum - I don't know the maximum password length for this forum, but there is nothing of value to steal once the thief guesses your password here, so the risk is low. About all the thief could do is trash your reputation, and I doubt that the thief will have the time to be bothered writing forum posts to do that.

    The majority of web sites that are storing sensitive information will allow long passwords. How long is long? How long is a piece of string? The longer the better.

    But the problem for most of us is how to remember passwords, particularly long passwords, especially if we use multiple different passwords on each web site. The best approach at the moment is to use a Password Management Program to generate secure passwords, and to securely store your passwords.

    By that, I do not mean that you should use your Web Browser to store passwords when it asks to. Web Browsers store your password unencrypted in plain readable text (or sometimes using reversible encryption, which isn't much better) - so if someone gains access to or steals your computer, they have easy access to your stored passwords. Turn off the option in your web browser that lets the browser store passwords for you!

    There are a few Password Management Programs that are available that have proven to be secure, and most are free. I've been using Lastpass (http://www.lastpass.com) for about four years. It stores your passwords online in a very secure manner. It will also generate complex passwords that you can use to access your web site logins. And because it is remembering your passwords, you can have a different password for every Login. It works on Windows, Apple OSX and Apple mobile devices, Windows Mobile Devices, Android and Linux - which means that you can securely share passwords across all of those devices, because the passwords are securely stored online on Lastpass' servers. I use Lastpass because I only use Android and Linux on my computers, and Lastpass is the only program I know of that supports both Linux and Android. Lastpass has also been subjected to numerous independent security audits, because Lastpass is also a commercial service which is purchased by business and government organisations who demand high levels of security. Lastpass is free for individuals to use.

    When you use Lastpass, or any other Password Management Program, you are asked to create a master password that gives you access to the rest of your passwords. Please ... ensure that you use a very secure password as your master password. I change my Lastpass master password once a year, each Christmas. By doing it at the same time each year, I don't forget to do the annual password change.

    Seeing I've just recently changed my Lastpass Master Password, I'll let you into a secret and tell you what password I was using for the last year - for no other reason than that it might give you some inspiration when you are choosing your new Master Password. Last year I used the registration numbers for my first five cars as my Master Password. Each number plate was a combination of six letters and numbers. Join all five number plates together in the right sequence with no spaces, and you have an easy-for-me-to-remember 30-character Master Password. As a car nut, those registration numbers are easy for me to remember. And from the point of view of a thief trying to guess my master password, it is basically 30 random letters and numbers, which will make the thief's job very hard. You just need to pick a theme for your master password that will result in a long string of characters that will be easy for you to remember, but very hard for a thief to guess.

    There are numerous other Password Management Programs that specifically support Apple devices, or only Microsoft computers and Microsoft mobile devices, but Lastpass seems to be the only one that covers the widest range of computer devices. I can't speak for how secure those other Password Management Programs are, because I haven't used them, and I haven't bothered checking whether any computer security audit companies have audited them. If one of these other Password Management Programs stores your data on the Internet (i.e. "in the cloud") and the program has not been subject to independent security audits, I recommend that you do not use that program.

    So - make a few New Year's Resolutions - and keep those resolutions long enough that they become habits:

    Resolution 1. Start using longer, stronger passwords on all new internet logins that you create.
    Resolution 2. Change all existing passwords for new longer and stronger passwords.
    Resolution 3. Start using a Password Management Program on all of your computers and mobile devices - then do Resolutions 1 & 2 above.
    Resolution 4. Remember to change your Password Management Program's Master Password at least annually. And remember, if you think that your master password might have been compromised (e.g. someone looking over your shoulder), then change your master password immediately.

    Hope that information is useful. Sorry for the long post, but after an hour's editing, I couldn't make the post much shorter whilst still getting the essential parts of the message across.

    Regards,

    Roy
    Manufacturer of the Finest Quality Off-Cuts.
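    The "encrypt the guess and compare" check Roy describes is what practitioners call password hashing, and it is the same check whether a site verifies your login or a thief tests a stolen copy. The following is an added example, not code from Roy's post or from any product named in the thread: it stores a password as a salted one-way hash (PBKDF2-HMAC-SHA256 from Python's standard library), verifies a login by re-hashing and comparing, and runs a small policy check that undoes the cosmetic tricks the post warns about (mixed case, a trailing year, number-for-letter swaps) so that "h0l1day" and "HoLiDaY" are recognised as the dictionary word "holiday". The word list, the iteration count and the sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed toy dictionary for the demo; a real policy checker would load a
# large word list (the cracking programs the post mentions use very large ones).
COMMON_WORDS = {"password", "holiday", "welcome", "zebra", "letmein"}

# Reverse map for the number-for-letter swaps the post says are guessed "very easily".
LEET_TO_LETTER = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                                "5": "s", "7": "t", "@": "a", "$": "s"})

ITERATIONS = 200_000  # PBKDF2 work factor; a real site picks its own (assumption)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way hash of the password: PBKDF2-HMAC-SHA256 with a random per-user salt.
    The site stores (salt, digest); nothing in it can be turned back into the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """The only check anyone can do, site or thief alike: hash the candidate with the
    same salt and compare. compare_digest avoids leaking the match through timing."""
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


def normalise(password: str) -> str:
    """Strip the cosmetic tricks the post warns about: mixed case, a trailing number,
    and digit-for-letter substitutions, so "H0L1day2014" collapses to "holiday"."""
    base = password.lower().rstrip("0123456789")
    return base.translate(LEET_TO_LETTER)


def is_weak(password: str, min_length: int = 12) -> Optional[str]:
    """Return the reason a password fails the post's rules, or None if it passes.
    The dictionary check runs first so a dressed-up word is reported as such."""
    if normalise(password) in COMMON_WORDS:
        return "a dictionary word with case or number substitutions"
    if len(password) < min_length:
        return f"shorter than {min_length} characters"
    return None


if __name__ == "__main__":
    salt, digest = hash_password("h0l1day")          # what a site would store
    print("stored digest:", digest.hex())
    print("verify h0l1day:", verify_password("h0l1day", salt, digest))
    print("verify holiday:", verify_password("holiday", salt, digest))
    # Constructed sample passwords; the last one mimics five six-character plates.
    for pw in ["h0l1day", "HoLiDaY", "Password2014", "ABC123DEF456GHI789JKL012MNO345"]:
        print(f"{pw!r}: {is_weak(pw) or 'passes'}")
```

    The salt is what stops one guess from being checked against every stolen account at once, and the iteration count makes each guess cost the same work for the thief as it does for the site; neither helps a password that a short list of rules can rebuild, which is why the policy check comes first.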

  2. #2 (Join Date: Nov 2006; Location: Rockhampton; Age: 62; Posts: 2,236)


    Hi Roy, thanks doesn't really cover an hour's worth of time, but a good post.


    Pete

  3. #3 (Join Date: May 2012; Location: Canberra; Posts: 1,820)


    (5-time CTO - 2 ASX listings, 1 NASDAQ and 1 LSE.... not doing anything right now....)

    Brilliant advice.

    I would also advocate a similar system. LastPass is excellent. I've been using it since it was a simple plugin for Firefox a billion years ago.

    Practicalities get in the way. I've seen password wallets evaporate and tears follow. Not taking anything away from the above, but a password doesn't need to change much to foil attacks, nor be complex. Let's pretend, for the sake of sanity, your password was "zebra". Your banking at CBA could be zebraCbaYellow and ANZ is zebraAnzBlue. Apple might be zebraAppleWhite. The forum could be zebraWoodworkOrange. These are just simple examples.

    Three words - random words - contain a shockingly high amount of entropy. It is fiendishly complex to guess a password composed of three easy-to-remember words. English has anywhere from 250,000 to 1 million words. 3 or 4 combinations of these and a number will take modern systems a loooooong time to crack you (are they going to spend thousands on electricity to crack your Yahoo email?)... they ALWAYS go after the easy targets.

    It might strike you as being obvious, but 99.98% of all attacks I've seen are entirely automated. I've led tech for multi-billion credit card companies, systems for high volume algorithmic trading on the ASX and one of the most despised all-encompassing user tracking tools on the internet (its ubiquity is such that I'm ashamed of its success). Every attack I've seen is algorithmic. They are smart, but they are not human.

    When a human gets on your case and is really determined, you are screwed, regardless of what you do. A human will think carefully about who you are, dig up everything they can and target you. I once had a locksmith tell me that locks "are designed to keep honest people out". A thief will just break your window. The same goes with online. I've only ever seen 4 really well crafted spear phishing attacks. 2 were superb.

    My boss in the credit card clearing biz once asked me how long it would take to obtain the passwords for our systems if they had physical access. I said 15 minutes, a hammer and a 75 watt soldering iron. He said he couldn't imagine how that would work - until I advised how the hammer and soldering iron were used.

    The reality is that the internet is failing. Security is almost non-existent, government spying and data collection are 100% now (everything, every scintilla, even encrypted stuff, and it's kept FOREVER... even the encrypted stuff they can't yet break), new cracks are appearing daily, the thieves incredibly complex..... and it's far easier to remain anonymous, reveal little, delete Facebook and ensure you write your passwords down on a scrap of paper and put them in a book.
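    The claims about password length in Roy's post and about the entropy of random words in the reply above can be put on a common scale: the number of equally likely possibilities the guessing programs have to work through, expressed in bits, and the time that takes at an assumed guessing rate. The following is an added example, not code from either poster: it scores the schemes mentioned in the thread (an 8-character limit, three or four random words from a 250,000-word list, 30 plate characters, and a base word plus site name plus colour). The guessing rate of 10^10 per second, the 16-colour list and the treatment of plate characters as random are assumptions for the sake of the comparison; the base-word scheme is scored on the pessimistic assumption that the attacker already knows the pattern, since the site name is public.

```python
import math

WORDLIST_SIZE = 250_000       # lower end of the reply's English vocabulary estimate
GUESSES_PER_SECOND = 1e10     # assumed offline guessing rate of a well-funded attacker
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_for_random_chars(length: int, alphabet_size: int) -> float:
    """Search space, in bits, of `length` characters drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def bits_for_random_words(word_count: int, wordlist_size: int = WORDLIST_SIZE,
                          trailing_digits: int = 0) -> float:
    """Search space of `word_count` words drawn uniformly from a list, plus any digits."""
    return word_count * math.log2(wordlist_size) + trailing_digits * math.log2(10)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every possibility at `rate` guesses per second (the average hit
    comes at half this, but the order of magnitude is what matters)."""
    return (2.0 ** bits) / rate / SECONDS_PER_YEAR


def compare_schemes() -> dict:
    """Bits and exhaustive-search years for the schemes discussed in the thread."""
    schemes = {
        # the short limit Roy mentions, letters and digits chosen at random
        "8 random letters+digits": bits_for_random_chars(8, 62),
        # three random words from a 250,000-word list
        "3 random words": bits_for_random_words(3),
        # four random words plus one digit
        "4 random words + digit": bits_for_random_words(4, trailing_digits=1),
        # Roy's 30 plate characters, treated as random upper-case letters and digits
        "30 plate characters": bits_for_random_chars(30, 36),
        # base word + site name + colour, with the pattern already known to the attacker:
        # the site name is public, so only the base word and a colour (~16 choices) remain
        "base word + site + colour (pattern known)": bits_for_random_words(1) + math.log2(16),
    }
    return {name: (round(b, 1), years_to_exhaust(b)) for name, b in schemes.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:44s} {bits:6.1f} bits  {years:14.3g} years")
```

    At the assumed rate, three random words fall in weeks and four words plus a digit take on the order of a hundred thousand years, which is the practical content of "the longer the better": each extra random word multiplies the thief's work by the size of the word list. The base-word scheme scores well below the others only because the pattern is assumed known; its real strength rests on the attacker never seeing one of the passwords in the clear.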
