Anti-Virus

Every time some cat gets a new computer, they come ask the Dogg what anti-virus program to use. Well, cats, in my opinion the best anti-virus to use is Microsoft Security Essentials. MS Security Essentials is a free anti-virus program for Windows that rates well in independent tests when compared to McAfee, Norton, and other paid products. Note that no anti-virus program is going to block every single threat every time; it’s just not possible. But having an anti-virus program is good practice and peace of mind. The best way to prevent virus infections is through better habits; here are some tips:

  • Don’t install anything that you are unsure of!
  • Pick a good password! Check out the password section below.
  • Don’t use Internet Explorer; I recommend Google Chrome.
  • Avoid any social network “add-ons.” A Facebook profile watcher?! No, it’s fake! It will trick you into entering your Facebook username & password on a website that you think belongs to Facebook, but really doesn’t.
  • Use a separate Windows account! Don’t use an administrative account for your daily web browsing. It is much easier for a malicious program to get installed if the user already has admin privileges!

Online Safety

Another problem I often see is when someone’s Facebook account is “hacked.” Note that this is not exactly hacking, but more of a social engineering or phishing scam. Users are tricked into entering their login credentials into a fake (but authentic looking) website to “re-authenticate,” or download some kind of neat Facebook add-on, or some other nonsense. It is fairly easy to make a webpage that looks like Facebook, or your bank, or any other website. Of course, the best way to combat this is to question everything.

  • Check the URL; does it actually say facebook.com, or is it a clearly unrelated site? Maybe they were crafty and took advantage of your mistyping to redirect you to another site.
  • Don’t click on links in emails! Have you ever received an email that says you need to click on a link and log in to change your password or your account will be suspended (or something similar)? Yeah, it’s bogus.
  • Don’t open email attachments from unknown sources! It may look harmless, or even have a cute name, but if you don’t know who sent it, don’t trust it!
  • Never enter your personal information into a pop-up box! A scammer could redirect you to the actual website, but pop up a form asking for your info before taking you to the real website!
  • Run an anti-virus program, a software & hardware firewall, and keep them up to date!
  • Run a secure web browser, such as Google Chrome. The Google Chrome web browser will attempt to notify you of known scams, preventing you from potentially entering sensitive data into a phishing website!
  • And, of course, have a good personal password policy in place to mitigate the damages.
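The “check the URL” tip above is easy to get wrong by eye, because look-alike links put the real site name in the wrong part of the address. Here is an added example (not from the original post) that applies the check the way a browser does: it parses the link, keeps only the hostname, and compares that against a trusted list. The trusted list and the sample links are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed list of hostnames the reader actually wants to log in to.
TRUSTED_HOSTS = {"facebook.com", "www.facebook.com"}


def hostname_of(url: str) -> str:
    """Return the lowercase hostname part of a URL, or '' if there is none."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def looks_like_trusted(url: str) -> bool:
    """True only if the hostname is a trusted host or a subdomain of one.

    The decision uses the hostname alone: the path, the query string and any
    text before an '@' are ignored, because that is where look-alike links
    hide the name of the site you expect to see.
    """
    host = hostname_of(url)
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


# Constructed sample links of the kind a phishing message might carry.
SAMPLES = [
    "https://www.facebook.com/login",                 # genuine
    "https://facebook.com.login-check.example/",      # trusted name used as a subdomain of another site
    "http://www.facebook.com@login-check.example/",   # real host is the part after the '@'
    "https://faceb00k.com/",                          # typo-squat (zeros instead of letters)
    "https://facebook.com/path?next=facebook.com",    # genuine; the name in the query does not matter
]


def classify(urls):
    """Map each link to whether its hostname is one we trust."""
    return {u: looks_like_trusted(u) for u in urls}
```

Only the first and last sample pass; the middle three all contain the string “facebook.com” somewhere, which is exactly why reading the address casually is not enough.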

If you think your account may have been compromised, act fast to change your passwords! Also, if you use that same password anywhere else, change it too! Make a note of the dates & times that your accounts may have been compromised, just in case some nefarious person used this information to take advantage of your bank accounts…

Don’t forget, people can use this same tactic over the telephone. Just because someone calls and says they’re from your bank doesn’t mean that they really are. Be sure about who you are dealing with before giving out personal information!

Password Policy

The basic password policy for years has been to have a password that is eight characters or more, and uses a combination of upper case, lower case, numbers, and symbols. While this will create a good password, recent advances in brute-force attacks have made it much easier to crack such short passwords. The latest approaches use a video card (or multiple cards), with hundreds to thousands of GPU cores, to try billions of passwords per second. The longer the password, the longer it will take to crack.

A more modern approach recommends using a much longer password, such as a short sentence, instead of a single word. Throw a few special characters into your sentence, and you’ve got a password that is much harder to break (and easier to remember).
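To put numbers on the two paragraphs above, here is an added example (not from the original post) that computes the worst-case brute-force time for an eight-character “complex” password versus a short sentence. The attacker speed of 10 billion guesses per second is a constructed round figure standing in for the “billions per second” the post mentions; the character-class sizes are the usual printable ASCII counts.

```python
# Assumed attacker speed: a constructed 10 billion guesses/second, in line with
# the post's "billions of passwords per second" for a multi-GPU rig.
GUESSES_PER_SECOND = 10_000_000_000

# Sizes of the character classes in the classic "complex password" policy.
UPPER, LOWER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 33 = printable ASCII punctuation + space


def charset_size(password: str) -> int:
    """Size of the smallest mix of classes that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def keyspace(password: str) -> int:
    """Candidates a brute-force search must try to exhaust this password's class mix and length."""
    return charset_size(password) ** len(password)


def seconds_to_crack(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return keyspace(password) / rate


def human_time(seconds: float) -> str:
    """Express a duration in the largest convenient unit."""
    for unit, length in (("years", 365 * 86400), ("days", 86400),
                         ("hours", 3600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare(candidates):
    """For each candidate: (length, class-mix size, worst-case crack time)."""
    return {p: (len(p), charset_size(p), human_time(seconds_to_crack(p)))
            for p in candidates}


# Constructed candidates: a lowercase word, a textbook complex password, and a sentence.
CANDIDATES = ["password", "Tr0ub4d!", "my dog ate my homework!"]
```

These are pure brute-force worst cases; real cracking tries dictionary words and common phrases first, which is why the post also says to avoid dictionary words and to add a few special characters to your sentence.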

Many policies also require frequent password changes. All this really does is confuse and irritate the user, who has trouble remembering their new password. What they then tend to do is just write it down! Many users just write down their passwords and stick them somewhere easily accessible. On a sticky note stuck to their monitor, on a piece of paper tacked to their cork-board, or just taped to the underside of their keyboard! What is the point of having such a password policy when users just leave their passwords in the open for anyone to see?!

So, what to do?

  • Well, first, quit requiring your users to change their passwords every 60 days. It just irritates them! Change it to at least 6 months.
  • Next, educate users (and yourself) on better password management. Use a program like KeePass to store your passwords in an encrypted file.
  • Don’t use the same password for everything! If someone gets one of your passwords, they can now access every other resource that uses that same password!
  • Don’t use personal information in your password. Your kid’s name is not secure…
  • Avoid dictionary words, as one of the major methods of password cracking relies on using words from the dictionary.
  • Use at least eight characters in your password, with a combination of upper/lower case and special characters. As was stated above, try a short sentence instead.
  • Don’t give out your password.

One method I recommend is to use different “tiers” of passwords. Think of everything you have a password for, and categorize it by importance. You can then share passwords among items in the same tier. If Facebook, Myspace, and Pinterest all share the same password, then those are the only ones you need to change if that password becomes exposed, and since your bank account doesn’t use the same password, you don’t need to worry about your money disappearing! For important sites (bank accounts, credit cards, etc.), it is probably best to use a separate password for each.

And, for a somewhat humorous take on password length, here is a great XKCD comic on Password Strength.