Last Updated on December 5, 2015 by Dave Farquhar
There was a fair bit of talk last week about a study that compared security advice from security experts versus security advice from people who are at least somewhat interested but don’t live and breathe this stuff.
There were significant differences in the answers, and a lot of security professionals panned the non-expert advice. I don’t think the non-expert advice was necessarily bad. Mostly it was out of date.
Here are the top five things experts do to stay safe online:
- Install software updates
- Use unique passwords
- Use two-factor authentication
- Use strong passwords
- Use a password manager
Here are the top five things non-experts do:
- Use antivirus software
- Use strong passwords
- Change passwords frequently
- Only visit websites they know
- Don’t share personal information
I’ll explain the expert advice first.
Install software updates. Once a software vendor discovers a defect in one of their products, it takes no more than 30 days for exploits to appear. While problems with updates do occasionally happen, they are usually comparatively minor, and I do not recall a time I had a problem with a patch at home.
Use unique passwords. Your data will get breached. It’s a fact of life. And when your password on some hobbyist forum gets breached, the attacker is going to try the same e-mail address and password on sites like Amazon and eBay. Guaranteed. Using unique passwords everywhere is hard, but it’s the only way to protect against that.
Use two-factor authentication. Some sites send you a text message when you log in. Enable that, and an attacker is just going to move on to someone who didn’t.
Use strong passwords. If you can’t remember your password long enough to type it in, then you stand a chance of a computer not being able to guess it in the near future. Notice I said you stand a chance. If you can use a 54-character password at a particular site, do so.
Use a password manager. This is a compromise to facilitate unique, completely random, long-as-possible passwords. There are drawbacks to using an online one versus one that resides on your computers. I tend to favor one that resides locally despite the necessity to occasionally synchronize them. But the biggest advantage is that it means you only have to remember one password. If something like LastPass works better for you than something like KeePass, that’s OK. Just use one of them.
Let’s run through the non-expert advice.
Use antivirus software. Few would say this is a bad idea; it’s just that antivirus software is overrated. The problem is nobody really knows how much stuff gets past antivirus software. Some people think 20% of it does and some think 80% does. Nobody doubts it offers some protection, so you should do it. Just don’t make it #1.
Use strong passwords. Yes, this is good. But your dog’s name with the number 1 and an exclamation point at the end isn’t a strong password, even if a web site’s strength meter says it is. An attacker is going to try that one before they try “rrrrrrrr.”
Change passwords frequently. This used to be good advice because we used to be able to predict pretty easily how long it takes to guess a password. We’ve learned in the last few years that the time keeps getting shorter as computers get faster and password guessing programs get better. If you use really long random passwords and store them in a password manager, there’s little need to change them unless the web site requires it, or the site gets breached.
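To put numbers behind the strong-password and change-frequency points above, here is a small Python script added as an illustration (it is not the author’s code). It contrasts what a character-class strength meter credits a password like “Fido1!” with the much smaller space an attacker who already knows the “pet name + digit + symbol” pattern has to search, and compares both against the 54-character random passwords a password manager generates. The guess rate, the 10,000-name dictionary size and the sample password are constructed assumptions for illustration, not measurements.

```python
import math
import secrets
import string

# Constructed assumption for illustration only: guesses per second an attacker
# might manage offline against a fast, unsalted hash. Real rates vary widely.
ASSUMED_GUESSES_PER_SECOND = 1e10

# Printable ASCII without whitespace: 94 symbols, the usual generator alphabet.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password_bits(length: int, alphabet_size: int = len(FULL_ALPHABET)) -> float:
    """Entropy in bits of a password chosen uniformly from alphabet_size ** length."""
    return length * math.log2(alphabet_size)


def meter_style_bits(password: str) -> float:
    """What a naive strength meter credits: count the character classes present
    and pretend every character was drawn uniformly from their union."""
    classes = [
        (string.ascii_lowercase, any(c.islower() for c in password)),
        (string.ascii_uppercase, any(c.isupper() for c in password)),
        (string.digits, any(c.isdigit() for c in password)),
        (string.punctuation, any(c in string.punctuation for c in password)),
    ]
    pool = sum(len(chars) for chars, present in classes if present)
    return len(password) * math.log2(pool) if pool else 0.0


def pattern_bits(word_choices: int, digit_choices: int, symbol_choices: int) -> float:
    """Entropy of 'word + digit + symbol' when the attacker knows the pattern:
    the only uncertainty left is which word, digit and symbol were picked."""
    return math.log2(word_choices * digit_choices * symbol_choices)


def expected_crack_seconds(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time to find the password: on average half the space is searched."""
    return (2.0 ** bits) / 2.0 / rate


def generate_password(length: int = 54, alphabet: str = FULL_ALPHABET) -> str:
    """Random password from the OS CSPRNG, the way a password manager produces one."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    weak = "Fido1!"  # constructed example of "dog's name, a 1 and an exclamation point"
    pattern = pattern_bits(10000, 10, 32)  # ~10,000 pet names x 10 digits x 32 symbols (assumed)
    print(f"{weak}: a class-counting meter credits {meter_style_bits(weak):.1f} bits")
    print(f"  as a known pattern it has only {pattern:.1f} bits, "
          f"about {expected_crack_seconds(pattern):.4f} s at the assumed rate")
    strong_bits = random_password_bits(54)
    print(f"54-char random ({generate_password(54)}): {strong_bits:.0f} bits, "
          f"about {expected_crack_seconds(strong_bits):.3e} s at the assumed rate")
```

The takeaway is the gap between the meter’s 39 bits and the pattern’s 22 bits: the meter rewards character classes, but the attacker searches patterns. A 54-character random string has several hundred bits, which is why a manager-generated password does not need rotating on a schedule; what ends its useful life is a breach of the site holding it.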
Only visit websites you know. It’s not uncommon for even well-known sites to momentarily harbor malware, so this advice drew some snickers. There was a time when this may have been good advice, but the web is so interconnected and syndicated now that it’s no longer very helpful.
Don’t share personal information. Oversharing on social media is a real problem, and of course, the less you share, the less damage there is if you get breached. Then again, if you want to do business with someone, you do have to share an awful lot. This is another example of something that is good advice; there just wasn’t room for it in the top five.
In the last few days I’ve found a good bit of extra-mile advice, so over the course of the next week or two I’ll share it.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.