Your CHILDREN may be at risk! Find out tonight at 11:00.

In the past week, LinkedIn, eHarmony, and Last.fm were each subject to a serious security breach, resulting in the leakage of many user passwords. Not coincidentally, in the same week, Facebook started pushing a security tips page to all of its users.

The cold, hard truth is that it’s more likely than not that you will have some Internet account that you use end up having its password leaked out at some point in time.

Whether or not that results in a minor temporary inconvenience, or more dramatic identity theft, is up to you.

Unfortunately, there has not been a very good effort to teach everyday computer users how to keep themselves safe. Equally unfortunate, too many everyday computer users ignore advice when they are taught, and fail to recognize their own complicity when they do become victims.

It does not take a great deal of effort to dramatically increase your digital security. A few small habit adjustments and some tools to help are all it takes.

The following is a brief, opinionated guide for “normal, everyday” computer users. People of a higher technical background will likely have their own preferences, and that’s fine, but this is a guide that we consider to be ideal for the average user.

1. Practice Good Password Security

The rules for passwords:

  • No password should ever be used twice
  • Passwords should be long and random
  • Don’t try and memorize your passwords – use a password manager

People often use simple passwords, and use them over and over, because it’s difficult to remember a whole bunch of random passwords. That is why password managers were invented. Instead of remembering passwords yourself, these tools store passwords for you, and help you enter them in when you need them. This allows you to use a long, random password for every service you use. The only password you need to memorize is the one that unlocks your password vault.

LastPass stores your passwords, and fills them in for you, so you can have strong, random passwords without having to type them in yourself.

LastPass is our suggested password vault. It installs on every major operating system (Windows, Mac OS X, Linux), typically as an extension in your browser. It generates strong random passwords for you when you create new website accounts, saves those passwords securely, and then fills them in for you when you go to login somewhere.

If you take only one piece of advice from this post, make sure it’s this one. People will often say, “my Facebook got hacked!”, not realizing that what actually happened is that a different website they use got hacked, and that person used the exact same password on Facebook and dozens of other sites. This is the #1 risky behavior that, if you do, you must curtail immediately. If you use different random passwords for every site, then when one of those sites gets hacked, none of your other accounts are at risk.

The only password you need to memorize is the one that unlocks your password vault. Let the vault do the rest of the work for you.

2. Backup Everything! Use CrashPlan

The next most important topic is backups. If you have data that is not backed up, it is destined to be lost unless you create a backup. Systems will break. Hard drives will fail. Accidental deletions happen all the time.

Our standard backup recommendation for normal users used to be Carbonite, and Carbonite is still a good option. Our current recommendation, however, is CrashPlan.

CrashPlan provides unlimited data backup for $5/mo or $50 a year, with further discounts for longer terms. It supports Windows, Mac, and Linux. Unlike Carbonite, CrashPlan does not limit daily uploads, allowing for the initial backup process to go much faster. On top of that, CrashPlan offers much faster transfer rates (in addition to total amount of data, Carbonite throttles transmission rates – dramatically so in the event of large backups).

CrashPlan offers a great cloud backup solution, but CrashPlan also allows users to store encrypted backups on other systems running CrashPlan. This means that users with multiple PCs can have their computers store a backup of each other’s data (provided there’s enough disk space to go around). Also, if you have a friend that also has CrashPlan installed, you and the friend can store backups of each other’s data. These remotely-stored backups are encrypted with your encryption key, meaning your friend cannot ever look inside of them. Best of all, this sort of share-between-PCs backup feature is free.

CrashPlan has become so good that we are planning to start using CrashPlan Pro for server backups.

3. Use Gmail for its rich security features

For the average person, our suggestion for email is simply: use Gmail.

Gmail is the best thing to happen to the normal computer user’s email. What makes it our email recommendation for normal users are its security measures.

One of the biggest is Gmail’s activity log. You can find it waaaay down at the bottom right corner of your Gmail screen.

Down in the bottom right corner...

Click on Details, and you get the Activity screen:

A table showing the IP addresses and locations of all your Gmail account's recent activity.

There’s a few important pieces to this screen. First, there’s the “Sign out all other sessions” button. That one’s a biggie. In the event that a system of yours is lost or stolen, clicking this button will log out your saved sessions. Or, if someone manages to steal your password, you would change your password and then hit this button to drop their session.

Next is the table showing all of the recent activity on the account. Here you can see exactly what IP addresses are accessing your account and when.

Finally, there’s the Alert preference. This feature will give you a warning if your account has suspicious activity. When you log into Gmail and there has been unusual activity, you’ll get a warning message like this:

Suspicious activity warning at the top of Gmail

Another important feature is the ability to have Gmail always use HTTPS, making your entire email session run over an encrypted link. In Gmail’s settings, enable the “Always use https” option.

"Always use https" ensures all of your Gmail browsing takes place in a secure, encrypted session.

Many sites use HTTPS only for logging in, while having the rest of the session transmitted “in the clear”. Unfortunately, it is all too easy for an attacker to listen in on unencrypted connections, especially on shared networks like wireless hot spots.

4. Protect yourself from malicious software

Every time you run a piece of software, you are trusting it with your system and your data.

One of the main ways computers end up compromised is from users installing software from sources they should not have trusted. This is especially true of Windows users. The unfortunate reality of using Windows is that there is a rich ecosystem of malicious software targeted at that platform.

The rules for software security:

  • Install your operating system’s updates
  • Keep Flash and Java up to date
  • Install software only from trusted sources
  • (for Windows users): Have anti-virus/anti-malware software running in case you trusted wrong, or in case a hole in security allows bad software to attempt to install without your knowledge

Let the updates for your OS do their job and protect you.

It’s sad to see people run systems that are badly vulnerable because they refuse to allow Windows or other operating systems to install updates. These updates are usually security-related, and often close holes that have been recently discovered. Installing these updates is critical.

Flash and Java are extremely common avenues for compromise. It is very important to keep these pieces of software up-to-date, as it is very common to see big security exploits out in the wild that feast on all the users who don’t update these plug-ins.

Do not install software that you did not specifically seek out to install. A random email attachment that appears to have come from your friend may instead be the result of that person’s email account being compromised and used to send out attacks. Do not install software from “shady” places. This requires some good judgement. Failing that, you can turn to sites like Web of Trust to establish a site’s level of trustworthiness, and ensure that the place you plan to download software from is legitimate.

Finally, Windows users should be running some sort of anti-virus/anti-malware software suite. Microsoft Security Essentials is a very good, free anti-virus, and is easy on system resources and produces very few false positives. For additional protection, MalwareBytes’ Anti-Malware PRO is $25 a year and provides great anti-malware protection. MalwareBytes and Microsoft Security Essentials co-exist nicely together, and some minor setup steps can be taken to ensure they don’t step on each others’ toes.

5. Use Google Chrome, or Mozilla Firefox, for your web browser

Chrome and Firefox have much better track records for security than default browsers like Internet Explorer or Safari. Out of the box, users will be safer running one of these browsers. They can be further secured by running add-ons that block things like ads (a number of security incidents have come from malformed banner ads), tracking cookies, scripting, Flash, Java, etc.

More importantly, these applications aren’t deeply integrated into their operating systems the way Internet Explorer is in Windows, or Safari is on Mac OS X. Security flaws in these browsers are less likely to result in a system-wide security breach.

6. On laptops, use full-disk encryption

One of the leading causes of data theft is stolen laptops. A study in 2008 revealed that around 12,000 laptops are lost in US airports every week. That number is almost certainly higher today. Having your laptop stolen is bad, but what is even worse is having all of that personal data fall into someone else’s hands.

Every major operating system now ships with full-disk encryption. On Mac OS X, it’s called FileVault 2. On Windows, it’s called BitLocker. Modern Linux distributions have LUKS.

Full-disk encryption ensures that your laptop’s entire drive is encrypted, and cannot be read by a thief unless the thief also has your password. Typically, in a stolen PC situation, this information would not be available to the thief (provided you don’t leave your password on a sticky note on the laptop).

7. Enable your operating system’s firewall

All of the major operating systems now come with a built-in firewall.

On modern Windows systems, the firewall is enabled by default. Good job, Microsoft! Unfortunately, the same is not true on Mac OS X.

8. If you want to get a little more serious, use Google Authenticator

Someday, when computer users on the whole become a bit more experienced, and the security issue becomes even bigger, using multi-factor authentication will become normal. Unfortunately, in today’s world, it’s still all too rare.

Multi-factor authentication means having to supply more than one thing in order to login to a service. Right now, you probably only need to enter a password in order to login to a service you use. The problem is, anyone else who wants to log in with your username also only needs to enter your password, too.

Imagine if having your password wasn’t enough. Imagine if a person had to not only figure out what your password is, but also had to steal your cell phone. It’s pretty hard for a hacker in Russia to steal the cell phone out of your pocket, isn’t it?

This is what a tool like Google Authenticator facilitates. It is an app for iOS and Android, and it generates a series of codes. When you want to log in to your Google account, you provide both your password, and the current code from this app. Even if your password were stolen, an attacker could not log in as you without being able to produce this code as well.

Google isn’t the only place where you can use Google Authenticator. Other security-minded services (including LastPass) allow you to use Google Authenticator as a second authentication factor.

Some places, like banks, don’t support Google Authenticator, but have their own brand of two-factor authentication. Bank of America, for example, has SafePass, a second authentication factor in the form of a mobile phone app or a smartcard that you keep in your wallet. Other banks have similar offerings.

Epilogue

If you read this far, good for you. At the very least, we hope you take #1 and #2 to heart, as they will greatly protect your online accounts and keep your data safe.

Security is a deep rabbit hole, and this list could go on much longer. For a starting point, however, it’s quite good.

Much of security comes down to user behavior. You have total control of your computer, and there is no one to stop you if you download and run bad pieces of software, or if you are careless with passwords and put your online accounts at risk. Put a little thought into your computer safety, and it will become second nature, much like how you will naturally shy away from handing your car keys or wallet over to just any person.