As a guy who works in the computer security industry, I am well aware of all the advice that we give. Use different passwords at the multiple sites that you log in to. Always install the latest software updates. Run antivirus programs. And for heaven’s sake, don’t click on any links in spam! We sometimes get frustrated at the inexperience level of our general user base. I actually back off on this because to most people who aren’t geeks, a computer is just a tool you use to check email, browse the web and talk to friends. You aren’t really using it to do a lot of in-depth stuff. Most people have better things to do, like watch football on TV, go out with friends, or take walks in the park. It’s no surprise they don’t understand the finer points of security any more than I personally understand the finer points of the medical profession, the health care industry, or the chemicals industry. When I go to the store and buy a cleaning product, I’m vaguely aware that it’s kind of dangerous and shouldn’t be inhaled. I don’t read all of the labels to see the chemicals involved in the product and then do a synopsis of whether or not I am allergic to each one. Similarly, I’m vaguely aware that in order to maintain my weight I need to consume only as many calories as I burn. I don’t really know much about omega fats, unsaturated fats, good and bad cholesterol, what my iron levels are, what amount of sodium and potassium I need every day, and so forth. I just know not to eat sugary foods, to eat enough fruits and vegetables, and to exercise. In other words, my knowledge is very limited compared to what a nutritionist would know.
To that end, my girlfriend and I were out the other night and I decided to test what she knows about computer security. I figured I would use her as a bellwether for the advice and education that we as an industry give out. My girlfriend is not particularly techie; she uses a web browser to check her email and regularly checks travel sites, searching for deals for her next trip out of town. She also browses one or two discussion forums. That’s mostly, though not completely, what she uses a computer for – keeping in touch with a small set of interests. She is not the type of person who has embraced the digital lifestyle (something that the computer industry keeps telling us will happen but is always 5 years out). In my view, my girlfriend is far more representative of the average computer user than I am. Thus, anything that she did or didn’t know is likely to be more or less in sync with the rest of the Internet population. This, of course, is not a completely representative test because I am sampling one person, whereas a true test requires a random sample of 500 to 1000 users. Still, I figured this was a good way to see how good our advice is.
I asked her a few questions:
I think I asked a couple more questions, but that’s all I can remember. As an industry, we are okay at getting our message out, but I think we also trip over a few things that need improvement.
nice one tzink
Ever heard of password managers ?
I started using the fingerprint reader on my laptop to track my passwords - I could create whatever was required for each site, different passwords, usernames, etc. However, the first time I tried to log into even some of these sites on a different computer - well, you can guess the result. People will resort to that which is easiest to remember and perform, even if it is not always in their best interest.
I'm starting to wonder if strong passwords are important at all. Given unlimited tries, cracking programs can break the strongest passwords I can actually remember or type reliably. Given limited tries, even a moderately weak password is plenty of security.
Popularizing the term "malware" is better than trying to differentiate between viruses, worms, spyware, etc., for the end user. Unfortunately, there is not one software package that is a solution to everything.
I share your frustration with password rules differing between sites. So I use tools like password safes or browser password storage. Yet I see little about the pros and cons of these tools written about in the industry.
Ease of use is big for getting users to comply. Yet this is where weaknesses lie that malware will use.
I agree that the computer security industry has not done enough to move forward the average user in their ability to identify security threats. Education is the only way to do this; however, the trick lies in the who, what, how, when, where, and why of things.
Who do we train? Is it our co-workers, our family, friends or only those who could be at the highest risk levels?
What do we train them in? Should it be when to update, how to maintain safe passwords (mf55, by the way, I can get all of your passwords out of the browser storage without any trouble. Stick to the password storage tools such as keysafe).
How do we train? Should there be public service announcements, special classes during the workday, an afternoon of training at home?
When do we train? Is high school too late, or should it start in middle or grade school? Do we offer training during the day at work or special classes after hours?
Where do we train? Goes hand in hand with how and when.
Why do we train? Well, this is answered by the author of the article to some degree. Simply because our average users are not well trained enough.
Can't agree more about the passwords issue. Particularly frustrating are companies whose policy makes you change your password every 30 days - that means every user has to now remember 11 more passwords each year than necessary, thereby hugely increasing the likelihood that they will get written down - especially for casual users - or somehow turned into a guessable sequence.
You should probably clarify on your algorithm example. You're making it sound like it's a good idea to build a password out of something like a phone number plus the website's name. While this guarantees uniqueness, it does nothing to protect you if even one of your passwords is compromised. If your Facebook password is "5551212-Facebook" and is compromised, then you can bet that the attacker will be trying "5551212-PayPal", "5551212-Google", "5551212-BankOfAmerica", etc. At that point, it's even worse than using the same password everywhere, because you're literally telling people that you have a system that you use multiple places, and giving them the password to all of your accounts.
KeePass or similar password managers are really the way to go.
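The weakness this comment describes, shown as an added example (not code from the post or from any commenter): with the naive "fixed secret plus site name" pattern, one leaked password exposes the fixed part and every other site's password follows by substitution, whereas a keyed derivation (HMAC-SHA256 over the site name, used here purely as a contrast and not something the comment proposes) gives an attacker no such foothold from a single leak. The phone number and site names are the comment's own illustrative values.

```python
import hashlib
import hmac
import re

# Illustrative values taken from the comment above (constructed, not real accounts).
PHONE = "5551212"
SITES = ["Facebook", "PayPal", "Google", "BankOfAmerica"]


def naive_password(secret: str, site: str) -> str:
    """The pattern the comment warns about: a fixed secret joined to the site name."""
    return f"{secret}-{site}"


def siblings_from_leak(leaked: str, other_sites) -> dict:
    """Model the risk: if one naive password leaks, the fixed part is visible in
    plain sight and the other sites' passwords are pure substitution.
    Returns {} when the leaked value does not fit the pattern at all."""
    m = re.fullmatch(r"(.+)-([A-Za-z]+)", leaked)
    if not m:
        return {}
    secret, _site = m.groups()
    return {site: naive_password(secret, site) for site in other_sites}


def keyed_password(master: str, site: str, length: int = 20) -> str:
    """Contrast (added here, not from the page): HMAC-SHA256(master, site).
    Each site's value looks unrelated to the others, and a single leaked
    output does not reveal the master secret or any sibling password."""
    mac = hmac.new(master.encode(), site.lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def compare_schemes(secret: str, sites) -> dict:
    """Leak the first site's password under both schemes and report how many
    other sites an attacker can immediately fill in from that one leak."""
    first, rest = sites[0], sites[1:]
    naive_leak = naive_password(secret, first)
    keyed_leak = keyed_password(secret, first)
    return {
        "naive_exposed": len(siblings_from_leak(naive_leak, rest)),
        "keyed_exposed": len(siblings_from_leak(keyed_leak, rest)),
    }


if __name__ == "__main__":
    print(compare_schemes(PHONE, SITES))
```

A keyed scheme still hangs every account on one master secret, so the commenter's recommendation of a proper password manager stands; the point of the contrast is only that the visible pattern is what turns one leak into many.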
Your girlfriend doesn't play games on her computer, you say. Why don't you try to get her to use Linux? IMO, this would address two of the security issues described above: updates being sometimes delayed in order to delay rebooting, and regular updates to the antivirus program. Only kernel updates get you to reboot Linux, and anyway, the boot time for the latest Ubuntu/Kubuntu is below 30 seconds from power on until after login. Besides, a properly configured Kubuntu looks even better than W7, which is something your girlfriend would probably like. As for malware, I don't know of any botnet infecting Linux, or any Linux virus in the wild.