Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English
Translate This Page
Common Tasks
Search Form
  • Advanced search options...
Tag Cloud
Monthly Archives
Archives

Measuring your level of online safety

MSDN Blogs > Terry Zink's Cyber Security Blog > Measuring your level of online safety

Measuring your level of online safety

28 Oct 2011 5:23 PM
  • Comments 3

Microsoft has released a new web page that teaches people about how to be safe online and gives you a way to measure your online safetyness score, as determined by Microsoft.  You can read all about it at that first link and take the test for yourself here: Take the survey.

The page has some basic information about things that users can do to make sure that they are more secure:

  • Use a newer operating system.

  • Update antivirus and antispyware software regularly.  Even better – use one that does it for you automatically like Microsoft Security Essentials.

  • Use automatic updates (both for your operating system and if possible, your 3rd party software.  Even better when it does it automatically for you).

  • Keep a firewall turned on.

  • Connect to secure wireless networks.

  • Limiting information-sharing.

  • Creating strong passwords.

The score of the average user in 2011 was 34.  I took the survey and I got a 64.  You would think that being a security professional, it would be a lot higher since I should be setting an example for others.  Well, at least I got better than a 34.

What are the good things that I do?  I educate myself about the latest threats, run A/V and anti-phishing filters, use https where I can (especially when buying anything), and use firewalls.

What didn’t I score well on?

Well, according to the survey:

  • Passwords 

    I don’t create unique passwords for each account I use, and not all of my passwords have upper and lower case letters, numbers and/or symbols.  But even though this is security advice the industry gives, it is not good advice because it is impractical.  Nobody can remember all of those random passwords.  Humans are not good at doing it.  Why are phone numbers 7-10 digits long?  Because we can only remember so many random strings of digits, only 7-10 of them.  We can’t remember anymore of that.

    Yet the security industry says that we need to remember not only 10 digits to pick from, but 72 characters (or more!) to pick from (the letters of the alphabet in both cases, numbers, and special characters along the top).  I don’t know about you but I have web accounts to something like 40 accounts (it’s not hard, just think about your own).  How am I expected to remember unique passwords to all of them?  Using password software isn’t going to cut it because I have multiple devices – a phone, a PC and a Mac.  I can’t use that password manager on all of those devices, I have to remember my passwords.

    Thus, I reuse passwords because I have to – the limits of human memory require this. The only way to have different passwords for each site is to have some sort of algorithm to do it that uses a token of some sort.  But then the password is no longer random, is it?  Or else I can reset my password every time; yeah, like I’m going to do that each time I login to Twitter or eBay.
     
    If a security professional is going to you if have random passwords and use that as a checkbox proving how secure you are, they need to have a follow up question – since you obviously write down your passwords on a piece somewhere, do you at least not leave it next to your computer?

    I differ from security experts in this regard.  While using different, strong passwords is a good idea, it’s impractical to advise this.

  • Managing my online reputation

    I don’t do things like remove tags or comments about me, request that sites remove information about me, or anything like that.  I sometimes use the search engines to look up myself and see what others are saying about me.  However, this is more out of vanity and not out of a desire to manage my own security.

    I don’t think I am important enough for anyone to write all sorts of bad things about me (I’m not rich or famous, I have a blog that a few people read).  But this wouldn’t be a bad idea to do once in a while.

  • Sharing information about myself online

    This goes hand-in-hand with the previous point.  How well do I conceal information about myself online?  Good question.  The answer is probably “Too much.”  I live in or around Seattle (TMI?).  But I’ve never shared where exactly I live.  People know I work for Microsoft.  They know I watch South Park, 24, and Battlestar Galactica.  This is all stuff I’ve written about on this blog and posted to my Facebook profile (and even made my profile semi-public!).

    This is a serious gray area.  I’m not sure what I can reveal and what I can’t.  Yet my goal when I write is to be transparent and honest.  It’s easier to do that when I share stuff about myself.  But I don’t want to reveal it all.

    But if I am truly honest, I can’t check this checkbox.

So those are my scores.  Not a bad score and there’s room for improvement.  I guess I’m not perfect.

But then again, neither are you.

Leave a Comment
  • Please add 6 and 5 and type the answer here:
  • Post
Comments
  • 28 Oct 2011 6:53 PM

    Which is why 'strong passwords' are a bad practice. Instead non-obvious pass phrases should be supported.

    Much to my dismay at this month's Silicon Valley Code Camp, in a TDD setting, it was proposed that a strong password have a limit of 16 characters, mixed case, and symbols and alpha numerics. People expect my mother to get this? A five or six word passphrse is better then what most Moms use and in the hands of anyone who understands them, better than any 8-12 mixed combo of characters.

  • Steve
    8 Nov 2011 1:11 AM

    I strongly agree with Trae about the passphrases suggestion.

    I would also add that making a distinction between sensitive sites (shopping sites,...), social sites, ... can help make a choice for a common password or distinct password ... (sorry I meant passphrase!) for each site/category.

  • Yaron
    15 Nov 2011 7:12 AM

    That survey isn't really helpful the way it's run right now.

    Got 62, which while being a lot more than the reported average, feels low on a 0-100 scale. And the reasons are ones that I feel are pretty spurious (as far as explaining why my "Online Safety" would be so low goes).

    I don't have any anti-virus, etc..., on my phone, which was a question. Why? Well, because I use a phone that doesn't have internet access. I can't install any anti-virus or anti-malware on it even if I wanted to, but then again I can't get any viruses or malware on it even if I really wanted to. So I'm perfectly safe there, but if I answer the question honestly as asked....

    And I do often use my real name when posting comments or creating accounts. But just my first name, which is not really helpful. Run a search for the real name I posted this comment under, and I don't come up for at least the first 100 results on search engines (OK, I only just tested with google, yahoo, duckduckgo, and bing, maybe I'm a big hit on something else, but I seriously doubt it). It's just not that unique, and I'm just not that active online. But they don't ask how unique it is, or how active online I am, just if I use a real name or not.

    And the same not being very active online means that I don't actively ask websites to remove comments about me, etc... Because first there really aren't that many, and second because so far there hasn't been any reason for a problematic/revealing one to appear, so I had absolutely no reason to ask someone to remove anything. But they don't ask why in the survey, or if there was even potentially a reason, just if I do it regularly or not.

    So I think that using a modern browser, a good AV, keeping updates, using secure and different passwords, and controlling what and where I actually write online, should as a ballpark put my online safety much higher than this score. So the score is meaningless, and so not helpful. Not for anyone taking the survey to get a feeling of their safety if they don't already understand all the points, and not for whoever running the survey to estimate overall trends (since a lot of the data is too ambiguous).

Page 1 of 1 (3 items)