As part of National Cyber Security Awareness Month last October, we suggested three essential tasks you could do for your family to improve their cyber security.
Tomorrow marks a year since we published that advice, so we thought we’d revisit it to ask if you’ve done them all.
If you haven’t, there’s still time!
All three are simple but important things that all of us who act as our family’s unofficial technical support and cyber-defence team can do to make things harder for the bad guys.
We’ll be issuing some new advice tomorrow, so today is a good time to make sure you’re up to date on last year’s advice!
1. Check computers for zombies and other malware
Most people seem to be using anti-virus software these days but the software is only as good as its most recent update.
If your family members have subscriptions that have expired, if they haven’t done a baseline check lately, or if they’re Mac, tablet or smartphone users and think they aren’t vulnerable, get them a reputable product, bring it up to date and do a check for zombies and other malware today.
(Sophos offers free anti-virus software for Macs, as well as for Android.)
2. Enable WPA or WPA2 on home Wi-Fi
If anyone in your family is using unsecured home Wi-Fi or has secured their Wi-Fi with WEP encryption, take two minutes to switch them to WPA or WPA2 today.
If you think you have already set up WPA for them, go and check they haven’t done a factory reset or anything that might have undone your work.
But, before that, watch our video on Busting Wireless Security Myths so you can see if anyone is engaged in any Wi-Fi security that’s, well, mythical.
3. Set different passwords for every website
Make sure your family members are using different, strong passwords for each website they log into. Thieves will often try stolen passwords on a range of popular websites because they know that people reuse them.
Help your family choose strong passwords that are at least twelve characters long and made up of a mixture of letters, numbers and special characters. If they have trouble remembering passwords then consider a password manager like LastPass or KeePass.
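As an added example (not part of the original article), here is a small Python check you could run over a list of a family member's logins: it flags passwords shared between sites, tests each one against the advice above (at least twelve characters, with letters, numbers and special characters), and generates a compliant replacement. The site names, the sample passwords and the set of special characters are all constructed assumptions.

```python
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 12  # the article's minimum length
SPECIALS = "!#$%&*+-=?@^_"  # assumed set; websites differ in what they accept

def policy_problems(password):
    """Return the ways a password falls short of the article's advice."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(not c.isalnum() for c in password):  # anything not a letter or digit
        problems.append("no special characters")
    return problems

def find_reuse(entries):
    """Return groups of sites that share one password (the reuse thieves rely on)."""
    by_password = defaultdict(list)
    for site, password in entries:
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)

def generate_password(length=16):
    """Draw characters from the OS CSPRNG until the result meets the policy."""
    if length < MIN_LENGTH:
        raise ValueError("length is below the twelve-character minimum")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_problems(candidate):
            return candidate

# Constructed sample: (site, password) pairs, e.g. typed in from a family member's notes.
SAMPLE = [
    ("mail.example", "Summer2013"),
    ("shop.example", "Summer2013"),
    ("bank.example", "k7#Rw!pq29ZtLm"),
    ("forum.example", "correcthorsebattery"),
]
if __name__ == "__main__":
    print("reused:", find_reuse(SAMPLE))
    for site, password in SAMPLE:
        print(site, policy_problems(password))
    print("replacement:", generate_password())
```

Run it on a machine you trust and delete the list afterwards; the finished passwords belong in a password manager, not in the script.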
Image of road sign courtesy of Shutterstock.
It’s certainly easier to tell someone to set a different password for every website than it is to tell them to set a different password for every website *that matters*, but the rest can be a common password if you don’t care about it at all.
However, I’m not sure I even know 5 security experts who truly set a different password on every site or for every account they have…
KeePass is good, and I actually do use it, but is the db available on every device I may have when I need to log into something? It’s like relying on your phone to know your parent’s home phone number; when it’s not available, you’re SOL. KeePass does encourage reliance on it, so while a nice tool, it shouldn’t be allowed to foment a lax attitude about memorizing your passwords (or figuring out a scheme to assist in the memory of it, such as only making the important stuff unique).
You don’t really know me, but I’m a security expert who has been using a unique password for each account since around 1995. I generate them in my head based on contextual data, but the result is a “random” string that I can chop off at whatever length is deemed appropriate by the password-holding server/device. I’ve been doing it for so long now (almost 20 years) that once I figure out what contextual data to use as the seed, I can just type the password in without thinking too much about it.
I used to use a different, simpler method of generating throw-away addresses for accounts that “don’t matter”, but stopped that around 15 years ago, as I began to realize that while the accounts “don’t matter” from one viewpoint (having to create an account to download a file, etc), anyone who took over those accounts could easily co-opt my identity and use those accounts as a stepping stone to further mischief. Now I treat *all* accounts as if they are the key to stealing my entire identity, and this perspective, while slightly paranoid, reinforces good security habits at all times, so I don’t have a momentary lapse in judgement as to whether something really matters or not.
The downside is that as the method of generating passwords exists only in my head, if I had some sort of an accident that caused me to forget it (temporarily or permanently), I’d have no way to figure out what my passwords were. I’ve been thinking of writing it down and storing it with my will in a safety deposit box, but haven’t got around to that yet.
This raises a corollary to the password task though:
Treat all security questions as if they were password requests.
That is, don’t use the same security question for multiple services, or you’ve just done an end-run around your password security. This is an excellent place to use a randomly generated response for the security questions, and store them all somewhere. Otherwise, anyone with access to your social media account (if you’ve got one) can likely also gain access to pretty much every site and service you use, just by first breaking into your email address and then resetting your passwords using your security questions — or in some cases, just replacing the email addresses via said security questions.
A chain is only as strong as its weakest link. If you don’t hold all the links yourself, minimize the amount of data you have tied to a single chain. Don’t use the same link to secure all your chains, or when it fails, everything fails.
Don’t know about KeePass, but LastPass allows you to access from any device. Only catch is you have to pay for that “premium” service, but I think it’s only $10/year.
I have always used different passwords for everything. It never even occurred to me to reuse them. A password is a secret I share with another party. If I deal with multiple parties, I need multiple secrets. Most people think that a password is just some extra stuff you have to type to get in. That seems to be the problem here.
This is a great article! You’re reminding me how important it is to use different passwords, but sometimes it’s hard to keep track of all the different ones for different sites. I need to get on this train of just keeping a running document of different passwords and protect myself! Can’t wait to share these tips with our student body and faculty, they will absolutely love them! And I will definitely be using number three!
Hi Taylor,
Since you are going to keep a running document of your passwords, please ensure to secure that document as best as possible. For example, consider encrypting it. Don’t place a shortcut on your desktop to a text file containing your passwords.
I keep my most used passwords in a text file stored within an encrypted file container (VeraCrypt). The decryption key is not stored on my PC. For the remainder of passwords, they each have their own text file also stored in that encrypted file container. I hope this helps. Thanks.
I go to over 60 different websites that require a password. I have developed a system that is easy for me to remember and yet allows me to have a unique password for each website. My only problem has been to develop an alternate system for those websites that do not allow the use of “special” characters. We need to get websites on board to allow the use of special characters.
Hi Jonathan,
I agree, it’s very frustrating when websites reject special characters (or worse, only accept some special characters and it takes multiple attempts to determine which ones). You’re right, not using special characters weakens passwords.
More simply… use strong passwords but don’t forget 2 factor. Heartbleed didn’t care how strong passwords were and affected many sites.
I used LastPass when they first came on the scene and they were hacked a few months later. I use KeePass now and haven’t had any problems plus there is a KeePass Android app too. They both use the same encrypted database and it’s very easy to update the database on my phone and PCs. I’m for having the database on my own computer vs. storing anything in the cloud. To me, storing anything in the cloud is just asking to be hacked.