Security FAQ

Passwords:

Should I use the same password on all accounts?

Don't reuse the same password, security questions or answers across multiple accounts, especially important ones. Use a different password for each of your important accounts, like your email and online banking. That way, if one of your passwords is compromised, your other accounts are still secure.

Should I use similar passwords on my accounts?

Don't use similar passwords where most of the characters are the same. For example, a system like "donutsAreTheBestGoogle" and "donutsAreTheBestFacebook" will leave you open to attack if one of your passwords is compromised.

What characters should I include in my password?

Use a mix of alphanumeric characters (letters and numbers, like "ABCDE" and "34567") and symbols (e.g. #$%^*).

Should I change default passwords?

Do your best to choose a password that other people will not easily guess or hack. Avoid using default passwords, example passwords, simple words (like password, password123, 12345, admin, guest, or apple among others). Avoid using the names of your family members, friends, boyfriends / girlfriends, pets or sporting teams in your passwords. Also, don't use things like phone numbers, postal codes, house numbers, birth dates, card numbers, CRN numbers, and so on in your passwords.

Should I share my passwords with family and friends?

Don't share passwords, even with friends, family or partners. Sometimes you might find it's easier to give your password to a friend to let them access something you share, especially when you're in a hurry (or they are). Password sharing opens you up to a world of hurt later on down the track.

Are passphrases stronger than passwords?

Overall, passphrases are typically the better choice: they are longer and stronger. Stringing together some simple common words produces a long password that is easy to remember and hard to crack.

Why use passphrases over passwords?

Passwords with different types of symbols might seem more difficult for people and computers to guess, but they can also be harder for you to remember. A passphrase made of a string of random, unrelated common words is generally easier to remember and a very safe option.

How long should my password be?

Use a password with a minimum of 16 characters that includes at least one number, one uppercase letter, one lowercase letter, one symbol and one non-breaking space (or underscore). For passphrases, 6 or more words is safe, as long as the words are unrelated to each other.

How can I test my password or passphrase?

You can use websites like How Strong Is Your Password? and How Secure Is My Password? to test the passwords you're using.

What can I do to protect my accounts?

Set up password recovery options, like specifying an alternate email address on your accounts, and use multi-factor authentication (e.g. MFA or 2FA).

I have a good password system, why should I change?

If you have developed a pretty clever way of creating passwords, don't share this method with friends. Take a method like: the name of a band, coupled with the initials of an album title and a song title, then the year it was released, with every third letter capitalized. So, Queen's song "Now I'm Here" from their "Sheer Heart Attack" album, released in 1974, produces a password like QusHanIh1974. Such a method can produce some pretty strong passwords, but once you tell friends about it (over a couple of drinks), consider all your passwords hacked.

Should I reuse passwords?

This can't be stated enough: don't reuse passwords. If you're using the same password across accounts, once one of those accounts is compromised, all of your accounts are compromised.

Why should my passphrases be unrelated words?

Don't use a common phrase. While some common words can make a strong, secure password, make sure they are words that aren't usually used together. For example, "mary had a little lamb" is easy to crack, whereas "elephant purple hotdog vomit" is much less likely to be cracked.

How can I take passphrases to the next level?

These days this may seem obvious, but use a combination of uppercase, lowercase, numbers and symbols. This applies to passphrases too: since they are much easier to remember, throwing a few substituted characters into your passphrase can make it significantly more difficult to crack. For example, "monkey_m1crowave pants oRange b|ender" is much more difficult to crack than "monkey microwave pants orange blender".
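An added example (not from the original FAQ) that puts numbers on the passphrase advice above: it generates a passphrase from a word list using a CSPRNG, and compares the entropy of 6 random words drawn from a 7776-word diceware-style list with that of a 16-character random password. The word list below is a constructed stand-in; the entropy figures assume the full list size, and the guess rate is an assumption used only to illustrate scale.

```python
import math
import secrets

# Constructed stand-in for a real diceware-style list (which has 7776 words).
SAMPLE_WORDS = ["elephant", "purple", "hotdog", "vomit", "monkey", "microwave",
                "pants", "orange", "blender", "donut", "lamb", "queen"]
DICEWARE_LIST_SIZE = 7776   # size of a standard diceware list
PRINTABLE_CHARSET = 95      # upper + lower + digits + symbols + space


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of word_count words each picked uniformly from list_size words.
    The attacker is assumed to know the list; only the choices are secret."""
    return word_count * math.log2(list_size)


def password_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` characters each picked uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words, word_count: int = 6, separator: str = " ") -> str:
    """Pick each word independently with the secrets module (a CSPRNG), so the
    words are unrelated by construction; a common phrase cannot come out."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


def years_to_search_half(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years for an offline guesser at the given rate to cover half the
    keyspace. The rate is an assumption for illustration, not a measurement."""
    return (2 ** (bits - 1)) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for n in (4, 6, 8):
        bits = passphrase_entropy_bits(DICEWARE_LIST_SIZE, n)
        print(f"{n} random words: {bits:.1f} bits, "
              f"~{years_to_search_half(bits):.2g} years at 1e10 guesses/s")
    bits = password_entropy_bits(PRINTABLE_CHARSET, 16)
    print(f"16 random printable characters: {bits:.1f} bits")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Six words from the full list give about 77.5 bits, which is why the FAQ's "6 or more unrelated words" holds up; the same words in a well-known order ("mary had a little lamb") have almost none of that entropy.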

How often should I change my password?

Changing your passwords regularly can't really hurt, but you're better off choosing better passwords from the get-go.

Should I use a password manager?

Use a password manager. There are plenty of them out there, like LastPass, RoboForm, and LogMeOnce to name a few. But be aware that storing your passwords in the cloud isn't always the best idea.

Avoid using the password systems included with your browser (e.g. Firefox, Chrome, Internet Explorer). These password storage systems are getting better, but even with master passwords enabled they can be quite easy to break into, especially if someone has physical access to your device. A quick Google search will show just how easy it is to export account user names and passwords from these systems. All someone has to do is copy this exported list to a USB drive (or send it via email) and a malicious person has access to all of your accounts.

What other methods can I use to protect my accounts?

Do not log in to accounts using computers or devices other than those you own or have control over. Other devices could be compromised with malware or spyware, or the owner of the computer could have software that logs your keystrokes. And avoid connecting to public Wi-Fi networks (including motels, hotels, etc.) unless you're using a private VPN.

Use 2FA (Two-Factor Authentication) or MFA (Multi-Factor Authentication) wherever possible. Using a combination of password and hardware token, or password and fingerprint, or even password and text message will make it significantly more difficult for anyone to access your accounts.

That being said, when looking at methods for storing your passwords, balance reliability and convenience. Keeping your password written down on paper, stored in a locked desk drawer, might not always be the most convenient method, but it can be the most reliable one.

Where can I read more on passwords?

Wired magazine has a pretty good article with tips for creating strong, secure passwords. In summary: a) Length over complexity. b) Avoid personal, sports and pop culture references. c) Don't bunch up numbers and special characters at the end; spread them throughout. d) Never double dip your password. e) Changing passwords often doesn't help. This isn't the 1990s. f) Don't panic. Your more sensitive data is protected by banks and the like, and they take security seriously. g) Have more layers. Passwords are great, you've got that covered; how about 2FA, encryption, and perhaps do double dip your encryption. In general, Wired has a lot of great articles on various topics that touch on technology, without being too nerdy, while remaining nerdy enough.

Antivirus and antimalware software:

Do I need antivirus software for my computer?

Always make sure you have an up-to-date antivirus package installed on your computers and other devices. Most packages only cost a few dollars a month, they can usually be installed on multiple computers / devices, and most have a version that can be installed on all your devices. And you don't want a package which is just an antivirus; look for something which provides antivirus, anti-spyware, anti-malware and anti-ransomware, as well as other features. There are loads of vendors out there, like Norton, Kaspersky, and McAfee to name a few. There are also a number of vendors that provide a free version, a trial version, or are totally free (but may include advertising). Something to be aware of is that many large banks provide links to such software packages which will give you up to a year free. Check with your bank on that one.

Do I need antivirus or antimalware package for my smartphone?

There are packages out there which work, and if a version comes with the package you bought to protect your laptop or computer, that's generally safe, but be wary of apps that claim to be a cure-all for your smartphone. Many of them do little except slow your smartphone down. There's a lengthy article over on PC Magazine which covers this topic in detail.

Software updates:

Why update my device's software?

Keep your operating systems up to date. Operating systems (like Windows, Linux, iOS, OS X and Android) offer fairly frequent updates, which can usually be configured to install automatically. These updates provide your device with important security improvements. Other software packages and apps should also be kept up to date, as vendors frequently provide security updates as well as feature packs.

Networks:

Should I add a firewall to my network?

Always protect your computer with at least one firewall: block all incoming connections and limit outgoing connections. While you don't want to install multiple firewalls on your computer, having a firewall on your computer, on your router, and a hardware (or software) firewall in between can improve your security tenfold. There are plenty of open source firewall options out there, like OPNsense and Untangle, and they also have additional features like intrusion prevention, virus blockers, ad blockers, and much more.

Is my Wi-Fi vulnerable to attack?

Make sure the Wi-Fi routers you control (i.e. those in your home or business) have complex passwords configured and that the default passwords have been changed. If you have a Wi-Fi enabled router but aren't using the Wi-Fi on the device, disable the Wi-Fi features. This will prevent people who might be outside your home (or business) from using your connection for nefarious purposes and / or hacking the computers on your network.

Privacy:

Should I share my location?

Consider using a personal VPN, like ExpressVPN or NordVPN. Disabling location services in your device's operating system (e.g. Windows or iOS) if possible, and only giving essential apps your location, helps protect your privacy significantly. There are a multitude of apps and services out there that can help people keep track of you, and very few apps that help you prevent people from cyber-stalking you, so turning off location services is a good option. Considering more countries are getting on Australia's bandwagon (where a law was passed that forces telecommunications providers to keep two (2) years of your browsing metadata), obfuscating your location is a sound policy when it comes to protecting your privacy.

Should I encrypt my smartphone, laptop, or computer?

Consider using either hardware or software encryption for your computer, laptop or other device. Android is encrypted by default now, but your desktop and laptop probably aren't. Encrypting the hard disks of your desktop computer or laptop will help protect your valuable information in case the device is lost or stolen. With the lightning-fast speed of devices today, with technology like Solid State Drives (SSDs), encrypting your devices is safe, simple, and speedy.

Can Social Engineering cause me problems?

Be aware and vigilant of social engineering. There are a ton of articles out there. Be especially vigilant of ex-boyfriends, ex-girlfriends, or new and old friends chumming up to you all of a sudden. Sure, getting extra attention and flattery can be nice, but does the person or persons have an ulterior motive for this behavior?

Should I use a different email address?

While you want to use different passwords for each of your accounts, it can also be a good idea to use a different email address for some accounts, services and functions. For example, using one email address for banking and finance, another for school / university and a third for social media will help keep your secrets compartmentalized. As an example: your bank is less likely to be compromised, so the email address and password you've used there are safer. So, if one of your social media / forum accounts is compromised, you can dump that account and set up new social media accounts without the hassle of changing your banking.

Why should I use a Private VPN?

This is especially important when you're travelling, but it can be just as important when you're at home or work: encrypt your connections at all points. Installing a VPN software package will encrypt everything (including your passwords) your device sends and receives. Alternatively, you could set up your own VPN tunnel between your device and your home, so that whenever you're on the road you'll be protected from intentionally malicious Wi-Fi hotspots and dodgy hotel or motel Internet connections.

Why have a screen lock on my device?

Lock your computer, laptop and smartphone with a screen lock on a timer. This will protect your device when you walk away from it, and if you lose your smartphone no one will be able to access it. Enable the feature where your device becomes completely locked (bricked) if your credentials are entered incorrectly too many times.

Phishing attacks:

How to avoid phishing attacks?

Avoid clicking on links sent to you via email, direct messages or text messages. It is extremely easy to fake emails and text messages and send them out to millions of email addresses. Phishing attackers often use tactics such as sending a fake bill from your electricity or gas provider saying your bill is overdue. In any case, contact your service providers (e.g. gas, electricity, banking) directly. Most providers won't send customers emails or text messages. More recently, there has been an uptick in the number of phishing attacks where the emails and texts pretend to be from your postal provider (e.g. AustPort or UPS). Always think before you click.

What do I do if I fall victim to a phishing attack?

Always check your bank, credit card, PayPal, eBay, et al. accounts for any unusual activity. Check frequently enough, at least once per month, and you'll be able to recognize any activity that wasn't you easily and quickly. While it is a good idea to go to the police if you do detect any unusual activity, you might not get the response from them that you'd expect. Make sure you report any unusual activity to the financial institution and the relevant watchdog. We have seen cases where even large sums of money have been stolen, and the police don't even seem to understand what they're being shown. Most of the time, scammers will only withdraw a very small amount of money (e.g. < $100), as these types of transactions are a) unlikely to be detected, and b) even less likely to be investigated by authorities.

Safer web browsing:

How to keep myself safe when browsing the web?

Privacy has become vulnerable in the Internet age. It used to be that the Internet was an open exchange of ideas, but this really isn't the case anymore. More and more we see cases of individuals' personal and private information being breached, and people just generally behaving badly. It is up to us, as individuals, groups, and a community, to keep ourselves and others safe in the digital age. That being said, we've compiled a short list of useful browser extensions, focused on providing you with security and privacy:

1. HTTPS Everywhere: Automatically makes websites use a more secure HTTPS connection instead of HTTP, if they support it.
2. Adguard AdBlocker: Blocks scripts and ads in your browser(s). There is also a version for Windows. Also blocks Google Analytics.
3. Cookie AutoDelete: Helps you take control of cookies. When a tab closes, any cookies not being used are deleted.
4. DuckDuckGo Privacy Essentials: Increases encryption protection, helps escape ad networks, and rates the privacy of websites. There is also a mobile browser available. In general, using DuckDuckGo as a search engine will dramatically improve your privacy, as it doesn't record or track either your search queries or which links you click/tap on (unlike Google or Yahoo).
5. Privacy Badger: Helps promote a balanced approach to Internet privacy between consumers and content providers by blocking advertisements and tracking cookies that do not respect the Do Not Track setting in a user's web browser.
6. NordVPN: NordVPN is a personal virtual private network service provider. It has versions for desktop, mobile, browsers and other devices (i.e. routers).
7. LastPass: Password manager (be careful of storing your passwords in the cloud).
8. NoScript: Blocks scripts, like JavaScript, Java, Flash and other plugins, allowing them to run only on websites you trust.
9. ExpressVPN: Personal virtual private network (VPN) service provider. ExpressVPN has various versions available.
10. AdBlock Plus: Blocks scripts and ads.

Of course, if you'd like to ditch the major browsers altogether (or use different browsers for different purposes), there are also a number of browsers available that are purely focused on the protection and security of your private and personal information and data.

Wiping data from devices:

I'm selling or giving away my old device, what steps should I take to protect myself?

When upgrading computers or devices, make sure the old ones are completely wiped before selling them or giving them to friends, family, or the recycling center. Even if you delete your documents and emails from an old computer, there can be a lot of important details about you left behind. If you don't know how to wipe a device yourself, paying your local computer shop to do this for you is worth the peace of mind, and it should be pretty cheap (less than $100).

I'm throwing my old laptop or computer in the bin (or taking it to the recycling center). How can I wipe my device completely?

Electronically wipe your device before disposing of it. When disposing of old technology, ensure you wipe the device's memory and storage securely. There are plenty of tools out there, like Darik's Boot And Nuke (DBAN), Active@ KillDisk and HDShredder, which provide a free version that will do the job for most people. Once you have finished wiping the device, and if it's no longer going to be reused, physically destroying the device will give you an extra level of protection.

What about wiping my smartphone?

Smartphones have an inbuilt function to wipe all the data from the phone, and it's typically a one step process.

What does the department of defence do with their old devices?

The US Department of Defense (DoD) securely wipes their old devices, puts them through a blender-like process (which essentially reduces them to dust), then pours the remaining pieces into concrete.

Web development security tips:

If you're a budding developer messing around with website or app ideas, or hosting websites or apps, there are a few basics that you may or may not be aware of. Some of these you really need to consider, especially the basics:

1. Encryption: Encrypt all traffic to and from your services. Encryption used to be a bit of a pain: it was slow (because computers and Internet connections were slow) and expensive (it still is for some features). Let's Encrypt is free and enables everyone to have encryption. Many hosting companies have Let's Encrypt available for use (you just have to turn it on), but if you're planning on having e-commerce, consider paying for a higher grade certificate.
2. Intrusion Detection: There are many open source solutions out there to help stop brute force attacks on systems requiring authentication, and on your services in general.
3. Keep Yourself Updated: Keep up to date with trends in the market, as to who's being hacked, how they were hacked, and what others might be doing to prevent and protect themselves from being hacked. There is strength in numbers, so don't stray (too far) from the herd.
4. SQL Injection: These attacks occur when a hacker uses a web form field (or URL parameter) to gain access to data in your database (or manipulate data in it). There are quite a few articles out there which are worth a read.
5. XSS Attacks: Cross-site scripting attacks usually come about when user content isn't properly escaped before being posted onto a site, which can lead to malicious scripts being run in the browsers of your other users. Defending against this is in the same vein as defending against SQL injection.
6. Default Passwords: Make sure none of the systems you have control over are using default passwords. This includes things like MySQL. Not only can it look bad, it could cost you your job or a client.
7. Default Database Prefixes: Change the default database prefix on the systems you have control over and responsibility for.
8. File Permissions: Another really basic thing that shouldn't be a problem, but often is. It can't hurt to check whether external parties can write to files on your website, can it?
9. Directory Browsing: This is yet another really basic thing that, if configured incorrectly, can allow hackers to browse the folders of your site looking for exploits. Something to keep in mind is that some hosting providers have directory browsing enabled by default. Can hackers browse your directories?
10. Updates: Keep your hosts and packages up to date with the latest security patches. It's not all about feature packs. Software companies spend huge sums of money on fixing bugs and improving security. It can't hurt to install updates when they are released, can it? And make sure you patch all systems, not just the obvious ones.
11. Reduce Attack Surface: Installing a hardware or software Web Application Firewall is essential on this modern battlefield that is today's Internet.
12. Backup: Just because you have a copy of a website you've developed on your workstation, and a copy live on your hosted server, doesn't mean you can get lax when it comes to backups. And if you're a hosting provider, backing things up and installing updates is your bread and butter, so hop to it!
13. Website Security Tools: There are a number of really good tools out there that can test your website's security with pen(etration) testing. Many are open source and provide a free or community version, like Netsparker, OpenVAS, SecurityHeaders, and Xenotix XSS Exploit Framework.
14. Encryption, Encryption, Encryption: We can't bang on about this encryption thing enough. This isn't the 1990s, people. If it can be encrypted, encrypt it! If it can't be encrypted? Encrypt that as well! Not happy with the free certificates that Let's Encrypt provides? Give DigiCert a go. We've used them over the years. Their certs aren't too pricey, and the support and documentation is good.

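Items 4 and 5 (SQL injection and XSS) in working code, as an added example that is not part of the original FAQ: each vulnerable function sits beside its fixed version, using Python's sqlite3 parameter binding and html.escape on a constructed in-memory database. The user inputs are constructed for the demo; the table, column names and comment markup are assumptions.

```python
import html
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed in-memory sample database with two users (demo data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The 'before': the form field is pasted straight into the SQL text, so a
    quote character in the input becomes part of the query's structure."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a parameterized query. The driver sends the value separately
    from the SQL text, so whatever the user typed is compared as a literal."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


def render_comment_vulnerable(comment: str) -> str:
    """The 'before': user text is concatenated into HTML unchanged."""
    return f"<p class='comment'>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """The fix: escape <, >, & and quotes so the browser displays the text
    instead of interpreting it as markup or script."""
    return f"<p class='comment'>{html.escape(comment, quote=True)}</p>"


if __name__ == "__main__":
    db = make_sample_db()
    form_input = "' OR '1'='1"          # constructed: a quote that closes the string early
    print("vulnerable lookup:", find_user_vulnerable(db, form_input))   # leaks every row
    print("parameterized lookup:", find_user_safe(db, form_input))      # [] - no such name
    posted = "<script>alert(1)</script>"   # constructed: script tag in a comment field
    print("unescaped:", render_comment_vulnerable(posted))
    print("escaped:  ", render_comment_safe(posted))
```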
When it comes to all things web security, if you're a developer or you just like to mess around with tech, it's up to you to take some precautions to protect not only your privacy, but the privacy of your potential clients. If you've learnt how to code, and you've set up a website and a database or two, one of the best things to remember is to seek support, and don't stray (too) far from the herd. You don't have to do all the work yourself. If you've paid for hosting services, your provider can either advise on or take care of the above fourteen points for you, and there are plenty of forums out there where there's no such thing as a stupid question when it comes to security.