I am currently in the process of getting a new computer and I want stuff to be as safe as possible in the future.
So - talk to me about computer security. Consider me a layman. I will be installing Antivirus software of course - currently I plan on using Avira Free Antivirus. What else should I be doing? Something against Malware/AdWare - like Malwarebytes? Using different user accounts on the new PC - only using the admin account for certain stuff, but another standard account for everyday stuff? Is that easily possible in Windows 8.1?
How do you guys go about passwords? Create a different, highly encrypted one for every single use?
All advice is appreciated.
I suggest doing the following.
On the admin account vs. non-admin account. That is always a good rule, but fortunately it has become less of an issue since Windows now lets you assign rights to programs, meaning you can be admin while the programs you run can't be unless you grant them explicit permission.
Finally. You do of course take backups of anything important :-)
And by backup I don't just mean putting data in a cloud or on a separate hard drive. You need to regularly back up all important data and then store the backups off-site, like with a trusted friend, in a bank or something like that. Keep multiple copies and make sure they work, so test them once in a while. There is software for such jobs or you can manage it manually, but then use file-compare software like Beyond Compare to make sure the copies are 100% identical to the originals.
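One way to do the "make sure the copies are 100% identical" check from the post above, as an added example that is not from anyone in this thread: hash every file in the original and the backup tree and report anything missing, extra or changed. The directory names and file contents in `demo()` are constructed samples, including one truncated copy and one file that was never backed up.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backups don't load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX separators) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(original: Path, backup: Path) -> dict:
    """Compare two trees by content, not just by file name or size."""
    src, dst = tree_digests(original), tree_digests(backup)
    shared = src.keys() & dst.keys()
    report = {
        "missing": sorted(set(src) - set(dst)),            # never copied
        "extra": sorted(set(dst) - set(src)),              # only in the backup
        "corrupt": sorted(f for f in shared if src[f] != dst[f]),
    }
    report["identical"] = not any(report.values())
    return report


def demo() -> dict:
    """Constructed sample: three files, a truncated copy and a missing one."""
    with tempfile.TemporaryDirectory() as tmp:
        orig, bak = Path(tmp, "orig"), Path(tmp, "bak")
        for d in (orig, bak):
            (d / "photos").mkdir(parents=True)
        (orig / "taxes.txt").write_bytes(b"2014 return")
        (bak / "taxes.txt").write_bytes(b"2014 return")          # good copy
        (orig / "photos" / "cat.jpg").write_bytes(b"\xff\xd8jpeg-bytes")
        (bak / "photos" / "cat.jpg").write_bytes(b"\xff\xd8jpeg")  # truncated
        (orig / "keepass.kdbx").write_bytes(b"vault")            # never copied
        return verify_backup(orig, bak)
```

Run `verify_backup(Path("D:/data"), Path("E:/backup"))` against a real pair of trees; a report with `identical: True` is the only result worth trusting.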
Install AdBlockPlus in your browser, and don't use IE.
Now, my number one piece of security advice is... get used to an addon for your preferred browser that blocks scripts. Basically, there are extensions/addons for Firefox and Chrome that block scripts (which are how people get hit by drive-by attacks without ever downloading sketchy programs, and this is how most people get viruses/etc. these days) by default, but let you allow scripts that YOU actually want. When you're first starting out, using these addons might be a little confusing and/or annoying, because you have to allow many of your favorite websites to use scripts to start with (although I could send you my current Noscript list if you want to cut down on the work), but once you permanently allow them, you won't have to worry much about getting hit by anything nasty! If you like Firefox, you'll want to grab Noscript, and if you like Chrome, you'll want to get ScriptSafe. With no addons, Firefox is MUCH less secure than Chrome, but because ScriptSafe is slightly more limited than Noscript due to what addons are allowed to do in Chrome, from what I understand, Firefox + Noscript should be somewhat more secure than Chrome + ScriptSafe. (I also find Noscript more user-friendly, but that may just be me!) That said, either one is FAAAAAARRRR more secure than not having one of those addons, so go ahead and pick whichever browser you prefer and try to get used to using the addon. If you decide it's too much of a pain for you, then make sure you use Chrome so you're safer.
Oh, and... well... sure... you can use AdBlock on either browser. That does make your browser safer. I don't personally like using it, because I don't hate ads! I want to be able to support websites! I just hate the possibility that outside ads could give me Bad Things, which is why I use Noscript or ScriptSafe to protect myself.
You say not to use two programs that say antivirus, but is it safe to use Malwarebytes (the free version) with another antivirus software, and is it safe to have an extra one if it isn't actively defending your PC and is just used as a scanner?
Also with noscript, does it have the option to subscribe to certain allow lists, sort of like Adblock has that option so it by default blocks most ads?
NoScript is built on a domain level whitelist system. So initially, the whitelist will only contain a few major websites, you can add websites to the whitelist to allow them access. Also, because it's domain based, you can control which domains the various website elements are allowed to operate freely - so you can grant access to the main domain, while restricting the ad server domain. There is also session based whitelisting, where you give a temporary ok for that browser session only. And there's a blacklist, which allows you to remove domains from being listed for temporary whitelisting (I put Google Analytics on that, because fuck tracking.)
You definitely want more than 1 antivirus/antimalware program, but you only want 1 program doing active scanning/defense. The other 1 or 2 programs should just be for on-demand scans that you set up every few days to every few weeks or months, depending on how paranoid you are.
Creating a VM seems like it would be a pain in the ass for private browsing. Most browsers have some sort of incognito mode if you are concerned about leaving traces of what you were doing behind. As for additional security purposes, I would think it would be much easier to set up something like Sandboxie to isolate browsers from the rest of your computer. I think Chrome has its own built-in sandbox also. In both cases it's the same idea in that everything that is running inside the sandbox/VM is contained and at any time you can wipe the slate clean.
Finally I have to disagree somewhat with NoScript and ScriptSafe. They are amazingly powerful tools, and can be super effective, but for 99% of the population they are practically useless. When you click on a site, nothing loads, and NoScript informs you that there are 26 scripts asking for permission (none of which are from sites you've ever heard of), you aren't going to take the time to google every one and find out which ones are legit. You're going to hit temporarily allow all and it's going to be the same as if you weren't running NoScript in the first place. It just takes way too much time to properly curate scripts.
You're strawmanning what XKCD said. It specifically says to use random words, not a phrase. The real issue with it is that too many sites have very limited password length options.
First of all, you're kinda exaggerating how many scripts usually need to be allowed. :P But second of all... that's why I said the OP should TRY using one of the two addons, and then if they don't like doing it, they don't have to keep using it (and in that case I would recommend making sure they're using Chrome-- I'm only okay using Firefox because of Noscript). It's worth at least attempting to get used to it, because it's WAY safer once you do! Plus if you regularly visit a site, you don't have to do anything once you've permanently allowed what it needs. You also don't really have to go googling... Even before you get used to using it, you just look at the list and go "oh well here's the site I'm actually on, so let's see about allowing it... and those sites have 'ad' in the name, so I certainly don't need those..." and if you're a bit more savvy, "this site in the list has the initials of the site I'm on and 'cdn', so I'll try allowing that..." And beyond that, even if you DO simply randomly allow things, or even temporarily allow all on some pages when they don't work... you're still way more secure on pages where you DIDN'T need to allow scripts to make the site work. Noscript (not so much ScriptSafe, IIRC) also has extra security features even if you had actually set it to constantly allow all scripts... but if you're doing that, you should probably be on Chrome anyhow. I totally agree that they're not for everybody, and I mentioned that in my original post, but if you're interested in being more secure, it's definitely worth trying to get used to it, since it makes an INSANE difference in security!
It's 100% fine to use Malwarebytes' free version with another antivirus because the free version doesn't have any active protection... and yep, you can have as many antivirus programs installed as you want IF they allow you to turn off their protection so you just scan with them! Just try not to have two things actively protecting you at the same time.
Regarding Noscript, I don't think there's any sort of "trusted" list like with AdBlock because the creator of Noscript believes people should only whitelist what they personally trust... but like I said, I could send you my own current list, which should make a lot of sites you probably like work already, if you like. We probably visit similar sites, given our common interest! :P
Mostly I was addressing people who quote XKCD not what XKCD itself says. But even if you want to stick to XKCD, using 4 random but common words will still be an inferior password to using a moderately long string of random characters.
I'm actually kind of curious about this because I don't really know how it works. But outside of the basic "site.com", how do I know "sitecdn1.com" is owned and implemented by "site.com" and isn't a drive by script that's just copying the sites name? Like google has a million api scripts, how do I know which ones are legit? Are there certain scripts that are most commonly attacked? Like if I have a policy of allowing everything that doesn't have "ads" in the name will I be decently protected? My experience with NoScript was that every site I went to needed pretty much all of the scripts to run properly (which makes sense given that they are doing something, and outside of drive by malware that something is usually important). This means I wasn't getting any of the extra protection of blocking scripts because my first step upon visiting any site was basically to allow all so that I could get it working again.
I can't recommend keepass enough for password storage/generation.
That would be great, thanks!
Two points:
1) I can't help but feel you're missing the point of the strip, that an easily remembered password is better than one that is not easily remembered. This ease of use and subsequent reduction of likelihood of human error (i.e. writing it the fuck down where people get to it) is enormous.
2) You'd have to define a bunch of stuff here, but what's moderately? At 8 character length and assuming 100 possible characters you lose to four four-letter words by about six orders of magnitude. At 11 digits you just about match the minimum string length of words. By all means searching for the words is easier if you know they're all four-letter words, but attackers can't assume that. Just variable-length words would fuck an attack based on making too many assumptions about the password string.
With the exception that you can remember 4 common words. And also, at the point where you pass up enough entropy for the cracker to take a human lifetime, it doesn't matter how secure it is. If you have 16 random letters, it's as secure as 100 random letters, because the cracker isn't going to crack either one.
The trick with passwords is to get something you can remember that is secure enough not to be cracked in less than a decade.
I'm no expert, but from my understanding it's pretty much standard to only brute force (as in guessing each character individually) for passwords up to 6ish characters in length. You can make a few assumptions like lower case letters only and maybe get that up to 8 or 9 characters, but for the most part anything longer than 8ish characters is not getting brute forced.
So mainly we are talking dictionary attacks. I don't see why word length would matter since the idea behind a dictionary attack is that you simply combine common words (with common substitutions) like awesome, aw3s0me, aw3s0m3!, etc... The amount of entropy is going to depend on how long your dictionary list is. The more common the words you use, and the more common phrases you use, the easier it's going to be to crack. Something like what XKCD has as the passphrase is not going to be amazingly secure given how common the words are, even if it isn't a common phrase. Maybe I'm way off base here, but articles like this Ars Technica piece make me think that whenever you lean towards easy to remember you're also leaning towards easy to crack. Passphrases not excluded.
At any rate, the point I was originally trying to make is that creating a passphrase instead of a password is not a magic bullet. What's far more important is introducing randomness and uncommon substitutions. I highly doubt a 4 word passphrase of really uncommon words like obfuscate would be broken, but I also highly doubt a 10 character password with several sets of random characters would be broken either.
I mostly agree with you, although you are apparently too generous to my side since Wikipedia says you only get 8 bits of entropy if you include the entire extended ASCII character list. More likely you are case-sensitive alphanumeric, which is only ~6 bits.
At any rate it gets hilariously complicated really quickly. In the xkcd comic Munroe is assuming the hacker knows quite a bit about the type of password used, and while he does a pretty good job of assuming commonly used rules, it's not the be-all end-all argument. Instead it's a very rudimentary calculation to show that the commonly used tricks to increase password strength are not all that useful. It's better to think outside the box.
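To put numbers on the XKCD argument being argued back and forth above (four random common words vs. a random character string, bits per character, and the point that past a certain size extra length no longer buys anything), here is an added example that is not from any post in this thread. It assumes XKCD's 2048-word list (11 bits per word) and an offline guess rate of one billion per second; the eight-entry word list is a constructed stand-in for a real one, and the entropy figures only hold when the words are picked at random rather than chosen as a phrase.

```python
import math
import secrets

# Constructed stand-in for a real ~2048-word list; only 8 entries, demo only.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "obfuscate", "lantern", "gravel", "mosaic"]


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random choices from `pool_size`."""
    return picks * math.log2(pool_size)


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every one of the 2**bits possibilities."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def chars_to_match(bits: float, alphabet_size: int) -> int:
    """Shortest random-character password that reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def random_passphrase(words, count: int = 4) -> str:
    """Pick words with the OS CSPRNG. A phrase you like is a dictionary of
    phrases; random picks are a dictionary of words raised to the power `count`."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare_schemes(guesses_per_second: float = 1e9) -> dict:
    """Bits of entropy and exhaustive-search years for the schemes debated above."""
    schemes = {
        "4 words from a 2048-word list": entropy_bits(2048, 4),
        "8 chars, 95 printable ASCII": entropy_bits(95, 8),
        "16 random lowercase letters": entropy_bits(26, 16),
        "100 random lowercase letters": entropy_bits(26, 100),
    }
    return {name: (round(bits, 1), years_to_search(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:32s} {bits:6.1f} bits  {years:.3g} years")
    print("7 printable chars match 4 words:", chars_to_match(44, 95))
    print("sample passphrase:", random_passphrase(SAMPLE_WORDS))
```

At a billion guesses a second the 44-bit four-word passphrase falls in hours, 16 random letters take over a million years, and 100 letters take astronomically longer without being any more useful, which is the "a human lifetime is enough" point made above.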
Browser security, NoScript if you're willing to deal with that, AdBlock if you're not.
AV I like Nod32 or Kaspersky better than any of the free ones, but whatevs.
Running VMs and shit is honestly a good precaution but not something I'd ever do to check my account balance. If I'm checking out some shady site or playing with a piece of malware, sure; otherwise just overkill.
Looks like I am not that far off the norm. I still have a dislike for the built-in Windows security features, but I may be biased by earlier stuff like XP and Windows 98 or something. I do use KeePass and when I switch computers I will do a general reissuing of passwords across all accounts.
I never had any problems with an account being hacked or my identity being stolen (at least that I know of) or my PC being infected with a virus or something.
But one never can be too safe and I thought the new PC is a good enough starting point.
It's a 10 minute fix for most software problems.
Not that that's security per se; it'll just make your computer faster.
What I do for passwords is I take a known pass phrase..."roll that beautiful bean footage"
for example
and I cook it down to first letter, then last letter...so my pass phrase ends up being rtbbfltlne and I have a couple easy to remember numbers I use to add complexity
Then I write down an incomplete key if I need to write part of it down.
for example for this password I would write down "roll that pie footage"
That would make me remember the passphrase I used and to put 314 at either the beginning or end, letting me guess my pass in two tries. Since only I know (and I know for sure) that the incomplete key IS incomplete my key file is also hard for a stranger to interpret.
I host a podcast about movies.