21 October 2008

The Comprehensive Guide To Safe Web Browsing

It seems that just about every month, someone I know has their email, Paypal, Facebook/Myspace, etc. account “hacked.” Though most of the tricks these “hackers” use are often easily avoidable, most Internet users wouldn’t know how to stay safe online if their life depended upon it. In this article I am going to explain, in terms anyone can understand, how the average person can avoid the biggest traps on the net.

As is the case with much in the field of security, the more useful something is, the less secure it is. The safest computer is the computer not connected to a network. I could easily write a guide for the safest web browsing possible, but it would make things very inconvenient, as the guide would cut out much of what makes the Internet useful. Instead, I am going to try to seek a balance between safety and usability. Most of what I will say in this post pertains to everyone on the Internet, whether they are using Windows, Mac or Linux. There will be some bits that are specifically for Windows though, as Windows is by far the most vulnerable operating system. If you want a truly secure and easy-to-use computing experience, switch to Linux.

Browsing Best Practices

Though using secure software is rather important, by far the most important component is the behavior of the user. I have a friend who uses her first name as the password on her computer. It would not matter if her laptop was the digital equivalent of Fort Knox: her bad choice made her computer’s security of no use.

Picking Good Passwords

Obviously using a strong password is important, but what makes a password strong? The general public is just beginning to figure out that your mother’s maiden name might not be the best choice, but there is a lot more to it than that. First I will explain what a bad password looks like, and then I’ll give you some tips for making a good one.

The first rule is that anything that is a matter of public record should be off limits. However, with more and more of our lives happening on the Internet, the number of things that are a matter of public record is quickly growing. Would your third-grade teacher’s name make a good password? I’m sure there is an official record of that somewhere, and you may have even discussed it with a friend on Facebook. What about your first dog’s name? I hope you took it to the vet some time, and if so, there is a record of that somewhere. Also, don’t base the password upon anything that you might have ever talked about before, either via email or instant messaging, as both are trivially easy to intercept.

A simple combination of words that can be found in the dictionary is also a bad idea. Why? Usually a computer program trying to find your password will launch what is known as a “dictionary attack.” This means it will systematically try every word combination in its dictionary until it finds a match. You might be surprised how fast that match can be found, as a computer can try thousands of combinations per second. You must also broaden your definition of a “dictionary,” as these custom-made dictionaries always include common misspellings of words, slang, words that are not actually in any official dictionary yet, etc.

So what would a good password look like? The two things that matter most in a password are complexity and length. When I say complexity, the goal is to make sure that any computer trying to guess your password cannot make any assumptions about that password. For example, if your password is a few words, then it can be assumed that some combination from a dictionary would work. However, if you also use numbers with those words, then the addition of the numerals 0 – 9 increases the number of possibilities many hundreds of thousands of times over. Also, if you mix upper and lower case, you are again increasing the number of possible combinations exponentially. However, the best scenario is that the computer cannot assume that anything in your password can be found in a dictionary. This increases the number of possible combinations by some absurdly large number.

While reading online about the subject, you’ll see a lot of fuss made about complexity. However, length is rather important as well. In fact, a short but complex password is rather easy for a computer to guess. Let’s say that your password was as random as imaginable, meaning that you used a combination of random letters in both cases (a – z and A – Z), random digits (0 – 9), and all the special characters (!, $, &, etc.). With this, you would need a password 20 characters in length to be absurdly unbreakable with modern technology. With “sryx829$@5FJS%@IUE09” as your password, even the US government isn’t going to be able to crack it. Of course, that password is much more difficult to remember than “jack” (the name of my parents’ dog).

Let’s set complexity aside for just a moment, and say that your password was just random words. You would need eight random words to reach a point where the complexity was high enough that trying to guess the password with a computer would not be practical. This would be much easier to type, but also not very easy to remember.
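As an added illustration (my own code, not part of the original post), the following Python puts numbers on the complexity-versus-length discussion above: it computes the size of the search space a brute-force or dictionary guesser must cover for the kinds of passwords mentioned, and how long exhausting it would take. The guess rate and the dictionary size are assumptions chosen for illustration, not figures from the post.

```python
import math
import string

# Character classes a guesser can assume once it knows one is present
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIALS = string.punctuation  # the 32 printable ASCII symbols (!, $, &, ...)
CLASSES = (LOWER, UPPER, DIGITS, SPECIALS)

SECONDS_PER_YEAR = 3600 * 24 * 365


def charset_size(password: str) -> int:
    """Alphabet size a guesser must cover: sum of the classes actually used."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def charset_bits(password: str) -> float:
    """log2 of the candidates for a random password over that alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(word_count: int, dictionary_size: int) -> float:
    """log2 of the candidates when the password is word_count dictionary words."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: try every candidate at the given rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e9  # assumed guess rate for illustration; real rates depend on the attack
    for pw in ("jack", "sryx829$@5FJS%@IUE09"):
        b = charset_bits(pw)
        print(f"{pw!r}: {charset_size(pw)} symbols, {b:.1f} bits, "
              f"{years_to_exhaust(b, rate):.3g} years at {rate:.0e} guesses/s")
    b = wordlist_bits(8, 50_000)  # eight words from an assumed 50,000-word dictionary
    print(f"8 random words: {b:.1f} bits, {years_to_exhaust(b, rate):.3g} years")
```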

For most people, having the truly perfect password is not going to work, because they will never remember it. Therefore I suggest a middle ground: something less than perfectly secure, not difficult to remember, and yet stronger than the vast majority of passwords in use today. I suggest the following process for picking your password:

  1. Pick about three random words (give or take a few).
    Example: balloon quickly strange
  2. Add some random capital letters.
    Example: ballooN Quickly sTrange
  3. If you have spent much time online, you have probably noticed that some people randomly substitute numbers for letters, just for the fun of it. Some common combinations are ‘3’ for ‘E’, ‘0’ for ‘O’ and ‘1’ for ‘L’. Do something similar with your password, but don’t necessarily use the same combinations that I used.
    Example: ball00N Quickly sTrang3
  4. To top it off, add some special characters.
    Example: (ball00N-Quickly=sTrang3)
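As an added example (my own code, not from the post), here is the four-step method above implemented in Python, drawing every random choice from the `secrets` module rather than `random`. The sample word list and the substitutions beyond the post's three examples are constructed for illustration; a real generator would draw from a large dictionary.

```python
import secrets

# Constructed sample word list; use a large real dictionary in practice.
WORDLIST = ["balloon", "quickly", "strange", "marble", "copper", "window",
            "thunder", "velvet", "orbit", "cactus", "ladder", "pepper"]
# Step 3 letter-for-digit swaps: the post's three plus a few assumed extras
SUBSTITUTIONS = {"e": "3", "o": "0", "l": "1", "a": "4", "s": "5", "i": "1"}
SPECIALS = "!@#$%^&*()-_=+"


def pick_words(word_count: int = 3) -> list:
    """Step 1: distinct random words, chosen with the CSPRNG in `secrets`."""
    pool = list(WORDLIST)
    return [pool.pop(secrets.randbelow(len(pool))) for _ in range(word_count)]


def capitalize_letters(word: str, positions: set) -> str:
    """Step 2: upper-case the letters at the given positions."""
    return "".join(ch.upper() if i in positions else ch for i, ch in enumerate(word))


def substitute_digits(word: str, positions: set) -> str:
    """Step 3: swap the letters at the given positions for look-alike digits."""
    return "".join(SUBSTITUTIONS.get(ch, ch) if i in positions else ch
                   for i, ch in enumerate(word))


def wrap_specials(words: list, opener: str, separators: list, closer: str) -> str:
    """Step 4: join the words with special characters and wrap the result."""
    assert len(separators) == len(words) - 1
    body = words[0] + "".join(s + w for s, w in zip(separators, words[1:]))
    return opener + body + closer


def generate_passphrase(word_count: int = 3) -> str:
    """Run all four steps, making a fresh random choice at each one."""
    words = []
    for w in pick_words(word_count):
        w = capitalize_letters(w, {secrets.randbelow(len(w))})
        # only still-lower-case letters are swapped, so the capital survives
        eligible = [i for i, ch in enumerate(w) if ch.islower() and ch in SUBSTITUTIONS]
        if eligible:
            w = substitute_digits(w, {secrets.choice(eligible)})
        words.append(w)
    separators = [secrets.choice(SPECIALS) for _ in range(word_count - 1)]
    return wrap_specials(words, secrets.choice(SPECIALS), separators, secrets.choice(SPECIALS))


if __name__ == "__main__":
    print(generate_passphrase())
```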

Since this method allows the attacker to make certain assumptions about your password, it is far from being perfectly secure. However, the number of assumptions that can be made is far smaller than for the average password. Also, a password made with this method is long enough that a computer will need to spend a long time trying to guess it (potentially as long as several months).

Needless to say, such a password will take a little while to memorize. Write it down on a small piece of paper, and stick this in your wallet/purse. Quiz yourself on it on a regular basis, and if it is a password you use often, it will probably only take a week to memorize. Once it is memorized, either burn the piece of paper, or lock it in a fireproof safe, if you have one.

Now that you have created a good password, you can pat yourself on the back, as the single hardest part of safely using the web is now over. However, you must be careful how you use that password, or else all your hard work is wasted.

Saved Passwords

Many web browsers have a fancy little feature that will remember your password for you. Never use it! In fact, you should disable the feature, so you will never be tempted. Not only does this increase the chances of you forgetting your own password, but it makes it very easy for any virus on your computer to retrieve your passwords (more on viruses in a moment).

“Secret” Questions

Also, the so-called “secret questions” are nothing but a trap, seeing as the answers to the questions are rarely secret. A perfect example of this is the recent “hack” of Sarah Palin’s email account. Basically, the perpetrator went to the secret-question password reset page for Palin’s email account, and took a look at the questions. After 45 minutes of research on Google and Wikipedia, he found that the answer to “where did you meet your spouse” was “Wasilla high.”

So the best thing to do is not to use secret questions. However, some accounts force the use of them. In this case, pick something like “my favorite hobby,” and enter something long and random such as “secret questions are stupid and dangerous, so I’m not telling you the answer!”

Personal Info And Privacy Policies

Unless you enjoy receiving Viagra advertisements every day, you need to be careful who you trust with your personal information. First of all, when signing up for any account online, it is best to give no more personal info than what is absolutely necessary. Secondly, you need to check out the privacy policy.

When signing up for an account anywhere online, you usually must click a button or check a box saying that you agree to the privacy policy. Most people don’t read it, but you should. Skim reading certainly comes in handy, but you are basically looking for something that says that your personally identifiable information will not be shared with any third party, for any reason. If you cannot find a statement to that effect, do not sign up for the account, or create a second “spam” email address for signing up with such services.

Don’t Browse Without Protection

In the first section I covered best practices for when you are browsing the web. Next I will give you some simple tips for protecting the browsing experience itself.

As I briefly mentioned at the beginning, Windows is by far the most insecure operating system on the planet. Mac OS X is much, much more secure than Windows, but it is not perfect. Linux, however, comes the closest to security perfection, and is the cheapest of the three systems (it is free). For users of OS X and Linux the next two tips are unnecessary, though Windows users should pay close attention. The last tip (Use Firefox) is for all three systems.

Viruses, Worms And Other Nasty Bugs

The number of widespread viruses that can attack Windows is into the hundreds of thousands. By far the most important thing for a Windows user to do the first time they turn on their computer is install some anti-virus software. Most PC vendors put either Norton or McAfee on their computers, but both of these slow down your system, plus cost money to use.

The best in my opinion is AVG, which provides high quality protection without slowing down the computer. AVG is a free download, but feel free to pay some money for a few extra bells and whistles.

Use A Separate Account

On Windows everyone who uses the system has an account (even if there is only one account on the system, in which case you never see the login screen). By default, each account has full administrator privileges, which gives the user the power to install software and change settings. If a virus gets past the anti-virus software (and eventually it will), being on an administrator account makes it much easier for the virus to go crazy on your system.

I recommend that you create two accounts on your Windows computer, one named “admin,” and another with your own name. The two accounts should have different passwords. Admin, of course, is where you would go to install software or change system settings. Make your personal account an unprivileged account, and use it for your normal computer usage. If a virus does get onto your computer, this is often an effective form of damage control.

Use Firefox

Simply put, Firefox is not only the most secure web browser on the planet, it is rather cool too. One of its great features is that whenever you visit a page, it will automatically check to see if that site is suspected of doing naughty things, such as spreading viruses or conning you into giving it your bank account number. Especially if you are running Windows on your computer, you need to upgrade to Firefox, as Internet Explorer is a security nightmare. Go to Mozilla.com to download the newest version.

Not only is Firefox secure right out of the box, but you can easily add extensions that make your browsing experience both more secure and more pleasant. Below I have listed several extensions that you should download immediately.

  • Adblock Plus: Though not a security-enhancing extension, Adblock Plus blocks advertisements on the websites that you visit. This is especially useful for sites that display advertisements with disagreeable content.
  • Perspectives: When logging into most websites, such as an email account or bank account, your password is protected in transmission with encryption. To ensure that you are only giving your password to trusted sites, these login pages are digitally signed with what is known as a certificate. Like a signature that is impossible to forge, these certificates help ensure that your browser is sending your password to the right place. However, sometimes the signature cannot be validated. This validation failure is usually just a technical glitch, but can sometimes mean that an attacker has tricked you into going onto a fake login page, so he can steal your password. Either way, you will see a certificate warning. What the Perspectives extension does is ask a series of “Notary Servers” if they have seen this certificate before. If the notary servers have consistently seen the certificate in the past, then it is very unlikely that someone has sent you to a fake login page. If not, then you should leave that site immediately.
  • Dr. Web LinkChecker (Windows only): It is important for Windows users to scan any download for potential viruses. This extension allows you to right-click the download link from any web page, and scan the file prior to downloading it.
  • Web Of Trust (WOT): The idea behind WOT is that whenever a user of the extension finds a suspicious site, they use the extension to report it. As more visitors rate the trustworthiness of the site, it builds up a grade, which is automatically displayed on links in Firefox. So whenever you are about to click on a link, you can see if other users trust the site.
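As an added example (my own code, not the Perspectives project's), the following Python models the notary check described above: a certificate the browser sees is called consistent only when a quorum of notaries report that their most recent sighting for that host is the same certificate, and that they have been seeing it for long enough. The hosts, certificate bytes and notary histories are constructed sample data, and the quorum values are assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass

DAY = 86400


@dataclass
class Observation:
    """One notary's record of a certificate for a host (times in Unix seconds)."""
    fingerprint: str
    first_seen: int
    last_seen: int


def fingerprint(cert_der: bytes) -> str:
    """Key a certificate by the SHA-256 digest of its DER bytes."""
    return hashlib.sha256(cert_der).hexdigest()


def check_certificate(host: str, cert_der: bytes, notaries: dict, now: int,
                      quorum: int = 3, quorum_days: int = 7) -> str:
    """A notary agrees when its latest sighting for the host is this very
    certificate and it has been seeing that certificate for quorum_days or more."""
    fp = fingerprint(cert_der)
    agreeing = 0
    for history in notaries.values():
        sightings = history.get(host, [])
        if not sightings:
            continue
        latest = max(sightings, key=lambda o: o.last_seen)
        if latest.fingerprint == fp and now - latest.first_seen >= quorum_days * DAY:
            agreeing += 1
    return "consistent" if agreeing >= quorum else "inconsistent"


# Constructed sample data: not real certificates, hosts or notary servers.
HOST = "mail.example"
REAL_CERT = b"constructed DER bytes of mail.example's long-standing certificate"
FAKE_CERT = b"constructed DER bytes of a certificate presented by an impostor"
NOW = 1_225_000_000


def _seen_for(cert: bytes, days: int) -> list:
    """A notary history that has seen `cert` continuously for `days` days."""
    return [Observation(fingerprint(cert), NOW - days * DAY, NOW)]


NOTARIES = {
    "notary-a": {HOST: _seen_for(REAL_CERT, 60)},
    "notary-b": {HOST: _seen_for(REAL_CERT, 45)},
    "notary-c": {HOST: _seen_for(REAL_CERT, 30)},
    "notary-d": {HOST: _seen_for(FAKE_CERT, 1)},  # a lone, day-old sighting
}
```

With this data the long-standing certificate is reported consistent, while the impostor's certificate, seen by a single notary for a day, is not.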

Conclusion

That is all there really is to safe web browsing. While using the Internet will always include a certain amount of risk, following the tips just described will keep the average user away from the most common dangers of the web. If you have any questions regarding the guide, please post a comment below, and I’ll answer the question as best I can. Happy browsing!

Update – 22 October 08

After using the extension a little more, I have found that tweaking some of its settings can make WOT much nicer. To access its settings, go to Tools/WOT/Settings. Then in the “Searching” section, check “Show only negative ratings” to only see ratings for sites you should be cautious about visiting. You’ll still be able to move your mouse to the area just right of the link to see a rating for any other site.
