Friday, August 29, 2008


Most people, tech and non-tech alike, have some very basic, easily correctable, user created security holes. Here are the most common I run in to:

1. If you use Firefox to store your passwords and don't set a master password then anyone who uses your computer can view your password in clear text with about 5 clicks - or about three seconds. Either don't use Firefox to store your passwords or set a master password. Be aware that other browsers have similar security issues when storing passwords.

2. Do not use the same password for everything. If someone manages to hack, crack, steal, or find out your password any way then they will have access to all of your accounts that use that password. Anyone who runs a website has access to the password you use at their website; do you trust them? Also many sites do not use encryption while authenticating you, thus your password is sent in clear text over the internet for anyone to see.

3. Check to see if a website is using encryption, especially for authentication. (You can check by looking at the url, which should start with https://, and there is usually a padlock in the bottom right corner of your browser.) Gmail by default only uses encryption to authenticate you; all of your email is sent unencrypted - this includes any passwords that are emailed to you by other websites. Last month they (finally) added a setting to always use encryption, but it isn't enabled by default... If a website does not use encryption for authentication then be very, very, sure to use a different password for that website.

4. Your email is a security hole for all the accounts tied to it. Be careful to not leave your email logged on anywhere other people have access to it. If you use email on a mobile phone/device then be sure to that it is protected with a pin or password. (*cough* iPhone *cough*)

5. Anyone with physical access to your computer can access all of your files in the time it takes to reboot the PC, regardless of whether you have it password protected. It is ill-advised to store passwords in a text file on your computer. There are plenty of programs that allow you to store passwords in an encrypted format (including Firefox, if you set a master password). If you have a lot of sensitive data then you may want to look in to full disk encryption, such as LUKS (Linux only...).

No comments: