Ten simple, common-sense security tips

Security doesn't have to be complicated, as shown by these quick and easy alternatives to the conventional wisdom on passwords, privacy, backups, ID theft, and other tech-safety matters.

Dennis O'Reilly Former CNET contributor
Dennis O'Reilly began writing about workplace technology as an editor for Ziff-Davis' Computer Select, back when CDs were new-fangled, and IBM's PC XT was wowing the crowds at Comdex. He spent more than seven years running PC World's award-winning Here's How section, beginning in 2000. O'Reilly has written about everything from web search to PC security to Microsoft Excel customizations. Along with designing, building, and managing several different web sites, Dennis created the Travel Reference Library, a database of travel guidebook reviews that was converted to the web in 1996 and operated through 2000.
Dennis O'Reilly
9 min read

A friend took me to task last week for a post I wrote back in January on preventing Google from tracking you when you search. His alternative solution: "Just use Bing."

That got me thinking about other no-brainer approaches to security that thumb their noses at the conventional (and often convoluted and time-consuming) advice of the experts.

Search without footprints via the 'other' search engines
Truly anonymous Web surfing requires the use of a VPN service that blocks your IP address as well as other personal information. (For more on VPN, see the tip below.) If you simply want to prevent a search from being recorded in your Google Web History, use a different search service.

Each search engine uses a unique mix of factors to find pages related to the terms you enter, which proves that there are many routes to the information you need. For an unscientific test, I used Google, Bing, and the Ixquick metasearch engine to look for three unrelated bits of info: the name of the mayor of Terre Haute, Ind.; nonstop airfares from New York to Paris; and the city in which Christopher Columbus died. (No, I'm not planning my next vacation.)

Note that Ixquick doesn't record your IP address when you search.

Google and Bing listed Duke Bennett as the mayor of Terre Haute in their type-ahead suggestions, so I didn't even have to press Enter to find the honorable Mr. Bennett's name. The third entry in Ixquick's first page of search results showed the mayor's name in its summary.

As you might expect, the greatest disparity in results among the three search services in my informal test was the airfare query. Still, the top nonsponsored results returned by all three sites indicated comparable prices.

The ninth result summary returned by Google listed Valladolid, Spain, as the city in which Columbus died (on May 20, 1506, at the age of 55, by the way). The city's name was shown in the third result summary returned by Bing, and the sixth served up by Ixquick.

Bing search-results summary
Bing displayed the city in which Christopher Columbus died in the summary of the third result returned. Screenshot by Dennis O'Reilly/CNET

Most people use Google for Web searches out of habit, not necessarily because Google is faster or generates more accurate results (maybe it does, maybe it doesn't). Still, the easiest way to search without Google recording it is to use another engine.

Contrive strong passwords based on what you already know
Some security experts instruct us to write down our passwords. Others say never write down passwords or share them with anyone except your friendly local IT staffer.

In a post from last December I described how to master the art of passwords, and back in 2008 I presented what I humbly referred to as the Password Commandments.

Both of those posts mentioned password-management programs, which offer to store your passwords securely, generate strong passwords that you don't have to remember, and prevent reuse of the same password by providing a unique one for each service you log into.

While these utilities have lots of fans, I say, "Thanks, but no thanks." Password managers aren't any less secure than other programs that store your sensitive information. It's just that I have never felt the need for a program dedicated to password management.

I prefer to create my own strong passwords based on phrases that are easy to remember. For example, everyone has memorized some nursery rhyme, poem, or song lyric. Simply use the third letter of each word in a line or two (either skipping words shorter than three letters or using the last or only letter in such words).

Applying that pattern to the opening lines of Bruce Springsteen's "Thunder Road" creates this password: eroarsei. Make it even stronger by adding the second line and inverting the two lines: kasenrersedaeroarsei.

The calculator at How Secure Is My Password? indicated that the first of the two passwords would take a PC only 52 seconds to crack, but the second would require 157 billion years to decipher, give or take an eon.

How Secure Is My Password? results
A 20-character password based on a mnemonic is secure despite the lack of varying cases, numbers, or nonalpha characters. Screenshot by Dennis O'Reilly/CNET

The more often you sign into the particular service, the faster you get at entering such a mnemonic password. I've been using a version of this pattern for years with certain of the services I frequent (remembering to change the password every few months, of course), and nobody's hacked them yet.

You may have noticed that the resulting passwords are all lower case and bereft of numbers or other nonalpha characters. Services that require a mix of upper and lower case, numbers, and/or nonalpha characters are an abomination and should be outlawed. It's easier for users and secure enough to require at least 14 nonrepeating, nonsequential characters that aren't found in any dictionary.

Sign into a free VPN service
Your average telecommuter is familiar with virtual private network (VPN) technology, which organizations use to create secure Internet connections to and from their private networks. As the companies know, there's nothing like VPN to prevent snooping.

The down side of VPN is that encryption usually slows down your network link. Free VPN services also limit your downloads to a certain amount per day. In a post from February 2011 I wrote about the free OpenVPN-based SecurityKiss program.

Last February I tested the free versions of ProXPN and OpenVPN's Private Tunnel, but as that post states, neither program was practical for everyday use. The freebies are intended to entice you into paying for their pro versions.

Still, if you can live with the download restrictions and speed hit, free VPN is the simplest way to be sure you're browsing in private.

Lock your phone, please!
Smartphone thefts are rising faster than Apple's stock price (well, at least the stock was rising before the company's recent production woes, as Investor's Business Daily reports).

One reason high-end cell phones are targeted by thieves is how easy it is to resell the devices. If you haven't locked your phone and added a free remote data-wipe app, the thief could also use or sell the private information you stored on the phone.

In a post last month I described how to prevent phone and tablet theft. A follow-up post examined the security features in Android and Windows phones.

Most people don't think smartphone screen locks are worth the effort. To me, screen locks are sort of like seat belts in cars in that we're all better off when people use them. If it's your phone that gets stolen, the lock benefits you directly, but everybody benefits indirectly because over time stolen phones will lose some of their value (just like seat-belt use ultimately lowers health-care costs and car-insurance rates).

Stolen cell phones will likely be even less valuable to thieves once the major cell services start blocking reactivation of the devices via the stolen-phone registry promised for the second half of 2013, according to the Wall Street Journal.

All the major carriers have their own stolen-phone registry, so be sure to report your pilfered phone and remotely wipe its data as quickly as possible. The identity you save may be your own.

Take advantage of automatic software updates
Not long ago, many computer-security experts recommended that you download Windows updates automatically but wait a day or two before installing them just in case the updates caused more problems than they solved.

Today, the risk of being victimized by a bad software update is much lower than the risk of a zero-day infection. Make sure Windows is set to download and install updates automatically.

To do so in Windows 7, press the Windows key, type windows update, and press Enter. Click "Change settings" in the left pane and make sure "Install updates automatically (recommended)" is selected.

You can make sure the rest of the software on your system is up-to-date by using a patch-management utility. My favorite of the three free software updaters I tested in May 2011 is Secunia's Personal Software Inspector.

Use a disposable e-mail address
A person can't spend much time on the Web without encountering a site that can't be used unless you register by providing an e-mail address. Supplying your everyday e-mail address to each Web service that solicits one is just asking for spam.

If there's little chance you'll need to receive a correspondence from the service (once you've confirmed your registration, of course) enter an e-mail address you created with no intention of checking it for incoming messages. Alternatively, you could forward messages received at the throwaway address to a folder of your regular inbox and monitor the folder for received messages as needed.

A post from September 2011 described several free services that protect your e-mail. In November 2010 I explained how to combine and organize multiple e-mail accounts.

Previous posts covered how to forward messages from Gmail to Outlook and Thunderbird, as well as how to reverse the process to have your Outlook and Thunderbird mail appear in your Gmail in-box.

Be prepared for a computer emergency
Everybody knows you should use antivirus software and a firewall. Raise your hand if you also have a current backup of all your important files and a recent image copy of your hard drive.

Not many hands!

I confess the most recent drive images of my Windows PCs are all more than a year old, and I couldn't tell you the last time I backed up the personal files stored on those systems and on my Mac Mini.

Ever since I started using Google Drive and iCloud as my primary file repositories, I worry less about losing data. Unfortunately, while iCloud lets you encrypt sensitive information you store there, encryption isn't an option on Google Drive.

Back in 2009 I compared three free online storage services that let you encrypt the data you store. Unfortunately, CryptoHeaven now offers only a 30-day free trial of storage plans priced from $8 a month for 200MB.

SpiderOak continues to provide up to 2GB of encrypted storage for free, and SwissDisk -- the service I liked the most -- still gives you up to 50MB of free encrypted storage.

All Windows users should also have a boot disc handy. Microsoft's support site explains how to create and use a Windows 7 system repair disk.

Limit your online financial activities
It's the 21st century. Only died-in-the-wool Luddites still frequent brick-and-mortar banks.

Well, maybe not. A rocket-scientist friend of mine has been banking for almost 40 years and has never used or been issued an ATM card. Every bit of business he transacts with his bank involves an in-person person.

(He's also the guy who describes his network security as "air": no wireless access on his premises.)

I'm not averse to the occasional ATM transaction -- I only wish there were more deposits and fewer withdrawals -- but I've never signed up for an online bank account. I've never even disclosed my e-mail address to my bank.

That way I know any message purporting to be from my bank is a scam: no ifs, ands, or viruses. Like many people who receive payments for services via PayPal, I regularly transfer PayPal balances to my bank account. But other than PayPal no Web service knows my bank digits. Let's hope this makes me a smaller target for online crooks.

View e-mail as plain text
All the big-name Web mail services require by default that you manually allow images to display in the messages you receive from senders you haven't designated beforehand as trustworthy. Blocking images in messages you receive from unknown senders reduces the chances that an e-mail-borne bit of malware is activated simply by viewing its host message.

In a post from November 2008 I described four productivity-boosting Outlook tweaks. One of the tips covered how to send and receive messages as plain text in Outlook 2003 and 2007 (the steps are similar in Outlook 2010).

A follow-up posted the following month provided several tips for staying safe while using e-mail. One of the tips explained how to enable plain text in the Thunderbird e-mail program.

Turn it off? Leave it on? Who knows?
A casual online survey of computer experts leads to the unassailable conclusion that whether to leave your PCs and other network-connected devices on at all times or turn them off when not in use depends.

Depends on what is not so certain.

The consensus of the experts is that powering off networked equipment when not in use reduces slightly the chances of becoming infected. However, network managers and software vendors often apply automatic updates in the middle of the night. Turning off the machine may delay or prevent an important update from being installed.

On the other hand, restarting your PC or smartphone can improve performance by stopping unneeded processes that forgot to shut themselves off and by clearing out memory cobwebs. Then again, restarting may not speed up your machine at all, and the stress of stopping and starting components can reduce their lifespan.

But even in sleep mode, an idle computer consumes some energy. The only way to minimize the amount of electricity you use is to turn off all electric devices when they aren't being used. (This includes all those chargers that remain plugged in after the gizmos they're charging are at 100 percent.)

That's why I say unequivocally: turn them off. Or not.