Microsoft has released a new web page that teaches people about how to be safe online and gives you a way to measure your online safetyness score, as determined by Microsoft. You can read all about it at that first link and take the test for yourself here: Take the survey.
The page has some basic information about things that users can do to make sure that they are more secure:
- Use a newer operating system.
- Update antivirus and antispyware software regularly. Even better – use one that does it for you automatically like Microsoft Security Essentials.
- Use automatic updates (both for your operating system and if possible, your 3rd party software. Even better when it does it automatically for you).
- Keep a firewall turned on.
- Connect to secure wireless networks.
- Limiting information-sharing.
- Creating strong passwords.
The score of the average user in 2011 was 34. I took the survey and I got a 64. You would think that being a security professional, it would be a lot higher since I should be setting an example for others. Well, at least I got better than a 34.
What are the good things that I do? I educate myself about the latest threats, run A/V and anti-phishing filters, use https where I can (especially when buying anything), and use firewalls.
What didn’t I score well on?
Well, according to the survey:
I don’t create unique passwords for each account I use, and not all of my passwords have upper and lower case letters, numbers and/or symbols. But even though this is security advice the industry gives, it is not good advice because it is impractical. Nobody can remember all of those random passwords. Humans are not good at doing it. Why are phone numbers 7-10 digits long? Because we can only remember so many random strings of digits, only 7-10 of them. We can’t remember anymore of that.
Yet the security industry says that we need to remember not only 10 digits to pick from, but 72 characters (or more!) to pick from (the letters of the alphabet in both cases, numbers, and special characters along the top). I don’t know about you but I have web accounts to something like 40 accounts (it’s not hard, just think about your own). How am I expected to remember unique passwords to all of them? Using password software isn’t going to cut it because I have multiple devices – a phone, a PC and a Mac. I can’t use that password manager on all of those devices, I have to remember my passwords.
Thus, I reuse passwords because I have to – the limits of human memory require this. The only way to have different passwords for each site is to have some sort of algorithm to do it that uses a token of some sort. But then the password is no longer random, is it? Or else I can reset my password every time; yeah, like I’m going to do that each time I login to Twitter or eBay.
If a security professional is going to you if have random passwords and use that as a checkbox proving how secure you are, they need to have a follow up question – since you obviously write down your passwords on a piece somewhere, do you at least not leave it next to your computer?
I differ from security experts in this regard. While using different, strong passwords is a good idea, it’s impractical to advise this.
- Managing my online reputation
I don’t do things like remove tags or comments about me, request that sites remove information about me, or anything like that. I sometimes use the search engines to look up myself and see what others are saying about me. However, this is more out of vanity and not out of a desire to manage my own security.
I don’t think I am important enough for anyone to write all sorts of bad things about me (I’m not rich or famous, I have a blog that a few people read). But this wouldn’t be a bad idea to do once in a while.
- Sharing information about myself online
This goes hand-in-hand with the previous point. How well do I conceal information about myself online? Good question. The answer is probably “Too much.” I live in or around Seattle (TMI?). But I’ve never shared where exactly I live. People know I work for Microsoft. They know I watch South Park, 24, and Battlestar Galactica. This is all stuff I’ve written about on this blog and posted to my Facebook profile (and even made my profile semi-public!).
This is a serious gray area. I’m not sure what I can reveal and what I can’t. Yet my goal when I write is to be transparent and honest. It’s easier to do that when I share stuff about myself. But I don’t want to reveal it all.
But if I am truly honest, I can’t check this checkbox.
So those are my scores. Not a bad score and there’s room for improvement. I guess I’m not perfect.
But then again, neither are you.