If you ask the average person what the best ways to protect themselves online are, they will give some true answers — but they will likely be different than the answers you’d get from a security researcher. Here’s the difference.
Google, in a paper they’re presenting at the Symposium on Usable Privacy and Security this weekend, asked two groups — experts and nonexperts — what they do to stay safe online. While the nonexperts provided some good answers (like using antivirus software), the experts placed certain items as much higher priority, as shown in the above graphic.
The experts prioritised keeping your software up to date, and using two-factor authentication, two things that did not appear on the nonexperts’ list. Most importantly, however, the experts noted that strong passwords aren’t enough: you also need to use a different one for every account you have, which means you probably also need a password manager to keep them all straight.
If you’re more like the second column than the first, then good for you! Be sure to share this with the nonexperts you know. The more we can make those columns look alike, the better off we’ll all be.
New Research: Comparing How Security Experts and Non-Experts Stay Safe Online [Google Online Security Blog]
Comments
10 responses to “How The Experts Protect Themselves Online (Compared To Everyone Else)”
Looks like the infographic is written by a password manager company.
You missed one. They browse inside a virtual machine.
I’m not a security expert but I take all of the approaches mentioned in the right column. Password managers are absolutely awesome and I would encourage every internet user to start using one. Along with strong unique passwords, logins, 2FA, etc.
Every few months when your favorite website announces they have been hacked, you only need to change one password and not every account you’ve made on the Internet.
I do all of them except using a password manager. I don’t think I quite understand the purpose of them?
Well, for example, my gmail password is something like 40 characters of random gibberish. So are the rest of them. All I have to remember is the master password, which, by the way, is about 30 characters long (not so much gibberish though). I don’t have a single password that is the same as any other.
That makes sense. Follow on question then – is a 40 character gibberish password more ‘secure’ than a 40 character horsedeskchairclocksaturdayfishcoles password? (not my actual password, I promise)
That, I don’t know. I’d think it can’t be less secure? Anyway, I also use 2FA for everything that supports it. Even if they do get my password, it’s unlikely they’ll have access to my phone.
It is probable the 40 chars of gibberish is a more secure password than a similar sized string of words run together. I believe there was a LH article highlighting this recently, but I can’t find it.
So, (per password) something like LastPass or Dashlane, which attempts to generate “random” passwords is probably more secure since it can (theoretically) only be brute forced.
When you also add the following it only gets better:
– Two factor auth.
– Unique passwords per account.
– Ubiquity across platforms (and therefore increased user compliance).
– A dedicated and highly skilled team monitoring the security of your security.
Although, LH’s login forms seem to confuse my password manager. So thanks for that 🙂
Yes, because you can dictionary brute force, but the difference is academic. What is NOT academic, and is a very real security difference between the two strategies, is if you try to remember your 40 character word-based password, you’re going to want to use the same password for lots of sites. Therefore, when one of them gets hacked and their password database decrypted because they stored them in plain-text or reversible encryption, your password for all your sites is now compromised.
If you had instead used a different 40 character random password for each site, and a password manager to keep them, then your gmail account is still secure even after your Ashley Madison username and password have been published online.
Of course, it all rests on the hope that the password manager is actually secure. If LastPass gets compromised, then you’re in real trouble.
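As an added worked example (not part of the article or of any commenter's post), here is the comparison the two commenters above are arguing about: a random password of the same length as the word-based example, scored under a character-by-character brute force and under a dictionary attack that knows the password is made of common words. The 10,000-word dictionary and the 10 billion guesses per second are assumed figures for illustration.

```python
"""Compare the guessing effort behind a random password and a passphrase
of dictionary words run together. "Bits" is log2 of the number of
candidates an attacker must try under a given guessing strategy."""
import math

PRINTABLE_ASCII = 95   # alphabet a password generator typically draws from
LOWERCASE = 26         # alphabet of the word-based example
SECONDS_PER_YEAR = 365.25 * 86400


def random_password_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of `length` symbols drawn uniformly from an alphabet; the only
    attack is exhaustive character search."""
    return length * math.log2(alphabet_size)


def passphrase_bits_char_attack(phrase: str, alphabet_size: int = LOWERCASE) -> float:
    """Effort if the attacker treats the passphrase as opaque lowercase text."""
    return len(phrase) * math.log2(alphabet_size)


def passphrase_bits_dictionary_attack(word_count: int, dictionary_size: int) -> float:
    """Effort if the attacker knows it is `word_count` words from a known list;
    each word position contributes log2(dictionary_size) bits."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every candidate at the assumed guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(phrase: str, word_count: int, dictionary_size: int = 10_000) -> dict:
    """Bits for a random password of the same length as `phrase`, and for the
    phrase itself under both attacker models."""
    return {
        "random_same_length": random_password_bits(len(phrase)),
        "passphrase_char_attack": passphrase_bits_char_attack(phrase),
        "passphrase_dictionary_attack": passphrase_bits_dictionary_attack(
            word_count, dictionary_size),
    }


if __name__ == "__main__":
    # The commenter's constructed example: seven common words run together
    # (36 characters, explicitly not a real password).
    phrase = "horsedeskchairclocksaturdayfishcoles"
    for name, bits in compare(phrase, word_count=7).items():
        print(f"{name:30s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
```

The dictionary attack is the relevant one: the passphrase drops from about 169 bits to about 93 once the attacker knows the word list, while the same-length random string stays above 230, which is the "can only be brute forced" point made above.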
The big point that is missed.
Only store the minimum information (data) you can get away with online.
The possibility of the data being hacked or stolen increases with time.
It is a good idea to encrypt whatever you store online. Any archiver like 7-zip lets you do this to produce an encrypted file to upload to the cloud.