Internet Security

Here are a few examples of ads that are meant to look like windows.

A fake alert

A fake critical error

The easiest way to see through these is to notice the Internet symbol at the top of each windows. In this case, one has the Firefox symbol and the other Internet Explorer. That's because each is actually a browser window with the buttons removed.

All you're looking at is a picture of an alert. Just close the window and don't worry about it (always click the "X" at the top right of the pop-up, not anything inside the pop-up).

A while back, people discovered that a network administrator function called Messenger (easily confused with Microsoft's chat program of the same name) was turned on by default on all Windows machines. This would let advertisers send you an alert that would disrupt you no matter what you were doing at the time.

Microsoft fixed the issue in Service Pack 2 (which I recommend you get from their website). If for some reason you don't want service pack 2, you can manually turn off the service that allows this kind of Spam by following these instructions.

Unless it's an image trick like the one talked about above, this alert means something is trying to install on your machine and you have a chance to allow or disallow it here.

Something's trying to install... Uh oh.

A common trick among spammers, scammers, and spyware scum is to warn you that the alert will pop up and to ignore it. For example:

So while you thought you were just going to play an online game, but you just allowed some unknown program to install on your machine.

Generally, you should always say "NO" when you see this and re-evaluate the trustworthiness of the website you're on. Some exceptions might be Microsft.com or java.com. Big name sites might use this kind of installation for some features you really need or want.

Either way, just be really careful. Ask a friend or do a web search for more information before you decide, but if you aren't sure, just click "NO".

If you think you'll never need this site again, but the resource you need is hidden behind a login, check Bugmenot.com.

They have a service where people can share names and passwords for sites so you can login, get what you need, then never come back (all without having to go through the hassle of creating an account).

Clearly this won't work for things like forums, online stores, or anything else where you need continuous access, but for sites like drivers.com where you only need access for a second to get the driver you need, it's golden.

Typically, a website will make it clear which data items are required and which aren't by highlighting them or marking them with some symbol (usually *).

In other cases, a site might not indicate which are required in the hopes that you'll just fill the entire thing out giving them more valuable data. In these cases, the quickest way to highlight the required fields is to hit the "Submit" button without entering anything. The form should come back up and list which fields you didn't enter that you need to. Any fields that aren't listed, ignore.

How to force a site to show you which fields are optional and which are required.

In this case, only the age is optional and they want you to fill in the rest of the data which includes some very personal information. At this point, you might want to re-evaluate whether you want the service or not and whether you have any obligation to be truthful on the form (see my article on protecting your personal data for more details).

While I was able to prove in my master's research that major companies won't spam you from just signing up with them, that doesn't mean that smaller, lesser-known websites won't (or that the bigger companies won't change their policies).

There are even worse things that can happen if you're not careful about giving your main e-mail account (covered below), but for now, let's just say it's in your best interests to withhold your real email or use an alternate.

Withholding your real e-mail can be difficult because most sites require an e-mail response to activate your account. Usually this is done by sending you an activation e-mail that contains a link you need to click.

A simple solution for this is to use another neat service called 10minutemail that gives you a web based self-destructing e-mail address that lasts for, you guessed it, 10 minutes. That's plenty of time to get the activation e-mail and respond to it. After that, if the web site you signed up with tried to use the e-mail address, it will send the Spam to the dead e-mail address.

Alternate e-mail addresses are useful when you actually need to get e-mails from this company (say when ordering an item), but you still want to protect your main e-mail. Just sign up with one of the free e-mail services (Yahoo, Hotmail, etc.) and use that e-mail address for sites or people you're not too keen on.

Later, if that address gets buried under Spam, you can just open a new account and let the other one drift slowly into nothingness.

Do not. Do not. DO NOT use the same password everywhere. Let me explain why that's a problem:

Signing up for a new account

Take this account sign up form for example. You enter a user name of your choice, your password and your e-mail (note that you should never enter real answers for the secret question).

Given only the information you've provided, I can own you and destroy your life. As the webmaster of this site, I can see the password you entered by just checking my database. Assuming you use the same password for every site, all I have to do is go to any website, enter the user name you gave me (since the odds of you using the same user name is very high) and the password and there's a good chance I'll get in (as long as you're a user of the site I chose).

As any smart thief will do, I'll try all the major banks, financial websites, and online retailers first.

But there's an easier way. You gave me your e-mail address. If you use the same password, I know which e-mail service you use, go to the site, enter your password and now I can read all your e-mails to find out exactly what sites (your bank for example) you use.

It gets worse. If you used your business e-mail address on my form (as in this example) and the company you work for is pretty big, I've got access to your business computers as well. How?

The name of your business is in your e-mail address. Most businesses have the user name you log in with as the name before the @ symbol. That means in this case, you work at "Big Company" and your user name is "johnj". If your password is the same, all I have to do is go to that company's site, find the employee login screen, enter "johnj" and your password and I'm in. Now I can defraud or destroy the company in your name.

In short; pain, agony, and shame all brought to you from having a single password for everything.

You don't really have to have a completely unique password for absolutely every online account. The question to ask is, "what level of password is needed?"

For example, if you post regularly to a series of web forums and you're not that concerned about your accounts, it can be far easier to remember your password if you have a "forum password". In other words, you have the same password for any given "class" of web site.

One for forums, one for news sites, one for games. When the accounts aren't attached to money or your reputation, they don't need the security that comes from separate passwords.

Clearly any financial site like a bank, eBay, or stock brokers should have a higher level password. Not only should you be more careful to make a strong quality password (described next), but it should be unique from all your other passwords.

And for the account that needs your strongest, most important, most secure password of all… your e-mail. "E-mail? Are you kidding!?", you say? Actually, I'm not.

Resetting your password

What you see here is a password reset form. It turns out that almost every website and service has one of these. The only thing you need in most cases is access to the e-mail address used on that site.

For example, if I have access to your e-mail account, I can go to PayPal, enter your e-mail address and a quick verification number that's shown on the screen and they'll either send the password back to me or reset it to some random value (which they'll send to me).

Because of password reset forms, access to your e-mail account is access to your world. Keep your e-mail account secure!

The easiest way to get someone's password (without using extreme or illicit means), is to try every combination one after another until you get in.

For example, if you had a lock with three digits on it, each lock has 10 possible values giving 1000 possible combinations. If it took you about 3 seconds on average to spin one wheel and test the lock, it would take you about an hour to crack it.

A three digit password on a computer is a whole different situation. There are 256 characters in a normal computer character set. That means each "letter" in the password can actually be any of the 256 possible values. Most people don't use near that many characters, but even if you did, 256 characters time 3 spaces is roughly 17 million possibilities.

While that's a whole lot of combinations, given the speed of computers as of the writing of this article, it will take less than 50 seconds to try every single one. However, the number of combinations and the time it takes a computer to crack a password goes up exponentially with each character added:

• 3 characters = seconds
• 4 characters = minutes
• 5 characters = hours
• 6 characters = days
• 7 character = years

So the longer the password, the less likely someone will be able to crack it just by trying every combination.

Having a longer password isn't enough. A truly random password might be something like this: 3i*YG21h

But people don't use passwords like that because they're too hard to remember. Far more common are passwords like love, money, password, letmein, 1234, or qwerty. Common categories of passwords are curse words, animals, famous places, sports terms or teams, or religious terms.

Knowing this, people have put together "dictionaries" which are nothing more that the most commonly used passwords (as proven by years of research) followed by common words and word variations (ex. cat, cat1, 1cat, 1cat!, cat!, etc.).

Running a "Dictionary Attack" is similar to brute force except that they are using knowledge of people and the way they think to cut the search time. Preventing this attack requires using complex or unusual passwords.

Note that I didn't say "random". Yes a random password is generally more secure, but it's also hard to remember. When faced with a random password, people are likely to write it down on a piece of paper somewhere on or near their computer.

• Hard to create, but easy to remember
• Misplel
• Use numbers, special characters, and both upper and lower case letters
• 8 characters or longer
• Use phrases

An example of putting these together is to take your golf club membership number and create Golf#2143

It's long, has upper and lower case letters, a special character, and four seemingly random numbers. This is a good password and it's easy to remember! Here are some more:

• MyIQiz134 - It's a phrase, but uses a misspelling of "is" and has numbers that have no meaning outside of this phrase.
• Take your favorite animal, color, and number and make 3PurplKitteez. Misspelling, plenty of length and a number.
• IRdaBaumb! - "I are the bomb".

That's the basic idea. Put some thought into it and you'll surely be able to come up with some as good or better.

The suffix trick is a method of quickly taking insecure passwords and adding length and complexity to them in a simple way. For example, say you have three passwords at three different sites: cat, money and camero.

These are all strikingly weak passwords, but you may have used them for a long time and not want to get rid of them. Fair enough. But take my advice and you can secure them all without changing them too much.

To use the suffix trick, first pick your suffix. Here are some suggestions:

• @site.com - Where "site" is any word you want and ".com" is any domain (like ".gov", ".org", ".co.uk" etc.). Here you are making your password into something that looks like an e-mail address. The beauty of this one is that it adds special characters and good length while being super easy to remember.

  For example, you could use "@hubris.jp" or "@gonzo.uk". Note that using country codes works well because they're more random than ".com".

• 2^3=8 - Math is great because it's all numbers and symbols, but it's easy to remember and understand.

  2+5=7
  9-1=8
  6*10=60

  See?

• 3141592 - Pure numbers. This is good for sites that don't let you use special characters in your password. You can go completely random, but in this case, it's pi.
• three3 - Numbers and letters. Again, useful for sites that don't let you use special characters.
• &7sh3 - This is truly random. Pick something as complicated as you can think of (so long as it's only 4 to 6 characters). This is better than some of the other picks because even if a web site admin looks at your password, they probably won't figure out the trick (where some of the other suffixes are pretty obvious).

  Again, good length and now your passwords have numbers AND special characters.

Now that you have a suffix, you're going to go to every website and webservice that you can and add the suffix to your passwords. No matter how long or hard the suffix is, since you're using the same one everywhere, it becomes easy to remember.

For example: cat2^3=8, money2^3=8, and camero2^3=8

Even if someone were to figure out the trick you're using, they still have to guess the rest of your password (which will be at least as strong as your password was without the suffix).

In other words, there's a chance that someone might be able to figure out your trick and your passwords lose the extra security, but in all other cases, your entire online web presence has become more secure with very little effort. This is the least you should do right now until you have time to pick better passwords for your more important accounts.