Last updated March 2020

Computer Security Best Practices:

Questions:

(Some of these questions aren't answered yet.)

1... Slow computer ?

2... Malware scan says something is infected.

3... Pornography filters ?

4... How do I remember my passwords?

5... I forgot my password!

6... How do I buy stuff online without getting scammed or having my credit card stolen?

7... This popup says I have a virus.
Is it legit?

8... This stuff is too technical.
I just want my computer to work.
What's the risk if I don't do this stuff?

9... Can you fix my computer?

10... What's my wi-fi password?

11... Can I just buy Norton or whatever instead of doing all this stuff?

12... How do I keep my kids from messing up my computer?

13... Why do computers change so much?
I just want it to work.
Something changed, and now I don't know how to do [whatever] anymore.

14... How do I get pictures off my phone?

15... Smartphone addiction

16... What's wrong with my printer?

17... I just downloaded something, and I can't find it.

18... Why am I getting popups?

19... How do I back stuff up?

20... So according to this page I have bad passwords.
Does that mean I got hacked?

21... How long should a password be?

22... Do I need antivirus software?

23... Is this cheap [whatever] on ebay any good?

24... What is the cloud?

25... How do I secure my phone or tablet?

26... Why is [the website in question] asking for my phone number or email when I sign in?

Table of contents:

1... Secure vs convenient

2... Don't use Internet Explorer.

3... O&O ShutUp10

4... Clean up your browser.

5... Faster, more secure internet

6... Full scan for malware

7... Popup / email scams

8... Buying stuff online

9... Ad blockers

10... Some networks are safer than others.

11... Backup files you have created.

12... Don't save passwords and credit card numbers.

13... Strong passwords

14... Password managers

15... Critical passwords

16... Updates

17... Driveby malware

1... Secure vs convenient:

Secure computers are harder to use than insecure ones.

If you build a wall and moat around your castle, it will keep people out, but it's harder for you to get out of your castle.
I don't do some of the stuff on this page, because it messes things up on my computer.
The risky behaviors listed on this page are common, because people take the easiest route.

If you want a secure computer, it will take some effort.

What's the risk?

If you do nothing, people like me can hack you right now.
If you do some of these things, maybe only hackers can hack you.
Computer security is so complex, unless you're a security expert, you will probably be hacked.

2... Don't use Internet Explorer.

Instead use one of these browsers:

Edge
(Comes with Windows 10)
Chrome
Firefox

3... O&O ShutUp10

4... Computers get slower & more infected by malware over time.

Configure your browser to delete cookies when you exit:

Chrome:

1. Click the 3 dots at the top right.
2. Click Settings
3. Click in the Search settings box at the top...
4. Type "site settings".
5. Click Site Settings
6. Click Cookies and site data.
7. Clear cookies and site data when you quit Chrome
(This should be on... It should be blue, not gray)

Edge:

1. Click ...
(At top right)
2. Click the lock icon
(Privacy & security)
3. Click Choose what to clear

4. Cookies and saved website data

(This should have a checkmark.)
5. Always clear this when I close the browser
(This should be On.)

Firefox:

1. Click the three stacked lines at the top right.
2. Click Options.
3. Click Privacy & Security.

4. Under Cookies and Site Data...

Delete cookies and site data when Firefox is closed
(This should have a checkmark.)

5... Faster, more secure internet:

Change your DNS to one of these:

1.1.1.1


...probably the fastest DNS.

cleanbrowsing


...filters out pornography.

6... Malware can hide in almost any file on almost any device.

Do a full scan of your whole computer (hard drive, USB flash drives) for malware regularly.

Use one of these:

Windows Defender
(Comes with Windows 10)
1. In Windows 10, click the start menu and type windows security.
2. Click Windows Security.
3. Click Virus & threat protection.
Malwarebytes
Avast
Bitdefender

7... Microsoft says, "You may already be infected!"

PayPal says, "We got hacked, and we have to check your account!"

Is this popup / email from Microsoft...
...or is it someone pretending to be Microsoft?

The hacker is trying to get:

...your credit card
...or your username & password
...or you to click on something that will infect you with malware.
...or they are verifying that your email or phone number is active.

Hackers make you feel scared or rushed so you are more likely to click.


It's a scam if they say:

"gift cards"

Vague wording, i.e., not identifying the company

"your electric company"
"your credit card"
"I thought of you when I saw this video"

Unsolicited tech support or advice
Do you actually use the claimed company?
(Your antivirus program may give you warnings about malware, but Microsoft probably won't.)

"password"
Legit companies will not ask for your password except on their login webpage.

T-Mobile requires me to change my password every once in a while...
...But only when I'm logging in at their page.
They don't email me about it.

A company may email you requiring you to change your password after a data breach at the company.
But you don't have to click on the links in the email.
Instead you can just go to their website and login.

After a data breach, it is more likely that you will be required to change your password when you are logging in at the company's website, rather than receiving an email about it.

Don't click on links before checking where they will take you.

(Sometimes you can't do this with popups.)

A clickable link can say anything...

The link may say amazon.com...
but will take you to badsite.com.

Don't click shortened links like http://bit.ly/GVBQJS...
before checking them at http://unshorten.it/ or a similar site.

How to check the link target on a desktop computer:

Hover on the link (without clicking) to display the link target in the status bar at the bottom of your browser.

The domain is the important part...
(website.com... business.net... organization.org... company.co... irs.gov, etc.)

The domain is immediately to the left of the slash.

There may be sub-domain(s) to the left of the domain.

...which will be separated from the domain with a period.
Sub-domains don't matter.
The domain is what matters.

Here are some urls with the domain highlighted:

https://login.yahoo.com/?.src=ym&.intl=us&.lang=en-US

https://login-yahoo.com/?.src=ym&.intl=us&.lang=en-US

(This is not yahoo.com.)

https://www.paypal.com/us/signin

http://signin.paypal.com@10.19.32.4/o

(This is not paypal.com.)

http://www.paypal.com.ssl2.us/webscr.php?cmd=LogIn#
(This is not paypal.com.)

Companies sometimes use other domains, particularly for payment processing.

The above technique is not foolproof.
It is more useful for showing malicious links than good links.
Verifying that the link is a "good" domain does not guarantee that it is not malicious.
Website addresses can be faked with unicode characters.
Status bars can also be hacked with scripts.

Email:

Don't trust emails from people you know.

Email addresses can be faked.
An infected email account will email people in its address book, trying to spread the infection.

8... Buying stuff online:

Safest to riskiest:

1... amazon:

Amazon is great for product ratings.
Check seller ratings.

i.e.,

98% positive
over the past 12 months.
(46,140 total ratings)
< Avoid sellers with small numbers here.

2... ebay:

Ebay is great for cheap prices.

Is this cheap [whatever] on ebay any good?

Many cheap ebay items don't have product ratings.
Check seller ratings.

Recommended payment methods:

PayPal is safest.
Check is probably the only other payment method I'd use on ebay.
Don't give your credit card number to an ebay seller.

3... froogle:

froogle is great for price comparing an item across many websites.

4... craiglist:

Craigslist doesn't charge you to sell stuff.
You can meet in person or mail stuff.
There's no seller or product ratings.

Local sales:

Meet in a public place.
(They could murder / rob you.)

Recommended payment methods:
PayPal
Cash
Check

Unfamiliar websites:

(i.e., you found a good deal on froogle, but you never heard of the website.)

Web of Trust displays website ratings on google search hits.


1. Add the Web of Trust extension to your browser.
2. Google the website in question and check if it has a Web of Trust rating.

Is [the website in question] secure?

(Secure websites have https at the beginning of their address.)
You don't want to enter your credit card number at a regular http website.

Is [the website in question] who they say they are?

Will the seller send what you bought or take your money and run?

Seller ratings on froogle.com:

First sort by price.
Only buy from sellers that have a good rating.
This will appear to the right of the seller...

rating >95% (1,265) < number of ratings

Many sellers on froogle don't have ratings.

Does the seller accurately & completely describe the item?

What features do you need the item to have?

Is the item new?

Used items:

Why is the seller selling a used item?

Is something wrong with it?

What are common things that wear out with a particular used item?

Did the seller provide that information in the item description?
(i.e., for used computer monitors... Are there any dead pixels?)

Photos of the item:

If there aren't photos, you don't know what you're getting.

Don't give your credit card number to unknown sellers.

Instead use PayPal if available.
Or use a check.

9... Adblockers:

Install one of the following to get rid of YouTube and facebook ads and stuff:

AdblockPlus
AdBlock

After you install an adblocker, some websites will block you with a popup.
There is usually something small you can click on to procede like an X or Continue with Adblocker.

10... Some networks are safer than others.

Don't sign in to websites on public wi-fi.

(i.e., networks that don't require a password to use... Starbucks, library, etc.)

Safest to riskiest:

1... No internet connection

2... Modem, But no router

(Turn off or unplug your modem when not using the internet.)
(If you turn off your router, it may default to the factory password.)
(ISPs often use a all-in-one device that contains both a modem and router.)

3... Modem + Router with your password

(You need a router for wi-fi)

4... Modem + Router with the factory default password

(Hackers know the default passwords.)

5... Modem + Router with an ethernet cable connection to the internet

(A wired internet connection requires physical access to the device in order to hack.)

6... Modem + Router with password-protected wi-fi connection to the internet

(A wireless connection to the interent can be hacked wirelessly without physically accessing your device.)
(Turn off your wi-fi when not using.)

7... Modem + Router with a wi-fi connection to the internet that doesn't require a password

(The hacker doesn't need to hack the wi-fi password.)

8... Modem + Router + Computer with a password

(If your computer is physically accessible to people you don't trust, enable a login password.)

9... Modem + Router + Computer that doesn't require a password to use

11... You will probably get hacked, have a fire or accidentally delete your documents.

So, backup files you have created.

(Photos, documents, password file, etc.)

Make an extra copy of your password file.

You can just copy and paste files onto a USB flash drive:

1. Click a file to select it...
...or CTRL + click to select multiple files.
...or SHIFT + click two files to select all files between the two files you clicked.

2. CTRL + C (Copy)
(Not CTRL + X... This will move (cut) the file instead of copying)

3. Open File Explorer or something and click around until you find your USB flash drive...
(Click This PC, then Devices and drives)

4. CTRL + V
(Paste)

...or you can use backup software like Cobian Backup to save a list of important files you want to back up regularly.

12... You will probably get hacked.
...or a webiste you use will get hacked.

Hackers can't get what isn't there.

So, don't save passwords and credit card numbers on your computer or websites.

Instead, keep them on a USB flash drive.

If you use a smartphone, enable multi-factor authentication for websites.

When you sign in, the website texts a code that you need to enter in addition to your password.
This can be inconvenient if you have to enter a code every time you sign in.
But it is a foolproof way to prevent hacking.
If a hacker gets your password, they can't sign in without your phone.
Instead of entering the code every time you sign in, some websites can be configured to only require the code when changing your password.
What if you forget your password for a website?

1. On the website, click Forgot password?
2. The website will email or text you.

Websites often ask for your email or phone number when you are signing in.
Provide it in case you forget your password.

Don't let your browser or operating system save passwords.

Don't store credit cards on websites.


(i.e., for automatically paying for subscriptions)

Delete your credit card from amazon, ebay, etc. after buying something.

Look for Account settings.

Use PayPal instead of credit cards.

(You give your credit card number to PayPal instead of the seller.)
But delete your credit card from PayPal after buying something.

If you use online banking...
...turn off your credit card when you're not using it.

Sign out of websites when you're done with them.

You are easier to hack when you are signed in to a website.
It's easier to stay signed in, and websites usually do this by default, but it's risky.

13... Strong passwords:

Short passwords and passwords made up of dictionary words are easier to hack than long, randomly-generated passwords.

Good passwords:

(Don't actually use these!)

F5gFd6&j9L;klMnS2#45g6_=A
presidentseniormalarkeyradiant

Bad passwords:

Fighthegoodfight
(phrase)
^(;A2#6y
(too short)
headpuntriseryour
(Words are probably too short.)
cumuluscloudsweatherreport
(related words)
FLU \/@((|NE
(Hackers use lists of commonly-used tricks like symbol substitution.)

Passwords become easier to hack over time as hackers' computers and botnets get more powerful.

So, use the longest random passwords you can.
Good passwords are hard to memorize.

But do you need to memorize your password?


Reasons to memorize a password:

1. It's the master password for your password manager.

2. You don't care if it gets hacked.

(i.e., disposable email)

3. You have to type it in (i.e., on your phone) instead of copying it from your password manager.
(i.e., your wi-fi password)
(f$h*7A is harder to type than fishykillerache)

4. You use it a lot and don't want to take the time to fire up your password manager.

If you don't use a password often enough to memorize it, you might as well make it random and long and save it in a password manager.

Don't use the same password at different sites.

If the password is hacked, all websites that use it become vulnerable.
Hackers share lists of previously-hacked passwords.
If you think you were hacked on a website, change your password for that website.

14... Password managers:

...save all your passwords in an encrypted file or in the cloud.
...can generate random passwords.
All you have to remember is your master password.

How to use KeePass:

1. Open KeepPass.

2. CTRL + O

(Open password file)

3. Find your password file.

4. Type in your master password.
5. Your password list is displayed.
6. Select the desired website or username.

7. CTRL + C

(Copy)

8. Go to the website and click the box where you enter the password.

9. CTRL + V

(Paste)

15... Critical passwords:

Master password for your password manager:

If you forget your master password, you lose all your passwords.
You can't keep your master password in your password manager.

It's easy to misstype when creating your master password.

1. Create the master password in your password manager.
2. Write it down.
3. Verify that what your wrote down matches what you typed in the password manager.

If a hacker gets your password file and master password, they have all your passwords.
You have to type your master password, so it probably can't be something really strong like 5Gdz`87f3kk#.
Instead use a passphrase consisting of long, unrelated words, like heiress99ninetymaintain.
Bank, Mutual funds, etc.

Email:

1. You use your email as a username on a website.
2. Someone hacks your email.
3. The hacker can reset your password on the website where you use the email as a username.
Router

On the bottom of your router is the factory username and password.
Hackers have lists containing those factory usernames and passwords.
Change your router's username and password to something better.
Google your router model to find out how to do this.
Most routers are configured by typing a url in your browser.

While you're in there, Check these router settings.

If your router's manufacturer no longer releases firmware updates for your router...


...buy a new router.
...or install 3rd-party firmware.

(There may be a firmware update option in your router settings...

...or check your router manufacturer's website...

Look for Support or Find Your Device or Downloads.)

16... Updates:

When a new security vulnerability is discovered...

...your computer or software needs to update in order to protect against the new vulnerability.

Keep your operating system and software up to date.

Enable automatic updates in each of your softwares.
(Windows 10 automatically updates by default.)

Uninstall sofware that you don't use.

Software updaters:

SUMo
Patch My PC
FileHippo App Manager

17... You can get infected by malware just by visiting a website.

The following 2 browser add-ons block the little programs that are written into websites.

Hackers can use these programs to hack you.

Most of these programs are safe, and many websites will look funny or not work right with them blocked.

You can temporarily or permanently enable them on a per-domain basis.
(domain = the .com part of a website address, i.e., yahoo.com)

It can be a pain, but I like the peace of mind of knowing stuff is blocked unless I unblock it.

for Chrome:

ScriptBlock

for Firefox:

NoScript


mark@chiptape.com