7 security tips for your computer and the web

Keeping yourself and your business safe and secure is essential, right? So why do so many people use obvious, sometimes dangerously simple passwords? Here are a few ideas on how to keep yourself and your business website safe.

But first, a story. Well, before the story, let’s have some background:

“According to a new analysis, one out of five web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like ‘abc123’, ‘iloveyou’ or even ‘password’ to protect their data.”

When I first read about some of the terrible passwords people are still using, I really wasn’t surprised.

Shh... can you keep a secret?

In one notable, recent example, I was asked by a former client to “fix” a web application I was developing so that there was only the one username and password for everyone. At the time, I’d only set up one account, but someone had decided to share it and, soon after, people were signing in with the same account details.

The problem is, because of the security options I’d put in place, each person who signed in signed out the previous one. This was because the system couldn’t deal with two people signing in with the same account details. The client was dismayed.

“Why can’t we all sign in with the same details?”

They asked.

“Because the system doesn’t allow more than one person to have the same username and password.”

I replied.

“Can’t they just type their name in after they’ve signed in?”

They enquired.

“That’s the whole point of having a username; so the system knows who each user is.”

I replied calmly, trying not to sound patronizing or condescending. But the question, I suppose, is: why did they refuse to have a unique account for each member of staff?

As a very large business that bestrides continents, they have thousands of staff all over the world, so issuing usernames and passwords for each member of staff would be a considerable undertaking, one their own IT people refused to manage, even though it was firmly within their remit. And, ultimately, no one could be bothered with having a new account to remember on top of the ones they already had.

In the end, I came up with another solution, one that didn’t rely on usernames and passwords, one that was arguably as secure, but came with unique problems all of its own.

7 ways to keep your computer safe and stay secure on the web

Consider what you stand to lose if someone snags the password for your computer. For most people nowadays, that is just about everything.

So what can you do to stay safe and secure on the web? Here’s a collection of ideas for saving and storing the usernames and passwords for all of those websites and web applications you sign up to, as well as for staying secure while using a computer:

  1. Avoid obvious passwords — OK, this is obvious by now, but do not use names (your own, for example), dictionary words (“duck”, “apple”, “tea”, “foot”, “dog” etc), notable dates (your own birthday, or national events) or sequential letters and / or numbers (“qwerty”, “123456” or “abc123”) for passwords. Anything a stranger could guess about you, or find in a word list, is the first thing an attacker will try.
  2. Password protect your computer — Most operating systems (Microsoft Windows, Apple Mac OS X, Linux etc) have user accounts. Don’t do your day-to-day work in the default account, because that’s often the administrator account. Instead, leave that alone and create a standard account just for you. Then set it up so you have to sign in every time your computer restarts, and ideally whenever it wakes or the screen locks.
  3. Be careful in public — If you’re sharing a computer, or using one in an internet cafe, do not allow the web browser to save your details, and sign out of each site when you’re done rather than just closing the window. If someone else uses that computer and visits the same website, they could, potentially, sign in as you.
  4. Use the password store your operating system already has — On a Mac, go into your Applications folder, then the Utilities folder, and find the Keychain Access application. By default, many applications store your details there. You can use Keychain Access to add Secure Notes and new Password Items, to store your details securely, and to retrieve account details should you forget them. Managing passwords on Microsoft Windows isn’t quite as straightforward; there isn’t a direct equivalent to Keychain Access, but Windows XP and Windows Vista do keep saved Windows and network credentials under “Stored User Names and Passwords” in the User Accounts control panel (called Credential Manager in later versions), and that is where you manage them.
  5. Don’t share your accounts with other people — Sometimes you’re rushed for time and someone needs to get into application X right away. Rather than handing over your password, sign in for them, let them do their thing and then make sure they sign out afterwards. Once a password has been shared, you no longer know who has it.
  6. Passwords on paper won’t do — Scribbling passwords down on scraps of paper and stuffing them into drawers isn’t optimal. You’re either going to lose them or, worse, someone will find them.
  7. Complex is good — When choosing a password, remembering it isn’t the most important thing, not with the plethora of options for securely saving them to your computer. So choose one that’s more than ten characters long, with a mix of numbers and letters, both upper and lower case. Some software will even let you use punctuation marks and accented characters, like !@£$%^&*()¡€#¢∞§, which is even better, because the number of combinations grows with both the length and the variety of characters, and you soon have a password with more possible combinations than there are grains of sand on every beach on earth. Check that the site actually accepts such characters, though; some silently reject or truncate them.
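The following checker is an added example, not code from the original post, that turns the first and last tips above into something you can run against a candidate password: it rejects entries from a small constructed sample of common passwords and dictionary words, spots keyboard or alphabetical runs and date-like digit strings, and estimates the size of the search space in bits from the length and the mix of character classes. The word lists, the ten-character floor, the 60-bit threshold and the rough allowance for non-ASCII characters are assumptions for illustration; a real deployment would load a full common-password list.

```python
"""Password sanity check illustrating the tips above (added example, not from
the original post).  The word lists below are small constructed samples."""
import math
import re
import string
from datetime import datetime

# Constructed sample of passwords that appear on every "worst passwords" list.
COMMON_PASSWORDS = {
    "password", "123456", "abc123", "iloveyou", "qwerty", "letmein",
    "monkey", "dragon", "football", "welcome", "admin",
}
# Constructed dictionary sample; a real checker would load a proper word list.
SAMPLE_WORDS = {"duck", "apple", "tea", "foot", "dog", "summer", "london"}
# Keyboard rows, plus the alphabet and digits, used to spot "qwerty"-style runs.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             string.ascii_lowercase, string.digits]
MIN_LENGTH = 10      # assumption: treat ten characters as the floor
MIN_BITS = 60.0      # assumption: minimum acceptable search-space estimate


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive characters that appear in order
    (or reverse order) on a keyboard row, in the alphabet or in the digits."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in seq or chunk[::-1] in seq for seq in SEQUENCES):
            return True
    return False


def looks_like_date(pw):
    """True if the digits in pw form a plausible year or an 8-digit date.
    Six-digit dd/mm/yy forms are skipped: almost any six digits parse as one."""
    digits = re.sub(r"\D", "", pw)
    if len(digits) == 4 and 1900 <= int(digits) <= 2099:
        return True
    for fmt in ("%d%m%Y", "%m%d%Y", "%Y%m%d"):
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            pass
    return False


def entropy_bits(pw):
    """Estimate log2 of the search space from length and character classes used.
    This is the upper bound an attacker faces if they know nothing else."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)          # 32 ASCII symbols
    if any(ord(c) > 127 for c in pw):
        pool += 100                              # assumption: rough allowance for accents/symbols
    return round(len(pw) * math.log2(pool), 1) if pool else 0.0


def check_password(pw):
    """Return the list of reasons pw is weak; an empty list means it passes."""
    problems = []
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if re.sub(r"[^a-z]", "", low) in SAMPLE_WORDS:
        problems.append("is a dictionary word, possibly padded with digits or symbols")
    if has_sequence(pw):
        problems.append("contains a keyboard or alphabetical sequence")
    if looks_like_date(pw):
        problems.append("looks like a date")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    bits = entropy_bits(pw)
    if bits < MIN_BITS:
        problems.append(f"estimated search space only ~{bits} bits")
    return problems


if __name__ == "__main__":
    for candidate in ("abc123", "Summer2009!", "Qwerty1234!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or ["ok"])
```

The entropy figure is only an upper bound: a password built from a dictionary word and a year has a far smaller real search space than the character classes suggest, which is why the checker runs the pattern tests as well as the arithmetic.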

Got a security tip to share? Let us know how you stay safe…


The pros and cons of staying secure and blocking spam with a contact form

So you’ve got a website! Now what? If you want to connect with your visitors, you’re going to need a contact form. But what are the security advantages and disadvantages associated with a contact form?

I’m sure you, like me, have had your fair share of spam email: people trying to sell you everything from prescription drugs to watches. Worse still, some of these offers will probably be coming through your company’s contact form, which is both annoying and a waste of time.

Securing response forms with a CAPTCHA

OK, I confess, this is a buzzword. After everything I said about buzzwords and jargon being a pain, I go and do this! But there’s a very good reason.

There is a way of stopping a good percentage of the unsolicited email you receive through your forms, and it’s a security feature you can add to your contact forms. It’s called a CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart: a challenge that is easy for a person but hard for a script, so automated form-fillers are turned away before their message reaches you. If you go to the contact page of the Octane website, you’ll see one in action.
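Here is the server-side half of a text CAPTCHA for a contact form, written as an added example for this article (it is not Respondr’s code or anything from the original post). It shows the points that matter for the security of the feature: the answer never leaves the server in readable form, the challenge expires, the comparison is constant-time, and each challenge is spent after one guess so it cannot be replayed or brute-forced online. Rendering the code as a distorted image is left out; SECRET_KEY, the code alphabet and the two-minute lifetime are assumptions.

```python
"""Server-side CAPTCHA challenge lifecycle for a contact form (added example,
not Respondr's or the original post's code).  Image rendering is omitted."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)    # assumption: per-deployment secret, never sent to the browser
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I: they blur together once distorted
CODE_LENGTH = 6
CHALLENGE_LIFETIME = 120                # seconds a challenge stays valid (assumption)

# Nonces already spent.  Kept in memory here; a real deployment would use a
# shared store and drop entries once their challenge has expired.
_spent_nonces = set()


def _sign(payload: bytes) -> str:
    """HMAC over the token payload so the browser cannot alter the expiry or nonce."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def _answer_tag(nonce: str, code: str) -> str:
    """Keyed hash of the answer bound to the nonce.  A plain SHA-256 of a
    6-character code could be brute-forced offline (32**6 is only ~1e9
    guesses); with the server key in the mix the token reveals nothing."""
    msg = f"{nonce}:{code.strip().upper()}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Create a challenge.  Returns (code, token): render `code` into the CAPTCHA
    image and put `token` in a hidden form field; the code itself never goes out."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
    nonce = secrets.token_hex(8)
    payload = json.dumps({
        "n": nonce,
        "exp": int(now) + CHALLENGE_LIFETIME,
        "tag": _answer_tag(nonce, code),
    }).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)
    return code, token


def verify_response(token: str, typed_code: str, now=None) -> bool:
    """Check what the visitor typed against the signed token.  Every genuine,
    unexpired token is spent on its first use, right or wrong, so an attacker
    gets exactly one guess per challenge and cannot replay a success."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
        if not hmac.compare_digest(_sign(payload), sig):
            return False                         # forged or tampered token
    except (ValueError, binascii.Error, TypeError):
        return False                             # malformed token
    data = json.loads(payload)
    if now > data["exp"]:
        return False                             # challenge expired; issue a new one
    if data["n"] in _spent_nonces:
        return False                             # replay of an already-used challenge
    _spent_nonces.add(data["n"])                 # spend it before judging the answer
    return hmac.compare_digest(data["tag"], _answer_tag(data["n"], typed_code))


if __name__ == "__main__":
    code, token = issue_challenge()
    print("render this in the image:", code)
    print("visitor typed it correctly:", verify_response(token, code.lower()))
    print("same token again (replay):", verify_response(token, code))
```

The usual mistake this guards against is putting the expected answer, or an unkeyed hash of it, into the page or the form: a script can then read or crack it and the CAPTCHA stops nothing. Spending the nonce on a wrong guess matters too, because with only ~1e9 possible codes an unlimited-guess challenge would fall to a patient bot.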

Manually submitting contact forms

However, CAPTCHAs aren’t a silver bullet, or some kind of cure-all. Because of the various tools I use, I can see where people come from before they send me a message via my contact form.

The vast majority of the spam I get is from India. So rather than this being some automated system trying and failing to complete my response form and navigate its way around the CAPTCHA, it’s a real person at the other end. That’s a problem you can’t solve with software alone.

Some feel that having a CAPTCHA on your response forms might be doing more harm than good. As an example, one recent study found that CAPTCHAs have a measurable effect on conversion rates:

“From the data you can see that with CAPTCHA on, there was an 88% reduction in SPAM but there were 159 failed conversions. Those failed conversions could be SPAM, but they could also be people who couldn’t figure out the CAPTCHA and finally just gave up. With CAPTCHAs on, SPAM and failed conversions accounted for 7.3% of all the conversions for the 3 month period. With CAPTCHAs off, SPAM conversions accounted for 4.1% of all the conversions for the 3 month period. That possibly means when CAPTCHAs are on, the company could lose out on 3.2% of all their conversions!”

Those figures certainly give pause for thought. But it’s also worth mentioning that this is a relatively small study group, and I have a feeling that the type of visitor could play a major part in conversion and abandonment rates.

Respondr response form script

Because I got sick of relying on other people, I wrote my own response form script, called Respondr, which you’ll find being used here on Octane, as well as on the Blah, Blah! Technology blog, and several clients of mine.

Respondr is free to download, and if you’re a web developer, it should be easy enough for you to install and configure. Respondr also includes a built-in CAPTCHA, which can also be configured.

In the time I’ve been using CAPTCHAs, I’ve seen several people get stuck with them, but very few have abandoned them. My feeling is, people know why they’re being asked to enter a security code, because they’re just as sick of unsolicited mail as I am.

But if you are concerned about people abandoning your contact form, make sure your telephone number is nearby, so they can call you directly.

Masked passwords versus usability

I’ve always disliked masked passwords. What’s a masked password? It’s any password field on a form that turns the characters you type into bullets, so that what’s on screen gives away nothing about what you entered. Let’s face it, if you can’t see what you’re typing, how can you be at all sure you’ve typed the right thing?

Recently, usability expert Jakob Nielsen weighed in on the subject of masked passwords:

“The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.”

This is a problem for both new and seasoned web users alike. As a web developer, I don’t use masked password form fields. If a client asks for them, I explain why they’re such a bad idea, one whose positives are massively outweighed by the negatives.

If you’re worried about people looking over your shoulder, that’s a people problem, not something software can get around. At the very least, if web developers are going to use masked passwords in their forms, they should include a little check box that enables and disables the masking, to give the user the option.

Conclusion

Ultimately, if you choose to use CAPTCHAs or masked passwords on your company website, it’s about balance; are you doing the right thing by your customers / clients visiting your website?

And knowing your audience is essential, which is why I highly recommend you track the visitors to your website, to help widen that knowledge.