This article is a companion piece to our Total Privacy article
Linux has a well-deserved reputation for being incredibly secure in comparison to operating systems like Windows and OS X. However, that said, you can’t simply rest on your laurels and assume that your computer is impervious to attack – especially in the wake of security scare stories over the course of the last few months such as Heartbleed, Shellshock and the Turla malware, as well as the ever-present threat of more direct system and account intrusions.
This month we’re going to tackle security on both the online and offline front. First up we’ll go through good password practice with a fine-tooth comb, picking out everything that you need to know and showing you how to create super-safe passwords. We’ll then take a look at client-side security by running through the optimal settings for your machine and suggesting ways for you to ensure everything important is protected. Networks are next – we’ll explain how to build firewalls and properly set up and control your ports, then go through the principles of penetration testing. Finally, we’ll return to online matters with a look at securing your various accounts, including using two-factor authentication, and then locking down any information that could potentially be used to hack your accounts.
One of the most important steps in keeping anything secure is to create a very strong password that is difficult to crack. While movies will tell you enterprising hackers just need to look around your office to figure out your password (“it’s his son’s name – easy”), the most common method of password cracking is a brute force attack on the server and the username.
Under a brute force attack, short passwords, unmodified dictionary words and anything on top password lists will succumb very quickly. In terms of password length versus time to crack, the hours and days needed to discover a password are always going down thanks to advances in CPU speed and bandwidth. Using simple alphanumeric passwords is increasingly insecure, even if they’re as long as ten characters.
Let’s start with a password, then, and modify it – a non-dictionary word, reasonably long. Plucked out of the air we have:
Time to crack: two seconds
Seven is quite short. If you’re using it online, most websites require a minimum of eight letters, a capital letter and a number. This drastically improves the quality of the password, both offline and online. A basic modification would be:
Time to crack: 15 hours
Doing a lot better! The password is immediately exponentially more secure, although 15 hours is still not that long. We can do better by adding a symbol to the mix in an easy-to-remember location:
Time to crack: 3 days
Another big jump to three days. In theory, most people would give up by now, but as we’re dealing with automated brute forcing, that won’t matter. We’re at about as secure as we can be with an eight-character password in terms of brute force, and the ‘1’ at the end is a bit basic. By just making it a two-digit number we can further increase the time to crack:
Time to crack: 275 days
275 days is quite a while, but it’s still doable for persistent crackers. Adding a symbol, letter or number to the end of this password will increase its lifespan to 58 years. 58 years is a massively long time for someone to be trying to crack your password without upgrading their hardware and software or simply forgetting about it. So here’s an example of an excellent starter password idea:
Which, you know, PLEASE don’t use as your actual password as that would be a very silly thing to do. Anyway, we say starter, as while this is an excellent password, you shouldn’t be using it on every account that you have. If a list of passwords is leaked due to someone else’s insecurity, it doesn’t matter how long your password will take to brute-force if they already know what it is. If you hear of a leak, change your password immediately.
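To show why each step in the progression above buys so much time, here is an added example (not from the article) that works out the alphabet a brute-force attacker has to search and the resulting keyspace for each password shape. The guess rate is an assumed figure, so the times will not match the article’s own ‘time to crack’ numbers, and the passwords are constructed stand-ins that follow the same lowercase → capital and digit → symbol → two-digit number → extra character steps.

```python
import math
import string

# Character classes an exhaustive search has to cover once a password uses them.
# The symbol set is an assumption: the 32 printable ASCII punctuation marks.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def charset_size(password: str) -> int:
    """Alphabet size an attacker must assume to cover every class the password uses."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates in an exhaustive search of that alphabet at that length."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(password) / guesses_per_second


def human(seconds: float) -> str:
    """Readable rendering of a duration, largest sensible unit first."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.2f} seconds"


def report(passwords, guesses_per_second: float = 1e10):
    """Return (password, alphabet, keyspace, worst-case seconds) rows; rate is assumed."""
    rows = [(pw, charset_size(pw), keyspace(pw), seconds_to_exhaust(pw, guesses_per_second))
            for pw in passwords]
    for pw, alphabet, space, secs in rows:
        print(f"{pw:<12} alphabet={alphabet:>3}  keyspace=2^{math.log2(space):5.1f}  worst case={human(secs)}")
    return rows


if __name__ == "__main__":
    # Constructed examples mirroring the article's steps (not its actual passwords).
    report(["brumbal", "Brumbal1", "Br@mbal1", "Br@mbal12", "Br@mbal12*"])
```

Note that a symbol adds far more than one extra lowercase letter would: it grows the alphabet for every position, so the gain is raised to the power of the length.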
Password Do’s and Don’ts
Do:
Use capitals, numbers and basic symbols
Reset online ones every six months
Make sure it’s at least nine characters long
Run something similar to your password through a password checker
Don’t:
Use dictionary words
Use personal information
Use consecutive numbers
Use numbers such as your two-digit birth year
Use the same password everywhere
Write them down
Make them too long
Now that we have a basic password, it’s time to start implementing it online. Security experts say you should use a different password for every account. Services like LastPass can offer a convenient way of doing this with truly unique passwords per account, but you might not be comfortable with them. Human beings can only remember so many passwords; as you most definitely should not be making a note of these passwords, what we suggest is to modify the password based on which website you’re using it on.
For example, let’s take Amazon. It has your credit card details so securing the account is extremely important. After the ‘Dw@n’ of the ‘dwanton’ base we have three characters to play with, so we could change them for our Amazon password. Here’s our working:
Take the middle three letters of the site’s name (as Amazon is six letters long we will choose ‘maz’), and reverse the letters to ‘zam’. Now insert it into our password:
This still has the high level of security, but will be different from, say, eBay (Dw@nabe12*) or GitHub (Dw@nhti12*), without being immediately obvious to whatever cracking program would then try to use that password on other websites and accounts. A smart enough human might crack the code, but this is only an example of how you can modify your password while still making it memorable to yourself.
Security and Privacy
Last time we touched upon how to keep your details as private as possible. As well as brute force attacks, crackers can perform confidence and social manipulation tricks with phone support to deceive you, using any information they can gather from social accounts. Some of the privacy-orientated recommendations can help keep angles of attack secret from malicious people.
Go through your social media accounts – Twitter and Facebook mainly – and look at your privacy settings. Make sure nothing sensitive is set to public, and even think of removing items that you don’t need on your profile, such as phone numbers on Facebook or location on Twitter. Most importantly, keep your main email address completely secret: never share it on Twitter unless via a DM to someone you trust and don’t keep it in your profile. For work email, use a different address and link as few accounts as possible to this email.
Lastly, while an extreme step, you can always look at not using your real name on your more public social media accounts. Facebook won’t truly allow it for personal accounts, but everywhere else you can it’s a good idea to use a pseudonym if you want to be as secure and private as possible.
One of the best security features of recent years is two-factor authentication. Google, Apple, Tumblr and many other services and websites with sensitive information now include two-factor authentication to increase security.
Usually, a mobile number is securely supplied to the company, which then sends you a message including a special, one-use code to work in conjunction with whatever system you’re trying to log into the account with. Other companies will send it via email or allow you to use a special app similar to banking keypads. Turning this on may be slightly inconvenient to some, but the peace of mind and added security is well worth it.
In part two, we’ll cover how to secure your systems at home.