I’d like to foreshadow a future title here called “lock the doors”. I have no doubt we’d like to think anything we are doing in terms of security is locking the doors but “it just ain’t so”. Look, to give good security tips is to be painfully honest. There are doors [into our computer] we don’t know about and they are being discovered constantly for Windows, Apple and Linux. Why is that? More and more software is written and changed, and provided as updates, new versions and new installs, day in and day out. Talking account secu
Doors is a metaphor for “any method of installing (infecting) a computer with unwanted virus or malware software”. The door is left open when you run with an administrator account, and potentially every program you run as an administrator may have a higher privilege. Many programs are able to “spawn” new processes – and to your computer that may appear like components of the same program and normal behaviour. This is how an attacker flies under your radar – and some of these attack programs are likely to disable known antivirus or antimalware. Why not – if it has the highest privilege there is usually a way it can trigger a kill on other programs. This metaphor may help you connect something mundane like “account privileges” with risk of attack and infection.
I met a smug programmer who had manual permissions for everything and felt he was secure and better than everyone … but you know, what if he runs a bunch of system updates? Does he have a manual thing to rewrite every rule and permission to perfection – I had doubts. The basis of his security idea was permission and that requires using the right type of account! He was on the right track but he seemed to fail to comprehend that you don’t know what is unknown.
However, there is one place where a standard user will fall down and that is … by refusing to operate with a standard user account. That is, an account that doesn’t have carte blanche to change any file or directory and its permissions and content. On Unix-based systems such as Linux and Apple, users are discouraged from running as “root” – the common name for the highest level account. Windows accounts tend to start off as Administrator, similar to root-type Unix accounts, which enable privileged access. Be like Obi-Wan Kenobi, famous Jedi knight, and use the Jedi mind trick on attackers, saying “these are not the droids you are looking for.” Droids … well they are computers, and hackers are looking for them … those with open doors?!
Above, Obi-Wan and his droid have a relationship, and I assume in some fantasy sci-fi setting droids have ways of knowing their master. Your computer has no way of knowing without account security. This is why some people have fingerprint or camera recognition, but this should generally just be for enabling you to get into your “safe for day to day work” standard account. If you had some kind of camera check for administrator/root access, and it just saw you were sitting there and enabled an attack to install itself freely without asking for a password or blocking it outright, that would have limited benefit. It might still slow attacks that happen while you aren’t present, but we want all the attacks that can be blocked by this countermeasure to be blocked.
The aim is maximum effective security just by using account-based security and account access controls, warnings etc. The result might be that you visit some unknown website, suddenly there is a password request for admin to change the system and you think “I don’t want that, this is inappropriate” and deny it. If it is really necessary it will come again and again in a different context than “I just opened a random unknown website” and you can approve it if it is justified. Better yet, you should approve only conscious decisions on your side to make changes. You wait until something is obviously not working right before you remedy that with an update or change that requires that password.
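The standard-versus-administrator distinction above, as an added example that is not part of the original post: a shell script for Linux and macOS that reports whether the account you are logged in with is root, can raise itself to administrator, or is a standard account. The group names in ADMIN_GROUPS are an assumption about common defaults; check what your own system uses.

```shell
#!/bin/sh
# Added example: classify an account as root, admin-capable, or standard.
# ADMIN_GROUPS is an assumption: group names that commonly grant
# administrator rights (sudo or admin on Debian/Ubuntu, wheel on Red Hat
# and the BSDs, admin on macOS). Adjust the list for your system.
ADMIN_GROUPS="sudo wheel admin"

# classify_account UID "GROUP1 GROUP2 ..."
# Prints one of: root | admin-capable | standard
classify_account() {
    uid=$1
    grps=$2
    if [ "$uid" -eq 0 ]; then
        echo "root"
        return 0
    fi
    # Exact name match only, so "adm" or "sudoers-lite" do not count.
    for g in $grps; do
        for a in $ADMIN_GROUPS; do
            if [ "$g" = "$a" ]; then
                echo "admin-capable"
                return 0
            fi
        done
    done
    echo "standard"
}

# advice KIND: one line of guidance for each result
advice() {
    case $1 in
        root)
            echo "Every program you start has the highest privilege. Log in as a standard user for daily work." ;;
        admin-capable)
            echo "This account can raise itself to administrator. Keep it for changes you decide to make and use a separate standard account day to day." ;;
        standard)
            echo "Standard account: system changes need an administrator password you can refuse." ;;
    esac
}

# Report on the account running this script.
kind=$(classify_account "$(id -u)" "$(id -Gn)")
echo "$(id -un): $kind"
advice "$kind"
```
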
Passwords, passwords – and again easy to remember pass phrases – all the better. Some passwords need to be used often and you will have to write them down somewhere. An administrator/root password will need to be used fairly often despite everything I said above – but don’t sticky tape it to your laptop or paste it on the wall in plain view. At least not unless your computer is in a secure place that only you ever visit. No, at least put it in a drawer and perhaps hide the password inside a puzzle or as a name that stands out to you as an anomaly but not to a stranger who isn’t you. For example, if you travel, you leave your laptop on the table at the hotel … with a sticker for root access password? No, don’t do that. Hacking is often the art of physical access but the attacker may only have a short time – don’t make it easy.
Make it easy for yourself with a pass phrase. 4 words and a number – it can be logical, but it has to be long and easy to type. Passwords like $%^&*(LKJLIKFU()#$CJ oi4d^&*(R3 are just way, way too painful for regular use, but a password like thisisthelandofmilkandhoney873 is surprisingly easy to type in error-free – at least relatively easier than gibberish and special characters. All the ideas about passwords with spaces and funny characters were helpful when people thought an 8 character password was safe, but today you want 20 characters or more … and so those weird characters are less important. Throw in one capital and you are done, like making “Milk” capitalized in the above example.