While it's often true that what you don't know can hurt you, when it comes to online security you can sometimes get into more trouble by believing things that just aren't true. Here are the truths behind some common online-security myths that may be influencing your online security practices. If you know the truth, you can make better decisions about protecting yourself online.
In fact, most users' passwords are far weaker than they think they are, said Ed Skoudis, a faculty fellow at the SANS Institute, a Bethesda, Md.-based resource for information-security training. For example, obscure long dictionary words are not good passwords. "The truth is that passwords shouldn't be regular words at all. You should use a passphrase with some special characters," Skoudis said.
You should never share passwords between accounts in different organizations. In other words, you wouldn't want your password for your bank account to be the same as your password for your Gmail account, your Twitter account or your Facebook account. If one of them gets exposed, then all of your accounts get exposed, Skoudis said.
An anti-virus tool does not protect you from everything. "An anti-virus tool won't protect you from your stupidity," Skoudis said. "You can't be an idiot and do stupid things, like clicking on a [suspicious] link in an email or providing your credit-card number to someone who asks you for it in an email."
The truth is that you're not impervious just because you have a Mac. Because more people are using Macs, we've already seen some malware that targets Macs, Skoudis said. It's a problem that is starting, and it will continue to grow.
It's not safe, Skoudis said. You don't know who your friends are. You can't trust who your friends are. Because of the popularity of Facebook and Twitter, the same bad guys who have been sending spam via email and perpetrating online scams are now targeting social networks. These people have ways to post messages that look like they are from your friends but really aren't.
Not all browsers use the locked-padlock symbol. Not only that, but cybercriminals are quite adept at reproducing it. "You want to look for the 'https://,'" Skoudis said. "The bad guys can also fake an 'https://', but that's a better breed of bad guy."
If you get an email from a friend or relative saying something like, "I'm in London and I was robbed. I can't get home, please wire me money," don't fall for it. "The likelihood of that is so small, I would try to contact that friend [directly]," Skoudis said. "Their account could have been compromised. I would contact them, but not through their email account."
But not all of them are. Essentially, you have to think about the context of an email and what it's asking you. This can be hard, although sometimes the bad guys are comically inept. You have to ask if it makes sense for this entity to be asking you for this information, Skoudis said. The bad guys are good at doing this in a time-sensitive context. You better believe shortly before April 15, or shortly thereafter, there will be a bunch of spam or phishing emails [claiming to be from the IRS].
No, it's not OK, Skoudis said. They could get information, like when you're [online], to help attack your account. And if you respond and ask a spammer to remove you from his list, you'll probably get more spam.
If you think an email is probably spam or a scam, don't even open it. There are ways an attacker can launch an email attack that [doesn't] require you to click on a link, ways that can be just as dangerous as clicking on an infected attachment.