Let’s make your computer less crap.

A couple of years ago, a friend was having computer trouble and asked for advice. As I thought about the best way to go about this, I thought: “you know what would be really great? I’ll write a big guide for Split Screen and then everyone can benefit from it!”

Then I got a commission or two for the New Statesman, founded Five out of Ten and put everything else on hold. Today, I read that there’s a massive security hole in Chrome that will reveal your saved passwords to anyone who has access to your browser. Well, this has gone too far, folks. It’s time… for a massive computing security guide.

Brief background: I used to work in IT support and dealt with a lot of requests on basic security problems. My philosophy is that it’s never the fault of the user, always the computer, and that computers are here to make our lives easier without us having to learn their intimate details. While computers have improved their inherent security, many breaches are due to social engineering: phishing and other such schemes that persuade the user to hand over their data.

Don’t assume that because you are an unimportant person, you are less of a target: phishers and hackers prey on the easy and vulnerable targets, not the big ones. The good news is that drastically overhauling your security is relatively straightforward, and hopefully you’ll enjoy the additional peace of mind.

This guide aims to achieve two things: tighten up any problems that may exist on your system, and lessen your chances of being a victim of a scam. There is one caveat here: although I’ll try to keep things free of jargon, some of these things are irreducibly complex. The golden rule is that you should never do anything on a computer that you don’t understand. Don’t just take my advice: read around the topics and understand why I’m giving the advice. That’s what will really make your computing experience a lot more safe and enjoyable.

2015 update: it is now the future. I’ve revised this feature with more up-to-date information on everything from operating systems to the best software for the job. In some places, I’ve left the old information and explicitly added new stuff so you can see how my processes have changed.

Back up your data


Please back up your data. Buy a cheap external hard drive and use the tools built into OS X (Time Machine) or Windows (File History on 8, Backup and Restore on 7). Follow a guide online. There’s no excuse. If you aren’t regularly backing up your computer then you may as well not bother with the rest of this.

I keep three backups of my Mac: I run a Time Machine backup to an external drive every day or two (or on the hour if I’m working on Five out of Ten), I update a bootable clone of my internal drive every fortnight with SuperDuper, and I have an offsite backup on a work server to guard against data loss from theft or fire, which runs on a monthly basis. It is highly unlikely that your workplace offers such a backup service for free, so instead consider a service like Backblaze or Crashplan. These both run in the background automatically, and allow remote file access from mobile devices or the service website if you’ve forgotten to save something into your Dropbox.

Dropbox, OneDrive, and Google Drive are not really backup solutions. They are fantastic for sharing files across multiple computers, but they can’t cover everything – all your photos, music, application settings – and it would take a really long time to download your stuff. Because they mirror changes rather than keep copies, a file you delete or corrupt on one machine is deleted or corrupted everywhere, with only their limited version history to fall back on. They’re also not designed to work that way, and trying to be a smartass by symlinking your Home folder or iTunes Library into Dropbox is a recipe for disaster.

One other thing to mention that isn’t quite so obvious: moving photos and videos onto an external hard drive is not the same as backing them up. Backups need to be redundant, i.e. there needs to be more than one copy of each file. In an ideal world, a backup drive should be moved to another location, like a family member’s house or your drawer at work, in case of theft or fire. That’s not always practical, but worth considering.

There’s a simple test if your backup solution is up to snuff: if I took your computer and threw it into a lake, and you could claim a new one for free on your insurance, would you lose anything? If you just reacted with an expression of horror, then your backup solution is not good enough.

Up to date


If you’re using Windows XP, Vista, OS X 10.8 Mountain Lion or earlier, then your operating system is officially past its best-before date. Microsoft are still offering security fixes for Vista, but Windows XP stopped receiving them in April 2014 and is now a serious liability. Apple don’t publish a support policy: in practice they ship security updates for the current version of OS X and the previous one (occasionally the one before that too), but only the current version gets everything. At the time of writing, that’s 10.10 Yosemite and 10.9 Mavericks.

Windows users should upgrade to 8.1. I’ve had it since release and would now rather use Windows 8 than Windows 7, although of course I’d rather use OS X than either of them.

Mac users should upgrade to 10.10 now through the Mac App Store. OS X 10.10 works on anything that will run 10.8, and if your Mac doesn’t support 10.8, buy yourself a new one. You deserve it! Alternatively, download Ubuntu, which is a free and easy-to-use Linux distribution. If you’re using a six-year-old Mac then you’re probably not using it for any heavy lifting, anyway.

It’s not just the operating system you should consider. Microsoft Office, Adobe Reader, all those other applications whose bouncing update boxes you ignore – get them up-to-date as well. Most apps have a ‘Check for Updates’ option hidden somewhere in their menus. Set your computer to install updates automatically where possible.

Really old versions of Office, Adobe Acrobat etc. will no longer receive security updates and are a serious liability. You should consider buying the new versions or replacing them with open-source software, or a cheaper alternative.

Do I need anti-virus software?

Windows – Yep. Microsoft provide their own free tools – Windows Defender, built into Windows 8, and the separate download Security Essentials for 7 and Vista – that will do the job. I used to recommend AVG Anti-Virus but found its protection was over-zealous and it crashed a lot of games. You should also install the free Malwarebytes anti-malware scanner and run it every so often; it catches the adware and junk that traditional anti-virus tends to wave through.

OS X – Personally, I don’t, and it would be hypocritical to tell you to install something that’s not running on my Mac. But I don’t run such software because I only download things from reputable sources, anti-virus software creates an unacceptable performance hit on my Mac, and the risk of getting something dodgy is undoubtedly lower than Windows (unless you’ve torrented the Mac version of Adobe Creative Suite; then you’ve got it coming). If you’re not confident in your abilities, Sophos Anti-Virus is free and I’ve used this on work machines for years without problems.

Linux – I wouldn’t bother. With anti-virus, I mean – I think Linux is cool.

We really want to focus on keeping dodgy files off our computers in the first place, not on catching viruses that arrive there. Anti-virus software is a safety net, but you don’t need a safety net if you don’t jump off a building in the first place.

Are those ‘Clean my PC’ tools any good?

They are almost universally terrible, and some, like MacKeeper, are so aggressive about scaring you into paying that security vendors flag them as unwanted software in their own right. Applications that promise to boost performance by removing crap just don’t work. When it comes to registry cleaners etc. it’s better to err on the side of caution. There are only two applications I would ever recommend:

For PC, CCleaner (that’s ‘CrapCleaner’) is good for removing temporary files and clearing garbage out of the registry. It uses a light touch. Don’t download the Mac version, because I don’t know if it is any good and there’s a better alternative.

For Mac, Cocktail is a graphical front end for some UNIX command line tools, with a few other nice features. I run it every couple of weeks and it does a great job. I wouldn’t touch anything else.

Sort out your passwords


Allow me to peer into my crystal ball for a second:

“You have one password for every website. It’s the name of a pet, family member or childhood hero, plus the year you were born, with the odd capital letter and exclamation mark”.

Did I get it right? Passwords are problematic because they are hard to remember and you’re meant to use a unique one for every website. So people use the same password all the time, or they use weak passwords anyone can remember, or they have a monitor covered in Post-It notes with passwords written on them. None of these things are acceptable:

  • If I can read your password, you’re obviously compromised
  • If your password is easy to guess, you may as well not have one
  • If you use the same password for everything, you’re putting a lot of trust in every company holding it: one breach at the weakest of them exposes all of your accounts.

I already wrote a guide on how to make a password. Read that and then come back. I’ll assume you now have one very secure ‘master password’, which we will use for any site you’ll need to access frequently: Facebook, webmail, Apple ID, that sort of thing. Change those passwords now, making sure each site has its own unique mini-password in the middle. Only change those you use all the time: it makes sense to treat accounts like Google, Facebook, Apple ID, Microsoft, Twitter and Dropbox in this way. Be aware of the trade-off: if one of those sites leaks your password in plaintext, or someone watches you type it, the pattern is visible and the others become guessable. Keep this scheme for the handful of logins you must type from memory and put everything else in a password manager, as described next.

What might surprise you is that I only know a handful of passwords: one to login to my computer, my Google account, Dropbox, and the master password to unlock the database that holds the rest. People seem to assume that I enjoy memorising random strings of characters, like it would be a really interesting hobby or something.

We don’t need to remember most of our passwords. We will always need to remember some of them, but we can take advantage of computers to reduce our reliance on memory. I store everything from Amazon and Paypal to generic site logons in a database managed by the wonderful 1Password. When you need a password for a new site, it’ll generate one for you and remember it. When you need your credit card details, or a software license, it’ll store those too. It will warn you if a website has been compromised through a security issue and prompt you to change your password. 1Password has plugins for every major browser and will automatically fill passwords with a keyboard shortcut. Use the 30-day trial and see what you think. I think it’s one of the best applications I have ever used, and the customer support is excellent.

Password managers like 1Password, and my previous free pick KeePassX, securely generate new, random passwords on demand. My Amazon password looks like an unrecognisable mess of letters, numbers and symbols. I don’t need to see it, because I just paste it in from 1Password. You can also use it for those ‘security questions’, which turns your mother’s maiden name into the title of an alien overlord.

Naturally, your database password needs to be extremely strong and unique, and it is the one password you cannot store anywhere. A long passphrase of several randomly chosen words is far easier to type and remember than a soup of symbols: roll one yourself with Diceware, which uses ordinary dice and a published word list and never touches a computer at all, or try a website like the Strong Password Generator if you must. Either way, never reuse it anywhere else.
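To make the ‘strong’ in the last two paragraphs concrete, here is an added example (mine, not 1Password’s or KeePassX’s code) in Python. It generates a random password and a Diceware-style passphrase from the operating system’s secure random source, and works out how many bits of guessing each represents next to the pet-name-plus-birth-year pattern. The eight-word list is a constructed stand-in for a real Diceware list of 7776 words, the ‘pet plus year’ figures are assumed, and the guess rate is an assumed figure for an offline attack on a leaked hash.

```python
"""Password and passphrase generation with Python's `secrets` module
(a CSPRNG), plus an entropy estimate for each scheme. Added example for
this guide; not code from 1Password or KeePassX."""
import math
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS   # 75 characters

# Constructed stand-in for a Diceware list; the real one has 7776 words.
WORDS = ["otter", "granite", "violin", "saffron", "meteor", "harbour",
         "quilt", "lantern"]
DICEWARE_LIST_SIZE = 7776


def random_password(length=25, alphabet=ALPHABET):
    """Uniformly random characters. Re-draw until every character class
    appears so that fussy sign-up forms accept it; the entropy lost to that
    filter is a fraction of a bit at this length."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def random_passphrase(words=6, wordlist=WORDS, sep="-"):
    """Diceware-style: each word is an independent uniform pick."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices, picks):
    """Bits of entropy when each of `picks` positions is chosen uniformly
    and independently from `choices` possibilities."""
    return picks * math.log2(choices)


def years_to_crack(bits, guesses_per_second=1e10):
    """Expected time to search half the space at an assumed offline rate
    (1e10/s is a rough figure for a GPU rig against a fast unsalted hash)."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare():
    """Entropy, in bits, of the three schemes discussed in the guide."""
    return {
        # pet/relative name (~10k common choices) x year (~100) x a couple
        # of capitalisation/punctuation tweaks (~8): assumed, not measured
        "pet_plus_year": entropy_bits(10_000 * 100 * 8, 1),
        "six_diceware_words": entropy_bits(DICEWARE_LIST_SIZE, 6),
        "25_random_chars": entropy_bits(len(ALPHABET), 25),
    }


if __name__ == "__main__":
    print(random_password())
    print(random_passphrase())
    for name, bits in compare().items():
        print(f"{name:20s} {bits:6.1f} bits  ~{years_to_crack(bits):.3g} years")
```

The point of the comparison is the gap: the pet-and-year pattern is about 23 bits and falls in a fraction of a second offline, six Diceware words are about 78 bits, and a 25-character random string is about 156 bits, which is why the manager can generate the latter for every site while you only have to remember the former.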

Multi-factor authentication


By now most of your passwords are unique 25-character behemoths stored in an encrypted database, and nobody is going to guess or brute-force them. I asked you to use your master password for frequently-accessed sites. Only the most inept websites store passwords in plaintext; most store a ‘hash’, a one-way scramble that can’t be reversed directly but can be attacked by guessing. Because your passwords are all different, so are the hashes, and a leak at one site doesn’t hand over the others: if your Twitter account gets hacked, it’s unlikely your password for Google will be compromised. (A cracked hash from the master-plus-site-token scheme does reveal the pattern, which is another reason to keep that scheme to a few accounts.)

What if you think you’re typing your password into Facebook, but it’s actually an impostor site that then gets free rein over your account? This is a classic phishing scam, where you’re fooled into providing details. We need a way of stopping people from getting into our accounts, even if they know the password. There’s a solution to this and it’s called multi-factor authentication (often called two-factor or TFA).

You may already have this without knowing: banks often give out security keyfobs which generate authentication codes. You can’t get into the bank account without both your password and the fob, so it’s much more difficult for your account to be compromised. Multi-factor authentication combines two or more of something you know (a password), something you have (a fob or key generator) and something you are (biometrics). For web services, an easy solution is to turn your mobile phone into a fob. Google Authenticator is a free app for iOS and Android phones that can be used to secure your Google, Dropbox, Microsoft, Facebook, Tumblr and Evernote accounts. (2015 update: I moved to Authy so I can access my authentication tokens on my iPad, but Google Authenticator is still fine). It should be straightforward to enable TFA through security settings, and adding the account to Google Authenticator is as simple as scanning a QR code with your phone’s camera. That QR code holds a secret shared between you and the site; the app combines the secret with the current time to produce the six-digit code that changes every 30 seconds, which is why the phone needs no network connection to generate it, only a roughly correct clock.

For services that don’t support Google Authenticator: Twitter supports TFA over text messages and through their own app (it’s more painful than others, but at least it works), Apple send push notifications to an iOS device, PayPal can use SMS instead of a proprietary keyfob, and Steam Guard sends a one-time authentication code to your email address if you’re accessing a Steam account from a new computer. SMS is the weakest of these, since a text can be intercepted or redirected to another SIM, but it is still far better than a password alone.

One downside is that you’ll need your phone on hand to access these sites, although many have a ‘remember me’ function for your main trusted computers. Services that offer two-factor authentication also provide backup codes, which you can print out or save as a PDF in Dropbox or Google Drive for emergency access. Keep these as secure as your passwords: each one is a one-time bypass of the second factor.

There is no reason not to set up multi-factor authentication: it’s very little hassle after the initial setup and provides a great defence against stolen or guessed passwords. It is not a complete cure for phishing, since a convincing impostor site can ask for the code as well and relay it to the real site within the 30 seconds it is valid, so keep looking at the address bar before you type anything.

Locking down your computer with full-disk encryption


It’s all well and good securing your computer against outside threats, but there’s always the risk of physical theft. There’s no point setting up TFA on your Gmail account if there’s no password on your laptop: anyone can then log in, access your Gmail through a desktop client and reset all of your passwords. So we need a strong password for our computer – see earlier – and a password-protected screen saver that engages automatically. If your family and friends use your computer, give them individual accounts with no administrator access and never share your password with them.

Even with a password-protected account, a thief could remove your hard drive and plug it into another computer to read the data, or boot your machine from a USB stick and do the same. Full-disk encryption is the way to prevent such an attack, but it used to be very slow and clunky to use. Things have improved considerably: OS X 10.7 Lion and later come with FileVault 2, which encrypts the entire hard drive in the background. Even if you tried FileVault before and didn’t like it, the new version is very secure and the performance hit on a modern processor is negligible. When you turn it on you are given a recovery key: store it somewhere safe (in your password manager, for instance), because without either your login password or that key the data on the drive is gone for good. Don’t forget to also encrypt your Time Machine backups and external drives. This means you won’t be able to use those drives with another computer unless you have access to the encryption key.

Windows 7 and 8 users have built-in drive encryption called BitLocker, which is very good, but limited to the Ultimate and Enterprise editions of Windows 7 and the Pro and Enterprise editions of Windows 8 because Microsoft are arseholes like that. If your data is valuable, it is worth investing in the upgrade. In fact, if you hold confidential information such as customer or employee details, encrypting it may well be required by law, and a lost unencrypted laptop is exactly the kind of incident data-protection regulators fine people for.

Bonus tip: if you’re selling or dumping an old computer, you need to erase your personal data; emptying the Recycle Bin or doing a quick format leaves it recoverable with free tools. Enlist the help of a tech-savvy friend to “zero out” the disk (literally writing zeroes over the entire contents of the drive) and install a clean operating system, or remove the hard drive and smash it to bits with a sledgehammer. There’s no joke here. That’s exactly what you should do. Two caveats: if the drive has been encrypted with FileVault or BitLocker all along, a normal erase is enough, because nobody can read the contents without the key; and on an SSD a zero pass is not guaranteed to reach every cell, since the drive’s controller remaps blocks behind your back, so rely on having had encryption on, or on the drive’s own secure-erase command.
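As an added example (mine, not a tool the guide names), here is the zeroing step in Python with the part people skip: reading the drive back to confirm every byte really is zero. The demo runs against a temporary file filled with random bytes, constructed here; on a real machine you would pass the device node (/dev/sdb on Linux, /dev/rdisk2 on OS X, both assumed names) and its size, and run it as root. The SSD caveat above still applies: this is the right tool for a spinning disk or a file, not a substitute for encryption or secure-erase on flash.

```python
"""Overwrite a file (or, run as root, a whole block device) with zeros and
read it back to confirm. Added example for this guide, not a tool the guide
names. The demo uses a temporary file of random bytes, constructed here."""
import os
import tempfile

CHUNK = 1024 * 1024  # write in 1 MiB pieces rather than one huge buffer


def zero_fill(path, size=None):
    """Write `size` zero bytes over `path` from the start (default: the
    file's current length; a block device reports 0 here, so pass its size)
    and force them to disk. Returns the number of bytes written."""
    if size is None:
        size = os.path.getsize(path)
    zeros = bytes(CHUNK)
    written = 0
    with open(path, "r+b") as f:          # r+b: overwrite in place, never truncate
        while written < size:
            n = min(CHUNK, size - written)
            f.write(zeros[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())               # don't trust the OS write cache
    return written


def is_all_zero(path, size=None):
    """Read the region back and check that every byte really is zero."""
    if size is None:
        size = os.path.getsize(path)
    remaining = size
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk or chunk != bytes(len(chunk)):
                return False
            remaining -= len(chunk)
    return True


def demo(size=3 * CHUNK + 123):
    """Constructed demo: random data in a temp file, wipe it, verify.
    Returns (was_zero_before, bytes_written, is_zero_after)."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(os.urandom(size))
        before = is_all_zero(path)
        written = zero_fill(path)
        after = is_all_zero(path)
    finally:
        os.unlink(path)
    return before, written, after


if __name__ == "__main__":
    print(demo())  # constructed run; prints (False, 3145851, True)
```

The read-back matters more than it looks: a write that the operating system cached and never flushed, or a device that silently stopped accepting writes, leaves the old data in place while the tool reports success, and the only way to know is to read the bytes off the disk again.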

Secure your web browser


The web browser is your main gateway to the internet and a major attack vector. As discussed earlier, you should keep it up to date: all modern web browsers do so automatically, but if you use Firefox you should check in its preferences that automatic updating is switched on, because it was introduced relatively recently. If your computer doesn’t support the latest web browsers, you need to upgrade it as soon as possible. It’s a massive security risk.

Here are a few tips and tricks:

Disable Adobe Flash. Not only is it a drain on your battery life, processing resources and the source of every annoying advert you’ve ever seen, but it’s also a security liability. Various ‘Click to Flash’ browser extensions are available which allow you to load Flash on-demand, and this happens automatically in Safari with OS X 10.9 and later. Better yet, uninstall Flash completely and use Google Chrome if you really need Flash, as it includes an automatically updated version.

Force websites to use HTTPS. This encrypts your communications with websites, and most major sites support it nowadays, but many still default to plain HTTP. The Electronic Frontier Foundation’s free HTTPS Everywhere plugin for Firefox and Chrome rewrites your requests to the HTTPS version of sites known to support it, and you should consider installing it.

Check that the websites you visit, especially online stores and places you’re entering credit card details, have valid SSL certificates and never use those that do not. This means your traffic is properly encrypted. Look for a green box, shield or padlock in the address bar, and read the domain name next to it: the padlock only proves you have an encrypted connection to whoever owns that domain, and a phishing site can have a perfectly valid certificate for its own lookalike name.

Don’t store your passwords in a web browser. Of course, you’ll now be using an encrypted database for all your passwords and would have no need of such a facility, but with the aforementioned Chrome security hole in the news it’s worth repeating. Firefox’s saved passwords are effectively unprotected unless you set a master password, and Safari keeps them in the OS X Keychain, but why take the risk? Likewise with ‘autofill’ functionality, I don’t really trust browsers with such information. I vastly prefer a password manager such as 1Password to in-browser solutions.

Epilogue

Computers are complicated. They are very, very complicated, and there’s no shame in not understanding their inner workings. It’s taken me a lifetime of amateur enthusiasm and 4–5 years of professional experience to get a basic grasp of these things. You don’t need to be an IT expert to make your computing experience more secure: you just need to do absolutely everything I tell you.

That was a joke to see if you remembered the introduction – this thing got a lot longer than I expected. IT support is as much about educating users as helping them, so if you really want to improve your computer skills, a little learning will go a long way.

Good luck!