General guidelines for end user IT awareness

Contents include:

• Password awareness

• Points to keep in mind when creating passwords

• Two factor Authentication (2FA)

• Basic computer hygiene and security

• ++ will be updated

Password awareness for internet and personal computer.

Today, a regular user has several services/websites they visit on a regular/daily basis.
Several of these may be websites/services that require you to login with a username and password.
(Social networking ex. Facebook, LinkedIn, email, banking etc)

Now, the more services they are using, the more usernames or passwords for the user to remember.
The users are getting told to make sure they make a «strong» password, to prevent someone from gaining access to their services on the internet.
In general they get told to make a password of sufficent length, with upper and lovercase letters, one or more numbers and preferably a special character – like ! or % etc.
They normally then end up with something like this (often with the word having som meaning for the user (name of children, dates etc)):

Example 1 – the normal end user
Password123! – in an effort to make something that is easy for a human to remember, but also complies with the said requirements for a strong password.
But in reality, this ends up beeing a very weak password due to this beeing a normal dictionary based word with some numbers before/after.

Example 2 – the more advanced secure user
PassW0rd! – here, the password looks a bit more secure for the human eye and brain.
The password now has upper and lovercase letters, number and a special character.
The letter O in password has been switched out with the number 0, thereby making the password a word you dont normally see in a dictionary.
So this has to be astrong password right? Answer is actually no.

As a end-user and human beeing, passwords like this gets to complex for people to walk around remembering.
It’s illogical to our brain to write words like this, they also gets more difficult to remember due to complexity in where the upper/lovercase letter is, where is the number etc.

So for the user, they get more difficult to remember, which again may lead the user to write this down somewhere for keep, making access to their services more compromised.
This also leads to one of the bigger mistakes anyone does, using this «strong» password, across all the websites/services the user has, because humans always take the easy way, by nature.
Remembering 10-20+ password with that complexity becomes impossible, and that happens as a result, for convenience to the user.

As for someone trying to crack the password, they get not much more difficult in reality.
Using a compination of dictionary and brute-force, this is easily cracked.

So what is left to do? How can a user make a strong password, thats easy to remember, while also beeing hard to crack?

Example 3 – the better, more secure and easyer option!
This is actually very easy to put together, and may come as a surprise (and relief) for the user.

Learning from example 1; A complex password that is easy for a user to remember, is easy to crack
(a logical password for the user becomes a logical password for guessing)

Learning from ex2; A complex password that is hard for a user to remember, may also be easy to crack .
(An illogical password for the user to the user, may be logical for cracking tools to guess)

Cracking tools are looking for known words, with associations etc – this is the quickest way to guess.
Brute force – guessing one and one combination of letters until full word is the more slow one, but also gets there in the end.

So to make a password that makes the job hard for crackers like this the answer is simply:

Make a sentence – use that as a password.
Write the sentence as you would write it normally, start the sentence with big letter, space between words, end with a period, etc. And it dosent need to cointain dozens of words either.

For fun you can try kasperskys tool for verifying your strength, and also see how long they estimate it will take to crack the password. Dont be surprised if the answer is that it estimates it will takes centuries to crack.
And with a sentence, a normal person gets something logical and easy to remember also.

But still, try not to use the same passwords around all websites and services, sometimes the website itself can get hacked, and they get your password that way.
Using different passwords mean you get less work to do if the password gets stolen, and you dont need to visit countless websites updating your passwords everywhere.

Using sentences you can easily make something like this for password for different services:

Service – Facebook
Password- This is my facebook password!

Service – E-mail
Password- This is my email password!

And so on.

So for fun, how long does it take to crack the passwords in the example above?
Kaspersky Lab has a website (Link) you can use for checking the actual strength of your password, and how long it would take to crack using known hardware.
The results will come as a shock to most people, so here goes:

Example 1 – Password123!:
Now this should make you think twice about your password.

Example 2 – PassW0rd123!:
Not a very big change here.

Example 3 – This is my email password!:
Now THIS changes things for the better

Bonus Example – sometimes, putting in a very known word in the phrase makes it less secure i.e the word: facebook
Password written as: This is my facebook

Password written as: This is my facebook! Or This is my faceboo
Something to keep in mind.

After looking at the results. As a normal user, which one would you prefer to use, which one is the more easy to remember?
I would think example 3 is the prefered, secure password, easy and logical to remember for the user.

The old policy for password complexity was made in good fate, and was good, in its time.

Today they are outdated and not at all a good policy to follow if you want to prevent access to your services.
You can see from results on example 1 that a computer from the 80s would crack this in 6 days.
Example 2 shows that a relativly normal computer in todays standard would crack this in 12 days.

Now go change your password for the better.
(the next section contains som simple points to follow when making up a password)

Points to follow when creating a password

Back to top

• Use strong passwords – refrence the above for details.
  • Use a sentence, written as you would write normal. Big letter first, periods, comma etc.
  • Use a sentence you are comfortable remembering.
• Do not use the same password on everything.
• If you have to many passwords to remeber, at least use different passwords for services that gives access to different levels of information (banking/government VS social sites etc).
• Do not write the passwords down together in a notebook, or in a document on your computer.
  • If you absolutely need to write them down together in one place store them somewhere very safe, or in a softwar eon the computer designed for this.
    • Ex: Keepass, Lastpass etc. They create an encrypted database file with all your password, make sure you put a secure password for gaining access to the database/software.
• Do not use informating about yourself or family etc as a part of the password.
  • Ex. Your name, birthdate, pet name, children name, girlfriend name etc. They can all easily be found online.
• Enable 2FA (two factor authentication) – if possible/available.
• Do not save passwords in your computers internet browser (Internet Explorer, Edge, Google Chrome, Firefox, Opera etc)
• Always log out from the website/service after you finish.
• If password for computer hardware (Wi-Fi router etc), do not use the default password that comes preconfigured on the equipment.
• The longer the password, the more difficult it is to crack.
• Never share your password/passphrase.
• If your password is suspected lost or compromised, change that password on all services using that password as soon as possible.

Enable two-factor authentication (2FA)

Back to top

First what is 2FA.

You probably already have this for some services, ex from government/ bank etc.
2FA is an extra layer of security before granting access to the requested content.
Normal for banking services and services on the internet from the government, after all, they store tons of personal data about you that can be used with cruel intentions if the right people gain access to them.
(social security number, banking information, id info etc.)

When you log in to services from them you probably have som kind of physical token/mobile app etc, that gives you a random number you have to put in along with your password when logging in.
This adds an extra layer of security by utilizing two main components:

• The users personal password/PIN (something the user knows).
• The physical token/app/atm card (something the user possesses).

This puts a pretty good security for gaining access to the requested service, especially if the users password already is secure by design.*

More and more websites and services gives the user the ability to enable 2FA to ther existing login, and if you can you should.
Facebook is one, they give you the choice to easily activate this from their website after login to their website.
They give you the choice of using something like the mobile app for 2FA from google (free and no need to have a google account, can also be used by multiple services in the same app).
If you have the facebook app on your phone, the app will pop up with a message if you try to login from your computer, and the app also generates a random number you can use for authentication.
Information and guide from Facebook on this can be found here. (Link)

As a user, you should check, in the services you use, if this is something that is available, if available – use it.
Internet today flourishes with people trying to gain not just your personal information like social security number, but also information about what you are doing on the internet in general.
So it’s a good thing to be aware of the services you use, and the information you store in them.
What websites your are visiting etc, is not very interesting for you, but very interesting for people placing ads around the internet. This is where they make very good money today.

A detailed description about 2FA can be found on Wikipedia. (Link)

*Reference the section about password awareness

Basic computer hygiene and security

Back to top

Keeping documents and data
Be aware of where you save your files on the computer. Most users use the default «documents» folder for saving files, and this is fine.
But most users also have a habit of storing files and folders on the computer desktop, desktop meaning the area the users comes to after login on the computer (with wallpaper background, start meny etc).
When doing this, especially on a Mac computer, the computer actually start to behave more slowly in relation to the amount on the desktop, and nobody wants that.
It also makes alot of clutter for working with files and documents.

Another thing with this, also comes in to play if you do this on a work computer. Your company may have policy controlling where this data actually is stored.
They generally do this to get a good backup of a users file related to work matters etc, so if the computer crashes and needs replacing, no data is actually lost in the process (recovery by third party does not come cheap).
Maybe you also are working in a shared environment, via terminal server or similar, where the amount of data actually stored local to the server you are working on needs to be kept to a minimum.

But, when doing doing this, they often only include the documents folder, and the rest is ignored, or deleted on logoff, causing the user to lose their data stored outside the documents folder.
This makes it important to have a relation to where you keep your files in case of computer crash/accident/stolen etc.
It also makes the job of taking a personal backup for your self, to external drive/usb stick, more easy as you know where the files are.
Also keep in mind that if you are using file services from the cloud i.e Dropbox, Google drive, you may want to think about what information you save on their service.
Some countires have government rules about where special kind of data and documents are saved, i.e financial documentation, they can in some cases require the data to be saved within the border of your home country.
Services like Dropbox and Google drive are stored at that or one of, the datacenters managed by that provider, and that can in many cases be outside your country.

Back up your files
Take a regular backup of the files that are important to you.
Copy them over to a usb flash drive, or external drive, and keep that media safe and unplugged from the computer after taking backup, repeat regularly.
If you have alot of photos of family and friends, documents etc, it’s not very fun to loose it all if something bad happens.
If your computer gets a virus, which is very likely by just beeing online in todays internet, that can easily lock up your files and require payment from you, to get your files back.
Having a good and recent backup makes this alot more safe for yourself.

Keep private and personal information – private
Documents and information containing detailed information about you should be kept as safe as possible, unaccsessible to others then yourself.
Social security number, passwords, financial data etc are yours and yours only, dont let others gain access to this information.
Social security number, accessible to the wrong person can easily make you a victim of identity theft, and that is a very big mess to clean up once it happens.
Information about you, family and friends, internet history etc is interesting to others on the internet, both businesses and people.
Information like this can be sold for advertising etc to make profit by a third-party.
Services online tracks your internet browser for history to makes you see adds related to your search history when visiting i.e Facebook and other sites.

Be careful using public Wi-Fi
Today wi-fi is everywhere, and it’s easy to just try to connect to something you see within range, and not requiring password – free internet is always tempting right?
Many of these can also be «fake» wi-fi spots put up by someone to track your activity, listening in on what your are doing via that wi-fi, looking for your passwords as you are surfing etc.
Do not just connect to anything that is available, just to get online. If so, use a VPN service to encrypt your traffic while doing so.

Install Antivirus software
Windows 10 comes preinstalled with Microsoft Defender, so that takes some effort away.
But if you are missing antivirus software on your computer, get one.
A free and easy antivirus can be downloaded from Fortinet here (Link).
Keep your antivirus up to date to be the most secure from virus and malware – it comes from everywhere today.

Do not think you are safe from virus and malware because your are using a Apple computer.

Keep your computer up to date
Update your computer on a regular basis to be get the latest security updates and hotfixes for your operating system.
For windows this can be done via windows update – open the start menu, and search for windows update, chose to check for updates and install if available.
For Mac, this can be done via the small Apple icon in the top right corner and choosing app store – then updates – install if available.

Avoid getting virus/malware in the first place
Some general guidelines to help you avoid getting infected by malware and virus.

• If you receive an email from an unknown sender asking you to download some file from an attachement .
  • Do not click the link in the email.
  • Do not download the attached file, just delete the email.
  • Report to your IT department (if business computer).
• If you receive an email that seems to come from something you know, Amazon, USPS, Post office, IRS, government etc.
  • Do not click if the email contains link for something the say you have to download.
    • Order confirmation from amazon, tax report from IRS/government, package awaiting from mail office etc.
  • Do not download attached file.
  • If unsure about the link in the received email, hover your mouse pointer over the link text, a smal windows comes up with the actual web address,
    does the address look real? If not, delete the email.
  • Report to your IT department (if business computer).
• If you get an email about winning money for a lottery you not know about, or some prince similar want to give you money – please, just delete that garbage.
  • Report to your IT department (if business computer).
• Be careful in general when surfing around on the internet, and social media.
  • Adds on websites flashing with something like «fix your computer», «clean your computer» , «you are infected» etc – ignore it, it’s all fake.
  • Do not visit untrusted websites – in general, have a relation to what you are looking for on the internet, do not just visit all and nothing.
  • Be careful of posts on social media containing videos and files – they may seem to come from your friend, but can in reality contain malware/virus.
    • Some malware posts on social media via your friends account – this means if they post something that looks suspicious.
      • Make them aware – they may not know it’s been posted themself.
      • If they send you a message via social networks containing video or files – ask them if the really sent that message before you open -again, they may not know its been sent.
  • If you visit a website, and the website asks you to install some software or plugin – do not allow unless you know what that actually is.
    • Do not say yes to saving password via a supposed free addon for managing passwords in your browser.
      • In general, try not to save login information in the web browser.

Be aware of privacy settings on social media
Today’s social media is everywhere, and most people are to be found on or more websites.
Websites like Facebook, LinkedIn, Twitter, Instagram etc, usually have settings where you can adjust your privacy.
This controls what people see when you post, who can look at what you post, and who can look at information in you public profile.

• Do you really want everyone to see what you post?
• Do you really want friends of your friends see what you post?
• Do you really want all your profile information be visible to unregistered users, or people not on your frinds list?
• Looking for a job? Do you really thing people recruiting today, will not look at your public online profiles if available?
  • Do they need to see that picture of that party on that place etc?
• Keep a good mind about what you post on sites like this, when you post, its never gone, even if you delete it moments after.
  • Once a picture is online, it can spread like wildfire, and you can never be sure if someone downloaded or not.
  • Same goes for any other content you put out, think about what you post before you post.
• Take your time and get yourself informed about these settings, they are there for your privacy.

Back to top

Copyright protected by Digiprove © 2017-2018 Geir DybbugtSome Rights Reserved

Geir Dybbugt

Consultant manager & SME @ iteam, localized in Kristiansund, Norway.

Focused on EUC, security, mobility, virtualization, management and a modern workplace. Highly specialized around RDS/Citrix/EUC/Mobility.

You can view my profile over at Credly here

dybbugt.no