Online Security and Privacy

Privacy, Anonymity, Passwords and Security

We pay very careful attention to your data privacy and security. We don't share your details with any other third party and regularly review the security of our systems to protect user information. We encrypt data and use secure connections where we are able, and try to ensure no "personally identifiable" information is kept on systems.

Please be aware that the security of your account, and of access to your details, is only as good as the strength of your password. Below are some tips to help you devise a strong and memorable password and take steps to secure your data and computer. They are also useful for general internet use.

Password Policy

Use the guide below to develop a strong, complex password. Your password should follow these rules:

  1. Use a minimum of 10 characters.
  2. Make it alphanumeric: both letters and numbers.
  3. Use a combination of UPPER and lower case characters.
  4. Include special symbols or characters such as * $ ( . (dot) # > etc.
  5. Never use full words found in a dictionary, or common names.
  6. Never use the same password for more than one account.
  7. Change your passwords regularly: monthly if possible, or every 6 months or yearly at a minimum.

 

User Security: 6 steps to build a strong password

The strongest passwords look like a random string of characters to attackers. But random strings of characters are hard to remember.

Make a random string of characters based on a sentence that is memorable to you, but is difficult for others to guess.

  1. Think of a sentence that you will remember
    Example: "My son Aiden is three years old."
     
  2. Turn your sentence into a password
    Use the first letter of each word of your memorable sentence to create a string, in this case: "msaityo".
     
  3. Add complexity to your password or pass phrase
    Mix uppercase and lowercase letters and numbers. Introduce intentional misspellings.
    For example, in the sentence above, you might substitute the number 3 for the word "three", so a password might be "MsAi3yo".
     
  4. Substitute some special characters
    Use symbols that look like letters, combine words, or replace letters with numbers to make the password complex.
    Using these strategies, you might end up with the password "M$8ni3y0."
     
  5. Test your new password with Password Checker
    Password Checker evaluates your password's strength as you type.
     
  6. Keep your password a secret
    Treat your passwords with as much care as the information that they protect. For more information, see 5 tips to help keep your passwords secret.

Qualities of strong passwords

Length

  • Each character you add to your password increases the protection it provides.
  • 10 or more characters are the minimum for a strong password; 15 characters or longer are ideal.

Complexity

  • The greater the variety of characters that you have in your password, the harder it is to guess.
  • An ideal password combines both length and different types of symbols.
  • Use the entire keyboard.

Easy to remember, hard to guess

  • Change your password every 6 or 9 months. Even a minor change to your password every 6 months is advisable.
  • The easiest way to remember your passwords is to write them down in a secure and very-private location.
  • It is OK to write passwords down, but keep them secure and very secret and private (like in an encrypted file) and not easily recognizable.
  • Never write the login-name and password in the same location if possible.

Password strategies to avoid

To avoid weak, easy-to-guess passwords:

  • Avoid sequences or repeated characters
    "12345678," "222222," "abcdefg," or adjacent letters on your keyboard do not make secure passwords.
     
  • Avoid using only look-alike substitutions of numbers or symbols
    Criminals will not be fooled by common look-alike replacements, such as replacing an 'i' with a '1' or an 'a' with '@', as in "M1cr0$0ft" or "P@ssw0rd".

    These substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case.
     
  • Avoid your login name
    Don't use any part of your name, birthday, social security number, or similar information for your loved ones.

    This type of information is one of the first things criminals will try, and they can find it easily online from social networking sites, online resumes, and other public sources of data.
     
  • Avoid dictionary words in any language
    Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, profanity, and substitutions.
     
  • Avoid using only one password for all your accounts
    If your password is compromised on any one of the computers or online systems that use it, you should consider all of your other information protected by that password compromised as well.

    It is critical to use different passwords for different systems.
     
  • Be careful with password recovery questions
    Many Web sites offer a "password " service that lets you provide the answer to a secret question. If you forget your password, the service will send it to you if you can remember the answer to your secret question.

    The questions are often random, but sometimes the answers to these questions are freely available on the Web. Choose your questions carefully or make up the answers.
     
  • Avoid using online storage!
    If criminals find your passwords stored online or on a networked computer, they have access to all your information.
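
The Password Policy rules 1 to 5 and the "strategies to avoid" above can be checked mechanically. The following is an added example, not part of the original page: the word list, the look-alike table and the run length of 4 are assumptions chosen for illustration, and rules that span accounts or time (reuse, regular changes) cannot be checked from a single password.

```python
import re

# Constructed sample word list; a real check would load a full dictionary file.
SAMPLE_WORDS = {"password", "microsoft", "welcome", "dragon", "letmein"}
# Common look-alike substitutions, undone before the dictionary check.
LOOKALIKES = str.maketrans("013457@$!", "oieastasi")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
RUNS = ("abcdefghijklmnopqrstuvwxyz", "0123456789") + KEYBOARD_ROWS


def has_sequence(pw, run=4):
    """True if pw has `run` repeated, sequential or keyboard-adjacent characters."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if len(set(chunk)) == 1:          # e.g. "2222"
            return True
        if any(chunk in s or chunk[::-1] in s for s in RUNS):
            return True                   # e.g. "abcd", "4321", "qwer"
    return False


def check_password(pw, login="", words=SAMPLE_WORDS):
    """Return a list of rule violations; an empty list means pw passes."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("needs both letters and numbers")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):
        problems.append("needs upper and lower case")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a special symbol")
    if has_sequence(pw):
        problems.append("contains a sequence or repeated characters")
    if login and login.lower() in pw.lower():
        problems.append("contains the login name")
    # Check both the literal text and the text with look-alikes reversed,
    # so "P@ssw0rd" is treated the same as "password".
    plain = pw.lower().translate(LOOKALIKES)
    if any(w in pw.lower() or w in plain for w in words):
        problems.append("based on a dictionary word")
    return problems
```

Calling `check_password("P@ssw0rd")` reports both the length rule and the dictionary rule, because the look-alike characters are mapped back to letters before the word check.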

 

Computer Security

Communications Security

The following is strongly recommended for relatively secure computer communications across the internet:

  • Alternative e-mail address: use one under a pseudonym, different from your personal or work e-mail, for activist work.
  • A "strong" secure Password: adhering to the password policy and guide in this document.
  • Basic Computer Security: as per the section guide in this document.
  • Enhanced Computer Security: as per the section guide in this document.
  • File encryption:
    • Always encrypt all documents you attach and send via e-mail.
    • Never send passwords via e-mail. Send them verbally, on a piece of paper which is destroyed after transfer, or using secure chat.
  • Anonymous Internet Surfing: https://www.torproject.org
  • Video Conferencing/Chat (to replace Skype): https://jitsi.org/
  • Secure Chat & File Transfer: https://crypto.cat

 

 

Basic Computer Security

For basic peace of mind, you should ensure you have the following on your computer:

  1. Anti-Virus: Good anti-virus software which updates "daily".

    • Anti-Spyware: ensure your anti-virus software includes anti-spyware which stops programs recording your computer use and stealing your passwords.

    • Avast anti-virus is free for home users. AVG (www.avg.com) is another free option.

  2. Windows Updates: automatically update your Windows XP, Vista or Win7 computer with critical security updates. Without these, your computer will become infected, and maybe hacked, within just a few minutes of being connected to the internet.

  3. Firewall: use Windows Firewall or other Firewall software to better protect your computer from hacking. Without it, your computer will likely be hacked. Ensure it is always turned on.

  4. User login with password: ensure that you log in with a password when you start up your computer. For safety, you should never allow your computer to log in without entering a password. Always lock your computer (by pressing Ctrl-Alt-Del then Lock) if you leave it unattended.

  5. Use Firefox for internet browsing. It's generally regarded as faster and more secure than IE or Chrome. Add the NoScript add-on for extra security: it stops scripts running on your computer without permission, which helps to avoid websites hacking into your computer and leaving behind spyware or viruses. Only allow scripting on the sites you trust.

 

Enhanced Computer Security

For added security and especially if you have a laptop, you may want to add:

  • Secure Wireless Network: Always ensure you are connected using a secure wireless connection (WPA2 encryption on the router). You should always have to enter a password to access a wireless access point. If there is no password challenge, then it's unlikely the wireless connection is secure. In particular, ensure your home or office network uses WPA2 if you connect your laptop to that network. This avoids your passwords being intercepted during transmission when you enter them to log in to various sites.

    • For Home networks: WPA2 with PSK (pre-shared key) using AES encryption and a strong password.

    • For Work office networks: WPA2 with PSK or EAP (Enterprise authentication protocol) using AES encryption and a strong password.

    • Example setup of a router with WPA2

  • File Encryption: When sending or receiving confidential files by e-mail, or if you just want to ensure the confidentiality of some individual files you store on your computer, you need to encrypt them. Many applications have encryption tools built in. Refer to the following guides:

    • Encryption standard: AES 192-bit or AES 256-bit encryption is recommended. 128-bit is acceptable, but less secure.

    • TrueCrypt or FreeOTFE : both you and the recipient have to use the same encryption software to encrypt and decrypt files.

    • 7-Zip is like WinZip, but is free and open source. It includes encryption and works great!

    • WinZip file encryption: if you have WinZip for file compression, you can also encrypt the file(s) you compress. WinZip is great, as most users are able to use Zip files, but it's not free, although a trial version exists. For a free Zip tool, see 7-Zip.

    • Microsoft Office File Encryption (crackable but suitable for low risk situations)

    • CryptoCat: Encrypted chat & file transfer: https://crypto.cat

  • File System Encryption: encrypts only some files and folders on your Windows computer. Usually the 'My Documents' folder or certain files you manually encrypt using Windows encryption.

  • Disk Encryption: encrypts all data on your entire computer! It means entering a password right at the very beginning when your computer starts up, and then again if you log in to Windows with a password. If your computer is lost or stolen, you can rest assured that the thief cannot access your data and steal information about you, which could lead to identity theft or to them accessing your online accounts and any private data you have there.

 

Advanced Computer Security

  • Anonymous Proxy Internet Surfing: enables you to anonymously surf the internet without leaving a trail of particulars about your browser, your computer system, your country, IP address, location, etc. You should study the pros/cons of each and other systems available, before choosing one.

  • Advanced - Virtual Machine computing: if you have a powerful computer, you can set up a secondary computer called a virtual machine, which runs from just a file using Virtual Machine software.

    • As well as securing your first "physical" computer, you can set up this secondary "virtual machine" computer to use any operating system (like Linux), secure it as discussed above, encrypt it, run it through an anonymous surfing proxy and even hide the virtual machine file as a hidden volume with plausible deniability.

    • So when surfing on the internet or using it for confidential work and data storage, you use your fully secured and isolated Virtual Machine environment.

    • Because the Virtual Machine is just a file, in some cases it could be copied to a similar hardware specification computer, giving you instant fail-over if your computer is ever stolen.  

    • VirtualBox - free virtual machine software. Use TrueCrypt for added security.

 

User Security: Opt-Out

For privacy purposes, you may wish (and we generally recommend) to "opt out" of third parties collecting "non-personally identifiable" information by clicking on the Opt-out button at this link: