Personal Computing Security Part 1
This is the first in a series of posts about personal computing security behaviors, habits and controls that you should strive to implement. If you compute within a corporate or organizational environment, then your internal security policy takes precedence over what I post here.
I chose the topic of device or operating system login because I view it as the second line of defense, after securing physical access. If you can’t limit access, then all other security measures will be much less effective.
Which ‘Login’ Are We Talking About?
The term ‘login’ can be confusing because we hear the term so frequently. The login this post is referring to is the user interface (UI) prompt (e.g., username & password) that appears just after you turn on a device or just after the device “wakes up” from hibernation, sleep or a screen saver.
For clarity, the following images are computer and phone operating system login prompts (screens), which this post is about.
Which Devices Should Require Login?
You should require login on any device that you rely on, and especially those which do or may contain your personal data, or provide access to other systems (e.g., websites). This includes devices in your home, car, school, work, etc., such as desktop computers, laptop computers, mobile (cell) phones and game consoles. Hereafter, “device(s)”.
If anyone can gain physical or online (network) access to one of the computing devices listed above, you should implement the spirit and specifics presented in this post.
Devices such as wireless routers, smarthome (IoT) devices, etc., are just as susceptible and should be secured. However, this post will not discuss those further.
The Login Rules to Live By
The following rules may appear overzealous or extreme, but it is your responsibility to take the security of your devices seriously if you want to mitigate the threats of information and identity theft.
If your device’s operating system does not offer the ability to define individual accounts (e.g., logins), one account per user/person, stop using that device. Spend the money, time and effort to upgrade your operating system to one that supports login.
Configure your device’s operating system to require login every time the device is turned on, rebooted or wakes up from hibernation, sleep, or a screen saver.
If other people must use the same computing device, each person must have their own login account. A “login account” is often the combination of a username and password.
Do not use passwords or PINs that are preset. If a password or PIN is preset by the manufacturer, developer or vendor, change it to one you create and only you know. Read the documentation or contact the vendor to learn how to change any preset passwords or PINs.
Do not share login accounts. One account per person and don’t share.
Use a login on all of your computing devices (desktop computers, laptops and cell (mobile) phones). A login account is usually a combination of:
username (AKA userid) or email address
AND at least one of:
password
biometric (e.g., fingerprint, retina or iris scan, face scan)
PIN / numeric sequence
swipe pattern
Do not use the same password, PIN or swipe pattern on multiple devices.
Make passwords, PINs and swipe patterns difficult to guess. For example, do not use your name, username, pets and other common names for passwords.
Change your most important passwords on a yearly basis. All other passwords, every 2 years. Change a password immediately, regardless of age, if you learn of a breach of a service or device where it was used.
When changing or resetting passwords, do not reuse current or old passwords. Make the new password strong and very different than the previous password.
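As an added example (my own code, not from the original post), the following Python turns the two rules above into a check you can run on a candidate password before you adopt it: it looks for personal tokens (name, username, pets) even when they are disguised with digit-for-letter substitutions, rejects well-known passwords, and measures how close the new password is to the ones you already use, since “very different” should mean more than a changed trailing digit. The personal tokens and the common-password list are constructed sample data for the example, and the thresholds (12 characters, 60% similarity) are illustrative choices, not figures from the post.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample data for this example: a real check would be fed the
# user's own name, username, pet names and similar tokens.
PERSONAL_TOKENS = {"mike", "mbionic", "rex", "whiskers", "bionicbytes"}

# Tiny constructed deny-list; a real one would be a large breached-password list.
COMMON_PASSWORDS = {"password", "qwerty", "123456", "letmein", "welcome"}

# Digit/symbol-for-letter substitutions that do not make a password harder to guess.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a password to the form a guesser would try: ASCII only, lower case,
    substitutions undone, separators dropped.  'R3x_the_dog' -> 'rexthedog'."""
    ascii_only = unicodedata.normalize("NFKD", pw).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower().translate(LEET_MAP))


def personal_tokens_in(pw: str, tokens=PERSONAL_TOKENS, min_len: int = 3) -> list:
    """Personal tokens (name, username, pets) found inside the normalized password."""
    n = normalize(pw)
    return sorted(t for t in tokens if len(t) >= min_len and t in n)


def similarity(a: str, b: str) -> float:
    """Similarity of two passwords after normalization, 0.0 (unrelated) to 1.0 (identical)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def check_new_password(new: str, existing=(), tokens=PERSONAL_TOKENS,
                       min_length: int = 12, max_similarity: float = 0.6) -> list:
    """Return the rule violations for a proposed password; an empty list means acceptable.

    `existing` holds every password the new one must differ from: the one being
    replaced, earlier ones, and those in use on the user's other devices.
    """
    problems = []
    if len(new) < min_length:
        problems.append(f"too short: {len(new)} characters, need at least {min_length}")
    hits = personal_tokens_in(new, tokens)
    if hits:
        problems.append("contains personal token(s): " + ", ".join(hits))
    n = normalize(new)
    # Deny-list entries are normalized too, so '123456' still matches after LEET_MAP.
    common = sorted(c for c in COMMON_PASSWORDS if normalize(c) in n)
    if common:
        problems.append("contains a common password: " + ", ".join(common))
    for old in existing:
        if normalize(old) == n:
            # Same password with different casing or separators is still reuse.
            problems.append("reuses a current or previous password")
        else:
            sim = similarity(new, old)
            if sim > max_similarity:
                problems.append(f"too similar to a current or previous password ({sim:.0%} match)")
    return problems


if __name__ == "__main__":
    # Constructed candidates checked against one constructed previous password.
    for candidate in ["R3x_the_dog_2024", "P@ssw0rd!2024", "CorrectHorse2024",
                      "Correct-Horse-2023", "vault-lantern-quartz-37"]:
        print(candidate, "->", check_new_password(candidate, existing=["CorrectHorse2023"]) or "OK")
```

Run it as a script to see each sample candidate judged; the only one that passes is the passphrase that shares nothing with the old password. The similarity check is what catches the “bump the year” habit (`CorrectHorse2023` to `CorrectHorse2024`), which a plain equality check would let through.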
Do not share your passwords with anyone, including friends, family members, grandkids, nephews, neighbors.
Exceptional Case
If you have an IT support person, you might have to share passwords with her or him in order for them to help you. Discuss the handling of your password with her or him. Do not share it if you do not get a sense of trust. Also, you can always change the password after they have provided the necessary support to you.
Do not let anyone use your computing devices while your account is logged in. At the very minimum, do not let kids use your computing devices.
Where possible and applicable, use a password manager (vault) to store your strong passwords. A paid, commercial password vault I’ve seen people use with good results is 1Password.
Do not enter your personal login credentials on a shared public computer at a coffee shop, cafe, mall, kiosk, etc. The exception might be at work or university, if the computer is managed by a trusted IT or Security team.
Thanks for reading. If you have questions or feedback, please reach me at mike@bionicbytes.com.