A weak security question and a too easy answer undo the security provided by the best passwords. It is far easier for a marauder to click on the ubiquitous “Forgot your password?” link and guess your favorite high school teacher’s name (perhaps aided by a list of high school teachers at the school you attended, information that is not as hard to get as you might wish) than it is to guess a strong password.

As comforting as it is to have a backup in case you lose your password, the security risk isn’t worth it. There are better ways to avoid forgetting your passwords. Unfortunately, many sites won’t let you avoid using a secret question, so you need to enter something. My advice is to choose any question you like, but enter gibberish for the answer. Something like “dlfkjsldfj fosiuxclewoifu oisfu” would suffice.

To avoid forgetting your passwords, store them in Password Safe, a simple, lightweight program that can help you create and manage all of your passwords. Keep one copy of the database file on your computer and email a backup copy to your email address every time you update it. You’ll never forget your passwords and you’ll never have to rely on the backup security questions. As a bonus, you’ll be more likely to update your passwords every three months when you realize how easy it is to store them.

What Should You Pay to Avoid Viruses and Spyware?

In Consumer Reports’ 2008 State of the Net summary, the odds of contracting a serious (computer) virus problems are given to be 1 in 7, the yearly costs $2.9 billion. The odds of a serious spyware problem are 1 in 14, with a yearly cost of $3.6 billion. (Note that these figures are for both businesses and consumers.)

From these statistics, it is possible to calculate the amount that the typical person ought to be willing to pay, yearly - in the form of insurance or a preventative product or service - to avoid the consequences of viruses and spyware.

If 1 in 7 computer users had major virus problems, it means that 32 million people each suffering expenses of about $90. If 1 in 14 computer users had a major spyware problem, it means that about 16 million people took a hit of $225.

Using these numbers and a formula for expected costs (expected cost = average cost per incident multiplied by probability of incidence) we can conclude that the expected yearly loss per person from virus and spyware threats totals $29. Put another way, each of us should be willing to spend up to $29 per year on insurance, services, or products that would shield us from the costs of viruses and spyware.

The Value of Anti-Virus Software

Of course, my calculations could be wrong. But it’s interesting to note that McAfee and Symantec, two of the most popular anti-virus and anti-spyware providers, price their mainstay products at $40, $11 more than our calculation says is reasonable. Is that extra $11 per year for peace of mind or is it down to overpricing? Or maybe the cost figures that Consumer Reports noted do not include the psychological cost of annoyance and time spent getting rid of viruses and spyware, which could bring the total cost per person higher than what was reported. I’m inclined to give the benefit of the doubt to the millions of consumers who indicate, by their willingness to pay, that a $40 anti-virus solution is worth it to them, but I could be off the mark.

Consumer Reports, in their 2008 State of The Net report, claims that the likelihood of getting phished this year is 1 in 94, or just over 1%. The total amount lost to phishers nation-wide is estimated to be $2 billion.

Worry or Keep Cool?

If 1 in 94 American adults lost money to phishers, it means that $2 billion in costs were distributed amongst 2.4 million victims. From that statistic, we can figure that the average cost per person was about $835. If your chances of getting phished are 1 in 94, you can expect to lose (in statistical terms) $9 per year to phishers.

Now, knowing that you are likely to lose $9 per year in statistical terms is a bit of strange concept. In any given year, you will either lose a large sum like $835 or nothing at all. It might be easier to think of the $9 per year as something each person should be willing to spend to avoid the consequences of phishing.

For example, everyone in the country could contribute $9 per year into a phishing fund and distribute the money to the victims of phishing. Those who contribute but don’t fall victim to phishing get peace of mind out of the deal. The victims get compensated for what they lose. Everyone wins as long as peace of mind doesn’t cost more than $9 per year. Beyond that, it’s best to take your chances!

Is LifeLock Worth It?

Except for the monetary guarantee, LifeLock doesn’t do anything you couldn’t do on your own, and the company charges $10 per month for its services. If you want this sort of protection and you have more money than time, LifeLock may be a good deal. If you have more time than money, it’s probably a bad deal.

But there’s another way of looking at this. You might ask how much money you stand to lose if you don’t take any precautionary measures, by your own efforts or through a service like LifeLock.

The FTC estimated that there were 8.3 million American victims of identity theft in 2005, the latest year for which survey data are available. That works out to about 3.7% of the adult population. However, the typical victim didn’t suffer any consequences - his or her credit card company or bank soaked up the cost. A smaller group that fell victim to the most serious type of identity theft, new account fraud, had to pay a median of $40 and spend ten hours clearing their names. This smaller group made up 0.8% of the survey respondents.

If the survey was representative of the American population as a whole, it is possible to calculate the risk of identity theft, in dollars, to the typical person.

Expected monetary loss per person, per year = risk * (money loss + monetary time cost)

(If we assume that your time is worth $50 per hour, the monetary time cost of spending ten hours is $500.)

Expected monetary loss per person, per year = 0.008 * (40 + 500)

Expected monetary loss per person, per year = $4.32

The Bottom Line

If LifeLock were to set its fees to $4.32 per year, or about 35 cents per month, it would be a pretty good deal. Otherwise, you may be better off taking your chances.

1. Why security is a problem that will, unfortunately, always be with us.
2. Why we can’t expect technology to solve all of our security problems.
3. How to think about security problems as a compromise between security and effort spent getting it.

In September 2007, I wrote that “IE7 seems consistently to have more unpatched vulnerabilities than does Firefox”. Worse, Internet Explorer owned the more serious vulnerabilities.

That’s still true. According to Secunia, Internet Explorer 7 has 27 security vulnerabilities, ten of which remain unpatched. Firefox has 23 security vulnerabilities, nearly as many as Internet Explorer, but only three of them are unpatched.

Microsoft has made IE7 far more secure than the previous incarnation of the browser, but it looks like the Firefox can’t be caught.

The information on this website will always be free, but I’m betting that many of the 7,000 readers of this site will find it more convenient to get all the best tips in a single book rather than having to search through the 70+ posts in the archive.

However you get your security advice, thanks for reading and making this site a success!

(P.s. Want a free taste of the eBook? Check out the first 5 pages.)

Last month a US court ruled that border agents can search your laptop, or any other electronic device, when you’re entering the country. They can take your computer and download its entire contents, or keep it for several days.

[…]

Encrypting your entire hard drive, something you should certainly do for security in case your computer is lost or stolen, won’t work here. The border agent is likely to start this whole process with a “please type in your password”. Of course you can refuse, but the agent can search you further, detain you longer, refuse you entry into the country and otherwise ruin your day.

You’re going to have to hide your data. Set a portion of your hard drive to be encrypted with a different key - even if you also encrypt your entire hard drive - and keep your sensitive data there. Lots of programs allow you to do this. I use PGP Disk (from pgp.com). TrueCrypt (truecrypt.org) is also good, and free.

The article goes on to talk about the importance of using strong passwords, as well as the limits of depending on strong passwords to protect encrypted data.

Edited to add (19 May 2008): The quoted sections of the Guardian article have been trimmed due to a complaint from one of the editors.

The phone call begins with the cries of an anguished child calling for a parent: “Mama! Papa!” The youngster’s sobs are quickly replaced by a husky male voice that means business.

“We’ve got your child,” he says in rapid-fire Spanish, usually adding an expletive for effect and then rattling off a list of demands that might include cash or jewels dropped off at a certain street corner or a sizable deposit made to a local bank.

The twist is that little Pablo or Teresa is safe and sound at school, not duct-taped to a chair in a rundown flophouse somewhere or stuffed in the back of a pirate taxi. But when the cellphone call comes in, that is not at all clear.

[…]

Authorities say hundreds of different criminal gangs are engaged in various telephone scams. Besides the false kidnappings, callers falsely tell people they have won cars or money. Sometimes, people are told to turn off their cellphones for an hour so the service can be repaired; then, relatives are called and told that the cellphone’s owner has been kidnapped. Ransom demands have even been made by text message.