
Workers' Edge

Read all 'Passwords' posts in Workers' Edge
October 2, 2009 9:00 AM PDT

RoboForm Online secures personal data in 'cloud'

by Dennis O'Reilly
  • 21 comments

Someone told me recently that they had 22 different log-in IDs. My first thought was, you must get out more. My second thought was, how do you remember 22 different Web services, let alone log-in IDs and passwords?

The answer, of course, is a password manager. These days, I see PC security as a form of insurance. The more you have to risk, the more you should spend to protect it. Anyone who banks or otherwise transacts online will find the investment in a password and personal-data manager worthwhile. Fortunately, if your password-management needs are meager, the protection doesn't have to cost you anything.

Siber Systems recently announced the beta version of RoboForm Online that lets RoboForm users store their log-in data securely online. Just log into the service from any browser and get fast access to the IDs you've saved on your PC. With just one click you're logged into your favorite Web sites.

RoboForm Online

Log into the RoboForm Online service to access your favorite Web services with a single click.

(Credit: Siber Systems)

The first time you use the program, you're prompted to enter a master password. You can change the master password by opening the program's Options drop-down menu and selecting Security settings, but if you forget a master password, you have to delete all the password-protected files and start over.


May 7, 2009 9:00 AM PDT

Five simple PC security tips

by Dennis O'Reilly
  • 18 comments

The list of PC security products never ends. For every name that drops off, two more jump on. In fact, determining the best security hardware and software is a full-time job. Sometimes, you just want to throw up your hands and take your chances.

Maybe I'm just a cockeyed optimist, but I think you can stay safe without spending all your spare time doing research, installing updates, and generally becoming a PC-security expert. Here are five relatively easy ways to improve your security.

Use the firewall that's closest at hand
In the computer industry, the reputation of a product, service, or Web site is just about worthless. Yesterday's best firewall, ad blocker, spam buster, virus spotter, or spyware cleaner is today's bust.

Maybe the product got bought and the new owners aren't as conscientious about updates as the previous ones. Or the service's management team decides to go for profits and skimp on support, updates, and enhancements. There are lots of reasons why a good product goes sour, and the computer industry has seen nearly all of them.

So if you can't go by reputation, how do you choose a security product? One way is to go with the tools you've already got. Windows' security is roundly criticized, but the fact is, it's better than it used to be, and third-party security products have their own shortcomings.

Last February, I recommended that you use a third-party firewall rather than the one built into Windows. Six months earlier, I suggested that you pass on the third-party tools and stick with the Windows Firewall despite its shortcomings.

So which side of the fence am I on now? The simple side. The fact is, any third-party security tool complicates your setup. It's not difficult to find weaknesses in the Windows Firewall, but it's safe enough for most PC users, and it's much better than using no software firewall at all.

My previous post included links to information on Microsoft's TechNet site providing technical details of the Windows Firewall, tips for customizing the Windows Firewall, and help troubleshooting the firewall in XP and Vista.

Don't hesitate to try another free antivirus program
Just last week, I switched antivirus programs on my XP test system--for the umpteenth time. Something was slowing the system down, and after defragging the hard drive and doing other standard maintenance tasks, the machine's performance didn't improve as I expected it to.

Rather than go through a bunch of diagnostic tests, I simply uninstalled the system's antivirus tool and downloaded a competing package. The old and new programs were both free, and the switch didn't take much time to complete. The topper? The XP machine's performance perked up immediately.

Two antivirus programs that are free for home use and that are currently highly rated are Avast Home Edition and Avira AntiVir. You'll find a list of dozens of antivirus programs for Windows on this Download.com page.

Change your password...again
I hate those "your password will expire in x days" warnings as much as you do, but one of the simplest ways to protect yourself is by keeping your passwords fresh. Last year, I described the Ten Password Commandments, one of which was to devise a password-creation strategy that's all your own.

Just two months ago, I complained about the shortcomings of passwords as our primary security option, though I concluded that there's nothing better, for now. Lots of people swear by password managers such as RoboForm, but then you have yet another third-party app complicating matters.

For me, it's simpler just to devise a new password based on my unique, inimitable password-creation system, which I share with no one. No need to write it down, enter it in an online form, or encrypt it in a master-password file. Temporary amnesia, well, that's another matter.

For secure e-mail, use encryption
You would think that encrypting e-mail would be a breeze, but doing so is anything but. You and the recipient have to deal with digital certificates, public and private keys, and any number of other time-eating preparations and precautions.

The simplest way I know of to encrypt your e-mail is by using the Mozilla Foundation's Thunderbird with the Enigmail extension. Jason Thomas provides step-by-step instructions in this tutorial on the Lifehacker site.

Gmail users can secure their e-mail communications by enabling the service's built-in encryption, which protects the connection between your browser and Gmail. To do so, click the Settings button at the top-right of the main Gmail screen, scroll to the bottom of the General tab, select "Always use https," and click Save Changes.

Gmail Settings

Select "Always use https" under the General tab in Gmail's Settings to encrypt your messages.

(Credit: Google)

Keep your browser up-to-date
Most people will tell you that the Mozilla Foundation's Firefox browser is the safest way to surf, but a recent report from Google Switzerland and the Swiss Federal Institute of Technology found that "(u)sing the most recent version of a browser will lower the risk associated with drive-by-downloads and other Web-based attacks, which start by targeting the browser."

The report cites Google Chrome's silent updates as the best way to ensure that your browser is protected. The researchers also laud Chrome's lack of a way for users to disable its silent-update feature. Some people will object to software being downloaded to and installed on their system without their knowledge, but the fact is, these behind-the-scenes updates are the best way to keep you safe from the Internet bad guys.

Personally, I'm starting to rethink my choice of default browser. But as I mentioned earlier, you can't put any faith in a computer security product's reputation. And you can't be afraid to switch.

March 2, 2009 12:01 AM PST

Are passwords our best security option?

by Dennis O'Reilly
  • 6 comments

Last week, Steve Bass described in his TechBite newsletter how someone cracked into his PayPal account, hitting him up for $400. Fortunately, Steve caught the theft in time to have the bogus charge reversed, but reading about Steve's experience made my blood turn cold.

The fact is, people get their online accounts pilfered every day. But this is Steve Bass we're talking about. I learned more about PC security from Steve while we worked together at PC World than I have picked up from any other 10 so-called experts. I know how careful he is when making purchases at the corner grocery store, let alone on Web sites.

If Steve Bass can have his virtual pocket picked, it can happen to anyone--and I mean anyone. When I finished reading Steve's tale of woe, I was left thinking, "There's gotta be a better way."

Well, for right now, maybe there isn't a better way to protect ourselves online than using strong passwords that we change regularly. About a year ago, I presented several tips on using passwords. Steve's article goes that blog post one better by including links to Microsoft's password checker and instructions from the company on how to craft strong passwords.

I'm willing to accept the fact that passwords are the best data-security option today, but they're far from perfect, primarily because of the human factor. Either our passwords are too easy to guess or we're too willing to share them, whether inadvertently (by writing them down where others can find them) or on purpose.

My notebook computer (which is currently in the shop; more on that later this week) has a fingerprint scanner embedded in the case. I used this scanner to log into my Windows account for many months, but then the reader started to flake off, refusing to accept my finger swipes and requiring that I type in my password anyway.

It didn't take long for me to abandon the fingerprint reader entirely. I have a feeling that other password alternatives--biometric or otherwise--have similar shortcomings. It might be possible to make one of these access-control technologies more reliable, but doing so could make the cost prohibitive for PC vendors.

Since we'll likely be relying on passwords to secure our systems and data for some time to come, we need to keep in mind that cyberthieves are getting trickier and trickier in the techniques they devise to coax our passwords out of us. Even as we become more mindful of the attempts to steal our passwords, we have to prepare for the day when ours will fall into the wrong hands.

Keep a close eye on those credit-card statements and charges to online accounts. Don't hesitate to contact the financial institution involved if you suspect you've been victimized. Don't think that a strong password--or even a world-class password-management utility such as RoboForm--is all the protection you need on the Web. (You can read more about RoboForm and Siber Systems' other password-management products in Steve's newsletter.)

February 27, 2008 12:01 AM PST

Keep your data safe by following the Password Commandments

by Dennis O'Reilly
  • 7 comments

Your first--and sometimes only--line of PC defense is your password. Even the most carefully crafted password can be rendered useless if you don't keep it secret. This is not such an easy thing to do, especially considering all the clever tricks data thieves have come up with to grab it, with or without your knowledge. More dangerous is the lackadaisical approach many people take to creating, using, and protecting their passwords. Here are 10 ways to use passwords to best effect.

1: Don't write it down. Ever. Either it will be so easy to find that you might as well not use any password at all, or you'll forget where you put it and somebody else will find it and use it to access your system. You may think your password is safe on that sticky note inside the third appendix of "Mastering OS/2, Second Edition," but that's the first place your larcenous pet walker will look (apologies in advance to all pet walkers for disparaging their noble profession).

2: Devise a password-creating system that's all yours. There are dozens, hundreds, maybe even thousands of Web pages and other resources offering advice on how to craft strong passwords. Of course, these are the first places the people in the business of cracking passwords look for tips. It's not difficult to come up with your own system that combines a variety of methods. One possibility is to start by reversing an inactive phone number from your past, then convert the numbers to letters, so "213-555-1212" would become "bm-eee-ll" (remove the hyphens, if you wish). Make it even stronger by adding the street name of your childhood home converted from letters to numbers, which would change "Maple" into "13-1-15-12-5". Now really mix things up by placing the numbers inside the letters: "bme13115125eell".

The benefit of having your own system over using a random password generator is memorability: If you remember your system, you'll look at the above sequence and see the phone number and street name, not just the actual letters and numbers. No, I won't tell you the password-creation system(s) I use, but they don't have anything to do with old phone numbers or street names. Honest.

3: Don't send your password via e-mail or give it out over the phone. OK, there are exceptions to this "rule," such as when your company's help-desk staff are troubleshooting your system over the phone, but even in those rare instances, it's a good idea to change your password immediately after you give it out (see more on changing your password below).

4: Disable AutoComplete for user names and passwords. Yes, this feature of Internet Explorer, Firefox, and other browsers can save you time when you're online, but it also lets anyone who gains access to your Windows login, or to your PC when you're logged in but away, visit all the secured sites in its database, change the passwords, and otherwise act in ways you may not appreciate. To disable this feature in IE, click Tools > Internet Options > Content, and choose the Settings button in the AutoComplete section. Uncheck User names and passwords on forms (you may also want to uncheck the other two AutoComplete options: Web addresses and Forms). Click OK, and then choose the General tab, and click Delete > Delete Passwords (and any other options, or Delete all to wipe your browser clean). Click Close and OK.

Internet Explorer 7's AutoComplete Settings dialog box

Uncheck User names and passwords on forms in Internet Explorer's AutoComplete Settings dialog box.

In Firefox, simply click Tools > Clear Private Data (or press Ctrl-Shift-Delete), check all the items, and click Clear Private Data Now.

Mozilla Firefox's Clear Private Data dialog box

Erase personal information from the Mozilla Firefox browser by checking items in the Clear Private Data dialog box.

5: Change your password often. Even if you haven't had reason to share it recently (as mentioned above), get into the habit of refreshing stale passwords. The more important the data your password protects, the more often you should update it. One way to force yourself to change your Windows login password is by using the password options in Local Security Policy (it's called "Local Security Settings" in Windows XP). In XP, click Start > Run, type secpol.msc, and press Enter. In Vista, press the Windows key, type secpol.msc, and press Enter. In both versions, select Password Policy under Account Policies. Double-click Maximum password age in the right pane, enter the number of days you want to go between passwords, and click OK. The other options in this dialog box let you enforce password history, set a minimum password age or length, require that the password meet Windows' complexity requirements, and store encrypted passwords.

Windows Vista's Local Security Policy dialog box

Force Windows to require a new login password after a set number of days via the Local Security Policy dialog box.
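
The same password-policy settings can be read and changed from an elevated prompt with Windows' built-in net accounts command. The PowerShell script below is an added example, not part of the original post; the baseline numbers and the -Apply switch are assumptions chosen for illustration, and the parsing assumes English-language Windows output.

```powershell
# Added example (not from the article): audit the local password policy with
# `net accounts` and optionally apply a baseline. Run from an elevated prompt.
param([switch]$Apply)   # hypothetical switch: report only unless -Apply is given

# Baseline values are assumptions for illustration; choose your own.
$baseline = @{
    MaxAgeDays = 90   # "Maximum password age" in Local Security Policy
    MinLength  = 12   # "Minimum password length"
    History    = 5    # "Enforce password history"
}

function Get-LocalPasswordPolicy {
    # Turns the "label:   value" lines printed by `net accounts` into a hashtable.
    # The labels are the English ones; localized Windows prints different text.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(?<name>[^:]+):\s+(?<value>.+)$') {
            $policy[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }
    return $policy
}

function ConvertTo-PolicyNumber([string]$Text) {
    # Unset values are printed as words ("Unlimited", "None"); treat them as $null.
    if ($Text -match '^\d+$') { return [int]$Text }
    return $null
}

$current = Get-LocalPasswordPolicy
$maxAge  = ConvertTo-PolicyNumber $current['Maximum password age (days)']
$minLen  = ConvertTo-PolicyNumber $current['Minimum password length']
$history = ConvertTo-PolicyNumber $current['Length of password history maintained']

$findings = @()
if ($null -eq $maxAge -or $maxAge -gt $baseline.MaxAgeDays) {
    $findings += "Maximum password age is not set to $($baseline.MaxAgeDays) days or fewer"
}
if ($null -eq $minLen -or $minLen -lt $baseline.MinLength) {
    $findings += "Minimum password length is below $($baseline.MinLength)"
}
if ($null -eq $history -or $history -lt $baseline.History) {
    $findings += "Password history remembers fewer than $($baseline.History) passwords"
}

if ($findings.Count -eq 0) {
    Write-Output 'Password policy meets the baseline.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Apply) {
        # The complexity and reversible-encryption settings are not exposed by
        # `net accounts`; change those in Local Security Policy (secpol.msc).
        net accounts "/maxpwage:$($baseline.MaxAgeDays)" `
                     "/minpwlen:$($baseline.MinLength)" `
                     "/uniquepw:$($baseline.History)"
    }
}
```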

6: Clear the cache after using a public PC. If you log into a Web site from a PC other than your own, make sure you wipe out all traces of your use by deleting the browser's personal data. See the steps described in "Disable AutoComplete for user names and passwords" above.

Note that many public PCs reset to the defaults as soon as you log out, but don't trust them. In fact, it's good practice to change your passwords whenever you use them in a public setting, even on your own laptop after attending a conference or other event, for example. Snoops love to hang out at such places, whether using a keystroke logger, or simply looking over your shoulder as you log in.

7: If it's too valuable to lose, don't keep it on your PC. If you just discovered the secret to changing marshmallows into gold, you may not want to trust the formula to any hard drive, whether or not it's password-protected, or connected to a network at all. In addition to the threat of data-crackers, the drive could fail, leaving your fate in the hands of some data-recovery service. If you have to store a digital copy of some important file, place it on an optical disc designed specifically for archiving, and store that disc in a safe place, such as a bank deposit box. And--of course--make a copy that you store in a separate, secure location. When optical drives are replaced by some new-fangled storage medium, copy the data to a secure version of that medium, but you probably don't have to worry about this for at least a couple of years.

8: Create a password-reset disk. It doesn't have to be a floppy, which is a good thing since few new PCs even have floppy-disk drives. But a reset disk is the best protection against a bad memory--yours more likely than the computer's. Log into the account you want to protect, open Control Panel's User Accounts applet, select the account, and in XP, click Prevent a forgotten password in the left pane. In Vista, click Create a password reset disk in the left pane. Step through the Forgotten Password Wizard, selecting the removable medium of your choice when prompted. Label the removable device appropriately, and store it somewhere safe but easy to remember. It's one thing to forget your password, but quite another to forget where you put your password reset disk.

9: Use a password-management utility. I hesitate to rely on a third party to protect my passwords, but one that has been around for a long time is RoboForm, which comes in free and $30 Pro versions.

10: Ask for some help to reset your password. If you've forgotten your password and don't have a password-reset disk handy, log onto another administrator account on the system, open the User Accounts applet in Control Panel, click Change an account in XP, or Manage another account in Vista, select the account, and change the password. A couple of weeks ago I described how to activate Vista's hidden administrator account.

You can also change the password by booting from your XP install CD and running the Repair option. Vic Ferri provides step-by-step instructions.

Tomorrow: the quick, simple, and free way to embed videos in e-mail.

February 25, 2008 12:01 AM PST

Stay safe while using Microsoft Office 2003

by Dennis O'Reilly
  • 2 comments

You trust Microsoft Office with your most important documents, spreadsheets, e-mail, and presentations. Unfortunately, many of the default security settings in Office applications may not provide a sufficient level of protection for your data, your system, and your reputation. Follow these steps to fine-tune the security settings in Office 2003; tomorrow I'll cover the new security options in Office 2007's Trust Center and elsewhere.

Office 2003 lets you encrypt files so that you need a password to read or edit them. In Word 2003, open the document and click Tools > Protect Document. To restrict the styles that can be applied to the file, check Limit formatting to a selection of styles, and click Settings. Uncheck the styles you don't want to allow, or choose one of the other style-restriction options, and click OK. To make the document read-only, check Allow only this type of editing in the document, and select one of the options in the drop-down menu: Tracked changes, Comments, Filling in forms, or No changes (Read only).

Microsoft Word 2003's Protect Document dialog box

Choose an option in Word 2003's Protect Document dialog box to restrict access to the document.

You can also designate the people who can access the file by clicking More users, entering their user names or e-mail addresses, and clicking OK. When you're done, click Yes, Start Enforcing Protection. In the resulting dialog box, either choose Password and enter twice the password that will decrypt the file, or select User authentication, which allows the people you designate to remove the file's protection.

The User authentication option requires Microsoft's Information Rights Management, which requires the Windows Rights Management client. This in turn requires a .NET Passport account, and your agreement to the "free trial," though there's no indication if or when the trial will end. Microsoft promises to maintain the privacy of your files, and to make them available for three months after the trial ends, if you maintain the .NET Passport account. There may be a good reason to go this route, but to keep things simple, I stick with the password option. To remove these settings, click Tools > Unprotect document, and enter the password (if you chose this method of protection).

Microsoft Word 2003's Protection method dialog box

Choose Password and enter the password that will open the file, or select User authentication to allow the people you designate to read, edit, and/or comment on the document.

To protect a worksheet or file in Excel 2003, click Tools > Protection, and choose your preferred protection method: Protect Sheet, Allow Users to Edit Ranges, Protect Workbook, or Protect and Share Workbook. If you choose the first option, you're prompted to enter a password to unlock the sheet, and you can limit the actions people can take when working on the sheet. The second selection opens a dialog box in which you can specify the ranges that will be unlocked by a password by clicking New and entering the ranges. You can allow specific people to edit, or list the users who can't edit the range without a password by clicking Permissions and entering their user or group names. The third and fourth options are similar to the first, but apply to the entire workbook rather than a specific worksheet.

In PowerPoint 2003, click Tools > Options > Security, enter a password that will let the presentation be opened or modified, and click the Advanced button to select an encryption type. This dialog box also lets you remove hidden data from the file, and adjust your macro security settings (the default allows only signed macros from trusted sources, though this is of questionable value since "trusted sources" is pretty meaningless).

Outlook 2003's security options let you encrypt outgoing attachments, restrict the sites that can send you scripts and active content (the same list that's in your Internet Options), and limit the receipt of images and file downloads. But two of the most important things you can do to protect yourself from malware in Outlook are to turn off the Reading Pane (aka Preview Pane), and to view your mail as plain text. To deactivate the Reading Pane, click View > Reading Pane > Off. And to switch from HTML mail to the safer plain text, click Tools > Options > E-mail Options, check Read all standard mail in plain text, and click OK. When you want to view a message in its original HTML format, click the beige message bar across the top of the message window and select Display as HTML.

Microsoft Outlook 2003's E-mail Options dialog box

Protect yourself from malicious messages in Outlook 2003 by selecting "Read all standard mail in plain text" in the program's E-mail Options.

Protect your reputation with the Remove Hidden Data tool: Maybe you're one of the many Office users who have suffered the embarrassment of sending someone (or a lot of someones) a file that hadn't had its revisions and comments deleted. To minimize the chances of the public seeing more of your files than you intend, download Microsoft's free Remove Hidden Data tool. (I described this program and four other great Office freebies in an earlier post.)

Tomorrow: get more out of the new security options in Office 2007.

February 13, 2008 12:01 AM PST

Enable Vista's hidden administrator, and password-protect its XP equivalent

by Dennis O'Reilly
  • 12 comments

You probably know about the "hidden" administrator account in Windows XP. It's the only account on XP systems on which no other accounts have been created.

Until you add a new account, you zip right to the desktop when you boot the OS, with no stop at the Welcome screen. Once you set up one or more new accounts, the default administrator disappears, though you can bring it back in both XP Home and Pro. (More on this below.)

Vista ships with this account disabled, which is not such a bad thing because every user on the PC should have his or her own custom account, even if "every" translates to "one."

Still, this back-up administrator account can come in handy if you encounter some problems logging into or otherwise using Vista. To enable it, right-click the Command Prompt on the Start menu (it is likely listed under Accessories), choose Run as administrator, type net user administrator /active:yes, and press Enter. You should see a message stating that the command completed successfully. Type exit and press Enter again to close the Command Prompt window.

The Command Prompt text used to activate Windows Vista's back-up administrator account

Enable Windows Vista's backup administrator account from the Command Prompt.

When you restart Windows, you'll see a new account labeled simply "Administrator." The first time you log into this account, Windows will tell you that it's preparing the desktop before the system's default desktop appears. Click Start > Control Panel > User Accounts and Family Controls > Change your Windows password > Create a password for your account, enter your password twice, add a hint (if you wish), and click Create password. (If you use Control Panel's classic view, the settings to create a password are in the User Accounts applet.)

To disable this administrator account, follow the steps above to return to the Command Prompt in administrator mode, type net user administrator /active:no, press Enter, type exit, and press Enter again.

Give XP's hidden administrator account a password
This administrator account is a well-documented security risk in Windows XP because by default it doesn't have a password, which means anyone can log into your system via this account, change the passwords for all the other accounts, and perform other mischief. To give the account a password in XP Home, restart the PC, press F8 before Windows loads, select Safe Mode, and press Enter.

The only selection will likely be Microsoft Windows XP. With this option highlighted, press Enter again. You'll see a Welcome screen with an account labeled Administrator. Click this account, choose Yes at the warning, open the User Accounts applet in Control Panel, click the Administrator account again, choose Create a password, enter the new password twice, enter a hint (if you wish), and click Create Password. You may also be asked if you wish to make this account's files private. Make your selection and click Finish.

There's a much simpler way to make this administrator account visible on the Welcome screen in XP Pro: Open the Tweak UI Powertoy, click Logon in the left pane, check Show "Administrator" on Welcome screen in the Settings window on the right, and click OK. Note that you'll still have to log into this account and follow the steps above to add a password for it.

The Logon options in the Tweak UI Powertoy from Microsoft

Select the Logon option and check this option to add the hidden Administrator account to the Welcome screen in XP Pro.
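
To check the state this post describes (whether the built-in Administrator account is enabled, and whether Windows allows it to go without a password), the account can be queried through WMI. The PowerShell function below is an added example, not part of the original post; the function name and the wording of its findings are assumptions.

```powershell
# Added example (not from the article): report on the built-in Administrator account.
function Get-BuiltinAdministratorStatus {
    # The built-in Administrator always has a SID ending in -500, so matching on
    # the SID still finds the account after it has been renamed.
    $admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -match '^S-1-5-21-.*-500$' }
    if (-not $admin) { throw 'Built-in Administrator account not found.' }

    $enabled = -not $admin.Disabled

    # PasswordRequired = False means the account is exempt from the password
    # policy and may be blank. True does not prove that a password is set
    # (a minimum password length of 0 still allows an empty one), so an
    # enabled account always deserves a manual check.
    if ($enabled -and -not $admin.PasswordRequired) {
        $finding = "HIGH: enabled and allowed to have no password. " +
                   "Run: net user `"$($admin.Name)`" /passwordreq:yes  then  net user `"$($admin.Name)`" *"
    } elseif ($enabled) {
        $finding = "REVIEW: enabled. Confirm it has a strong password, or disable it with " +
                   "net user `"$($admin.Name)`" /active:no"
    } else {
        $finding = 'OK: account is disabled'
    }

    New-Object PSObject -Property @{
        Name             = $admin.Name
        Enabled          = $enabled
        PasswordRequired = $admin.PasswordRequired
        Finding          = $finding
    }
}

Get-BuiltinAdministratorStatus | Format-List Name, Enabled, PasswordRequired, Finding
```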

Tomorrow: Your options for moving Excel data to a Word document.


About Workers' Edge

Dennis O'Reilly has covered PCs and other technologies in print and online since 1985. Along with more than a decade as editor for Ziff-Davis's Computer Select, Dennis edited PC World's award-winning Here's How section for more than seven years. He is a member of the CNET Blog Network and is not an employee of CNET.
