
Security: It’s a Spectrum, Not a State

I often get questions that amount to “If I do X, will that make me secure?”.

Well, no. No matter what “X” is, it will not make you (or your computer, your accounts, your whatever) secure.

You can get more secure, but there’s no such thing as absolute security.

And that confuses many.


Black and white is comforting

I know that absolutes are what people crave.

And that’s true not just for the security of their data, but in just about every aspect of life. It’s what drives political and religious arguments, after all.

Shades of gray are more difficult to deal with. They require some amount of thought and understanding of the topic at hand. It’s easier to be able to say, absolutely, things are one way or another without needing to think about the in-between.

Unfortunately, when it comes to security[1], we need to think.

The fallacy of ‘best’

One of the most common questions I get is “what’s the best …”, followed by “anti-virus”, or “anti-spyware” or other security tool.

Heck, there are plenty of comparison sites out there that will try to give you an answer. Be it via experiences, or some kind of detailed testing or analysis, products will be compared and one will emerge a winner.

The problem, of course, is the illusion that it’s all objective. Different tests prioritize different factors. Different review sites often have biases – sometimes explicit, sometimes not so much.

And as a result, different sites will give you the worst possible answer of all: a different answer than each of the others.

There is no best. There’s good. There’s perhaps even better, depending on what you’re looking for as you compare one against another.

But there is no “best”.

Products love to promote “best”

Naturally, each product that receives (or generates) some kind of “best” designation will promote the heck out of it, even though ultimately it’s pretty meaningless.

And I get that they have to. It’s a competitive world, after all. If product “A” says that they rated “best” in some test, then it’s important for product “B” to respond somehow – usually with a “best” of their own.

Unfortunately, it all only serves to confound and confuse the average consumer. And more importantly, it doesn’t help them actually make an informed choice.

In search of perfect passwords

Passwords are another realm where we keep wanting absolute security when in fact there is none.

Yes, a 12 character password is harder to crack than an 8 character one. That does indeed make it better at preventing a particular style of attack.

But both are equally vulnerable to keylogging or provider database hacks, particularly if the provider does a poor job of storing the password-related information.

A long, random, password is important. Without a doubt it makes your account more secure.

But it doesn’t make your account absolutely secure.

Move to the more secure side

The goal is not to be secure. That’s a state that doesn’t exist. A search for a black and white answer to a shades of gray question will only frustrate and disappoint you.

The goal is to be more secure. The goal is to be as secure as is practical for your situation.

The goal should be to continually evaluate what you do and the decisions you make in the light of security risks, and keep making more secure decisions.

And that means having a good, basic understanding of what the risks are, what the trade-offs are, and what the ramifications of a security issue might really be for you.

The basics are a great place to start:

  • Choose better passwords.
  • Use reputable services.
  • Install good basic anti-malware protection and security software.
  • Don’t upload sensitive information without encrypting it.[2]
  • Be skeptical.

Basically, develop good habits that have you avoiding risky things, identifying potential pitfalls, and just generally taking ownership of your security.

“Secure” is an unreachable destination – but we can absolutely make decisions and take actions that get us closer – or further away.

Footnotes & references

1: And politics and religion and a raft of other topics as well.

2: Even here the shades of gray get even more nuanced – there’s sensitive information and there’s very sensitive information – it’s a spectrum as well. As a result the approaches you might take could easily vary depending on just how sensitive things are.

5 comments on “Security: It’s a Spectrum, Not a State”

  1. If you want to approach total security for your computer, simply disconnect it from the internet and all power sources. Then lock it in a fireproof safe. Place the safe in a bomb shelter capable of withstanding a direct nuclear strike. You now have a nearly secure and totally useless computer.

    • No, it’s still not “totally secure”. (Okay, I see you say “nearly secure”.) What happens when the guy in charge of the bomb shelter gets a call from someone claiming to be you, asking him to reconnect it, so that “you” can log in?

  2. As I see it, Security and Comfort are inversely related. That an action / inaction might promote or demote your security level. And it is all a trade-off – I mean when an action eliminates some risks, many times it makes you vulnerable in new ways! You might lose some of the existing benefits and convenience. Since there is no such state as ‘Absolutely Secure Position’, we must respect the fact that any solution/advice given has inherent risks, and we should never demand any guarantee. Asking for guarantees only keeps you in the problem, and prevents others from helping you.

    Thank You Leo!

  3. I think your comments require slight qualification. My take is a variation on Barnum — you can’t have all security on all things, but it IS just possible to have complete security in limited areas or with regard to particular items. A particular encrypted WinZip file (which uses AES encryption), upon which a long and complex passphrase has been employed, may be corrupted, or otherwise lost or destroyed; but unless someone breaks AES, or brute-force attacks can be speeded up immeasurably, its actual SECURITY cannot realistically be broken within the foreseeable lifespan of the known universe. In this rather limited sense, therefore, “complete security” IS possible, but even then there will always be points of weakness (when you actually go to decrypt that file — it sure ain’t of much use to you in its encrypted form, now, is it? — are you SURE no one is looking over your shoulder as you type in that passphrase? No keyloggers active? No NSA surveillance warrants served on your computer? Etc., etc.) by which your security can — at least theoretically — be compromised.

    As for passwords, you are quite correct — there are no such things as “Perfect Passwords.” In spite of that, I have in the past, do still, and will continue in the future, to recommend a book with that very title:

    “Perfect Passwords: Selection, Protection, Authentication” by Mark Burnett ($20.09)

    (…also available on Kindle!). Although you cannot get a “Perfect” password, some are most definitely better than others, and the best possible passwords, IN ADDITION to being both UNIQUE and MEMORABLE, also have as many as possible of the following eight (8) characteristics:

    1. They use UPPERCASE letters (ABC…).
    2. They use lowercase letters (def…).
    3. They use numbers (123…).
    4. They use spaces (" ").
    5. They use punctuation (.,:;-!? and the like, that are usually found in sentences).
    6. They use symbols (@&+=>$#*^~ and the like, that are usually NOT found in sentences).
    7. They use respelling (i.e., no words that can be found in a dictionary — for example, using “kwean”, and not “queen”).
    8. They use more than 15 characters, and the more characters, the better!

    Mere LENGTH can make up for the absence of most of the other items on this list — a very long passphrase of only lowercase letters and spaces, is better by far than a short password that contains all eight of the above elements, if only because the passphrase will be far easier to remember!

    In short, with certain very limited exceptions, all security is relative, and this should always be borne in mind.
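As an added example (written for this page, not code from the article or from the commenter), the brute-force model behind both the article's 8- versus 12-character comparison and this comment's claim that a long lowercase passphrase beats a short all-class password. The character classes are the eight listed above; the split between "punctuation" and "symbols" and the guess rate are assumptions, and the sample passwords are constructed.

```python
import math
import string

# Character classes as listed in the comment above (constructed mapping). The
# punctuation/symbol split is an assumption; together the six classes cover
# the 95 printable ASCII characters.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "space": {" "},
    "punct": set(".,:;-!?'\""),
    "symbol": set("@&+=>$#*^~%<(){}[]|\\/_`"),
}

def charset_size(password: str) -> int:
    """Alphabet an attacker must search, assuming they know which character
    classes the password uses (a conservative, defender's-eye assumption)."""
    return sum(len(members) for members in CLASSES.values()
               if any(c in members for c in password))

def brute_force_bits(password: str) -> float:
    """Strength against exhaustive guessing only: length * log2(alphabet).
    A keylogger or a leaked plaintext password bypasses this entirely whatever
    the value, which is the article's point about being 'equally vulnerable'."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0

def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every candidate at an assumed offline guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)

def stronger(a: str, b: str) -> str:
    """Return whichever password has more brute-force entropy."""
    return a if brute_force_bits(a) >= brute_force_bits(b) else b

if __name__ == "__main__":
    # Constructed samples: 8 chars from all classes, 12 chars from all classes,
    # and a 25-character lowercase-plus-space passphrase.
    for pw in ("Ab1 .@xy", "Ab1 .@xyQ9-z", "the quick brown fox jumps"):
        bits = brute_force_bits(pw)
        print(f"{pw!r:30} alphabet={charset_size(pw):3d} "
              f"bits={bits:6.1f} years={years_to_exhaust(bits):.2e}")
```

The 25-character passphrase comes out at roughly 119 bits against about 53 for the 8-character all-class password, which is the length-over-variety point; the number says nothing about keylogging or a provider breach.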
