Playing the odds.
I often get questions amounting to “Will doing X make me secure?”
No matter what “X” is, it will not make you (or your computer, your accounts, your whatever) secure.
You can get more secure, but there’s no such thing as “secure” in an absolute sense.
Security isn't Yes/No
We want absolute security, which is unattainable. There is no best and there is no secure — there is only better and more secure. Trying to reach absolute security is an exercise in frustration. Instead, focus on being more secure, making better choices, and stacking the security deck in your favor.
Black and white is comforting
People crave absolutes.
It’s true not just for data security, but almost every aspect of life. Absolutes drive political and religious arguments, after all.
Shades of gray are more difficult. They require more thought and understanding. It’s easier to say things are one way or another.
When it comes to security,[1] we need to think.
The fallacy of the best
One common question I get is “What’s the best …”, followed by “anti-virus”, or “anti-spyware”, or other security tools.
There are plenty of comparison sites that will try to give you an answer. Be it via experience or some kind of detailed testing or analysis, products are compared and one emerges as a winner.
The problem is the illusion of objectivity. Different tests prioritize different factors. Different review sites often have biases — sometimes explicit, sometimes hidden.
And as a result, different sites give you the worst possible answer of all: a different answer than each of the others.
There is no best. There’s good. There’s perhaps even better, depending on what you’re comparing.
But there is no best.
Products love to promote best
Naturally, each product with some kind of best designation promotes the heck out of it, even though it’s ultimately meaningless.
It’s a competitive world. If product A says they rate best in some test, then it’s important for product B to respond somehow — usually with a best of their own.
Unfortunately, it only serves to confuse the average consumer. More importantly, it doesn’t help us make decisions.
In search of perfect passwords
Passwords are another realm where we want absolute security when there is none.
Yes, a 12-character password is harder to crack than an eight-character one. That does indeed make it better at preventing a particular style of attack.
But both are equally vulnerable to keylogging or provider database hacks, particularly if the provider does a poor job of storing passwords.
A long, random password is important. Without a doubt, it makes your account more secure.
But it doesn’t make your account absolutely secure.
Moving to more secure
The goal is not to be secure. There’s no such thing. A search for a black-and-white answer to a shades-of-gray question will only frustrate you.
The goal is to be more secure. The goal is to be as secure as is practical for your situation.
Aim to continually evaluate the security decisions you make to keep making more secure decisions.
And that means having a good basic understanding of the risks, the trade-offs, and the ramifications of a security issue.
The basics are a great place to start:
- Choose better passwords.
- Use reputable services.
- Use good security software.
- Don’t upload sensitive information without encrypting it.[2]
- Be skeptical.
Develop good habits that avoid risky behavior, identify potential pitfalls, and take ownership of your security.
Secure is an unreachable destination. But we can absolutely make decisions and take action to get us closer.
Footnotes & References
1: And politics, and religion, and a raft of other topics as well.
2: Even here, the shades of gray get even more nuanced – there’s sensitive information and there’s very sensitive information – it’s a spectrum as well. As a result, the approaches you take could easily vary, depending on how sensitive things are.
10 comments on “Security: It’s a Spectrum, Not a State”
If you want to approach total security for your computer, simply disconnect it from the internet and all power sources. Then lock it in a fireproof safe. Place the safe in a bomb shelter capable of withstanding a direct nuclear strike. You now have a nearly secure and totally useless computer.
Maybe, but somehow malware will still manage to get installed :)
No, it’s still not “totally secure”. (Okay, I see you say “nearly secure”.) What happens when the guy in charge of the bomb shelter gets a call from someone claiming to be you, asking him to reconnect it, so that “you” can log in?
As I see it, security and comfort are inversely related. An action or inaction might promote or demote your security level. And it is all a trade-off – I mean when an action eliminates some risks, many times it makes you vulnerable in new ways! You might lose some of the existing benefits and convenience. Since there is no such state as ‘Absolutely Secure Position’, we must respect the fact that any solution/advice given has inherent risks, and we should never demand any guarantee. Asking for guarantees only keeps you in the problem, and prevents others from helping you.
Thank You Leo!
I think your comments require slight qualification. My take is a variation on Barnum — you can’t have all security on all things, but it IS just possible to have complete security in limited areas or with regard to particular items. A particular encrypted WinZip file (which uses AES encryption), upon which a long and complex passphrase has been employed, may be corrupted, or otherwise lost or destroyed; but unless someone breaks AES, or brute-force attacks can be speeded up immeasurably, its actual SECURITY cannot realistically be broken within the foreseeable lifespan of the known universe. In this rather limited sense, therefore, “complete security” IS possible, but even then there will always be points of weakness (when you actually go to decrypt that file — it sure ain’t of much use to you in its encrypted form, now, is it? — are you SURE no one is looking over your shoulder as you type in that passphrase? No keyloggers active? No NSA surveillance warrants served on your computer? Etc., etc.) by which your security can — at least theoretically — be compromised.
As for passwords, you are quite correct — there are no such things as “Perfect Passwords.” In spite of that, I have in the past, do still, and will continue in the future, to recommend a book with that very title:
“Perfect Passwords: Selection, Protection, Authentication” by Mark Burnett ($20.09)
(…also available on Kindle!). Although you cannot get a “Perfect” password, some are most definitely better than others, and the best possible passwords, IN ADDITION to being both UNIQUE and MEMORABLE, also have as many as possible of the following eight (8) characteristics:
1. They use UPPERCASE letters (ABC…).
2. They use lowercase letters (def…).
3. They use numbers (123…).
4. They use spaces (” “).
5. They use punctuation (.,:;-!? and the like, that are usually found in sentences).
6. They use symbols (@&+=>$#*^~ and the like, that are usually NOT found in sentences).
7. They use respelling (i.e., no words that can be found in a dictionary — for example, using “kwean”, and not “queen”).
8. They use more than 15 characters, and the more characters, the better!
Mere LENGTH can make up for the absence of most of the other items on this list — a very long passphrase of only lowercase letters and spaces is better by far than a short password that contains all eight of the above elements, if only because the passphrase will be far easier to remember!
In short, with certain very limited exceptions, all security is relative, and this should always be borne in mind.
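As an added example (not code from the Ask Leo! article or from the commenter above), the following scores a password against the comment's eight characteristics and estimates the brute-force search space in bits from the character classes it actually uses; that makes both the article's 12-vs-8-character comparison and the comment's "length beats complexity" claim concrete. The ASCII class sizes, the item 5/6 punctuation split and the tiny DICTIONARY wordlist are assumptions constructed for the example.

```python
# Added example, not from the article or the comment. Assumptions: ASCII
# only; the punctuation/symbol split follows the comment's items 5 and 6;
# DICTIONARY is a tiny constructed stand-in for a real wordlist.
import math
import string

PUNCTUATION = set(".,:;-!?'\"()")                 # item 5: sentence punctuation
SYMBOLS = set(string.punctuation) - PUNCTUATION   # item 6: everything else
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "space": 1,
               "punct": len(PUNCTUATION), "symbol": len(SYMBOLS)}  # total 95
DICTIONARY = {"queen", "password", "correct", "horse", "battery", "staple"}


def characteristics(pw: str) -> dict:
    """Which of the comment's eight characteristics does pw satisfy?"""
    low = pw.lower()
    return {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "space": " " in pw,
        "punct": any(c in PUNCTUATION for c in pw),
        "symbol": any(c in SYMBOLS for c in pw),
        # Item 7: respelling, i.e. no dictionary word inside ("kwean" passes).
        "respelled": not any(word in low for word in DICTIONARY),
        "long": len(pw) > 15,                      # item 8
    }


def search_space_bits(pw: str) -> float:
    """Bits an attacker must cover when guessing over the classes pw uses.

    Pure brute-force model: the article's 12-vs-8 point appears as more bits
    for the same alphabet. It says nothing about keyloggers or a breached
    provider database, which hit both passwords equally.
    """
    present = characteristics(pw)
    pool = sum(n for name, n in CLASS_SIZES.items() if present[name])
    return len(pw) * math.log2(pool) if pool else 0.0


def longer_is_stronger(long_pw: str, short_pw: str) -> bool:
    """The comment's claim: a long lowercase passphrase beats a short mixed one."""
    return search_space_bits(long_pw) > search_space_bits(short_pw)


if __name__ == "__main__":
    for pw in ("a" * 8, "a" * 12, "Kw3an Q!&xyz", "kwean of the nile flows slowly"):
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, {characteristics(pw)}")
```

The 30-character lowercase passphrase lands near 143 bits against about 79 for a 12-character password drawn from all six classes, which is the comment's point in numbers.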
It’s similar to protecting yourself and others during a pandemic. For a while, the CDC recommended masks for people who were vaccinated. It makes more sense than it seems at first glance. If, for the sake of argument, a vaccine gives you 95% protection and a mask gives you 85% protection, the combination of the two will give you 99.25% protection.
So, if a system image backup gives you 99% protection for your data and backing up your data online via OneDrive, Dropbox, or Carbonite offers 95% protection, combining the two backup formats would give you 99.95% protection.
I’ve made those numbers up for the sake of argument, but it gives you a ballpark figure of how the belt-and-suspenders approach multiplies to increase protection.
I would just like to add an algorithm that I live by: “Never use ‘never’ or ‘always’ because ‘never’ and ‘always’ are absolutes and absolutes will always get you into trouble.”
An important point: The current «best» anti-malware was probably not in that position a year ago, and will probably not remain in that position next year.
Security is an ever shifting landscape. The spectrum is always shifting in unpredictable ways. It’s a continual race between the bad guys and the good guys. Not only that, but there is a race between the bad guys, and another between the good guys.
Even though I may have found “the best”, I’ve learned the people who created “the best” often start to let their guard down. Why? Because the ones who created “the best” often think they do not have to keep improving. It kind of reminds me of what my English teacher told us back in the 1970s. If you score 100% on every test, it does not mean you know everything. You only know 100% of what was ASKED of you. If you fail once or twice and go back to the books and study some more, you will likely know more than if you scored 100% the first time.
LEO – Can we use BBCode when we post comments? I wanted to italicize “the best” in my post, but I wasn’t sure if we could use BBCode or not.
Nope, but there should be a limited selection of HTML. <em> should work, for example.