leaderswest

digital marketing journal


Oct 14 2014

An online security expert explains how your privacy is at risk

Security

Jim Dougherty

featured contributor


Because I am a brand advocate for F-Secure Key (see disclosure below), I was given the opportunity to interview one of their most prominent security experts, Harri Kiljander.

F-Secure is an international company specializing in a wide complement of security software, including F-Secure Key, which is a cloud solution that creates and stores random, unique passwords for all of your accounts.

F-Secure Key is free on mobile devices and costs a little over $2 per month for unlimited device usage. I’m a brand advocate because it has made my life a heck of a lot easier (I’m embarrassed to say how many times I’ve reset my Facebook password), and it’s clear from my discussion with Harri that they have exceptionally intelligent people creating their products.

Harri Kiljander’s CV

Harri Kiljander isn’t a celebrity, but what he lacks in name recognition he more than compensates for in accomplishment. Here’s his background:

Harri Kiljander is the Product Director, Personal Identity Protection at F-Secure. F-Secure KEY, the essential password manager with a friendly face, is one of our current apps, and we are developing new products and services to make it easier for people across the planet to ensure their digital identities and online accounts stay safe and secure.

Harri has been designing and developing digital and physical products for over 20 years. Earlier at F-Secure, he built and led an internal startup, developing and launching the personal location sharing service F-Secure Lokki. Harri joined F-Secure in 2010 after 15 years at Nokia in various design and design leadership positions, his last role at Nokia being the user experience design director for Nokia’s MeeGo smartphones.

Harri holds a PhD in interactive digital media and a dozen patents in the field of human-computer interaction. He is the editor of the book Mobile Usability and a design advisor to the mobile start-up Morelex. In his spare time he goes riding his bicycle or sailing, tutoring Service Design and Engineering students at Aalto University in Helsinki, or shooting architecture photographs.

Harri was gracious enough to answer a wide swath of questions ranging from general security to WordPress and best practices with the F-Secure Key product.

On the security of WordPress sites

How common are brute force security attacks and where are they most likely to occur?

We don’t have stats for unsuccessful attacks. But we can say that if you have a web-facing service it will be challenged. It will be tested. If it doesn’t rate limit, eventually someone will script an attack. So I can’t say how common they are but I can tell you it’s an inevitability. And they will very, very definitely try to crack a WordPress blog.

Do you have an opinion about the security programs that are available for self-hosted WordPress sites? 

I don’t recommend any particular host. What you can do to secure your blog is protect your plug-ins. Updating WordPress.org software is relatively easy. It’s third-party plug-ins that are most likely to bite you. Perhaps a vendor has quit and you don’t realize they’re no longer updating. No patch will be coming. So don’t just update and patch your plug-ins, but check to make sure they’re still being supported at all.

What concerns you for the future security of self-hosted WordPress sites? Cloud computing sites? Social media? Webmail?

Many people are hosting these since they are very easy to set up. Very many people do not know of the security vulnerabilities in these platforms and are not installing security updates the platform vendors may be releasing.

General online security vulnerability questions

A smartphone password such as the iPhone’s four-digit password seems like one of the biggest security vulnerabilities that most people have. How should people mitigate this?

People very often choose convenience over security so having a four-digit password is better than nothing, and if entering a very strong but long password is too cumbersome, it’s better to go with the four-digit password. One should obviously use a good PIN and not go with the default 0000 or 1234.

What are some common mistakes that people make when choosing passwords? Are there commonly used phrases or usernames to avoid?

One published list of most common passwords includes entries like “123456”, “password”, “12345678”, “qwerty” and “abc123”. The best thing to do is to use a password manager app to generate strong passwords, and we have built F-Secure KEY, the essential password manager with a friendly face just for that purpose.

When a database is breached, such as the recent release of Gmail addresses on a messaging board, what is the best quick response to a situation like that and what are the biggest vulnerabilities when passwords are compromised?

You should have diversified your usernames and passwords in the first place. When the inevitable happens and one service is breached, then that breach won’t affect all your online accounts, and you can respond by changing your password in that one service only.

What are your opinions on the merits of two-factor authentication? Should people always use it when available?

Two-factor authentication should be used for increased security, when available. You can also activate your mobile device’s security lock feature to have two-factor authentication.

Are there opt-in features such as Find My Phone or geo-tagging that create an additional security vulnerability for smartphone users?

Find My Phone and similar location services increase the sense of security since you can check where your family members are or simply locate a missing phone.

When you take a location sharing service into use, you should check if you can remotely disable it, if needed. If one of your family phones gets stolen and if you cannot locate it, it would be good to be able to block that phone from seeing the location of the other phones in the family.

Would you recommend always choosing the longest password length available for any given login, or are there cases when a shorter password would be more appropriate?

People most often select convenience over security. It’s better to choose a complex short password than to have a very long password if you are so lazy that you won’t be using the long one.

What are the easiest things that people could do right now to make their online accounts more secure?

Segment your accounts per usernames and passwords. Use a password manager such as F-Secure KEY.

On F-Secure Key

What would the ideal F-Secure Key master password be? (Note: F-Secure Key keeps all of your passwords secure and accessible with one master password)

Something you can remember, something that is built so that it cannot be guessed. You can start with a phrase and change letters to acronyms or shortcuts — for example “Later, later, not today” could be changed into “L8r_L8rNot2day”. But now this example is no longer a good password because it’s being revealed here so do not use it! 🙂

Are there security precautions for social media, webmail and web services that you would recommend for people to keep their digital properties more secure?

Segment your accounts per usernames and passwords. Use a password manager such as F-Secure KEY.

–fini–

Many thanks to Harri for his input. You can get the mobile F-Secure Key product for free here. (Here’s my more detailed post on why it’s such a great app and why increased password security is important.)

You can also try out the premium (multi-device) version free for 60 days. Here’s how to get two free months of F-Secure Key:

Android: Go to Menu-Help- Enter PREMIUM VOUCHER

Enter the code PREMIUMKEYOFFER14 for two free months of the premium (multiple device) service.

iOS: Help Menu- Promotional Code

Enter the code PREMIUMKEYOFFER14 for two free months of the premium (multiple device) service.

Disclosure

I am a paid brand advocate and unrepentant fan of F-Secure Key. I’d like to believe that these facts are exclusive but encourage you to try the free app and test drive the premium app to decide for yourself.

 

Jim Dougherty

Writer and chief of miscellany at leaderswest.com
I'm the guy that wrote the article you just read. Sorry for the typos.
