SAN FRANCISCO — Every day brings another story about a sophisticated computer hacking operation. Wednesday it was eBay announcing a database of user passwords had been breached.
EBay is recommending users change their passwords on its site and also on any other sites where they might have used the same password.
It's just one more example of something security experts keep trying to tell us: In an increasingly dicey Web environment, consumers need to take a more active role in protecting themselves.
Maintaining good password hygiene is a good example. Too many consumers have easy-to-crack passwords, and far too many use the same passwords over and over again on different sites.
Yes, complex passwords are a hassle, but they keep the bad guys out. You should have a unique, complex password for each website you visit. Passwords shouldn't be common words found in the dictionary and should have a minimum of eight characters including letters, numbers and symbols, said Jim Brennan, director of strategy and product management with IBM Security.
If you know you're not going to do this, get a password-management program to do it for you.
This is important because consumers aren't the only ones who recycle passwords. If a website is breached and attackers successfully steal passwords, they often try to use the passwords to access other popular accounts.
Most important, users need to realize that the Web isn't the leafy green suburb it once was. Gangs have moved in, and there are a lot more dangerous streets. It's not a war zone, but you've got to keep your wits about you and take responsibility for your own safety.
"Hackers today are not just two guys in a dorm room who are trying to goof on you. They're well-funded, well-organized criminal organizations whose intent is financial gain," said Michael Malloy, vice president for products and strategy at Webroot, an anti-virus and security company in Broomfield, Colo.
There are several things every consumer with a computer connected to the Internet should be doing to protect themselves, experts say.
First, you need a computer security or anti-virus program. Whether you choose freeware, a downloadable program or one you buy in a box at an office supply store, get one and install it.
Several companies offer this sort of all-in-one suite of protections. Some of the more popular are Avast, Bitdefender, Norton, Webroot, McAfee and Kaspersky, but there are dozens to choose from.
These programs offer multiple layers of protection. At their most basic, they look at all the files on your hard drive, checking for computer viruses and quarantining them when they are found.
Anti-virus programs also build a digital "checkpoint" between the user's computer and the Internet. Everything that comes into the computer gets inspected.
This catches things like "drive-by downloads," said Gerry Egan, senior director for product management at Symantec, which makes Norton AntiVirus. These are programs hackers hide in poorly protected websites, say, a local sandwich shop.
"Then, when you go to check out what's on special at lunch, you're also being bombarded from their attack website," he said. The anti-virus program monitors your computer for such attacks.
More sophisticated programs also watch the behavior of programs that are running on your computer and stop those that seem suspicious.
"If we were to see a software program that had no user interface, so it's invisible to the user, and it had the ability to collect keystrokes and the ability to send traffic off to a remote location, alarm bells would go off," said Egan.
But an anti-virus program isn't enough. Users also need to pay attention to security upgrades. Hackers are constantly finding ways to subvert popular computer programs. Security teams at companies such as Microsoft and Adobe are equally hard at work writing fixes, which they push out as security patches.
But patches can't protect you if you don't install them.
Run the software updates sent to you, "right when they pop up. Much like a recall notice for your car, ignoring the fix could lead to catastrophic problems," said Darien Kindlund, director of threat research at FireEye, a computer security company.
Finally, don't be stupid. Out on the Web, "There are good neighborhoods, and there are bad neighborhoods," said Malloy.
If a suspicious link comes in, don't click it. Your bank is not e-mailing you a form to fill out with all your account numbers and passwords. Your best friend did not fly to the Philippines for a surprise vacation and then have his passport stolen. No one in Turkey is offering you a sure-thing business deal.
"Even if you had a giant bulletproof vest that protects every portion of your body, you still shouldn't walk into a war zone; it's still just asking for trouble," said Egan.
And by the way? Gaming and porn sites are never in safe neighborhoods. Click at your own risk.
Still, personal anti-virus programs can only do so much. As cybercriminals become more sophisticated, the tech industry must bear some of the responsibility for protecting the customers who use its online products, said Wade Williamson with Shape Security in Mountain View, Calif.
"Consumers," he said, "are starting to demand that the companies they do business with protect them proactively, with security defenses at least as sophisticated as the attacks."