I used to kid Laura about her obsession with computer security. She was constantly trying new firewall programs and could flawlessly rattle off settings to make a wireless router safe.

She earned an A in the technical part. But on a visit to her house, I saw something that changed her grade. There was a big yellow Post-it note on the front of her computer. In nice legible red ink, passwords were listed for various Web sites and online accounts.

Since you read this column, I'm sure you would never do something crazy like leaving your passwords out for all to see. After all, you realize that such a list is fair game for everyone from repairmen to carpet cleaners to casual friends.

We won't dwell on passwords today. But there is a way to test the one you use, to make sure it is secure. Go to this site — www.securitystats.com/tools/password.php — and enter a password. You'll be told just how secure that password is. If the bar turns red, the password is bad. If it's yellow, the password is weak. If it's in the green, so are you.

You'll also get some advice on creating a good password at the same site.

I used Laura's letdown in security as a good example of the most important risk points in being secure online. While a good firewall and technical awareness help, the most common cause of a computer breach isn't some high-tech hacker. The greatest risk comes from what you do.

Let's look at some ways you can go wrong.

I've known several smart people who have been fooled by phisher attacks. The e-mail seems to be from your bank or some trusted online company such as eBay or Amazon. You are given various good reasons in the e-mail to log on to the site and change your password or enter credit card information. But it's a fake Web site — even though it looks like the real thing. That site records your personal data and uses it to swindle you.

You may be thinking that only an idiot would fall for this. But I know of a wife of a federal law enforcement agent and a physician who did just that.

Since these attacks —called social engineering by the security gurus — take several forms, the best thing to do is this: If you are asked for any information, decline. If you worry that the request is real, call the business or independently (not using the address given in the e-mail) go to the Web site and use the contact e-mail address to ask if the request is real.

Another frightening scam that's becoming very popular relies on the fact that everyone loves a bargain. Here's how it works.

You want to schedule a long weekend for yourself but need to find a bargain. As you search the Web, you find a site with such a good deal to Taos, N.M., that you'll almost make money after buying the airline tickets and reserving a room. There's no number to call, but there's a way to make the reservations online.

Unfortunately, the ad was a fake. Web sites that offer prices too good to be true — whether it is a ticket or a new summer sports coat — sometimes are simply efforts to get your credit card information. You don't receive the products, but the crooks get your personal information.

If something sounds too good to be true, listen to your brain instead of your heart.

A really ugly scam involves so-called free anti-spyware and anti-virus programs. Here's where it makes sense to stay with brand-name products such as Windows Defender, Ad-Aware and — for viruses — Grisoft's AVG or Avast.

There are programs that pretend to check for spyware but are actually spies themselves. To make things more complicated, there are malicious programs that use names similar to a legitimate one.

That's especially true with one of my favorite anti-spyware programs, SpyBot Search & Destroy.

The solution? Do a Google search for articles from sources such as CNet (www.cnet.com), PC Magazine (www.pcmag.com) or PC World (www.pcworld.com). These articles will either have direct links to the download site or will at least list the address.

Today's message is a simple one: Your common sense is the world's best firewall. Just make sure that you turn it on.

— Bill Husted writes for the Atlanta Journal-Constitution. E-mail: bhusted@ajc.com.