Online security

Monday, January 25th, 2010

Following up on Tom’s post about passwords, I have noticed that there is an increasing amount of poor security online. As his post shows, people still use really insecure passwords.

I’m signed up to a website that sends me an email every couple of weeks to tell me about their latest offers, and they attach my username and password ‘just in case I forgot’. I wouldn’t be surprised if this is the same website that Tom talks about, and really there is no excuse for it.

The same goes for websites that will send you your password after you run through the forgotten-password wizard on the site. If they are able to send it back to you, they are storing it in a form that can be recovered, and they are doing it wrong. Any programmer who has written a login function for a system has probably stored the passwords in plain text at some point. The main reason for this is probably laziness. I know that I have done it before; it was the first login system that I made.

It’s not even hard to make your database more secure. Store hashes of the passwords rather than the passwords themselves; MySQL has an MD5() function that will do it for you, although MD5 is a fast checksum function rather than a password hash, so a deliberately slow one such as bcrypt or PBKDF2 is the better choice if your platform offers it. Since there are online databases for looking up the hashes of common passwords, add a long random string to the password before hashing it; this is known as salting, and it makes it almost impossible for the resulting hash to be in such a database. When the user tries to log in, append the same random string to what they typed and hash it. If the result matches the stored hash, they must have entered the correct password.

This means that even if the user has a really bad password like ‘password1’, the hash a hacker might get hold of is of ‘password1ReallyLongAndRandomSaltForThePassword’, which no lookup table will contain. In reality it is better to generate a random string for each user and use it as that user’s unique salt, storing it in the database alongside the hash. With a single site-wide salt, two users with the same password end up with the same hash, and one table built for that salt cracks every account at once.

There are a few more things you need to do, especially on public websites, but as far as passwords go this is one of the easiest ways to keep them secure. Since the passwords themselves aren’t in the database, a hacker who dumps it gets hashes, not passwords. The random salt drastically reduces the chances of being able to look up a hash. It doesn’t help against a brute-force attack, though: the attacker has the salt as well, so they can simply hash guesses against each record, and a fast hash like MD5 lets them test millions of guesses a second. A slow hash raises the cost of each guess, but it is still important to use good passwords.
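The three schemes discussed above (unsalted MD5, one site-wide salt, and a per-user random salt) side by side, as an added example that is not part of the original post. The lookup table and the site-wide salt string are constructed for the demonstration; the per-user scheme uses PBKDF2-HMAC-SHA256 from Python’s standard library in place of MySQL’s MD5(), which is the editor’s substitution, and the last function shows the wordlist attack that a salt alone does not stop.

```python
import hashlib
import hmac
import os

# Constructed data for this example: a tiny stand-in for the online hash
# lookup databases the post mentions. Real ones hold billions of entries.
COMMON_PASSWORDS = ["password", "password1", "123456", "letmein", "qwerty"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Hypothetical site-wide salt, as in the post's first scheme.
SITE_SALT = "ReallyLongAndRandomSaltForThePassword"

# Work factor for the per-user scheme; tune so one hash costs ~100 ms on the server.
ITERATIONS = 100_000


def lookup_unsalted(md5_hex):
    """What an attacker does with an unsalted MD5: a dictionary lookup."""
    return MD5_LOOKUP.get(md5_hex)


def hash_with_shared_salt(password):
    """The post's first scheme: one fixed salt for every user, single MD5 round.
    Defeats generic lookup tables, but every user with the same password gets
    the same hash, so one cracked hash unlocks all of those accounts."""
    return hashlib.md5((password + SITE_SALT).encode()).hexdigest()


def new_user_record(password):
    """The post's improved scheme: a fresh random salt per user, stored beside
    the hash. Uses PBKDF2-HMAC-SHA256 (a deliberately slow hash) instead of a
    single MD5 round; that substitution is the editor's, not the post's."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(record, attempt):
    """Login check: re-hash the attempt with that user's stored salt and
    compare in constant time so response timing leaks nothing."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["hash"])


def brute_force(record, wordlist):
    """The attack the salt does NOT stop: an attacker holding the dump has the
    salt too, so they try a wordlist against the record. The only defences
    are a slow hash (ITERATIONS of work per guess) and a password that is
    not in any wordlist."""
    for candidate in wordlist:
        if verify(record, candidate):
            return candidate
    return None


if __name__ == "__main__":
    weak_md5 = hashlib.md5(b"password1").hexdigest()
    print("unsalted md5 of 'password1' reversed to:", lookup_unsalted(weak_md5))
    print("shared salt, two users with same password collide:",
          hash_with_shared_salt("password1") == hash_with_shared_salt("password1"))
    alice, bob = new_user_record("password1"), new_user_record("password1")
    print("per-user salt, same password collide:", alice["hash"] == bob["hash"])
    print("login ok:", verify(alice, "password1"), "| wrong password:", verify(alice, "passw0rd"))
    print("wordlist attack on alice recovers:", brute_force(alice, COMMON_PASSWORDS))
    strong = new_user_record("correct horse battery staple")
    print("wordlist attack on a strong password recovers:", brute_force(strong, COMMON_PASSWORDS))
```

The point to take from the last two calls is the one the paragraph above makes: the per-user salt stops the lookup, but ‘password1’ still falls to a five-word list because the attacker has the salt, while the strong password survives the same list.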

I started using KeePass a few months ago to store my passwords. It will generate random passwords for you if you want, and it saves all your account details in an encrypted database, so you only need to remember one password. I use the portable version of the software and keep it in my Dropbox along with the database. That way I always have the latest version of the database whichever computer I am on. I also have it on my pen drive for when I am out.

It might be more of a security risk to have them all together behind one password, but I find it much more likely that some hacker would get into my account by hacking the websites than by stealing the password safe and then trying to crack that.

A few years ago I had an insecure password, and a forum that I was an admin of got hacked. The hacker found some exploit in PHPBB and was able to gain access to the database. Once there, he was able to look up all the users’ passwords; it wasn’t a very busy forum, only 40 members or so. We restored the forums from a backup and then carried on as normal.

The next day he did it again. We had updated to the latest version of PHPBB by this point, which fixed the bug he used to gain access last time, so we didn’t know how he got in. He then emailed every user a list of every other user’s passwords. We had kept the same admin passwords and he had just logged in. On his last attack he had saved all the hashes, and since we all had really insecure passwords he had just looked them up. He started to log in as us on MSN Messenger and so on, just generally being annoying. I, like a lot of the users, had the same password on most of my accounts, and he had my email address and most common username, so he had basically unrestricted access to everything. I was quite worried about this since some shopping sites save your card details; he could easily have logged into them and spent all of my money.

I, and probably the other users too, spent the best part of that evening changing all my passwords to something more secure: still mostly the same, but I checked that they couldn’t be found in a hash database.

Although I was one of the admins of that site, I could just as easily have been a user with no control over how secure my data was. Just one forum that wasn’t updated was the key to my entire online identity. Since then I have learned that you can never be too safe, and until someone comes up with a better method of identification than passwords we will have to put up with remembering them and trying to have ones that are secure.
