Spammers have one objective: to make money by posting targeted content that links back to a spammy website. They can do this in several ways, but the easiest and quickest route is to break into companies' databases and take over the accounts they find there.
Lately there has been an increase in attackers getting into websites and stealing account information; we have all heard about Adobe, LinkedIn and others.
Companies do their best to protect passwords, but their efforts are often undermined by the way people choose them. Analysis of one of those major break-ins showed that 15% of users had chosen '123456'; that 15% translates into a staggering 1.9 million people!
It is common for people to have three password levels:
- A simple password for sites like Farmville or Candy Crush.
- A moderate password for sites like Twitter, Facebook or Gmail.
- A strong password for their bank, although 'strong' is often a misnomer.
Users will often reuse the same password on several sites, which makes an attacker's life very easy once they have obtained it from one of them: credentials leaked from the weakest site are simply tried against every other one.
Humans are not the only problem. Sometimes the way the passwords are stored is not ideal either. Nobody can guarantee that a database will never be stolen, so the greatest care should be taken to make the attacker's job as difficult as possible once it has been. That has not always been the case, as the recent leaks have shown.
What are the solutions open to us?
The human element
Human behaviour is difficult to change. Forcing your customers to use a password of a certain strength may put them off signing up; simply showing a password-strength meter as an incentive may work for some.
Some sites let you use your phone as your identity; others offer a single sign-on option where a third party manages user authentication so you don't have to. That takes the human element almost out of the equation, since users can no longer pick a simple password or reuse the same one on several sites.
Storing passwords properly
There are a few common ways in which passwords are stored:
Plain text
This is the worst possible situation: passwords are stored as plain text, with no encryption and no hashing, so whoever copies the database immediately has every password.
1-way cryptographic hash
General-purpose cryptographic hashes such as MD5, SHA-1 and SHA-256 were designed for integrity checking and signatures, where speed is a virtue, not for protecting passwords. That speed is exactly what an attacker wants: a modern GPU can try billions of candidate passwords per second against a fast, unsalted, single-round hash like MD5.
They convert your password into a fixed-length digest that should be very hard, if not impossible, to reverse. The catch is that the same password always produces the same digest, so an attacker can precompute the digests of millions of common passwords once (rainbow tables are the space-efficient version of such a lookup table) and recover the original password from a leaked digest in little to no time.
1-way cryptographic hash with salt
Salt enhances the flavour of food, for our enjoyment. For our security, a password salt is a random value, generated separately for each user and stored alongside the hash, that is mixed into the password before hashing. Two users with the same password now get different hashes, and a precomputed table would have to be rebuilt for every possible salt, which makes rainbow tables nigh impossible to use.
Salting alone does not slow down a brute-force attack on a single hash, which is why the salt should be combined with a deliberately slow, iterated password hashing function such as Bcrypt, Scrypt or PBKDF2. All three take the salt as an input and have a tunable work factor that can be raised as hardware gets faster.
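As an added example (not code from the original post), the following Python shows the difference between the two schemes described above, using the standard library's PBKDF2-HMAC in place of the Bcrypt the post mentions. A constructed list of common passwords stands in for a precomputed table: the unsalted SHA-256 of '123456' falls to it instantly, while a per-user random salt plus an iterated KDF does not. The iteration count, record format and function names are this example's own choices, not anything from the post.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this example: a tiny "wordlist" of common
# passwords, standing in for the millions a real precomputed table covers.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "111111"]


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme: a single fast, unsalted SHA-256 over the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute digest -> password once. This is the simplest form of the
    idea behind rainbow tables: because every site hashing '123456' with plain
    SHA-256 gets the same digest, one table breaks that password everywhere."""
    return {fast_unsalted_hash(pw): pw for pw in wordlist}


def crack_with_table(table, stored_digest):
    """Instant recovery if the digest is in the table, otherwise None."""
    return table.get(stored_digest)


# --- The better scheme: per-user random salt + slow, iterated KDF -----------

# Assumed work factor for this example; tune so one hash costs ~100 ms on
# your own hardware and raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'
    (hex fields). Storing the salt and iteration count next to the digest lets
    you raise the work factor later while still verifying older records."""
    salt = secrets.token_bytes(16)  # 128-bit random salt, unique per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo(iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Run both schemes against the same leaked password and report results."""
    table = build_lookup_table(COMMON_PASSWORDS)

    # Weak scheme: a leaked unsalted digest is resolved by a single dict lookup.
    leaked_unsalted = fast_unsalted_hash("123456")
    cracked = crack_with_table(table, leaked_unsalted)

    # Better scheme: the same password hashed twice gives two different records,
    # so a table built for one user (or one site) is useless for another.
    rec1 = hash_password("123456", iterations)
    rec2 = hash_password("123456", iterations)
    salted_digest = rec1.split("$")[3]

    return {
        "cracked": cracked,                                    # "123456"
        "same_password_different_records": rec1 != rec2,       # True
        "verify_ok": verify_password("123456", rec1),          # True
        "verify_wrong": verify_password("1234567", rec1),      # False
        "table_useless_against_salted": crack_with_table(table, salted_digest),  # None
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The record format keeps the algorithm name, iteration count and salt with the digest, so a later migration to Bcrypt or a higher work factor only needs a new prefix and a re-hash on the user's next successful login; `hmac.compare_digest` avoids leaking how many leading bytes of a guess matched through timing differences.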
Taking security seriously, we use the Bcrypt method on our websites and have updated our servers to SHA-2 (see previous posting on POODLE).