Apr. 2nd, 2011

As webmaster for various sites over the years, security has frequently been a question from users. I receive three or four emails (sometimes very strident) about the security of the IAGSDC site each year. After 35 years in the computer industry, I think I should simply say this:

No, there is absolutely no way whatsoever that I can guarantee the security of information you enter online.

There, that should cover it. The fact is, people are more intelligent than computers. Any protection one person invents can, with enough effort on the part of another, be circumvented. No site is safe from being defaced, or hacked to obtain information. All the biggies have faced this embarrassment at some point - Google, Yahoo!, CNN and the rest.

I pretty much buy everything online. In the past couple of days, I've received legal notifications from two different national stores letting me know their computer systems were hacked, and my name and email address have been stolen. I already guessed, by the sudden flood of email bounces I'm getting, supposedly to emails I wrote, that were actually sent by a spammer. From experience, I know that will die down as they move on to using someone else's email address as the supposed 'sender' of their ads; and there is nothing I can do to stop it. Thankfully, ISPs are normally smart enough to check the actual source of spam before applying any blocking, so it shouldn't affect my legitimate emails. (Well, AOL isn't that smart, so maybe they'll block me from emailing their customers for a while).

I was also reminded that passwords are not a good way to protect online accounts - at least, not the way passwords are implemented by many web designers. That's because no-one ever told them how to do it right. I use a lot of different passwords online, and sometimes have to ask for a password reset. I don't actually mind that at all; it is adding some security to my account. But in two instances recently, I've requested a reset, and the company has SENT ME MY PASSWORD. The all-caps is because I'm just horrified that they could do that, for two reasons. First, it appears they are storing my password in their system, so that means someone who hacks their system can obtain it - and their own IT staff can too. And second, sending a password in email, which can be intercepted by a hacker, is a no-no. I immediately assigned those two accounts different individual passwords, so that if the passwords are hacked, only those accounts will be accessible.

Now imagine what this means to someone who uses the same password for their email, amazon, online banking, and credit cards. Only one company has to actually store the password and get hacked, and then ALL those accounts are exposed to the hacker.

The non-IT folks reading this are probably wondering at this point - how are companies supposed to check a password if they don't store it somewhere? The answer is that there is a specific way to handle passwords for websites so that no one other than the account owner can ever see it; it's called encryption, and the details are too complex for this post - but believe me, I cannot see the password for any account on any website I maintain, even though I have complete access to the data in the system.

What SHOULD happen when you ask to reset your password is that you should get a new temporary one assigned to you. That password should only be good for one login, so that you can change it to something only you will know. This minimizes the risk of anyone taking over your account by exploiting the password.
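As an added illustration of the two points above (this is example code, not the author's or any real site's implementation): passwords are stored only as salted one-way hashes, which is what the "encryption" in this post amounts to, so nobody with database access can read them back; and a reset issues a random, single-use, time-limited temporary credential instead of revealing anything. It uses only the Python standard library; the in-memory `USERS` table, the iteration count and the expiry window are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "user table" for the example; a real site uses a database.
USERS = {}

def _hash(password, salt):
    # PBKDF2-HMAC-SHA256 (standard library). The stored digest cannot be turned
    # back into the password, so even an operator with full data access cannot read it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_account(username, password):
    salt = os.urandom(16)                      # per-account random salt
    USERS[username] = {"salt": salt, "hash": _hash(password, salt), "reset": None}

def login(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison of the freshly computed hash with the stored one.
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))

def request_reset(username, now=None, ttl=900):
    # Issue a random one-time token (the "temporary password"). Only its hash and
    # an expiry are stored, so a database leak does not leak usable tokens either.
    rec = USERS[username]
    token = secrets.token_urlsafe(32)
    rec["reset"] = {"hash": hashlib.sha256(token.encode()).digest(),
                    "expires": (now or time.time()) + ttl}
    return token   # this is what the site would email; it is useless once used or expired

def complete_reset(username, token, new_password, now=None):
    rec = USERS.get(username)
    pending = rec["reset"] if rec else None
    if pending is None:
        return False
    if (now or time.time()) > pending["expires"]:
        rec["reset"] = None                    # expired: discard it
        return False
    if not hmac.compare_digest(pending["hash"], hashlib.sha256(token.encode()).digest()):
        return False
    rec["reset"] = None                        # single use: consumed on success
    salt = os.urandom(16)
    rec["salt"], rec["hash"] = salt, _hash(new_password, salt)
    return True
```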

So remember, if you ask for a password reset on an online site, and they send you or display to you your old password, that site is incorrectly designed and open to exploitation; give that account a disposable password that you'll only use on that one site.
