How do they deal with the responsibility of holding this stuff, and what do they do to keep us safe from marauding naughties?
What should they be doing?
They should be storing any personal information securely and safely, and doing everything within reason to prevent it from being taken or edited by anyone other than yourself or an approved person. In particular, if you have to log in with a password, they should keep your login credentials in a secure place and make sure your password is not visible to anyone - even the website owners!
The standard way of doing this is that when you create an account (or reset your password) the website ‘hashes’ the password: it runs it through a one-way function and stores only the result. This way your password itself is never stored on the website, and no-one can take that hash and reverse the process to recover your password. When you come to sign in again the password you submit is put through the same hashing algorithm and the result is compared to the stored hash - if it matches then your password must be correct; if not, you’ll have to try again.
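An added illustration of the register-and-verify flow just described; this is not code from the original post, and the choice of PBKDF2-HMAC-SHA256 from Python's standard library with a random per-account salt is my assumption, not something the post specifies:

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not from the post): PBKDF2-HMAC-SHA256, a 16-byte
# random salt per account and a deliberately slow iteration count.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record the site stores: 'pbkdf2_sha256$<iters>$<salt>$<hash>'.

    Only this record is written down; the password itself never is, so there is
    nothing the site could email back to you later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Re-run the same one-way process on the submitted password and compare.

    The stored hash is never 'decrypted'; the only check possible is whether the
    candidate hashes to the same value under the same salt and iteration count.
    """
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:  # malformed record: never treat it as a match
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison so timing differences leak nothing about the hash.
    return hmac.compare_digest(digest.hex(), hash_hex)
```

Because the salt is random, two accounts with the same password get different stored records, which is why a leaked hash from one site cannot simply be matched against another site's table.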
How do you know if they are doing this?
Well, I suppose you could ask them? Generally though, most websites don’t go into lots of detail about how they are securing your stuff. That said, there are things you can check...
Firstly, any website that is storing your personal data should be using a secure protocol for transferring your information from your browser to their servers - this is usually the HTTPS protocol, which you can check by taking a quick look at your browser’s address bar.
The other obvious thing you can check is the password reset process.
When you forget your password you can usually reset your password using a process on the site, which will do one of a number of things:
- email you your existing password
- email you a temporary password
- email you a link to reset your password
- something fancy and different
Of these options the one to be seriously concerned about is the first. As I mentioned before, the site should be hashing your password using a one-way algorithm, and the key word there is one-way: they should have no access to your actual password. So if they email you your actual password you should be very concerned, because they are clearly not hashing it.
Well it’s not a website that contains much important stuff...
Fair enough I suppose - if the site in question isn’t holding any important or sensitive data on you, why should you care if it’s insecure? That’s fine. No worries.
Oh, just one question - you don’t reuse your passwords do you?
A Microsoft study from 2007 suggests that the average person surfing around online has about 25 accounts with various sites, and ONLY 6 or 7 PASSWORDS! Are you one of these?
If you are using the same password on this not-bothered-if-it’s-secure site as your account on eBay/Amazon/email/PayPal... etc. then you really should be concerned about your security.
Password leaks happen more and more frequently online, and the scandalous fellows that perpetrate these things will commonly gather these details and attempt to access higher-value targets with your gathered logins. They may not get much, but it only takes one or two PayPal logins to make it worth their while.
What can I do about it?
Keep all your passwords for secure sites unique! Most of us will admit to reusing some passwords; however, I make sure that only the most unimportant sites ever get the same password. I have a couple of basic passwords for those sites that require a login but contain none of my important stuff. Hardly best practice, but we all have our little ways, right?
If you make sure your high-value sites all have a unique password you will vastly reduce your chances of being caught out by the baddies.
Secondly, if you ever discover a site emailing you your password, or you have any other hints that they might not be playing safe with your details then report them to a site like http://plaintextoffenders.com/ where they can be named and shamed!
In addition you could look on their site for the site administrator’s contact details and drop them a line - I’m sure they’d prefer to hear about their weaknesses from you than discover them first-hand when their site is hacked and their customers’ data is stolen!