There’s a lot I have to say on this topic, so I’m going to
spread it over a few posts.
Have you ever signed up to a website and seen this field:
‘Enter your password as a 5-character word, using only
lower-case alphabetic letters.’
If so, bad news: the person who created the field has about
as much knowledge of internet security as a brick. Your password and hilarious
pun-based user name are probably now in the hands of whoever could be bothered
to do a quick search.
Let me give you an example. In 2009 there was a rumour that
RockYou, a relatively small online social media gaming company (which used
the above password restrictions), had suffered a security breach. In the days
that followed RockYou said absolutely nothing to its 32 million customers, and when the damage was fully surveyed and released (not by RockYou)
it turned out every single account had been compromised. The passwords had been
stored in plaintext, neither hashed nor encrypted. It’s the IT equivalent of writing your
passwords down on a piece of paper on your desk, and the attackers got in through an
SQL injection flaw, a class of vulnerability that had been common knowledge for a decade.
I have a theory that it was a social experiment to test the
kind-heartedness of the internet, because I can’t quite believe anyone could think
this level of carelessness was a good idea.
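To make the two failures concrete, here is an added example (mine, not RockYou’s code and not part of the original post) using Python with sqlite3 and the standard library. It builds a users table from constructed sample accounts, looks accounts up with user input concatenated straight into the SQL the way an injectable login does, and stores the same table first in plaintext and then as salted PBKDF2 hashes. The table layout, account names and injection payload are assumptions for illustration only.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demonstration (not real breach data).
SAMPLE_USERS = [
    ("alice", "sunshine"),
    ("bob", "letmein"),
    ("carol", "qwerty"),
]

# Classic injection payload: closes the quoted string and makes the WHERE clause always true.
INJECTION = "' OR '1'='1"

PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Store a password as 'salt:pbkdf2' (hex) rather than as the password itself."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}:{digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_db(store_plaintext):
    """Create an in-memory users table holding either raw passwords or salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    for name, password in SAMPLE_USERS:
        stored = password if store_plaintext else hash_password(password)
        conn.execute("INSERT INTO users VALUES (?, ?)", (name, stored))
    return conn


def lookup_vulnerable(conn, name):
    """The injectable pattern: user input concatenated straight into the SQL text."""
    sql = "SELECT name, password FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    return conn.execute(
        "SELECT name, password FROM users WHERE name = ?", (name,)
    ).fetchall()


def dump_via_injection(store_plaintext):
    """What an attacker walks away with from the vulnerable lookup."""
    conn = build_db(store_plaintext)
    return [password for _name, password in lookup_vulnerable(conn, INJECTION)]


if __name__ == "__main__":
    print("plaintext table leaks:", dump_via_injection(True))
    print("hashed table leaks:", dump_via_injection(False))
    print("parameterised lookup with the same payload:",
          lookup_safe(build_db(True), INJECTION))
```

Run it and the plaintext table hands the injected query every password outright; the hashed table hands over only salt:hash strings that still have to be cracked; and the parameterised lookup returns nothing for the payload at all. Hashing does not fix the injection and parameterising does not fix the storage, so a site needs both.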
So how do you guard against this? Unfortunately it’s not
easy to know: any company with common sense isn’t going to tell you how
it stores your information. One tell you can check yourself is the ‘forgotten password’ flow: a site that can e-mail you your current password must be storing it in a recoverable form, whereas a site that only hashes it can do no more than send you a reset link. Interestingly, RockYou’s privacy policy says that they
use ‘commercially reasonable’ measures (accurate as of 19/6/13); ‘reasonable’
is certainly better than ‘none whatsoever’, but what that extends to is
anyone’s guess.
If I was them I would be making a big song and dance about
how secure they are NOW.
These 32 million passwords now form a large part of how
attackers crack modern password hashes: the leaked list is a standard wordlist for
password-cracking tools. I’ll explain how this happens in my next
post.