Guest Post: Beef Up Your Security and Rip Hackers a New One
This post is by Thomas Frank, a junior at Iowa State University who runs a college blog of his own called College Info Geek. As long as you’re not a vacuum salesman, you can connect with him at his website or on Twitter.
As a college student, you’re getting to the point in your life when you have a lot to keep track of online. School email accounts, online banking, FAFSA information, social networks… the list goes on. As you get older, your online life just keeps expanding.
Now that you’re in college and have this expanding online life to keep track of, your online security becomes ever more important. In high school, most of the people in your network were your age, and you probably didn’t have a lot of resources. Therefore, you probably weren’t much of a target for malicious attacks. However, now that you’re in college and most likely over 18, a lot of sensitive data becomes yours instead of your parents’. You can get things like credit cards, and loans are now in your name. You’re also probably a lot more visible on the internet.
I’m going to expose myself to a potential foot-in-mouth situation here and make what’s called a “blanket statement”:
Your online security sucks.
In fact, if we were to somehow personify your online security, it would probably look something like this… On the other hand, I can tell you that, at the present moment, my online security looks a little more like this. I say it looks like this at the present moment because, as recently as two weeks ago, I too had terrible online security.
What I’m talking about specifically in this article are passwords. Most of us, including me, are or were at some point guilty of using the same password on every site we have an account with. Some of you might even use a really bad password like your name spelled backwards or something with nothing but lowercase letters.
In the past, I used to think it was OK to use the same password everywhere as long as it was really secure. Using that line of thinking, I created one really long, complex password, set it on all my accounts, and settled into a false sense of security.
It wasn’t until I started learning about web security that I knew how stupid of an idea that was. Now that I know, I’ve fixed my security problems. In this post, I’ll show you how to do the same thing easily and painlessly. However, before I do that, I want to give you a short primer on why using the same password is a bad idea, even if it’s a really good one.
Essentially, there are two potential pitfalls involved with non-diversification in the security world:
- Screw-ups by you, yourself, and thou
- Screw-ups by the owners of the websites you use
Of course, the potential screw-ups that you could cause are pretty obvious: letting someone look over your shoulder while you type your password, getting drunk and telling it to an attractive lady because you think she’ll be impressed by its complexity, or visiting a sketchy website and netting yourself a nice little keylogger. There are multitudes of ways to accidentally give away your password, and if it’s the same for every account, your screw-up will have given away the keys to the kingdom. One slip-up and you could end up with an empty bank account and a Facebook status that says you’re in a relationship with Russioczechoslavian Yak.
However, the danger of your password being accidentally compromised by the websites you visit is just as real. Let’s look at it this way: you know (with a fair amount of certainty, at least), that reputable sites like Facebook, Twitter, your bank, and the Playstation Network (psych) have built their infrastructure with enough security to protect your password. But how do you know the same is true for the other sites you visit? What about that site you signed up for last week – SuperAwesomeTacoCostumes.com? How do you know the stuff they’ve got on the back end is taking care of your information the right way?
When Sony Pictures was hacked, over 1,000,000 passwords were stolen. Yes, that number is staggering, but two other facts about the incident are even more appalling. First, the passwords were stolen via a simple SQL injection, and second, they were stolen in plain text. This means that Sony was either too stupid or too lazy to even salt users’ passwords.
Essentially, for all the money Sony has, they couldn’t hire a web developer with the sense to write something as simple as this into the code:
$password = mysql_real_escape_string(trim(strip_tags($_POST['password']))); // strip tags, then escape for the query
$salt = bin2hex(openssl_random_pseudo_bytes(16)); // random per-user salt; store it next to the hash so logins can be checked
$password = hash('sha512', $password . $salt); // store this digest, never the password itself
In case you don’t understand this PHP code, let me explain:
- The first line strips text entered into a web field of all special characters and programming commands. This beats SQL injection.
- The second line “salts” the password – that is, it appends a big, random number to it.
- The third line turns the new password into an even bigger, more random string of characters. This means that even if it’s stolen from the database, it couldn’t be turned back into your real password. It’s just jumbled text.
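As an added example, not code from the original post, here is how those same two concerns are handled with the standard PHP APIs: a PDO prepared statement keeps the user's input out of the SQL text entirely, and password_hash() generates a fresh random salt per user and stores it inside the returned hash, so password_verify() can check a later login without a separate salt column. It runs stand-alone against an in-memory SQLite database; the usernames and passwords are constructed sample values.

```php
<?php
// Added example: prepared statements plus salted, slow password hashing.
// Uses an in-memory SQLite database so it needs no server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration: the password itself is never stored, only a salted bcrypt hash.
// password_hash() draws a new random salt on every call and embeds it in the
// string it returns, so two users with the same password get different hashes.
function register(PDO $db, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login: the username is bound as a parameter, so a value such as
// "thomas' OR '1'='1" is compared as a literal string, never parsed as SQL.
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    return password_verify($password, $row['password_hash']);
}

// Constructed sample accounts.
register($db, 'thomas', 'correct horse battery staple');
register($db, 'alice', 'hunter2');
register($db, 'bob', 'hunter2');

echo 'right password:     ', login($db, 'thomas', 'correct horse battery staple') ? "accepted\n" : "rejected\n";
echo 'wrong password:     ', login($db, 'thomas', 'wrong password') ? "accepted\n" : "rejected\n";
echo 'injection attempt:  ', login($db, "thomas' OR '1'='1", 'anything') ? "accepted\n" : "rejected\n";

// Same password, different stored hashes, because each call salted it differently.
$hashes = $db->query("SELECT password_hash FROM users WHERE username IN ('alice','bob') ORDER BY username")
             ->fetchAll(PDO::FETCH_COLUMN);
echo 'alice/bob hashes differ: ', $hashes[0] !== $hashes[1] ? "yes\n" : "no\n";
```

Run it with `php example.php`; only the first login should be accepted, and the two hashes for the shared password should differ.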
If you’re using a website that isn’t smart enough to take security precautions like these, then your password could be at risk. If your password is the same on every site, then your whole online life is at risk.
Let’s Fix It!
Ok, so now that you know why you shouldn’t use the same password, let’s look at how you can beef up your online security without needing to beef up your memory.
First off, yes, you do need to have a different password for every site. However, trying to memorize each password would prove impossible. That’s why it’s necessary to use a password manager.
My manager of choice is Passpack, which is an online manager. There are other choices out there, such as KeePass and LastPass, but I prefer Passpack for a few reasons:
- It’s online – I don’t need to install anything to access my passwords
- It offers an auto-login solution that makes logging into websites super-quick
- It’s never been hacked like LastPass has
Passpack uses industrial-grade security, and it also uses triple-authentication to log in to your “vault” – after logging in with your username and password, you have to pass a spam check by clicking a black box among a group of white boxes, and then you have to enter your “packing key”. The packing key is the most integral part of Passpack – it’s how you (and you only) decrypt your Passpack vault. Only you know it – it’s completely invisible to anyone else, even Passpack employees (which means you must never forget it).
Once you log in, you can start adding entries to your vault. This is standard password manager fare – you create entries with a name, username, password, link, notes, and so on. If you want to log into a website, you can click that site’s entry, find the field with the starred-out representation of your password (so no one looking over your shoulder can see it), and copy it over to the site you’re logging into. Even better, though, is the auto-login feature.
Passpack lets you add a “Passpack It!” bookmark to your bookmarks bar. Then, when you’re on a site that you’ve made an entry for, you can click the bookmark and be automatically logged in.
Since this feature works on almost every website (except, curiously, Twitter), and since you can log into Passpack from anywhere, it’s not actually necessary for you to even know your passwords. I certainly don’t – since finding out about Passpack, I’ve put ridiculously long and complex passwords on most of my online accounts. Passpack even has a mobile site, so you can use it on your smartphone as well.
Hopefully this article has convinced you that you need to beef up your online security. Get to it – if you don’t, you’re just asking for trouble!