Experienced Points: How Do You Know If A Web Site Is Secure?

By Shamus Posted Tuesday Feb 24, 2015

Filed under: Column 81 comments

So I did a column encouraging more user paranoia, like I promised last week. I’m not happy with how this turned out. It’s one of the longest pieces I’ve done in the history of the column, and I feel like I barely scratched the surface. It was too big a topic to ram into a single column but I didn’t feel like it was wise to make it two or three parts long. (I didn’t want to embark on an epic three-part series and then after part 1 realize that nobody cared. I’d end up with the Too Human of articles.)

I should have just replaced the whole column with a link to the comments section last week. That was a pretty cool discussion. I find the social engineering side of security so much more interesting than the technical side.

 


81 thoughts on “Experienced Points: How Do You Know If A Web Site Is Secure?”

  1. Zantaros says:

    One trick someone suggested to me with regards to the recovery questions is to make your answer to the question not actually an answer to the question.

    For instance, if the question is “What is/was the name of your first pet?”, then you set the answer as something other than a name for your first pet (or any pet). For Example:

    Your Name
    A backtalk phrase (ex: How should I know?)
    The punchline to an unrelated joke
    The setup to an unrelated joke
    Supercalifragalisticexpialidocious (I may have misspelled that)

    A better solution is for the site not to have recovery questions, but I find that this is a good way of dealing with them (especially since I’m probably never going to be answering the question myself anyway).

    1. David says:

      The best solution is to make the answers to your security questions a 50-character-long random string, and then store that in your offline, encrypted password safe, alongside your 50-character-long random password.

      (You are using a password safe with randomly-generated, unique passwords for every site you use, right?)

      1. nm says:

        Hah, that’s actually what I do for my security questions.

      2. Mistwraithe says:

        It doesn’t provide much of a back up then though does it? If your offline encrypted password safe gets lost/destroyed somehow then you have lost both your password, and the method to recover your password.

        1. Bryan says:

          Well, no, but it’s not a backup. It’s the primary. :-)

          If you need a backup, use a second offline, encrypted safe. I’m not sure on whether I’d recommend using the same master passphrase for the backup safe as the primary one though. Using the same key makes it less likely that you’ll forget the master passphrase when you most need it (when the primary password safe gets destroyed somehow). But using a different key makes it less likely that you’ll forget both keys. Admittedly, not very *much* less likely…

          So yeah, probably the same master passphrase is a good idea.

          (Personally, I use a file per site, with each file encrypted with my GPG key…)

          Of course, I do agree that the security question as auth required to reset the password for the site is a bad idea in this setup. But then, I don’t think it’s a good idea anywhere, so … yeah. :-)

    2. Tizzy says:

      This is a little tricky, though. Providers who think they’re smart will ask you only a subset of those questions, so it’s very important to remember not only how you answered, but the exact mapping of questions to responses, instead of, say, remembering the order in which you provided your sassy answers.

  2. Phill says:

    I’m going to guess that since the column is drawing on the extended discussion here last week, there’s not really going to be all that much to discuss for twentysided readers…

    1. Dahud says:

      Let’s talk about spaceships instead.

      1. Shamus says:

        Controversial opinion incoming: Spaceships are nice.

        Discuss.

        1. MichaelGC says:

          Total thread derailment incoming: do the Reapers count as spaceships?

          1. Dahud says:

            For that matter, does HAL 9000? He wasn’t very nice, either.

            1. modus0 says:

              Hal was the ship’s A.I., the vessel was the Discovery One.

              So no, the Hal 9000 is not a spaceship.

              1. Trainzack says:

                Useless statement with no evidence incoming:

                I disagree.

            2. Tektotherriggen says:

              HAL, SHODAN or GLaDOS: Who’d win in a fight / philosophical discussion / passive-aggressive argument?

              1. krellen says:

                SHODAN, HAL, GLaDOS, in that order.

              2. ehlijen says:

                Where does the computer of the Heart of Gold fit into this fight?

                1. swenson says:

                  In my opinion, it’s really impossible to tell. We have no data on the tea-making capabilities of SHODAN, HAL, or GLaDoS, so there’s no objective way to compare them all.

                  1. ehlijen says:

                    Does that also disqualify the computer of the Enterprise D then?

                2. Decius says:

                  It fits randomly into the results.

            3. Alexander The 1st says:

              At least he was polite.

          2. Jexter says:

            No. They obviously count as Giant Space Squid, which are a type of Space Cthulhu. Space Cthulhu eat ships, but Reapers don’t eat themselves and therefore aren’t ships. Q.E.D.

        2. Trix2000 says:

          WHAT HAVE YOU DONE

          Spaceships are not ‘nice’, they’re SHINY!

        3. Joe Informatico says:

          Spaceships, yes. Space fighters, no.

          1. nm says:

            I know we’re being silly, but space fighters are just super silly. People can’t react at relativistic speeds and little tiny ships are just as hard to hit from crazy ranges as the big ships that carry them around. Better to have the economies of scale that come with big ships with big power plants.

            1. ehlijen says:

              If you stress the ability and need for aerospace operations in your setting, i.e. both space and atmospheric action, you may want smaller, aerodynamic fighters after all.

              But I put space fighters into the same box as mecha and scifi super tech long swords: I’m willing to accept almost any half decent justification as long as you make them have cool fights.

            2. swenson says:

              Semi-autonomous space drones, on the other hand…

        4. nm says:

          Have you given KSP a look recently? They’ve made big strides in career mode, and while I thought I would be a sandbox player for life, the tech tree thing is actually a pretty nice concept. It lets you ease your way into the huge number of parts and gives you interesting challenges. Meanwhile, the missions give you a REASON to set up that awesome Munbase.

          Disclaimer: I haven’t played in a few months, so they may have more/better things now. Last I heard, they were working on multiplayer.

          1. Shamus says:

            Yeah. I really enjoy it. I was the same way: Sandbox all the way until they introduced science points.

          2. RTBones says:

            Have to agree with Shamus – I also really enjoy it in career mode. I hadn’t played in a while and picked it back up a couple weeks ago. Science points and the fact that you have to fund your own explorations by performing contracts have given career mode a huge boost.

  3. MichaelGC says:

    A little surprised ‘plaintext password reset’ didn’t end up at Number One in the, er, end.

    I’m looking at you, Marvel Unlimited! For a site which takes your payment info, I’m surprised it’s even sodding legal! All I wanted to do was re-live my entire childhood through the medium of digital comic books, but noooooo. *sobs*

    Still, I have to admire their Customer Support. Verrrry persistent. They were not going to let my emails go unanswered, dammit, however long it took. Even if it took months!

    (Which it did. Five months, in fact. Five.)

    1. Tizzy says:

      Coincidentally, I created an account on a website today. Somebody is paying someone good money to maintain this service.

      What is the first thing that happened? I received an email confirming the creation of the account, with login and password in plain text.

      I didn’t realize this was ever a done thing. Still too stunned to be quite furious enough.

  4. Eric says:

    No mention of HTTPS at all?

    While HTTPS is no sign of perfect security, it is a good thing to check for on any web site that requires payment details. If they don’t use HTTPS or don’t have a valid security certificate, don’t do business with them.

    (Coincidentally, The Escapist and most other forums etc. do not use HTTPS.)

    Another note on point 1. Tyrannical password requirements – you kind of skirted over the most obvious issue involved, which is that sites that have such strict, limited requirements for passwords probably don’t hash and salt your password and store it in plaintext instead.

    1. Attercap says:

      “Another note on point 1. Tyrannical password requirements – you kind of skirted over the most obvious issue involved, which is that sites that have such strict, limited requirements for passwords probably don’t hash and salt your password and store it in plaintext instead.”

      While often true, this is not always the case. A lot of the clients my company develops websites for hash or encrypt a user’s password, but then we get the request from the client to add what they believe is additional security even if it’s not always the case–this is typically mandated by a CEO or other non-IT-savvy individual and it’s rarely worth the effort of arguing rather than just throwing in some idiotic validation.

      Personally, I get more worried about sites storing plaintext passwords when the character limit is arbitrarily low (especially if set to 20 or 50 characters, which are default string lengths for some databases).

    2. guy says:

      Yep, just used wireshark to check The Escapist. On logging in, the username and password are sent in plaintext via standard HTTP. That is… not good.

  5. David says:

    There’s actually an easier answer to your question:

    “How do you know if a web site is secure?”

    It’s not. I don’t care what website it is, I don’t care whether they have the best security people hardening their firewalls and salt their passwords and whatever else is “best practice.” If it’s on the Internet it’s not secure. There’s always a hole, always a bug, always a way to exploit it, and if someone really wants to get in, they will.

    That’s not paranoia, that is the unfortunate reality of computers.

    Edit: Sorry, not to say that the points in your article are wrong, but just that they’re addressing a different issue. The name of the game as a user of the Internet is not “Only give your info to sites that are perfectly secure” — instead, it’s all about risk mitigation, which your article speaks to pretty well.

    You’d also be surprised at how many gaming sites and other “register to get this thing” are perfectly OK with flat-out lies. There are a lot of sites I’ve registered at as John Doe with [email protected], and a zip code of 11111.

    1. Wooji says:

      One of the first things we learned in my network security classes was that the question is never “Can our security be cracked/hacked?” the questions are “How much work is required to crack/hack our security?” and “How can we minimize the amount of information that will be stolen?”

      1. krellen says:

        It is in fact possible to make a system that is completely, 100% hackproof. It is, however, impossible to ever USE that system.

        1. RTBones says:

          Agreed. Security, by definition, is not user friendly. If it were, more people would use it, fewer people would be scared of it, and people might wonder if the secure site really is well secured. One thing for sure – if security *were* user friendly the folks working in the area of security would have less job security and be less secure … in their futures.

          Apart from the first (two) sentences (which, one could securely term them – ‘the real post’), you can rest secured that I am securely trying to use the word ‘secure’ and its maybe-not-so-secure derivatives as much as possible.

      2. ehlijen says:

        I was taught the question was:

        How valuable is the thing we want to protect and how much do we need to spend to make it so secure that it costs more to break in than a successful break in will gain the attacker?

        Ie, how much money do you have to throw at the problem until it’s not worth it for anyone to try and exploit the problem anymore?

        At that point, you only really have to worry about insane attackers or those who attack only for the challenge (and against those, you can’t effectively defend). That’s as good as internet security can really get.

        The problem is, many security decisions instead go “let’s not spend more than the thing we’re protecting is worth to us”, and a customer’s payment details sadly don’t rank all that high to some, it seems.

        1. Tizzy says:

          There is another factor to keep in mind. The old: I don’t have to outrun a bear, I just have to outrun you.

          Just be more secure than your competitors out there.

    2. Tizzy says:

      Registering with completely fake data is fine so long as you really couldn’t care less about losing access to your account at any given moment. Because, if you lose your password, how can you possibly reset it if everything you entered is false?

      Which is all well and good, but, in that case, I don’t even bother to sign up in the first place.

  6. Pretty good article, Shamus; it didn’t get too tech heavy.

    Though as noted by Eric above, a mention of HTTP vs HTTPS might have been nice. (That could probably be an article on its own, especially if you throw WiFi and public nets/LAN/hotspots in there too.)

    I do wish, though, that you had highlighted “If you use the “I forgot my password” option and they send you back your old password in plain text, then this site is 100% trash” in big red letters and made it its own bullet point, really; that is all kinds of wrong on its own.

    Not sure you could do much better with the article though, not without exploding people’s heads in the process at least.

  7. burningdragoon says:

    I end up doing this weird dance every month when I pay off my power bill (because I’m not going to send a check every month like some kind of savage):

    Enter my username, go to next page.
    Confirm that the image presented is the one I chose at sign up.
    Click the forgot password link, because the site has not once remembered it, even when I save it to a text file and copy-paste. (ewww)
    Answer easy security question. (ewww)
    Get temporary plaintext password in email. (ewwwwww)
    Enter temp password, create new gibberish password that won’t matter next month.
    Die slightly on the inside because this is terrible.

    It’s either horrifying or a very convoluted way of having a two-factor authentication system.

    1. Tizzy says:

      I’m the savage who sends a check every month. Gotta keep the postal service in business, too.

    2. Ivan says:

      I have a password I keep forgetting, so I keep having to have it reset. More annoyingly, though, I hadn’t actually forgotten it; I had just managed to mistype it three times in a row and gotten locked out. Then when I went to reset it I used the same password, because I must obviously have been mistakenly using a different password. The site responded with “your new password can’t be the same as any of your previous passwords”.

      So yeah, I was kinda annoyed, because now I have to change the password and I’ll probably forget the new one. Anyway, three tries is an annoyingly small number of attempts, especially if the site makes you have a convoluted password. I mean, if someone is trying to brute force my account they’re going to need a lot more than three tries to get it right.

      1. Richard says:

        Not to mention that “Total lockout after n incorrect tries” is a very effective enabler of denial-of-service.

        If somebody wanted to completely shut that website down, all they have to do is log in wrongly 3 times to as many accounts as they can guess and it’s down for days at very little cost and very low risk.

        Rate-limiting is the only sane way to do this – only allow a given IP address to attempt to login once every x seconds, and only allow a given account login attempt every y seconds. For bonus points, increase them on each attempt up to a reasonable maximum, resetting after a successful login.

        If you choose good values for x and y, no real users will ever notice, because they can’t type that fast.

  8. Sean Riley says:

    I admit, I could use some explanation on a few points, as someone who occasionally attempts to explain security basics to patrons but isn’t a pro myself.

    1. The Correct Horse Battery Staple idea. I’d always thought that this was a technique that had since been strongly combated with new versions of dictionary attacks (as discussed here: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/3/ ) while strongly randomised passwords remained the most secure, though the memory issue remains true. (I’m a big fan of the Schneier scheme that creates passwords like Mfm,BJM,i112ml! out of phrases like “My favourite movie, Being John Malkovich, is 112 minutes long!” and no, I don’t use that particular password.) What do you mean when you say they’re attacking the whole system? I thought the goal was steal the hashes and start trying to brute force from there.

    2. How does a limit on password size imply a lack of hashing?

    1. guy says:

      1. Yeah, it is vulnerable to dictionary attacks. You can get around that a bit with non-dictionary words and intentional misspellings, though more sophisticated dictionary attacks are wise to common misspellings and stuff like a->@.

      2. The thing with hashes is that they map inputs of any size to outputs of a given size. Meaning there are more possible inputs than possible outputs*. That helps make them more secure, because it means there is no inverse function; functions map inputs to exactly one output, so if a function maps multiple inputs to the same output you cannot create a function that maps outputs to the input which produces them. It also means that your password takes up exactly as much space when hashed no matter how long it is in plaintext and so if they’re doing length limits for storage reasons it means they aren’t hashing. However, there are other reasons to limit length. If you can only type in 30 characters, they don’t have to worry about you typing in 7 million characters and stealing root access because the hashing program ran out of memory and overflowed.

      *Yes, this does mean that there exist a theoretically infinite number of other passwords with the same hash value as your password. That usually isn’t a big deal.

      1. Athan says:

        Re: Hashes… the point is more that it is very computationally expensive to find a plain text, any plain text, that will hash to the known hash value. If this wasn’t true then the “many inputs for this one output” would actually be a weakness.

        1. guy says:

          But if there were only one possible input for an output, it would be possible to create an inverse function and map hash values to plaintext. Most probably in about the same time it takes to map plaintext to the corresponding hash value, though that does depend on the function. But still much faster than “map plaintext to hash values until you find one that works”. Which is ideally the only way to find one.

          As for the collision thing, that’s not a problem if you’re trying to stop people from finding a particular plaintext (namely, if they’ve stolen a database of hashed passwords and want the plaintext to use at other sites) unless there’s some predictable relationship between plaintexts that map to the value.

          Now, it is a problem for securing logins in that it means someone just needs to blindly guess a password with the exact same hash as yours instead of guessing your exact password. So they make hashes large enough that isn’t particularly likely.

    2. Trix2000 says:

      1) Part of the idea I think would be to make the password long enough (or have enough variable parts) such that even a dictionary attack that can pick apart words in it would take far too much time to break through. That and making one or more parts of it made up or unconventional can further strengthen it without adding too much complexity to remembering it.

      No password is perfectly safe, but you can make it too much trouble to bother with.

      2) Might have to do with space – if all stored hashed passwords are the same length, you know exactly how much space to allocate to them regardless of what they are. So to the database, the contents of the actual password wouldn’t really matter and thus the length is irrelevant – all it cares about is the resulting hash.

      Unless there’s a limit to how long a string the site can parse into a hash – in that case I could understand it – but I’d expect the limit on that to be fairly large, to the point where it might as well not be a limit.

      So if the site has a small limit (like 8-10 chars), it could be that they do it to limit space. No idea if this is actually the reason (someone want to enlighten me?), and I’d still expect something larger to be honest. Could just be an indication that they don’t care about password complexity (if they did, they’d allow long passwords), and it wouldn’t be surprising if they also didn’t care about hashing (which is a somewhat more complex concept).

      1. Richard says:

        Given how cheap hashing is, there shouldn’t be a limit that a human could hit by typing.

        Hashing many KB of data is effectively instant.
        Nobody is going to have a password that’s anywhere near 500 characters long, let alone thousands.

    3. Wooji says:

      If the goal is to get access to as many accounts as possible as fast as possible the more likely route is to steal the hashes and then use rainbow tables to find the passwords instead of brute force since brute forcing passwords take a lot of time compared to a good rainbow table.

      We tried this in a security class; finding the passwords for some given hashes with rainbow tables took about 1 hour, compared to a brute force that our professor had set up 18 months earlier that still wasn’t finished.

      1. Sean Riley says:

        Yeah, ‘brute force’ was the wrong term there – I meant it as an umbrella term for a bunch of routine approaches. But the same basic idea: steal the hashes and start churning possibilities, using whatever tricks you can to eliminate the improbable and speed up the process.

      2. Phill says:

        As I understand it, rainbow tables are pretty much the same as brute forcing a password when you are attacking a single password (actually slightly worse due to hash collisions). The advantage of a rainbow table is when attacking multiple passwords.

        But it is still essentially brute force – you are still basically trying a vast number of passwords until you happen across a match.

        1. Sean Riley says:

          That’s nearly always the scenario, though. It’s very rare for a hacker to be trying for one specific password – the goal is cracking very, very large numbers of them.
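Added example, not code from the thread or from any site discussed in it: a salted, iterated password hash in Python that makes two points from the comments concrete. guy’s point in comment 8.1 is that a hash turns an input of any length into an output of fixed length, so a stored hash costs the same space whether the password is 7 or 7,000 characters; Wooji’s point in comment 8.3 is that precomputed (rainbow) tables work against a bare hash, and the per-user salt is what defeats them, since the same password yields a different digest for every user. PBKDF2-HMAC-SHA256 from the standard library is used here only because it is available everywhere; the iteration count, salt size and record format are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for this example (not values from the thread).
ITERATIONS = 200_000   # work factor: slows each guess against a stolen database
SALT_BYTES = 16        # per-user random salt

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The digest is always 32 bytes regardless of the password's length, so a
    database column for it never needs a password length limit."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)   # CSPRNG, unique per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def digest_length(record: str) -> int:
    """Length in bytes of the stored digest (always 32 for SHA-256)."""
    return len(bytes.fromhex(record.split("$")[3]))

def salts_differ(record_a: str, record_b: str) -> bool:
    """True when two records for the same password would not match a shared table."""
    return record_a.split("$")[2] != record_b.split("$")[2]

def demo() -> dict:
    # Constructed sample inputs: a short password and a very long passphrase.
    short = "hunter2"
    long_pw = "correct horse battery staple " * 200   # roughly 5,800 characters
    r_short = hash_password(short)
    r_long = hash_password(long_pw)
    # Two users choosing the same password get different salts and digests,
    # so one precomputed password->hash table cannot be reused across them.
    r_user1 = hash_password(short)
    r_user2 = hash_password(short)
    return {
        "short_len": digest_length(r_short),
        "long_len": digest_length(r_long),
        "verify_ok": verify_password(short, r_short),
        "verify_wrong": verify_password("hunter3", r_short),
        "same_pw_different_records": salts_differ(r_user1, r_user2),
    }

if __name__ == "__main__":
    print(demo())
```

Note the contrast with the situation Eric and Attercap describe: a site that stores the plaintext has a reason to cap password length at a column width, while a site storing this record has none, which is why a low limit is a warning sign.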

    4. Bryan says:

      On 1 — no, I think their setup does *not* actually help with Correct Horse Battery Staple style passwords, if those were properly generated.

      The way to properly generate such a password is to find an enormous word list, and *randomly* pick N words out of it for some N. Then make up something to get you to remember those words. The bigger N is and the bigger your word list is, the harder it is to find, even if someone is using this combinator attack.

      If the source dictionary is 100k words, and you’re choosing five of them at random, then either the combinator has to try 10**25 words, or they have to get lucky somewhere. (If one word happens to be in a smaller attack dictionary, then they might. On the other hand, cutting one dictionary down by a factor of 10 still gives 10**24 required attempts.)

      Having a word that isn’t in any attack dictionary does help a lot more, but just forcing 10**20-mumble attempts still helps a lot…

      1. Decius says:

        Overestimate by a factor of two.

        Assuming that you choose the words randomly, you expect that the attacker will test half of the possible combinations before finding your password.

        That’s still 100,000^5/2, or 10^5^5/2, or 5e9, assuming five random words from a 100k word dictionary.

        I suggest using dice, because opening a dictionary to an arbitrary page is not nearly random enough.
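Added example, not code from the thread: a small Python script that carries Bryan’s and Decius’s arithmetic through and generates a passphrase the way Bryan describes (uniform random picks from a large list). The word list here is a constructed stand-in of a dozen words so the script runs offline; the helper names and the guess-rate figure used in the comments are assumptions for this example. It uses the `secrets` module rather than `random`, which is the programmatic equivalent of Decius’s dice: the choice must come from a cryptographic random source, not from flipping a dictionary open.

```python
import math
import secrets

# Constructed stand-in for a real word list (a real one has thousands of entries).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "lantern", "cobalt",
                "meadow", "granite", "velvet", "orbit", "saffron", "tundra"]

def keyspace(list_size: int, n_words: int) -> int:
    """Distinct passphrases when n_words are drawn uniformly, with replacement."""
    return list_size ** n_words

def expected_guesses(list_size: int, n_words: int) -> int:
    """Decius's point: on average the attacker finds it halfway through the space."""
    return keyspace(list_size, n_words) // 2

def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of the passphrase in bits: n_words * log2(list_size)."""
    return n_words * math.log2(list_size)

def expected_seconds(list_size: int, n_words: int, guesses_per_second: float) -> float:
    """Average cracking time at a given offline guess rate (rate is an assumption)."""
    return expected_guesses(list_size, n_words) / guesses_per_second

def keyspace_one_word_known(list_size: int, n_words: int, attack_list_size: int) -> int:
    """Bryan's weaker case: one word also appears in a smaller attack dictionary,
    so that position is searched over attack_list_size words instead of list_size."""
    return attack_list_size * list_size ** (n_words - 1)

def generate_passphrase(words, n_words: int, sep: str = " ") -> str:
    """Pick n_words uniformly at random from the list using a CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

if __name__ == "__main__":
    # Bryan's numbers: 100k-word list, five words.
    print("keyspace:", keyspace(100_000, 5))
    print("expected guesses:", expected_guesses(100_000, 5))
    print("bits:", round(entropy_bits(100_000, 5), 2))
    print("one word in a 10k attack list:", keyspace_one_word_known(100_000, 5, 10_000))
    print("sample:", generate_passphrase(SAMPLE_WORDS, 5))
```

Two things the numbers show: five words from a 100k list is about 83 bits, and shrinking one position to a 10k attack dictionary only divides the space by ten, which is Bryan’s point that the construction survives a combinator attack as long as the words were really drawn at random.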

  9. Thomas says:

    From the way you’d described it, I thought your article was going to be kind of rambly and inconclusive.

    And instead it was to the point, very readable and gave the nice feeling you get when you’re absorbing information through pop culture osmosis. (It also didn’t feel long, even if it was)

    I guess you were talking it down for not covering everything people need to know? But it was still a nice short list of some good things that people need to know.

    1. Trix2000 says:

      Yeah, I was expecting a three page article or something. YOU LIED TO ME.

  10. Bloodsquirrel says:

    What I wonder is: who the hell still designs systems that will let you try enough times to guess even a weak password?

    It shouldn’t matter if your password would take ‘only’ 100 million guesses; anyone guessing more than 10 times should get locked out for ten minutes. Unless you’re using one of the top 100 passwords (like 12345678) random guessing should be a complete non-issue.

    1. Shamus says:

      The idea in this case is that we’re trying to minimize damage to the user when the site itself gets hacked. If a hacker grabs your database and runs off with it, they can LOCALLY attack the passwords. (That is, trying to crack the passwords on their own machine.) These solved passwords can then be used to steal credit cards, gain access to the same user on other sites (for people who reuse passwords), or grant the hacker admin access to the site. (If they solve the password of one of the site admins.) The attacked site will often have NO IDEA they’ve been hacked, so “quiet” attacks like this can result in future damage.

    2. krellen says:

      No one brute forces a password on the site the password is on. They steal databases; poor databases give them plain text passwords right there, good databases give them an array of hash values to then brute force and compare to on their own servers.

    3. guy says:

      Well, you might not want to lock it out because that would make it easy for a malicious user to seal out legitimate users. And it’s usually not a problem over the internet because it takes too much time per guess. And is really obvious in the server logs.

    4. ehlijen says:

      But how does the system know the same person tried more than 10 times?

      Be it botnets or IP/MAC faking, if you can convince the server you’re someone new, you get 10 new tries right away, and since identification on the net will always depend on information the target to be IDed needs to provide, perfect disguises are always possible.

      And if the server is set to give 10 tries regardless of source, you will have no one able to log in if even one botnet looks at it funny.
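Added example, not code from the thread: a login throttle in Python that implements the scheme Richard lays out in comment 7.2.1 (a minimum gap per IP address and a second, independent gap per account, both growing on each failure up to a cap and resetting on success) and that addresses the two objections in this comment 10 subthread: a hard lockout after n failures is a denial-of-service lever, and a per-IP limit alone is side-stepped by a botnet. The class takes the current time as an argument so it runs offline; the IP addresses, account name and delay values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

@dataclass
class _Bucket:
    failures: int = 0        # consecutive failures since the last success
    not_before: float = 0.0  # earliest time the next attempt is allowed

class LoginThrottle:
    """Rate-limit login attempts per source IP and per target account.

    After a failure the next attempt is allowed only after base * 2**failures
    seconds, capped at max_delay so an attacker cannot lock a user out for
    days; a successful login clears both counters."""

    def __init__(self, ip_base: float = 1.0, account_base: float = 2.0,
                 max_delay: float = 300.0):
        self.ip_base = ip_base
        self.account_base = account_base
        self.max_delay = max_delay
        self._ip: Dict[str, _Bucket] = {}
        self._account: Dict[str, _Bucket] = {}

    def _delay(self, base: float, failures: int) -> float:
        return min(base * (2 ** failures), self.max_delay)

    def check(self, ip: str, account: str, now: float) -> Tuple[bool, float]:
        """Return (allowed, seconds_to_wait); the stricter of the two gaps wins."""
        ip_gate = self._ip.get(ip, _Bucket()).not_before
        acct_gate = self._account.get(account, _Bucket()).not_before
        wait = max(ip_gate, acct_gate) - now
        return (wait <= 0, max(wait, 0.0))

    def record_failure(self, ip: str, account: str, now: float) -> None:
        for table, key, base in ((self._ip, ip, self.ip_base),
                                 (self._account, account, self.account_base)):
            bucket = table.setdefault(key, _Bucket())
            bucket.not_before = now + self._delay(base, bucket.failures)
            bucket.failures += 1

    def record_success(self, ip: str, account: str) -> None:
        self._ip.pop(ip, None)
        self._account.pop(account, None)

    def attempt(self, ip: str, account: str, password_ok: bool,
                now: float) -> Tuple[str, float]:
        """Process one login attempt; password_ok stands in for the real check."""
        allowed, wait = self.check(ip, account, now)
        if not allowed:
            return ("throttled", wait)
        if password_ok:
            self.record_success(ip, account)
            return ("ok", 0.0)
        self.record_failure(ip, account, now)
        return ("failed", 0.0)

def demo() -> list:
    """Constructed sequence: one client failing, a second IP joining, then success."""
    t = LoginThrottle()
    log = []
    log.append(t.attempt("198.51.100.7", "alice", False, now=0))   # failed
    log.append(t.attempt("198.51.100.7", "alice", False, now=1))   # throttled, wait 1s
    log.append(t.attempt("198.51.100.7", "alice", False, now=2))   # failed; gaps now 2s / 4s
    log.append(t.attempt("203.0.113.9", "alice", False, now=3))    # new IP, still throttled on the account
    log.append(t.attempt("198.51.100.7", "alice", True, now=6))    # ok; counters reset
    return log

if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The fourth step is the botnet case: a fresh IP address gets a fresh per-IP bucket, but the per-account gap still applies, so spreading guesses across many sources does not buy more attempts against one account. The cap keeps the worst an attacker can inflict on a legitimate user to a bounded wait rather than a lockout.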

  11. Eric says:

    Furthermore:

    If you are using passwords you remember for everything, just stop right now.

    Get LastPass or 1Password if you want the “easy way”.

    If you want the slightly harder but slightly safer way (i.e. you don’t trust any third party/non open source software), get KeePass and use that along with optional browser plugins and mobile apps.

    There is absolutely zero reason to use anything other than lengthy 100% random passwords on all web sites, when the convenience and speed of using a password manager these days actually exceeds that of trying to type them in and keep them memorized.

    If every one of your passwords looks like this:

    E:eKC9I,rV,/bF0JI=”MaU1Ta+#^RhLl
    IX7QL~”y@29d6qFn2i!qoP=uTS|XO%o6
    oI$0ug08pt^Zo@0bg”PiN6c9r`tw,k^

    and is unique for each site you sign up for, then the chances of any security breach on one site affecting you on any other site are practically nonexistent.

    For even better results, get an email service that offers email aliases and use different addresses on different sites (or extensions like +address if your provider supports it).

    1. Decius says:

      Put all your trust in one juicy basket that stores ALL of your passwords in a decryptable manner?

      1. That depends; if the encryption is good and the master password is complex enough then trying to crack it would take ages (the exception being the likes of the NSA etc., which can brute force most things given enough time & resources, unless they have shortcuts they can use).

        So offline solutions like KeePass or similar online solutions allow you to be more secure than if you use “simple” passwords.
        Then again, this assumes all the sites you use allow long hexadecimal or Base64 or UTF-8 passwords; not all sites do, sadly.

        Some people advocate single sign-on; in theory it’s good, but in reality if it goes down then the dozen (or more) sites you use are suddenly useless as you cannot log in to any of them.

      2. Eric says:

        If someone needs physical access to reach my database and then also long enough with it to crack the password… yes, I’d say that’s secure enough.

        Security isn’t an absolute. A single fixed failure point you know about is better than many, many failure points you don’t.

  12. Steve C says:

    I thought the Lenovo link was going to take me to a story about the Gemalto SIM hack. A few billion SIM cards have had all of their encryption keys stolen the day before by the Equation Group. The Lenovo stuff was new info to me. That’s going to sink them.

    1. Thomas says:

      The Equation Group is probably a national spy agency though right (*coughNSAcough*). These days you just assume they have access to everything anyway :p

      1. guy says:

        There’s a reason why whenever I read an article about how people are switching to non-US software or services to keep the NSA from hacking them I just start giggling. The SIM card thing was discovered a few days ago but apparently happened in 2010.

  13. Tizzy says:

    I remember 15 years ago being pressured into creating an account that I really didn’t want or need. When I was prompted for a password, I reacted in a predictable fashion, and when I entered it, I was met with the message: “profanity detected”.

    Really? That’s the best use of your programming skills, parsing a password for embedded swearwords?

    I’d rather you didn’t require me to create an account every time I want to do something online!

    1. Decius says:

      That “predictable fashion” is a really insecure password from the point of brute force. It shouldn’t let you use it.

      1. Ivan says:

        I don’t know, do you really want to put a lot of effort into protecting accounts of people who are obviously not taking their security seriously in the first place?

        In any case I like to think that this particular site stored their passwords in plain text and that the filter was a misguided attempt to make their database look more professional.

        1. “do you really want to put a lot of effort into protecting accounts of people who are obviously not taking their security seriously in the first place?”

          Yes you should do as much as possible to protect the ignorant or stupid. Usually because they either #1 give you money for a product, or #2 are directly or indirectly your revenue stream.

          If you are the reason that the password of 12345 for [email protected] is leaked then the responsibility falls on the site/system and not the user.
          Sure the password is stupid and easy to guess but if salted hashes are stored then a cracker may not know that.
          If it’s plaintext or unsalted then you essentially helped the cracker, especially since salted hashing is so easy to do.
          You gotta secure your users.

          You would not want a bank to say “No point locking the cash vault at night, our customers use the money for stupid things anyway” which makes no logical sense, so websites should not do it either.

          A site should be designed with the potential for a database theft in mind so that when/if it happens the damage and fallout is at a minimum.

          Infection of the website itself is a whole other matter. But unlike a database theft, a hacked site can be more easily noticed; a stolen database can be processed offline.

          There are probably more databases being stolen than are in the news, as those who steal them keep quiet about it for various reasons.
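
As an added illustration of the salted-hash point made in the comment above (example code written for this page, not taken from the original post or from any site under discussion): three constructed accounts, two of which chose the weak password 12345, are stored first with a bare unsalted SHA-256 and then with a per-user random salt and an iterated PBKDF2. The usernames, the iteration count and the `iterations$salt$digest` storage format are assumptions for the example.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample accounts (not real users): two of them chose the weak
# password the comment mentions, 12345, which is exactly what a stolen table exposes.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "12345",
    "bob": "12345",
    "carol": "correct horse battery staple",
}

# Illustrative parameters, assumed for this example; a real site tunes the
# iteration count to its own hardware and should prefer a memory-hard KDF.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_unsalted(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Equal passwords give equal
    digests, so one precomputed table or one lucky guess cracks every matching
    account in the stolen database at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as 'iterations$salt_hex$digest_hex'.
    A fresh random salt per user means identical passwords no longer collide,
    and the iteration count slows down an offline attack on a stolen table."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count recorded alongside the digest,
    then compare in constant time so the check itself leaks nothing."""
    iterations_s, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations_s)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def count_duplicate_digests(table: Dict[str, str]) -> int:
    """Number of accounts whose digest is shared with another account: what an
    attacker holding the stolen table learns for free about password reuse."""
    counts = Counter(table.values())
    return sum(c for c in counts.values() if c > 1)


def build_tables(
    users: Dict[str, str] = SAMPLE_USERS,
) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (unsalted_table, salted_table) for the same set of users."""
    unsalted = {user: hash_unsalted(pw) for user, pw in users.items()}
    salted = {user: hash_salted(pw) for user, pw in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("accounts sharing an unsalted digest:", count_duplicate_digests(unsalted))
    print("accounts sharing a salted digest:  ", count_duplicate_digests(salted))
    for user, stored in salted.items():
        ok = verify_salted(SAMPLE_USERS[user], stored)
        bad = verify_salted("not the password", stored)
        print(f"{user}: correct password -> {ok}, wrong password -> {bad}")
```

Run stand-alone, the unsalted table shows alice and bob with identical digests, so cracking one gives the attacker both, while the salted table shows no collisions even though the underlying passwords are the same; the weak password is still weak, but the site no longer hands out that information.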

      2. Tizzy says:

        What does any of this have to do with profanity?

        If my password is too easy to guess, then go ahead and say it. (Spoiler warning: it probably wasn’t, given that it was a long string that only happened to contain profanity in the middle.)

        Who the hell thinks in this way? Oh, I’d better not write down any swearwords (probably in plain text) into my database. Who knows who might read it and get offended!

        What a joke!

  14. Zak McKracken says:

    I’d just like to comment on the use of “paranoia”.

    Paranoia, by definition, implies exaggerated reactions to perceived threats and perceiving threats everywhere; that is, perceiving and reacting to more threats, and more strongly, than would be appropriate.

    Proper paranoia is a disorder which will cause a person to alienate their friends, hurt everyone close to them, and ultimately hurt themselves.

    You can die of paranoia.

    Now, if people systematically underestimate a certain risk, then the actions of some people might seem paranoid to them even if they’re not. Still, I wouldn’t encourage people to be paranoid about anything, since that implies overreacting, which is never a good idea. In my view, it’s more about understanding why caring about online security and safety is not paranoid, and why not consenting to give my data to anyone who asks is not overcautious but should be common sense.

    1. Paranoia and Paranoid personality disorder are not entirely the same thing.
      People who are paranoid may not suffer from PPD, but people who suffer from PPD are typically paranoid.
      Also if Paranoia/Paranoid is the wrong word to use then what is the correct word to use in this case?
      Shamus referred to the reaction and not the disorder, I understood what he meant despite not using “(not the disorder)”.

      “perceiving threats everywhere” like the NSA having the master keys to your phone’s SIM card?

      Millions (billions?) of phone users are affected, even potentially some in Norway (at least one phone operator had SIM cards from the compromised company’s systems).

      I’m surprised Norway and other European nations do not see this as a hostile act by the NSA and start sanctions against the USA. (If a Middle Eastern or Asian country did this, then the USA probably would sanction them, for example.)
      The USA needs to take responsibility for what the NSA has done.
      The same thing goes for the UK and their GCHQ (or whatever it’s called).

      There’s an old saying:
      “You’re not paranoid if you are actually being followed.” And right now the NSA is the world’s biggest (and creepiest) stalker.

      The NSA and the UK equivalent have violated several criminal, civil and human rights laws. I’m curious who, if anyone, will have to take responsibility for that.

      The stuff that keeps crawling out of the woodwork since the Snowden leaks began in earnest is mind boggling. Some of the more extreme fiction written in the past now suddenly looks tame compared to the reality.

      These days everyone should assume that at some point their data/password/bank account details/whatever will be compromised, and you should be prepared to handle it. And if it’s not crackers/blackhat hackers working for profit, then it’s corporate espionage or national espionage, and the likelihood of it being the NSA or similar is high as well.

      I also wonder how many politicians are being blackmailed using private data, ensuring they make certain decisions to the liking of those who hold the information.

      1. Zak McKracken says:

        “You’re not paranoid if you are actually being followed.”

        …that was exactly my point.

        (although I knew that saying as “that you’re paranoid doesn’t mean they’re not after you, too”)

        You _are_ being followed, and there are real threats against which it is useful, appropriate and possible(!) to protect yourself. No paranoia required.

        A better example of actual paranoia: The US security apparatus treating the entire world population as suspects, complete with alienating allies, their own people, violating human rights and generally worsening their own security situation…

        (and before anyone starts pointing fingers: I think almost all governments worldwide have been developing that way in the last fourteen years — this newfangled internet thing didn’t help, either)
