{"id":25961,"date":"2015-02-17T12:57:35","date_gmt":"2015-02-17T17:57:35","guid":{"rendered":"http:\/\/www.shamusyoung.com\/twentysidedtale\/?p=25961"},"modified":"2015-02-17T12:57:35","modified_gmt":"2015-02-17T17:57:35","slug":"common-security-failings","status":"publish","type":"post","link":"https:\/\/www.shamusyoung.com\/twentysidedtale\/?p=25961","title":{"rendered":"Common Security Failings"},"content":{"rendered":"

I’m planning the column I’m going to write for the Escapist in a couple of weeks, and I’m looking to do a kind of public service-y kind of piece on how to judge the security of a website from the position of a user. If you play videogames then you most likely have a lot of accounts: MMO’s, gaming sites, DRM systems, etc. That’s a lot of data entrusted to a lot of idiots, and obviously it doesn’t always work out.<\/p>\n

So I think it would be good to encourage a little more security-savvy among the masses. Normally I wouldn’t crowdsource my columns like this. I realize this probably comes off as rude and lazy. It’s my job to write stuff, not yours. But this is for a good cause and I’d rather beg for help than get it wrong on this topic. And I’m not confident enough in my knowledge to write this without some input and half-assed peer review.<\/p>\n

I really want people to read this, so I want the list to be breezy and easy to digest. This is not a technical column. I might even make it a top N list. The whole point is to come up with things that should cause concern when a website does it. Here is what I have so far:<\/p>\n

Security sins:<\/p>\n

    \n
  1. Has visible data in the URL: www.gamesite.com\/user\/shamus@shamusyoung.com\/profile or whatever.\n

    (I know Xbox had a problem with this, but I can’t remember how it worked. I’ll read up on this before I write the column, obviously.)<\/p>\n

  2. Sites that limit password length. (Dude, do you even hash?)\n
  3. Sites which SEND YOU YOUR PASSWORD IN PLAINTEXT FOR ANY REASON WHY DIDN’T I MAKE THIS #1 ON MY LIST?\n
  4. Sites that require uppercase, lowercase, a number, and a symbol in the password.\n
  5. Also: Are sites supposed to store the number that comes from the BACK of your credit card? I always thought that short number was so that it would be safe(ish) to store the CC# and Exp date on their site (so you don’t have to type it in every time) but still make it so that you need to enter SOMETHING to make a purchase happen. The security code is short so it can be entered even on a console or a phone without too much pain. But I see sites (including Steam) remember the security number along with everything else. Am I misunderstanding how this is supposed to work?\n<\/ol>\n

    Anything you’d add to the list? Remember that I’m looking for ways that a typical<\/strong> user can spot bad security policies. “Has open ports on the server” might be a sign of trouble, but it’s not the kind of thing the average person can detect. (And even if you teach them, it’s not the kind of fooling around people want to do when creating an account. Also, probing for open ports is dangerous and not something I’d teach Joe and Jane Internet.) Likewise, while “Asks for too much personal information” is a sign that a breach would be more damaging, it doesn’t necessarily mean the system is inherently insecure. <\/p>\n

    So if we could just have a general discussion on horrible security policy, that would be great.<\/p>\n

    Also, this is my favorite security story. It’s not the most destructive (not even close) and it didn’t make headlines, but it is a glowing display of incompetence and stupidity. Tom Scott describes what happened at MoonPig:<\/p>\n