Master Keys are Master Targets

Posted by: Majicko - September 22, 2007
Password Security
One of the primary fears of Internet usage is identity theft. As the Internet brings humanity closer together by making communication as easy as typing at a keyboard and sharing visual data via websites, privacy becomes an increasing issue, especially for people who are not accustomed to Internet security and those of us who are just too lazy to make the effort. One of the root causes of privacy violations on the Internet is poor password security.

One of the most fundamental rules of Internet usage, and the most ignored, is password security. These days, user interactivity is what makes a website. In order to properly regulate user activity, privacy, and website security, website membership/login scripts are used. Each member, upon registration, must choose a public username and a secret password that acts as a key to their account. Of course, most of us know this. What most of us do not know is how passwords are stored on the websites we visit and how secure their databases are. Contrary to popular belief, it is not impossible to obtain a user's password from one website's database or another. There are hacking methods, like SQL injection, that can be used to acquire a user's password from the database. Webmasters typically do everything they can to encrypt or otherwise secure account information, but there are some websites out there that are not secure, and users will never know the difference.

Your Responsibility
However, the webmaster is not the only individual involved here. You, the user, have your own duties as well to keep your information safe. If many of you readers are anything like me when I was a kid, you have numerous accounts with various websites across the Internet, and you likely choose the same or similar username for each account. This is fine, since it sometimes helps to build an identity for yourself online. The problem, however, is when you choose the same password for each of your accounts. This makes the passwords easier to remember, but I can't stress enough how dangerous this is!

Password Phishing
One of my earliest websites had a user registration system with almost no encryption whatsoever. At the time, I knew little about encryption or password security. I could view my database and easily read all of my members' usernames and passwords. I remember one member of my site who joined so that she could place a link with a banner to her site in my archives. I saw that her e-mail address was on Yahoo, her website was on Tripod, and her banner was on Photobucket. I had the password to her account on my website. You guessed it! I tried accessing these accounts with the login information she used on my site, and I was in! Her Tripod account information, which was now accessible to me, contained her address, phone number, and birthdate. Her Photobucket account contained pictures of her. If I were a malicious person, I could have easily ripped off her identity. Instead, being the honorable guy I am, I immediately contacted her and told her to change her passwords and not to make them all the same.

This is a shining example of how important it is to mix up your passwords and change them frequently. When you get an account on some website, their password storage system might not be encrypted. The website just might be collecting passwords for this purpose! How do you stop this from happening to you? By mixing up your passwords and changing them frequently!

Choosing Passwords - The Split Key Method
How does one pick secure passwords? It's very simple really if you keep some techniques in mind. I typically start my passwords with a keyword (let's say "majicko" is my keyword). I may convert this phrase into "hacker form" (i.e. "m@j!ck0"). This really confuses many automated hacking systems like dictionary hacks and flooders because they can't possibly try all combinations of odd characters. Now that we have our key phrase, let's add some numbers to it. For one online account, my password might be "m@j!ck0135". For another account, my password might be "m@j!ck0680". I continuously pick random number combinations to mix things up. If the particular website wants fewer characters, then I may pick fewer numbers. I can remember the word "majicko," so I write down only the number combinations and keep them in some safe place for my reference. That way, only I possess both halves of every password. Clever, isn't it? If one of my passwords gets hacked or phished, I don't have to worry, because all of my accounts have different passwords.

Majicko's Encryption System
Majicko, fortunately, has the most secure encryption system available on the net, just short of having a secure socket layer on your web space (something your server administrator has to put in). Majicko uses 32-bit MD5 encryption with a randomly generated salt. The webmasters can see what the encrypted hash and salt look like, but there is no easy way to reverse them. When a user inputs their password, Majicko encrypts it with the same random salt, which should produce the same hash as the one stored in the database. If the two match, then your password was right. It's a very secure system and hard to break.
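The store-and-verify flow described above, written out as an added example that is not Majicko's own code: a random per-user salt is generated at registration, only the salt and hash are stored, and login recomputes the hash with the stored salt and compares. Helper names, the salt length, and the PBKDF2 contrast at the end are this example's own choices, not anything the post specifies.

```python
import hashlib
import hmac
import secrets

# Constructed illustration of salted password storage and verification.
# Names and parameters are assumptions for this example, not Majicko's code.

def make_salt() -> str:
    """Random 16-byte salt, hex-encoded (hypothetical helper)."""
    return secrets.token_hex(16)

def md5_salted(password: str, salt: str) -> str:
    """MD5 over salt + password, as the post describes; yields 32 hex chars."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()

def store_record(password: str) -> dict:
    """What a site would persist at registration: salt and hash, never the password."""
    salt = make_salt()
    return {"salt": salt, "hash": md5_salted(password, salt)}

def verify(record: dict, candidate: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(record["hash"], md5_salted(candidate, record["salt"]))

# Same design with a deliberately slow hash (PBKDF2-HMAC-SHA256 from the
# standard library), the choice a current deployment would make instead of MD5.
def pbkdf2_record(password: str, iterations: int = 200_000) -> dict:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}

def pbkdf2_verify(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(record["hash"], digest.hex())

if __name__ == "__main__":
    rec = store_record("m@j!ck0135")          # password from the post's example
    print(verify(rec, "m@j!ck0135"))           # correct password matches
    print(verify(rec, "m@j!ck0680"))           # a different account's password does not
    # two users with the same password get different hashes because the salt differs
    print(md5_salted("pw", make_salt()) != md5_salted("pw", make_salt()))
```

Because the salt is random per user, two members who chose the same password produce different stored hashes, which is the property the post's "randomly generated salt" is there to provide.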
