We all hear about it: “Big Company X was hit by hackers over the weekend and all of its passwords and/or personal information (like credit card numbers) were stolen…”
Why do we keep hearing this, and especially from big companies? It is a fair question: the cryptographic tools for protecting stored passwords and credit card numbers are well understood, freely available, and apply directly to the data web sites hold today.
So again, why do we keep hearing about big company X?
Based on web statistics published on most security sites today (freely accessible to website administrators and attackers alike):
- Sites still use poor security practices when it comes to passwords.
- Some sites still allow a one-character minimum for passwords.
- Most sites do nothing to slow down or block brute-force or dictionary attacks against their login forms.
- Sites still allow well-known common passwords without even warning the user who picks one.
Ready-made software hosted on hacker sites puts brute-force and dictionary attacks within reach of anyone. The would-be attacker no longer needs to know how to program: they grab one of the two most widely used cracking tools, follow the built-in instructions, and point it at a poorly secured site. The usual goal is the administrator account; once the attacker has the administrator password, they can pull any information stored on that site.
If the site’s security were kept current and done properly, the attacker would hit far more obstacles than expected. The site would recognize the login attack and cut off the attacker’s access attempts. It would also store passwords only as salted hashes, and encrypt other sensitive information, so that even if the files or database were copied (for example with stolen SSH or FTP credentials) the attacker would get nothing directly usable.
If the site allows users to pick common passwords, the attacker does not even need to brute-force anything: the common-password lists are just as easy to find on the web, and trying that list alone is enough to recover a large share of user passwords (the author’s estimate is about six in ten; hopefully the administrator’s is not among them).
If you want to protect your site and your users’ security information, the experts suggest that you:
- keep your web site software updated at all times.
- always encrypt critical information, using keys that are unique to your site and not derived from anything guessable.
- refuse commonly used passwords, checked against a published list of the most common ones.
- require strong passwords; minimum length and a blocklist check matter more than forcing a mix of upper case, lower case and digits, since forced complexity rules tend to produce predictable substitutions that users then forget or write down.
- enforce a minimum password length of 8 characters or more.
- store passwords only as hashes, with a unique random salt per password and a deliberately slow hash function (PBKDF2, bcrypt, scrypt or Argon2), so that a stolen password file cannot be attacked with precomputed tables or cracked quickly.
- always watch for repeated failed login attempts (password guessing) and stop them, for example with rate limiting or a temporary lockout per account.
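The following is an added example, not code from the original post, showing the last three recommendations together with the attack described earlier: a minimum-length and common-password check at registration, per-password salted PBKDF2 hashing (a slow hash from Python’s standard library), and a per-account throttle that shuts down a dictionary attack after a few failures. The blocklist, the account names and the word list are constructed for the example, as is the tiny in-memory user store; the attempt limit, window and iteration count are assumed values, not recommendations taken from the page.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed blocklist for the example; a real deployment loads a large
# published list of common / breached passwords instead.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "admin"}
MIN_LENGTH = 8            # assumed minimum, per the recommendation above
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to ~100 ms on your hardware
DUMMY_SALT = b"\x00" * 16    # used to burn equal time for unknown usernames


def check_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. A fresh 16-byte random salt per password means
    two users with the same password get different hashes, defeating precomputed
    tables. Returns (salt, digest); both are stored with the user record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt; constant-time comparison."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class LoginThrottle:
    """Per-username failure counter: after `limit` failures within `window`
    seconds, further attempts are refused until the window expires."""

    def __init__(self, limit: int = 5, window: float = 300.0,
                 clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.failures: Dict[str, List[float]] = {}

    def allowed(self, username: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failures.get(username, []) if now - t < self.window]
        self.failures[username] = recent        # drop expired failures
        return len(recent) < self.limit

    def record_failure(self, username: str) -> None:
        self.failures.setdefault(username, []).append(self.clock())


class UserStore:
    """Minimal in-memory user store (constructed for the example)."""

    def __init__(self, throttle: Optional[LoginThrottle] = None):
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.throttle = throttle or LoginThrottle()

    def register(self, username: str, password: str) -> None:
        problems = check_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' (wrong password / unknown user) or 'locked'."""
        if not self.throttle.allowed(username):
            return "locked"
        record = self.users.get(username)
        if record is None:
            hash_password(password, DUMMY_SALT)  # same cost as a real check
            ok = False
        else:
            ok = verify_password(password, *record)
        if not ok:
            self.throttle.record_failure(username)
            return "denied"
        return "ok"


def simulate_dictionary_attack(store: UserStore, username: str, wordlist: List[str]) -> List[str]:
    """Replay a word list against one account and return each attempt's outcome."""
    return [store.login(username, word) for word in wordlist]


if __name__ == "__main__":
    store = UserStore(LoginThrottle(limit=5, window=300))
    store.register("alice", "correct horse battery staple")
    guesses = ["123456", "qwerty", "letmein", "admin", "welcome", "monkey", "dragon"]
    print(simulate_dictionary_attack(store, "alice", guesses))
```

The throttle keys on the username so that a distributed attacker cannot evade it by changing source addresses, and the unknown-user path still performs a full hash so response time does not reveal which accounts exist. Lockouts should be temporary (the window here), otherwise the same mechanism becomes a denial-of-service lever against legitimate users.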
If every web site out there followed the suggestions above, we would hear “so-and-so lost their passwords to hackers” far less often.