Unless you’re part of Google’s “Opt-out”, you probably spend a bunch of time on the internet, and thus give your private information to a handful of websites. The battle of internet security is, for many, constantly finding the balance between convenience and security/privacy — you could have this website store your credit card information for your next visit, but do you want to risk that? Browsing the web safely can be both — but you need to know what you’re up against, and how to protect yourself.
What good is encryption?
With 128-bit AES encryption, meaning one of the most common encryption algorithms used with a “key” that is enormous, it is fairly safe to say that no one could decrypt your message in the foreseeable future. The US government uses 256-bit encryption, which would theoretically take 3×10^51 years to break by brute force.
But this all falls apart if your password is “hello”.
Using “brute force” — simply trying all one character passwords, then all two character passwords, then all three, and so on — a typical desktop PC can crack a password of six letters and numbers in a pathetic 36 minutes. Add capital letters and it becomes a day and a quarter. Add an extra character, bringing it to a length of seven, and it would take 2.83 months. Nine characters will take 1.12 millennia.
But the amount of time quickly drops to zero if your password is “hello”.
Suppose you have a really solid password — capital letters, numbers, ten characters, the works — but you use it at an unsecure website. These sites aren’t as uncommon as you may think: forums you frequent, your buddy’s blog, or a newspaper. You don’t give these sites any important data, no credit cards or addresses or private conversations, so you’re not too worried about that site being hacked into.
But suddenly your secure data is available because you used the same password on every other site.
Secure vs Unsecure
Modern browsers make it easy to tell a secure site from an unsecure one. A “secure” site is one that uses encryption to send data between your computer and its servers. These sites get a certificate, called an “SSL Certificate”, from a third party, which assures you that the site is who it says it is. A secure site usually shows a padlock, and its address begins with “https://”; an unsecure site will only have “http://”.
The most important thing to check, with nearly every page load, is the URL, or address, of the page you are looking at. If you receive an email from your bank with a link to provide your login credentials, you should always check the URL when the page loads. A page can look like your bank’s page but really be someone malicious trying to steal your credit card number. Never give any information to any page if the URL isn’t one you recognize. Google wrote a great site called 20 Things I Learned with a clear explanation of how to use the web address to stay safe.
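Here is a small script, added as an illustration and not part of the original post, that applies that URL check mechanically: given the link from the email and the bank’s real host name (both constructed here, using reserved example domains), it reports whether the page would load over https and whether the host is the bank’s own domain or one of its subdomains rather than a look-alike.

```python
"""Added example: checking a link's address the way the post recommends.

The bank host name and the sample links are constructed for this example
(reserved example domains only); they are not from the original post.
"""
from urllib.parse import urlsplit


def link_verdict(url: str, expected_host: str) -> str:
    """Classify a link against the host you expect to be talking to.

    Returns one of:
      "ok"         - https, and the host is expected_host or a subdomain of it
      "not-https"  - the page would be loaded without encryption
      "no-host"    - the address has no host at all (e.g. a javascript: link)
      "wrong-host" - a different domain, however similar it looks
    """
    parts = urlsplit(url.strip())
    host = parts.hostname  # lower-cased; any user-info and port are stripped
    if host is None:
        return "no-host"
    if parts.scheme.lower() != "https":
        return "not-https"
    expected = expected_host.lower().rstrip(".")
    host = host.rstrip(".")
    # Only an exact match or a true subdomain counts. A plain suffix check
    # would wrongly accept "notbank.example"; requiring the dot boundary
    # avoids that.
    if host == expected or host.endswith("." + expected):
        return "ok"
    return "wrong-host"


def is_trusted_link(url: str, expected_host: str) -> bool:
    """Convenience wrapper: True only when the verdict is "ok"."""
    return link_verdict(url, expected_host) == "ok"


if __name__ == "__main__":
    BANK = "bank.example"  # constructed: stands in for your bank's real domain
    # Constructed sample links of the kinds the post warns about.
    samples = [
        "https://www.bank.example/login",
        "http://www.bank.example/login",
        "https://www.bank.example.login-portal.test/login",
        "https://bank.example@login-portal.test/login",
        "https://bank-example.test/login",
    ]
    for link in samples:
        print(f"{link_verdict(link, BANK):10s}  {link}")
```

The second and third constructed samples show why reading the address by eye is error-prone: the bank’s name appears in both, but one is served without encryption and the other lives on an entirely different domain. The `hostname` property of `urlsplit` is what makes the check reliable, since it discards anything before an `@` and any port number before the comparison.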
The Frightening Reality
You may have heard that earlier this week, Gawker’s servers were breached, releasing all their data to the public, including commenters’ email addresses and passwords, private internal conversations, and emails. A notification I received from Gawker stated:
This weekend we discovered that Gawker Media’s servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name and password associated with your comment account were released on the internet.
The attack is theorized to have been orchestrated by someone using the alias 4Chan, who had been feuding with founder Nick Denton, who has a growing reputation for using unethical tactics to generate web traffic. And while I don’t frequent any of his websites, and confirmed that my information was not released, the attack shook me up, in part because of two oddly timed notifications I received around the same time:
- My Facebook account was accessed from a computer in India
- My iTunes account detected new visits from a “new device”
I had a similar scare a few months ago, which prompted me to change all my passwords and purchase the very much loved 1Password by Agile Solutions, a way to securely store your passwords on your local machine (or iPhone or iPad). I devised what I thought was a good strategy for keeping passwords safe on the internet. I had three passwords:
- One for secure websites
- One for unsecure websites
- One for websites where security is incredibly important, like online banking.
This strategy had two enormous problems:
- As noted above, even secure websites can be attacked
- I got lazy and soon found myself using my “secure” password all the time
And since the Gawker attack, I’ve rethought my strategy.
There are a few rules which I strongly recommend you follow when creating and providing passwords for various websites. Unless you have a great memory, you may consider purchasing something like 1Password by Agile Solutions to store your passwords. They have an iPhone and iPad app too.
- Randomly substitute numbers for letters that look or sound similar. This is easy to remember, but much more difficult for a computer to detect. For example, instead of peter use p3t3r, or instead of iatebananas use 18bananas.
- Rather than using words, consider using the first letter of each word in a sentence. These are often easier to remember, and are really hard to find using brute force. Make a password like “mniPur2” for “my name is peter you are too”.
- Capitalize random letters. This increases time to hack a 7 character password from 2 hours to 2 years.
- It’s a pain, but it’s very important to use different passwords for different sites. If this is too difficult to remember, simply take your good, long, weird password, and add something to it for each site. For example, you could prepend the second letter of the site to your password. If your password is mniPur2, when you log in to Google, use the password omniPur2.
- Don’t write your passwords on a post-it note next to your computer. (I can’t recommend 1Password enough.)
Many sites nowadays have a test to show how strong your password is. These are a great way to make sure your password isn’t easily identifiable.
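The brute-force arithmetic behind the figures quoted earlier (six characters in minutes, nine in millennia) and the strength tests this paragraph mentions can be reproduced in a few lines. The script below is an added example, not code from the original post or from 1Password: it works out which character classes a password draws from, the size of the search space an exhaustive attacker must cover, and the worst-case time at an assumed guess rate. The rate of 500,000 guesses per second is a constructed stand-in for the post’s “typical desktop PC”, and the sample passwords are the post’s own examples plus constructed ones.

```python
"""Added example (not from the original post): the arithmetic behind
brute-force time estimates and simple password strength checks.

Assumed values, labelled as such: DESKTOP_GUESSES_PER_SECOND is a constructed
figure; real rates depend on how the site hashes passwords and on the
attacker's hardware.
"""
import string

# The character classes a password can draw from and their sizes (26, 26, 10, 32).
CHARACTER_CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation),
}

# Constructed guess rate standing in for the post's "typical desktop PC".
DESKTOP_GUESSES_PER_SECOND = 500_000


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def charset_size(password: str) -> int:
    """Alphabet size an exhaustive attacker must assume to be sure of covering
    this password: the sum of the sizes of the classes it uses."""
    return sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))


def keyspace(length: int, alphabet: int) -> int:
    """Candidates of exactly `length` characters over `alphabet` symbols."""
    return alphabet ** length


def total_keyspace(length: int, alphabet: int) -> int:
    """Candidates tried when working up from length 1 to `length`, which is
    how the post describes brute force."""
    return sum(alphabet ** n for n in range(1, length + 1))


def worst_case_seconds(password: str,
                       rate: int = DESKTOP_GUESSES_PER_SECOND) -> float:
    """Time to exhaust every candidate up to the password's length."""
    return total_keyspace(len(password), charset_size(password)) / rate


def describe_duration(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    year = 365 * 24 * 3600
    units = [("millennia", 1000 * year), ("years", year), ("days", 86400),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"


def strength_report(password: str,
                    rate: int = DESKTOP_GUESSES_PER_SECOND) -> dict:
    """The numbers a strength meter would show for one password."""
    return {
        "length": len(password),
        "classes": sorted(classes_used(password)),
        "alphabet": charset_size(password),
        "candidates": total_keyspace(len(password), charset_size(password)),
        "worst_case": describe_duration(worst_case_seconds(password, rate)),
    }


if __name__ == "__main__":
    # The post's own examples plus a constructed symbol-bearing one.
    for pw in ["hello", "p3t3r", "18bananas", "mniPur2", "omniPur2", "mniPur2!#"]:
        r = strength_report(pw)
        print(f"{pw:12s} len={r['length']} alphabet={r['alphabet']:3d} "
              f"candidates={r['candidates']:.3e} worst case {r['worst_case']}")
```

These are worst-case figures for an exhaustive search, so they only say how much a password gains from length and character variety: adding a capital to mniPur2 moves it from a 36-symbol alphabet to a 62-symbol one, and each extra character multiplies the candidates by the alphabet size. A common word such as hello is found far sooner than its worst-case time, because an attacker who tries likely words first never has to exhaust the alphabet, which is exactly the post’s point about that password.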
Staying safe on the internet isn’t as difficult as people may say; you only need to remember a few basics. And like anything else, always use care when giving information to someone. Just as you’d never give your social security number over the phone to someone who hasn’t identified himself properly, you shouldn’t give it to a website you don’t trust.
Additional reading at:
December 14, 2010