Keeping your data safe online can seem hard, since some of the biggest recent news in the technology world involves hacking. The most infamous stories are about Sony and its lack of security in managing its clients' accounts for its services. Other stories range from the hacking of the FoxNews.com Twitter account to the CIA. The groups behind these attacks have published the user names and passwords of thousands of individuals once they obtained the data.
When it comes to security, the responsibility lies not only with the corporations managing the data, but also with the clients of those corporations. Each company must ensure that it does what is necessary to keep its clients' data secure. At the same time, each client must take the necessary steps to protect themselves in the event of a security breach.
Keeping Your Data Safe – The Company Perspective
While I mention the company in the title of this section, this applies to anyone who maintains data for clients, whether a large organization or someone who owns a web site. If you collect client data, you must take the steps necessary to keep that data safe.
One of the areas where many companies fail is passwords. I like to create long, generated passwords for each site I register with. I use LastPass to manage my passwords, and also use the tool to generate them. Each generated password is 25 characters long and contains letters (upper and lower case), numbers and punctuation. Since I use LastPass, remembering each password is a moot point.
From a company perspective, you shouldn't be storing passwords as plain text in a database. All passwords should be hashed with a salt value – preferably with SHA256 – and then stored in the database. Using a hash prevents unauthorized users from gaining access to the passwords of the users of your system. If a user requests a password reset, simply generate a new password with its salted hash, and then send the temporary password to the user.
It is usually easy to spot the companies that don't hash passwords. The tell-tale signs include:
- They put a limit on the number of characters in a password. A hashed password is always the same size regardless of the number of characters being hashed.
- Specific characters, such as punctuation, are not accepted. When hashing a password, any character can be hashed just as easily as any other.
- When requesting a forgotten password, you are sent your original password. A hash cannot be converted back to its original plain-text version, so once a password is hashed the company cannot recover the original password.
- When you change your password, the "previous password" box appears on the screen pre-filled with the same number of characters as your original password.
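As an added example (not code from the original post), here is the salted-hash scheme described above in Python: registration stores a per-user random salt plus the SHA-256 digest, a login recomputes and compares the digest, and a reset issues a generated 25-character temporary password of which only the salt and digest are kept. The fixed 64-hex-character digest is the property behind the first tell-tale sign in the list; the names and the 16-byte salt size are this example's own choices, and the comments note that a deliberately slow KDF such as PBKDF2 is the stronger choice today.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional, Tuple

# Generated passwords use upper/lower letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 25) -> str:
    """Generate a random password from ALPHABET using a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Return (salt, hex digest) of SHA-256 over salt + password.

    A fresh 16-byte salt per user keeps identical passwords from producing
    identical digests. SHA-256 is fast, though; a deliberately slow KDF such
    as hashlib.pbkdf2_hmac resists offline guessing far better.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: str) -> bool:
    """Recompute the salted digest and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored_digest)


def reset_password() -> Tuple[str, bytes, str]:
    """Issue a temporary password; only the returned salt and digest are stored."""
    temp = generate_password()
    salt, digest = hash_password(temp)
    return temp, salt, digest


if __name__ == "__main__":
    # Constructed demo: the digest length does not depend on password length.
    _, short = hash_password("pw")
    _, long_ = hash_password("x" * 200)
    print(len(short), len(long_))  # 64 64
    temp, salt, digest = reset_password()
    print(verify_password(temp, salt, digest))  # True
```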
When you enter your password in a web site's form, it is sent to the web server, where it is then hashed. This means the password travels to the server in plain text. To protect the data in transit, SSL is required. All companies should implement SSL when transferring personal data from the client to the company's servers. Not keeping
Keeping Your Data Safe – The Client Perspective
As I mentioned above, the client should also shoulder some of the responsibility for keeping their data safe. While a company is responsible for the data in its possession, the client is responsible for the data they share everywhere.
As a client you cannot prevent a company from being hacked. You can, however, help minimize how much the hacked information exposes your identity. The following steps help minimize that risk:
- Never use the same password twice. This may seem complex, but it is very important to create a separate password for each account you create.
- Ensure that when you sign up/login with a site that the connection is encrypted with SSL.
- Create long passwords that are at least 10 characters in length. In terms of passwords, longer passwords are more secure.
- If you own an account with a company that has been hacked, I suggest you either close the account or change the password. Regardless of whether your information has been compromised, you should take action to keep your data safe. For companies that have your credit card information, you should cancel the credit card.
One of the most important points mentioned above is the first one. If you use the same password across multiple sites, then once a hacker has one password from a site, they can easily use the same password on other sites. They would try the more popular sites, such as Facebook, which can be a huge issue with regard to personal identity. It is very important to create a new password for each site you sign up with.
When it comes to security online, there needs to be teamwork between a company and a client to help keep data safe. With both parties working together, it becomes easier to keep your data safe online.