Web Applications in Bournemouth & Front End Development in Bournemouth


Security on the Internet – Passwords

Introduction

Ok, we’ve all heard the recent reports of lots of e-mail accounts having been hacked and their user names and passwords broadcast on the web. It’s something we all want to avoid, since not only can it cause major disruption, it can result in identity fraud and loss of communication with important people, as well as your account getting blocked because it has been used to send spam everywhere.


How they get your password

As recently shown, a fair number of the passwords revealed on the list of hacked e-mail accounts were ‘12345’, ‘123456789’ or similar passwords, which are not only very easy to guess but are also very easy to attack using automated programs. It’s best to use a password that isn’t a word. This is the best defence against these automated attack programs, which generally just run through a list of common passwords followed by the dictionary. The program keeps making guesses until it gets it right, runs out of words to guess, gets recognised as an attack and has its IP address blocked by the server, or the operator gives up and switches it off.

The next way to get someone’s password is to use a virus or similar to put a ‘keylogger’ onto their system. This simply logs all the key presses you make and then sends them on demand to the hacker, who can simply read the log of what you typed. Your passwords are normally fairly easy to identify from the information these viruses send back.

The other main technique that you can do something about is known as Phishing (from fishing). This is where someone sets up a fake website and/or e-mails to deceive users into entering their user names and passwords so that they can be recorded. Some of these can be VERY VERY sneaky. A good example is one I’ve encountered before: it looks identical to the correct website and, no matter what user name/password you put in, it says that you have got it wrong and then loads up the REAL website that you were trying to go to. If you don’t notice that the address has changed, your next log-in will work normally and you’ll never even know that you have been hacked. The links to these websites are normally in e-mails sent to you, although they can sometimes be found via the search engines.


Brute force attacks – The counter

The simplest way to have a password that a ‘brute force’ attack can’t break (i.e. trying thousands of passwords with an automated program in the hope of getting lucky) is to have a password that the program can’t guess. If it can’t guess it, then it can’t get in. There are other server-based methods of stopping these attacks as well, but they can be bypassed: if the server blocks the attacker’s IP address, for example, the attacker can simply switch IP address and continue on, and then an innocent person who has taken up the old IP address can no longer connect to the server.
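The server-side counter the paragraph above describes, as an added example that is not part of the original post: a login throttle that blocks an IP address after repeated failures. The block expires after a fixed window (an assumption of this example, not something the post specifies) so that someone who later inherits the address is not locked out indefinitely, which is the side effect the post warns about. The clock is injected so the expiry can be exercised without waiting; the `ManualClock` and the 203.0.113.5 address are constructed for the example.

```python
"""Added example (not the post's own code): per-IP login throttling with
time-limited blocks. Threshold, window and block length are assumptions."""
import time
from collections import defaultdict
from typing import Callable, Dict, List


class ManualClock:
    """Constructed stand-in for time.monotonic so block expiry can be tested."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def __call__(self) -> float:
        return self.now


class LoginThrottle:
    def __init__(self, max_failures: int = 5, window_seconds: float = 60.0,
                 block_seconds: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.block_seconds = block_seconds
        self.clock = clock
        # ip -> timestamps of recent failed attempts
        self._failures: Dict[str, List[float]] = defaultdict(list)
        # ip -> time at which the block lifts
        self._blocked_until: Dict[str, float] = {}

    def is_blocked(self, ip: str) -> bool:
        """True while the address is inside its block window."""
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Block has expired: forget it so a new holder of the address
            # (the innocent person in the text) is not punished.
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Register a failed attempt; returns True if this one triggers a block."""
        now = self.clock()
        # Only failures inside the sliding window count towards the threshold.
        recent = [t for t in self._failures[ip] if now - t <= self.window]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_seconds
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A correct login clears the failure history for that address."""
        self._failures.pop(ip, None)


if __name__ == "__main__":
    clock = ManualClock()
    throttle = LoginThrottle(max_failures=3, clock=clock)
    for _ in range(3):
        throttle.record_failure("203.0.113.5")
    print("blocked now:", throttle.is_blocked("203.0.113.5"))
    clock.advance(901)
    print("blocked after 15 min:", throttle.is_blocked("203.0.113.5"))
```

Blocking per address is exactly as bypassable as the post says; the expiry only limits the collateral damage, it does not stop an attacker who moves to a new address.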

The best passwords are completely random; my normal password generation is simply to hit the keyboard with two open hands, which normally produces something like:  apowiert

Now passwords like this can be a pain to remember, but there is an easy solution for this as well: make your password into a phrase. For the password above (no, this isn’t a real password I use, by the way 😉) I would remember ‘Anti protesters overpower white idiots eating random toast’ or something along those lines and simply use the first letter of each word. It’s best to include a combination of numbers and letters as well as uppercase and lowercase to make this password even harder to crack.
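An added example, not the post’s own code, covering two points above: it replays the guess order described under “How they get your password” (a common-password list first, then a dictionary) to show at which guess a given password would fall, and it builds a password from the first letter of each word of a phrase with the case and digit mixing just recommended. Both word lists are short constructed samples, not real attack lists, and the uppercase/suffix options are this example’s own.

```python
"""Added example (not the post's own code). Word lists are constructed samples."""
from typing import List, Optional

# Constructed sample lists; a real attacker's lists are far longer.
COMMON_PASSWORDS: List[str] = ["123456", "password", "12345", "123456789", "qwerty", "letmein"]
DICTIONARY_WORDS: List[str] = ["apple", "banana", "cherry", "toast", "random", "idiots"]


def guess_position(password: str,
                   common: List[str] = COMMON_PASSWORDS,
                   dictionary: List[str] = DICTIONARY_WORDS) -> Optional[int]:
    """1-based position at which a program trying the common list and then the
    dictionary would hit this password; None if it is in neither list, i.e.
    the program 'runs out of words to guess'."""
    candidates = list(common) + [w for w in dictionary if w not in common]
    for position, candidate in enumerate(candidates, start=1):
        if candidate == password:
            return position
    return None


def phrase_to_password(phrase: str, uppercase_every: int = 0, suffix: str = "") -> str:
    """Take the first letter of each word of the phrase. With uppercase_every=N
    every Nth initial is capitalised; suffix lets the user append digits.
    Both options are this example's way of mixing case and numbers in."""
    initials = [word[0] for word in phrase.split() if word[0].isalpha()]
    if uppercase_every > 0:
        initials = [c.upper() if i % uppercase_every == 0 else c.lower()
                    for i, c in enumerate(initials)]
    else:
        initials = [c.lower() for c in initials]
    return "".join(initials) + suffix


if __name__ == "__main__":
    phrase = "Anti protesters overpower white idiots eating random toast"
    for candidate in ["123456", "toast", phrase_to_password(phrase)]:
        hit = guess_position(candidate)
        print(f"{candidate!r}: {'guess #' + str(hit) if hit else 'not in any list'}")
    print(phrase_to_password(phrase, uppercase_every=3, suffix="42"))
```

The initials of the phrase reproduce the keyboard-mash password from the post and, unlike ‘123456’, never appear in either list, which is the whole point of a password that isn’t a word.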


Key loggers – The counter

While there is no way to be 100% safe from key loggers, there are steps you can take to be as secure as possible. Make sure your system has a firewall, an anti-virus and an anti-malware tool loaded onto it. These will help protect your system from these nasty viruses; although they may slow your system down slightly, on modern systems you have enough spare resources that this is unlikely to be noticeable. Unfortunately there is no such thing as a perfect defence: no matter how good the protective software you install is, it can be beaten by a newer virus or key logger simply because it is newer than the software meant to prevent it. Anti-virus can only protect your computer from software it recognises, so if the virus is new then it won’t be recognised. Thankfully most ‘new’ viruses are actually just remakes of old viruses, which means the anti-virus will still pick them up and block them.

The best way is not to get attacked in the first place. Most viruses come from websites, often legitimate websites that have themselves been hacked to implant the virus. These often ask you if you want to install their product or an upgrade to one of your programs, which actually just allows the virus to install. The most common one is a video that, when you click on it, asks you to install an update to your Flash player. This is actually the key logger trying to install itself, if you let it. Basically, if you don’t trust a site, don’t click any links and, whatever you do, don’t download and install any software from that site. Be careful about what you are browsing, where it is and whether you trust the website or not. Run an anti-virus and spyware scan on a regular basis and you should be ok! Almost all of the viruses I’ve found on people’s computers in the past (from a long history of working in IT support for home users) have come from dodgy websites; the remaining few have generally come from people with a virus burning a CD or putting the file onto a flash disk and spreading the virus that way.


Phishing – The Counter

The simple answer to Phishing is CHECK EVERYTHING before entering any password. Never e-mail someone your password: the businesses that might need it can bypass it, and anyone else shouldn’t have it!

Links are one of the main ways to get people to enter their passwords. A link can say anything it wants; a good example is this link: www.yourbank.com

While this link claims to be going to www.yourbank.com (and the page it links to will normally look exactly like your bank), there could easily be a fake site here that looks exactly like your bank’s site and simply harvests the user name and password. This has been done for banks, e-commerce sites and things like PayPal and Google, so you really need to check this on every link you click. If you hover your mouse over the link, you should see where the link really goes appear in the bottom left-hand side of your browser window. When you get to the page where it’s asking for your user name/password, check that the domain is correct in the address bar at the top of your browser.
The domain is the first part of the address, everything before the .com or .co.uk, for example. This is the only bit of the address you can trust to show you where you are really going when you click the link. If the domain matches that of where you wanted to go then you should be safe; some of the phishing sites have pages like www.bank.com/barclays.html, for example. The first part, before the .com, isn’t correct, so you shouldn’t trust it. If you aren’t sure whether the domain is correct, then Google search the company you are after and check!
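The check described above, as an added example that is not part of the original post: it extracts the owner’s domain from a link’s real destination (what hovering shows you) and flags a link whose visible text looks like an address but points somewhere else, as well as a destination whose domain is not the one you expected. The tiny suffix list that makes `barclays.co.uk` come out as one domain is a constructed stand-in for the real Public Suffix List, and the links themselves are constructed samples built around the post’s own www.yourbank.com and www.bank.com/barclays.html.

```python
"""Added example (not the post's own code): where does this link really go?"""
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed, deliberately tiny stand-in for the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}

# Anchor text that looks like an address, e.g. "www.yourbank.com".
_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


def registrable_domain(url: str) -> str:
    """The part of the address the post says you can trust: the owner's domain
    (bank.com for www.bank.com/barclays.html, barclays.co.uk for a .co.uk host)."""
    if "://" not in url:
        url = "http://" + url  # urlparse only finds the host when a scheme is present
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    if len(labels) >= 2:
        return ".".join(labels[-2:])
    return host


def link_verdict(link_text: str, href: str, expected_domain: str) -> dict:
    """Compare the link's real destination with what it shows and what you wanted."""
    actual = registrable_domain(href)
    shown: Optional[str] = None
    if _URL_LIKE.fullmatch(link_text.strip()):
        shown = registrable_domain(link_text.strip())
    return {
        "actual_domain": actual,
        "matches_expected": actual == expected_domain.lower(),
        # Text that reads as one address while the href goes to another is
        # exactly the trick the post describes.
        "text_misleading": shown is not None and shown != actual,
    }


if __name__ == "__main__":
    # Constructed sample: text says yourbank, destination is somewhere else.
    print(link_verdict("www.yourbank.com", "http://www.bank.com/barclays.html", "yourbank.com"))
    # Constructed sample: plain text, destination is the expected .co.uk domain.
    print(link_verdict("Log in", "https://online.barclays.co.uk/login", "barclays.co.uk"))
```

The same function can be run over every anchor in a page or e-mail; a link with `text_misleading` set, or one whose `matches_expected` is false on a login page, is the case where the post tells you to stop and check the address bar.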


Summary

Basically, you want to be careful on the web; it can be a dangerous place if you stray off the really popular and common websites. If you keep your eyes open and your wits about you and follow simple safety advice, then you will be relatively safe. Just remember, no defence is ever perfect, so always have a backup plan in case everything does go wrong.


One Response to “Security on the Internet – Passwords”

  1. Hi, unfortunately our addons are specific to the type of blog we use. I think Blogspot has its own system which has its own security systems.

