Experienced Points

Experienced Points
How Do You Know If A Web Site Is Secure?

Shamus Young | 24 Feb 2015 15:00
Experienced Points - RSS 2.0
website_security

2. Putting personal info in the URL.

Once you're logged into a site, look up at the address bar of your browser and see if there's any personal into in the URL. If your web browser shows the current site is www.gamingsite.com/[email protected]/accountinfo/ then it's a pretty big cause for concern. The site should not be putting your username or email in the address. It's only a minor security risk to you. (Someone can look through your browsing history and see that info, which gives them a starting point for attacking your account specifically.) But the real problem is that it's just not needed. There are better ways of doing this and anyone designing a site in this decade should know better.

3. Limits on password length.

Here is how passwords are supposed to work: I type in my password when I create my account. That password is run through a hash function that spits out a string of gibberish of fixed size. (It's always the same length, regardless of how long or short your password is.) It's basically using my password as a random number seed to make the gibberish. Then the gibberish is stored in the database. The next time I login, the password I type in is run through the same hash. If you get the same string of gibberish, then I must have typed in the same password.

The beauty of this system is that the site never stores my password. If the database is compromised, the hackers can't see my password, they can only see the gibberish. This also means that there's no need to limit password length. If my password is the first chapter of Harry Potter, that's fine. It still takes up the same space in their database.

If a site limits you to 8 or 12 characters, then it might mean they're not doing this.

More serious warning: If you use the "I forgot my password" option and they send you back your old password in plain text, then this site is 100% trash. Do not trust them with personal info. It's a huge red flag that their security is decades behind the times.

dev_web_security

4. Required use of secret questions.

What is your mother's maiden name? What is the name of your first pet? What street did you live on as a child?

These are awful security questions to begin with, and they're made all the worse by the fact that sites keep re-using them. The idea is that I should be able to get access to my account if I know the password OR the answer to the secret question. So if the secret question is easy to guess or figure out, then it negates the security of the password. Why would a hacker waste time trying to attack one of those letter-number-symbol passwords when they can probably find the answer to the secret question on Facebook? Or from another database they stole years ago which used the same question?

I don't mind having the secret question as an optional convenience, but requiring users to fill it out is demanding that they expose private info and thus make this account - and every other account they maintain - potentially less secure. Again, this reflects a very old-school approach to security that pre-dates the days of Facebook and laser-focused Google searching.

5. Sites that ask for too much information.

Don't sweat it if there's optional profile stuff that you can fill in after registration. Some people like this. But if account creation wants to know your home address, phone number, full name, website, and a link to your Twitter, then you should be extra careful. (This is a really common habit of software companies who are looking to "connect with their customers" by spamming you with crap.) Even if you don't fill that info out (or you fill it in with crap) the policy will still make the site a juicy target for hackers. Moreover, if a company carelessly collects more info than they need, then they might also be careless with the information once they have it.

Again, these points are all guidelines more than rules. But if you see a site violating a lot of the items on this list, then be careful and consider taking your eyeballs elsewhere. Companies won't care about security until we care about security.

Shamus Young is a programmer, critic, comic, and crank. You can read more of his work here.

RELATED CONTENT
Comments on