Securing your data and password online
Quite often I get into conversations with people about the security of their personal data when they put it online. This often stems from the fact that I do not use my real name in my facebook account. ‘Why?’ they ask and the conversation starts. The answer for me is obvious but many people are oblivious to the dangers of throwing their data around the internet.
Have you ever Googled your own name?
Try it and see what comes up. I search names all the time. Web spiders crawl the internet consistently and the data they can extract is incredible. Some people may not mind Google knowing everything about them, but personally is rubs me the wrong way as I have never given them permission to collect my data.
So what is the problem?
Well there are 2 main issues I would like to discuss here. The security of your personal data and the security of your passwords.
The more personal data you place on the internet the more at risk you are of it falling into the wrong hands. Some websites want phone numbers, full names, addresses, date of birth, country of residence, etc. These all being quite common information for websites to request. As you may see, with this information and your back account/credit card details, someone might be able to access your banks accounts over the phone.
These are consistent issues and the more places on the internet that you add your personal data the more chances you have that is will end up in the wrong hands. Often you should be asking yourself..
Why is this website requesting my information? Why do they need it?
If you cannot answer this question then do not add in your personal information. If it is mandatory, put in random data or data that does not make sense. Data added to a site almost can always be edited in the future and I have yet to find any consequence for inputting incorrect data. This will protect your personal data by only adding it to sites that ABSOLUTELY need to it for an obvious reason.
It is also quite common for people not to sign up to website that requests too much personal data. So you as a user, may be reluctant to signup, or test a service, that requests too much personal data. In these cases you would miss out on using the service. Putting in random data would prevent this issue.
Ok so many people would like to be honest and trust all websites that request their data. But in reality it can be quite dangerous. Have you ever had your credit card number compromised? Would you want these same people to have your personal details such as name, address and date of birth? I would think not.
It’s important to be aware that you have no control over your data once you have submitted it to a site. Even if they sell it to another party and are found guilty in a court of law for selling your data, it is too late. Your data could have been passed around to hundreds of other entities and once it is unleashed there is no stopping it.
So please keep all this in mind every time a website requests data. Ask yourself if it is in your best interest to provide the correct data the site is requesting. Personally I’ll only submit my real data if I cannot find another way around it. And even then I will have a quick peek at the piracy policy and terms and conditions. Also I’ll find out where the website is located, who owns it and look for anything else that seems wrong or out of place. A website in English that is registered in Australia is generally going to be more trust worthy that a website in English that resides in Russia. So be careful.
Passwords potentially have the same issues as your personal data. Please read the above section for more info. The difference is that your password is used to protect accounts and it being passed around the internet can cause incredible issues.
The fact of the matter is that if a website’s user system is built correctly the password would be stored in a database after irreversible encryption has been applied to it. What is that you ask? Well it means that your password is converted to a random text string (EG. Uwe*@48s#l;08$kjjwi23nys7), using various unique keys (salt) for the specific site. So looking at this text is it not possible to decipher the password. In addition this is not encryption but hashing. Meaning that it is not possible to reverse the process. So if someone gets this text string they cannot attain your password from it. Checking your password during login the site will run the same conversion on your inputted password and see if it matches the text string stored in the database.
More information on this process can be found on the internet for storing password using salt and hashing. But for now just be aware that the password should be stored in a fashion where is cannot be retrieved and used on other websites.
Now the issue is that anyone can build a website. Whether they are 14 years of age and self taught or they are a formally train veteran. Meaning that the above password protection process may not occur. Your password may be stored in an insecure database in an insecure fashion. So not only can the owners of the website see your password, if the information was to leak somehow you can be in trouble. Many people use the same password for multiple logins, so in a sense you could be providing an all access pass to all your online accounts!
As you can see this in is incredibly dangerous and can really easily become a reality. Really you have no idea how your password is being stored and if a developer of the site will use it for their own purposes. It is a risk but similar risk exists all the time. For example providing your credit card details to the pizza delivery person. He/she could use this data to make another purchase for example.
How can I protect my passwords?
Fortunately there is something’s you can do to protect against such a thing. The common problem is that people use the same email/password combo and an insecure password. This is quite common and the source of many of these issues. People do not want to have to worry about passwords and cannot remember different login details for every website. There are some things you can do and here are a few tips that can get your accounts much more secure.
Have a secure password
This will prevent robots from guessing your password. These days having an insecure password is not as much as a risk as it used to be. Guessing a password is purely based on luck and sites that are built correctly will detect a robot trying to guess the passwords and block them with a human check. However not all websites are built correctly do it still does pay to have a secure password.
A secure password consist of at least 6 characters. You should have:
- at least one capital letter
- at least one lowercase letter
- at least one number
- at least one symbol
So for example. Lets say your password was ‘angel’. You could on convert this to ‘Angel84!’. However this is an obvious conversation. So to be extra sure you could convert it to ‘a$n8G4el’. But then it is harder to remember. You need to create the password so you remember it. But again personally I believe it is better to have a password you can remember rather than super secure. As guessing a password is still very random and many sites have robot checks.
Based the password on the website it is used for.
This is a really great method that I discovered when I was discussing this issue with another developer. The method is to have some formula that you use to create your password based on the website it is being used on. This can create a unique password for all websites.
For example, let’s say you add the first and last characters for the website domain name to your password. So if you password was ‘angel14’ and you were using it on ‘www.3xsdesignstudio.com. Then you password could be converted to something like ‘angel143O’ Adding a ‘3’ for the first character of the domain and a capital ‘O’ for the last character.
With this method it does not matter if your password is compromised as it was created to work on the one site. It’s possible to get into situations where the domain has the same first and last characters as another sites so the password would be the same. However this is very unlikely. And does not change this method as an affective password protection system. Besides you can come up with your own method of using the domains in your passwords.
What happens if the domain name changes? If this happens and you cannot remember your password you can just reset it. Simple. All website have a reset or forgot password link.
Have multiple passwords
This is similar protection method to the above but a little simpler. It is nowhere near as secure but is a bit easier to use. Basically your create a series of passwords that you use for various sites. And basic example would be to have 3 passwords. One that is used on sites you know are secure and store your sensitive data. One for sites that you do not care if it gets hacked or sites that you’re unsure about. And another password for sites that are in-between. In this way with a website that you believe can potentially compromise your password; you can use the password that you do not care about. So if it is compromised they cannot access your accounts on sensitive website because you used a different password.
The issue with this method is if your secure password for sensitive sites is compromised then allowing for access to all sensitive sites. So it is not the best method but much better than one password.
Don’t give out your passwords
Obvious but needs to be said. You cannot control how others will use your password.
Do not use obvious password
So do not create passwords that are easy to guess. For example using your pets name and your date of birth. EG fido1984. That is easy to guess if someone was to gain general information about the user.
Some websites will have security questions. These are created to provide an extra layer of security beyond your login details. However please keep in mind that many of the questions are easy to answer. For example ‘What country were your born?’. Someone does not need to know much information about you to answers this. So really it is a poor question. When setting up this security feature always choose a question that is easy for you to answer and one that others cannot guess from knowing basic information about you.
Always be aware of your personal data on the internet. Do not take a website’s security for granted and take various measures to prevent such data form getting to places it should not. If you’re unsure check the information about the website and any legal document/agreement. Most people do not have time to read them all but showing some interest can help in making a safe decision.
At the end of the day it’s your own account security and it’s your decision how well you guard against threats.