Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
Log in  ::  Register  ::  Not logged in

Password Insecurities

By Tony Davis,

The age of the password is over; at least that's the conclusion reached by Mat Honan (the now-famous @mat on Twitter), after his well-publicized experience at the hands of hackers. In brief, they gained access to his Apple iCloud account, and used it to wipe his iPhone, iPad and MacBook devices. They then gained access to his linked Gmail and Twitter accounts. They even wrote to him on Twitter, and explained how the hack worked.

Of course, it doesn't help that many of us are lax in our choice of passwords, and share the same password across several accounts. According to results recently published by Gizmodo, based on an analysis of millions of stolen passwords posted online by hackers, "password" is still one of the most popular passwords. On the bright side, some are clearly starting to heed advice, with more complex variations such as "password1" gaining in popularity....

The problem is that while strong passwords – long, alphanumeric, with improbable character substitutions, and so on – are obviously safer, they are still not necessarily "safe". In the Honan case, the hackers got his details not by hacking his strong password, but by persuading Apple to reset the password over the phone (a practice they've now suspended), armed with his address and the last four digits of his credit card.

Likewise, there are countless examples of substandard security practices on the various websites with which we entrust our personal details. Over recent months, Troy Hunt has done an excellent job highlighting security issues he found with the Tesco's website, including passwords not hashed and encrypted in storage, passwords emailed in plain text, and lack of HTTPS. These failings afflict many websites. I'd particularly recommended you catch Troy's video demonstration of how easy it is on many sites to exploit Cross Site Scripting (XSS) vulnerabilities. This is where a hacker is able to inject JavaScript into a URL, on a legitimate website, to "sniff" information that the site stores in the cookies, or pop up an illegitimate logon form and capture username and password details.

So what's the answer? OWASP has provided excellent guidelines for making a site or service too difficult to hack to make it worthwhile, in the vast majority of cases. The Standards and best practices exist to avoid being hacked, but implementing them requires time and investment and often there simply doesn't seem to be the will to do it. We don't want to bother too hard with security and we wait for a "silver bullet" (such as biometric data, as suggested by Mat Honan) to rescue us from a tedious routine. Maybe a silver bullet isn't going to save us this time.



Total article views: 83 | Views in the last 30 days: 2
Related Articles

Deleting Accounts from Websites

I ran across this article about How to Delete an Account from Any Website on the PC Magazine web sit...


Weak Passwords Discovered in the 10,000 Disclosed Hotmail/ leaked accounts

By now, hopefully everyone has heard of the security breach where accounts and passwords were found ...





Please Help:How to change the sql service account password on active/active.

How to change the sql service account password on active/active


SQL toolset to find the SQL service accounts and their passwords

SQL toolset to find the SQL service accounts and their passwords

database weekly    

Join the most active online SQL Server Community

SQL knowledge, delivered daily, free:

Email address:  

You make SSC a better place

As a member of SQLServerCentral, you get free access to loads of fresh content: thousands of articles and SQL scripts, a library of free eBooks, a weekly database news roundup, a great Q & A platform… And it’s our huge, buzzing community of SQL Server Professionals that makes it such a success.

Join us!

Steve Jones

Already a member? Jump in:

Email address:   Password:   Remember me: Forgotten your password?
Steve Jones