Database breach alert! Yet another high profile website that had its user account details leaked. How do we stay safe?
How To Store User Details And Keep Them Safe
Here we are again, this time with ClixSense - an online service that pays you for completing surveys - which has had a database breach leaking not only usernames, email addresses and real names, but also plain text passwords.This has been followed by a data breach at MoDaCo, a mobile technology review site, also revealing email addresses, usernames and hashed passwords. We’ve talked about how these breaches highlight the importance of not reusing passwords, but what if you are running a web service yourself, what are the recommendations for storing user details?
Our Security Recommendation Checklist:
1 Obviously the first thing is to not get hacked. Which is somewhat easier said than done.
2 The key things here are to make sure that all services that should not be public facing are locked down using your firewall.
3 If and when you retire hardware from your platform make sure it is shut down or locked down, and that it can no longer communicate with the rest of your platform.
4 Regularly perform at least some basic penetration tests against your own system to see if something has been mistakenly left publicly accessible due to a configuration change. Also, be sure that you keep your software up to date in order to patch against security vulnerabilities.
How To Safely Store Passwords?
Number One Rule: Never ever store the passwords in plain text in your database. Passwords should be stored salted and hashed using a secure hashing algorithm.
Hashing is a method of encrypting data to a unique string of characters such that it is impossible to decrypt, and the original data can only be deduced by repeating the hash and comparing the hash values.
Salting means that you add a randomly generated string of characters to the password before hashing it in order to make password guessing a longer and slower process.
Rainbow Table Hash and Salt
If your database is breached, then an attacker will generally compare the hashes in the database to what is called a “rainbow table”, a list of pre-hashed words and phrases to look for matches and therefore find users’ passwords. If each user’s password is hashed using its own unique salt, then the attacker will need to generate a unique rainbow table for each user, massively increasing the workload for the attacker and slowing down the process of finding the users’ passwords.
When choosing your hashing algorithm it’s important to choose one that makes the brute force attacks difficult, for this reason MD5 should never be used and SHA is also not recommended. Bcrypt, Scrypt and whirlpool are recommended.
DDoS Attacks On The Rise
In other news, Akamai has reported that the number of Distributed Denial Of Service (DDoS) attacks in the last year have doubled over the number recorded in the previous year, with gaming and software sites being the main targets of attacks.
HTTPS Alert on Google Chrome
Google have announced that starting on New Year’s Day that their Chrome web browser will start highlighting websites that don’t use HTTPS as not secure. Similar to the green padlock icon that is familiar when viewing websites secured using HTTPS, in the future sites using HTTP will find that icon a red exclamation mark, warning that the connection to the server isn’t encrypted. To begin with, this warning will be used on pages that collect password or credit card information, but it will later be extended to include all pages using HTTP connections as part of the push to get all website administrators to move over to using SSL certificates and HTTPS encryption.
Trademark Battle Leads To Updates Failing
Finally, Let’s Encrypt, the free automated SSL certificate for all Certificate Authority, has won a trademark dispute with Comodo over the Let’s Encrypt name. A downside to this is that in order to protect the trademark they are having to prevent the Let’s Encrypt name being used by third parties. This means that third party tools such as the LetsEncrypt.sh script that can be used to help automate the use of the authority’s certificates have had to rebrand. So if you have scripts using automated tools to renew your certificates, you may find they get renamed as they update which could lead to your updates failing.