Last Sunday, France 2, a French national television channel, devoted several minutes of its daily evening news edition to Internet security.
The title, “Do hackers always have a head start?”, sounds quite interesting, but in the end the story mostly covers the ability of “hackers” to guess passwords used on the web.
Far from reflecting the complexity and dangers related to cyber-attacks, the topic was a useful reminder, though, that the role of users in their own security is very important.
Security is users’ business
The testimonies of passersby interviewed by France 2 are very representative, because they perfectly illustrate statistics computed on databases of stolen passwords (which are actually stolen by the million, not “guessed” by hackers).
“I have a password for all my accounts. Because I have a very bad memory, so at least I know I’m not going to fool myself!”
It is convenient, but if someone guesses this password, or steals it from one of the websites, they will be able to hack all accounts of the same user.
Would you use the same lock for all the doors of your house? (outside gate, garage, entrance and interior doors included)
Passerby: “Password? ‘Mickey’”
Interviewer: “Is it your password? Do you tell it to anyone?”
Passerby: “No, but you asked me…”
There are two issues in this second case:
- One can easily guess the password of the user (manually, or by using a dictionary attack)
- One can perform what is called a phishing attack: send a fraudulent email to the user, pretending to work for the national power company, and ask the user to confirm their password. The victim, not really suspicious, may quickly hand the password over to unknown people.
Moral: Personal accountability is paramount in terms of web security. Whatever security measures are in place on a website, if passwords are weak, disclosed or misused, security is compromised.
Some mechanisms such as “two-factor” authentication are sometimes implemented, for example asking for a secret code sent by SMS after the first password has been entered, but this practice is not yet widespread.
A shared responsibility with companies
France 2 makes a simple observation: “hackers can count on their best ally: the lack of user awareness”
This is true. However, web security issues also stem from a lack of vigilance on the part of website owners and developers.
If we stay on the same technical subject, namely user authentication, companies have responsibilities. For example, they have the ability to:
- hash passwords in their database
- put in place some constraints when users choose their passwords
- encrypt communications between the browser and the company’s servers (HTTPS)
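As an added illustration of the first two points (this is example code, not code from the article or from France 2), here is a minimal server-side routine: reject passwords that a dictionary attack would try first, and store only a salted PBKDF2 hash so that a stolen database does not hand over the passwords themselves. The blocklist and the 12-character minimum are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed blocklist of passwords that a dictionary attack tries first.
# A real deployment loads a much larger list built from leaked databases.
COMMON_PASSWORDS = {"mickey", "password", "123456", "azerty", "qwerty"}

# Work factor: slows down offline guessing if the password table ever leaks.
PBKDF2_ITERATIONS = 600_000


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy violations (an empty list means acceptable)."""
    problems = []
    if len(password) < 12:  # assumed minimum length for this example
        problems.append("shorter than 12 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


def hash_password(password: str) -> str:
    """Store a random salt and the PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)  # fresh per user, so identical passwords hash differently
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), digest_hex)
```

The stored string carries the algorithm and iteration count, so the work factor can be raised later and old records re-hashed at the user's next login.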
This last point about HTTPS is very important, because many users connect to the Internet through connections they do not own. As an example, the use of WiFi hotspots is very convenient for tourists abroad. These WiFi connections can easily be configured to be malicious and to collect the emails and passwords users type on various websites.
However, if the connection is encrypted with HTTPS, hackers cannot see the web traffic in clear text, and this way will not have access to passwords or emails.
How many of the websites you regularly connect to are protected with HTTPS? This is a security fundamental.
If both users and website editors fulfill their roles, then security is on its way.
In the end, everyone has a share of responsibility in web security. Users, and companies.