Password security is serious

Blair Hanley Frank

I want to take a moment to talk to all of you about Russian male enhancement. That’s right, with the power of the motherland, you too can extend your manhood! At least that’s what my email told all the people in my address book several months ago. My Facebook account was phished, and I inadvertently gave my email and password to a cracker (one who breaks security on a system, from the Jargon File.). That same cracker used the email/password combination to access my email account, and then sent out a massive barrage of advertisements to my friends, family and former teachers.

Of course, that was preventable. Not just in the sense that I shouldn’t have given my Facebook email and password to a phisher, but also, it was pretty dumb for me to use the same password for Facebook and my email. According to Mike Osterman, WCTS IT Security Officer, I got off easy.

“One person had their [online brokerage] account broken into, and they actually had their account emptied out.” So, when it comes to password security, the stakes are pretty high.

Phishing remains the greatest threat to your security, but a new threat has cropped up recently. Firesheep is a new extension for Mozilla’s Firefox browser that uses a security flaw inherent in many popular websites, including Facebook and Twitter, to allow an attacker to determine someone’s password based upon cookies transmitted over an open wireless network (It is a gross violation of Whitman’s Acceptable Use Policy to use Firesheep or other tools like it to sniff out other people’s passwords. If you do that, you are liable to get your network access revoked. So don’t.). Firesheep uses a technique called “sidejacking,” which intercepts browser activity containing unencrypted login credentials.

Of course, with these security threats, it’s important to protect yourself. First and foremost, I highly recommend that you pick up the HTTPS Everywhere extension for Firefox. It forces the sites that Firesheep targets to use Secure Sockets Layer (SSL) encryption at all times, which will foil potential sidejacking attacks. Second, get a password storage utility. These utilities store an encrypted file on your hard drive that you can fill with all of the passwords for the websites you use, and lock with a single master password. In other words, tools like KeePass and 1Password allow you to use different passwords for any given site, but store them in one convenient location.

Of course, HTTPS Everywhere is nice, but it’s really only a patch. According to Osterman, “The real fix for this is for services like Facebook to actually change the way they engineer their sites.” I agree wholeheartedly. The fundamental problem here is that social networks need to stop playing fast and loose with users’ security. I asked Osterman what’s stopping Facebook and sites like it from using SSL everywhere. The short answer: money.

“It generally adds a lot of processing overhead, because it has to encrypt and decrypt the traffic . . . Given the amount of data that Facebook serves per day, that could add a significant amount [of money] to their hosting bill.” Unfortunately, the cost-cutting measures Facebook and other sites are using are costing us our security.

So here’s the bottom line, in easy to follow bullet points:

-Use a password manager, and don’t use the same password in different places.

-Use HTTPS Everywhere to help protect you from sidejacking attacks.

-Ask Facebook, Twitter, and other social networks to start using HTTPS.