Warren Shea

P@$$words

Wednesday, May 4th, 2011 at 1:37 pm

The recent PSN (PlayStation Network) and SOE (Sony Online Entertainment) hacks have been bad. Bad for the average user who uses these things (me), very bad for the users who have purchased things over these channels (me), and very, very bad for Sony. But I have little sympathy for them, as creating something to hold this information requires the support and security around it to prevent that kind of thing. While PSN isn’t a paid service (and thus not directly revenue generating, as opposed to, say, XBOX LIVE), I would imagine that they should definitely have had the financial means and resources to close whatever security hole was used.

That said, I work for a large corporation, and while we have group(s) dedicated to security, I don’t know how they would fare against a creative hacker. In a recent discussion with a security-minded person, he told me that he teaches people to hack. My original thought was “as a security expert, why teach people to hack? It seems to reinforce what you’re trying to prevent,” but the answer was quite obvious. He said “by teaching how to hack, it helps a developer to develop more secure code.” Duh. Now, I’ve never been one to hack. I mean, truly hack. I can do some creative things with my given skills, but I’m not one who knows about <insert what I don’t know about hacking keywords>. I know how SQL injection works…and thus I know how to code to prevent that type of exploitation. But I don’t know how <hacking method x> works, and thus can’t code against it.

I’m always up for learning new things, and learning how to hack better is definitely something new on my list. Not to do something malicious, heavens no! But to become a better developer. Now is as good a time as any to take the first steps towards learning something new.

Anyways, the intention of this post was to discuss passwords. Given the recent exploitation, I’ve been forced to re-evaluate all my passwords. Granted, I’ve been meaning to do this for a while, but this actually gave me a pretty good excuse. While it’s a security risk to introduce the following topics, I’ll try to stay vague and not give anything away that could potentially be used to hack me.

I’ve finally made different passwords for everything. I’ve always avoided this because of the obvious limitations of my memory. I used to have about 5-10 passwords which I used for everything. They varied from “password” to “I don’t care if this gets hacked” to “This is my godly, unbreakable password!”, but as I signed up for stuff, reusing certain passwords, the passwords blurred. I had “I don’t care if this gets hacked” passwords for important stuff, and “This is my godly, unbreakable password!” for unimportant stuff. This has become a problem.

Up until recently, there was something I hadn’t considered regarding the security around signing up for things. When I would sign up for stuff, I would submit my email, my username, and a desired password. To keep things simple, my desired password would often be my email password. What a ridiculously stupid oversight. Generally, when you sign up to sites, you assume they have a secure system. You hope they do. Password hashes, security precautions x and y. But what if they don’t? As the user, you’re none the wiser about their infrastructure or security. Suppose they simply had a table with


EMAIL                          Username     Password
warren.shea [ a t ] gmail.com  warrenshea   password


and what if the system admin, or whoever, just viewed the table and BAM!, gets the email and a password. Granted, it’s the email, username and password for the site they’re the admin of. But technically, that person could try that combination of email and password to “hack” into the email account. Now, I don’t know what percentage of people do this…but I’m fairly paranoid and even I did it. Granted, I’m quite stupid as well…so it’s hard to say. Still, I imagine that you could probably hack into 10-20% of the emails….and that’s a lower estimate. I would guess you’d get into 80% of them. People just can’t remember that many passwords, so they reuse them. Again, it wasn’t too much of an issue, as I would sign up for stuff with my “bad password” while my email had my “good password”, but again, sometimes I’d get stupid or careless.
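To make the difference concrete, here is an added example (not code from the original post) that puts the plaintext table above beside what the same row looks like when the site stores a salted PBKDF2-HMAC-SHA256 hash instead. The email address, username and password are constructed for the example, and the 600,000 iteration count is an assumption in line with current OWASP guidance rather than anything the post specifies. An admin who can read every row sees only a per-user salt and a digest, and because each site picks its own random salt, the same password produces a different stored value at every site, so one site’s table cannot simply be replayed against the user’s email account.

```python
# Added example, not code from the original post. All sample data is constructed.
import hashlib
import hmac
import os

# Constructed sample row (mirrors the post's illustrative table, not real data).
EMAIL = "warren.shea@example.com"
USERNAME = "warrenshea"
PASSWORD = "P@$$w0rd!"   # mixed case, digits and symbols; the hash accepts any bytes

# Assumption: work factor in line with current OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(email, username, password):
    """The post's table: anyone who can read the row has the password itself."""
    return {"email": email, "username": username, "password": password}


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256, encoded as 'pbkdf2_sha256$iterations$salt$digest'."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per user, per site
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, _digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    recomputed = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)


def store_hashed(email, username, password):
    """What the row should look like: the password column holds only salt + digest."""
    return {"email": email, "username": username, "password": hash_password(password)}


def admin_view(row):
    """What a curious admin sees in the password column."""
    return row["password"]


def demo():
    """Compare the two storage schemes from the admin's point of view."""
    plain_row = store_plaintext(EMAIL, USERNAME, PASSWORD)
    site_a = store_hashed(EMAIL, USERNAME, PASSWORD)
    site_b = store_hashed(EMAIL, USERNAME, PASSWORD)   # same user and password, other site
    return {
        "plaintext_leaks_password": admin_view(plain_row) == PASSWORD,
        "hash_contains_password": PASSWORD in admin_view(site_a),
        "same_password_same_stored_value": admin_view(site_a) == admin_view(site_b),
        "correct_password_verifies": verify_password(PASSWORD, admin_view(site_a)),
        "wrong_password_verifies": verify_password("password", admin_view(site_a)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The sample password deliberately mixes case, digits and symbols: the hash function consumes arbitrary bytes, so a site that stores passwords this way has no storage-side reason to reject special characters, and length is the only thing its policy needs to check.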

There’s also the problem that my “This is my godly, unbreakable password!” has certain characters that aren’t allowed by some sites. A good site will allow dIFFerEnT cAseS, NUMB345, and C#@RACTERS. But some don’t. And so I have to use “I don’t care if this gets hacked” passwords for important stuff….because the system won’t allow a good, secure password. In 2004, I actually had an email rant to Rogers because I couldn’t change my password to the one I wanted….they wouldn’t allow special C#@RACTERS. Sh!tty system.

.
.
.

Anyways, that’s gone now. I’ve modified all my passwords to be something different for each and every thing. Getting “PASSWORD A” will not give you any other access except to “SECTION A”. And that’s how it should be; I’ve just been too lazy to realize it and change things. But improving your own security is the first step to becoming secure yourself. Better to fix things like this early than get hacked somewhere down the line for signing up with an “I just wanted to download this one thing!” site….but obviously you wouldn’t know which site hacked you, because you’re a password-reusing fool, so it could be any number of them. Also, you’d have more important problems to deal with…figuring out how to fix things rather than figuring out why you were hacked and who did it.

Now, please watch this informative video on safety best practices.
