We often talk about web security because we believe it is an extremely important topic that will remain relevant for as long as the internet is around. If you missed it, we touched on it in our article on the next 25 years of the web. One of the most important aspects of security is password security.
Let’s dive into what security actually means. If you look at an environment like Moodle, your username and password are not only encrypted, but they are also encrypted with a salt value. A unique string of numbers, letters, and special characters are added, which is fairly long. And that is used to encrypt your username and password to begin. So when you log in, the data store retrieves the salt value, takes what you typed in, and marries those two together in a rather unique manner. It then encrypts it and compares that value to the value stored in the Moodle database. If they match (bit for bit), you’re in. And if not, you can’t get in. That in itself is a fairly high level of security. It is as close to military-grade security without two-factor authentication.
Here at the Web Professionals Organization, we maintain information in our learning management and certificate testing system. However, we are careful not to keep track of personally identifiable information. We only keep the student’s first name, last name and email. This is the minimum we need to allow students to self-enroll. We do not allow users to attach any phone number, address, social media links or profile names. In some cases, schools will ask that we completely anonymize the accounts, and for this we will create complex passwords and dead drop emails for each user.
If a hacker were to actually steal our data store, it would be useless because they would need to know the salt value. The salt value is stored in a different place—not in the database. The hacker would then have to be able to do a reverse lookup by using a rainbow table or something similar. And it would be impossible to do a binary reverse lookup. It’s just not possible today to crack those username and password combinations—and that’s by design.
How do hacks happen?
Let’s imagine we have a WordPress site that uses a MD5 hash. MD5 is a message-digest algorithm and cryptographic protocol that can be used for authenticating messages, content verification and even digital signatures. MD5 is quite secure. To hack it, you could create a rainbow table and start with lowercase “a” as the password. You would then encrypt that. Then you would store the value that you started with and the encrypted value in two separate columns. And then go on to lowercase “b”, “c”, “d”, and encrypt each of those. Then go on to uppercase “A”, “B”, “C”, and so forth. And then 1, 2, 3, and continue on (for example, a1, b1, c1). Obviously, the table gets larger and larger as you get more and more characters. For even eight characters, you are looking at a significant amount of data—multiple gigabytes, if not a terabyte.
So now you have these two fields—one field contains the safe value, and the other contains the encrypted value. Then you can download a data store from a WordPress site that’s been hacked. You would be able to see that there is an encrypted value and do a binary search on that encrypted value. Once you have the encrypted value, it can be found in the large table. And as easily as that you could have the username of “admin” and password of “123456” which you can use to log in.
Ensuring password security
It’s important to make it as difficult as possible to hack your accounts. Many people like to use their initials or identifiable information so that they remember the password. However, you can use random letters, numbers and characters in your usernames and passwords. In fact, many security experts recommend 15-20 characters. You can even go up to 40 or more these days. Sites like Correct Horse Battery Staple are helpful to create randomly generated passwords and allow you to set parameters. And encrypted password vaults like NordPass and LastPass are a good way to ensure password security without needing to write them down and keep track of each one.
There are all sorts of bad actors out there who have wide-ranging hacking capabilities and could likely hack into any of your accounts. However, most hackers will have trouble hacking into your accounts if you use unique passwords. It’s like someone walking down the street at night and trying to open car doors. If yours is locked, it’s likely they will move on to the next car that is open and leave yours alone. That’s what you’re doing by making it more difficult for people to get into your website or your information. You can even put your list of passwords on a USB stick or hard drive and avoid connecting it to the internet, thereby creating an extra level of security.
You can also make up answers for password security questions—for example, your mother’s maiden name—to make your accounts even more difficult to hack. Alternately, you could add a word like “flower” to the answer to each security question. For example, make of car “fordflower.” And you can use passphrases that you will remember (unrelated to your personal information), which can be helpful when utilized correctly. It should be said that you should be careful about revealing sensitive information anywhere on the internet—including social media. And you can use two-factor authentication and authentication apps for an added layer of security.
We should mention that we have never—and will never—sell student and member information to anyone.
Whatever happens in the coming years in the world of security, the Web Professionals Organization will be here to help web professionals however we can. If you are interested in learning more about our mission, contact us today.