Are we putting too much trust in websites to hold our personal information securely?

In the second half of 2010, Gawker, a blog network based in New York City, posted several articles criticising well-known hacking groups, including 4chan and Anonymous.

They became embroiled in a mud-slinging battle with the hackers, at one point even goading the hackers to attack them, including their home addresses. Finally, on 13 December 2010, a group known as Gnosis hacked into Gawker’s servers, downloaded their database (containing 1.3 million user records), decrypted over 200,000 of the passwords, and then made everything publicly available.

Gnosis claimed to have acted due to the arrogance of Gawker towards hacking groups, but this was not Gawker’s only flaw. Gawker used outdated software, an insecure encryption routine (it had been compromised in January 1999), and their database was public facing. It turned out that their arrogance was not deserved.

After the attack, they were forced to post an embarrassing confession to their users, urging them to change their passwords immediately. Understandably, the websites run by Gawker suffered falling user numbers. Many users, myself included, had to change their password not only on Gawker, but on every website where they had used the same password.

For me, this included Amazon, eBay, my bank, PayPal, Google, Facebook, and many others. I never realised how much of my life is lived through the internet now, and how vulnerable I would feel when this was potentially compromised by others.

Admittedly, this was partly my fault. My password was simple, but it wasn’t the worst: over 3000 of the users whose passwords were decrypted had used ‘123456’. My main fault was that I had used the same password on multiple websites, putting all of my eggs in the same basket.

So what should I have done? The simplest suggestion is to use a different password on every website that you register with, but considering that the average internet user has 25 different online accounts (and I have many more than this), this is just not possible.

The best suggestion that I’ve heard is to use a secure password and then append a couple of characters on to the end that relate to the website that you’re on. For example, suppose your base password is ‘sh3dC4stle’ and you choose to use the second and penultimate letters of the website name on the end of the password, then your password for Amazon would be ‘sh3dC4stlemo’.

When we submit our information to a website, we are putting our trust in that website to hold this information securely. For this reason, website developers should treat user data as if it were their own (often it is).

They should keep up with the latest technologies and techniques relating to security and ensure that they use these. Also, they shouldn’t needlessly risk the security of the data, either when it is stored or when it is in transit. Gawker was guilty of neglecting these simple rules, by using outdated software and by inviting attack. Let us hope that their experience has convinced other developers to raise the drawbridge.


Thomas Coles co-founded MSM in 1998 and is the largest shareholder with 44.7%. His key achievements so far include growth from 2 to 40 FTE, high levels of customer satisfaction and retention, as well as surviving the sector downturn from 2001-2003 and growing the business in the 2008-2009 recession. Thomas’ business acumen was apparent from a young age. As a child (aged 8) he was already budgeting his pocket money on a spreadsheet. His passion for technology was also evident, as, aged 10, he was writing programmes for his Amstrad. Thomas started the MSM business soon after graduating with his father, who remains a non-executive director today. A strong believer in applying common sense to any situation, Thomas says his objective is to continue to be criticised for being too honest. Away from the office, Thomas enjoys family life with his wife and three children and likes to take part in half marathons, going to the gym and watching Formula 1 motor racing. Thomas is also a trustee of a local charity.