Security in Computing (Part 1)
In the 16th century, Mary, Queen of Scots, was plotting against Queen Elizabeth. She was planning to assassinate the queen. Mary communicated with her lackeys through a basic cipher – she simply replaced the letters of the alphabet with new symbols. Using this cipher, Mary communicated her treasonous wishes. Queen Elizabeth’s spymaster, Francis Walsingham, suspected Mary’s treacherous intentions and intercepted some of her messages. To decipher the messages, Francis had to use a technique known as frequency analysis. Basically, alphabetic languages tend to have a certain distribution of letters. For example, here is the frequency table for all of the letters in this paragraph:
Using this technique, Francis noticed that one of Mary’s symbols occurred far more often than the others, so he figured that symbol must be representing “e”. Using frequency analysis, Francis was able to decipher Mary’s messages and prove her murderous plans. Mary was sentenced to death because she used a crappy cipher. Luckily, in the 21st century, we have more complex ciphers and forms of encryption. Unfortunately, these security measures aren’t used as often as they should be, and even when they are used, there’s a decent chance they’re not being used properly.
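The frequency table the paragraph above refers to, computed rather than pictured, plus the step Walsingham took with it. This is an added example, not code from the original post: it counts the letters of that paragraph, then enciphers it with a random substitution (shuffled letters standing in for Mary's symbols) and shows that the most common ciphertext symbol is indeed the one that replaced "e".

```python
from collections import Counter
import random
import string

# Sample text: the opening paragraph of the post (punctuation ASCII-ised).
PARAGRAPH = (
    "In the 16th century, Mary, Queen of Scots, was plotting against Queen Elizabeth. "
    "She was planning to assassinate the queen. Mary communicated with her lackeys "
    "through a basic cipher - she simply replaced the letters of the alphabet with "
    "new symbols. Using this cipher, Mary communicated her treasonous wishes. Queen "
    "Elizabeth's spymaster, Francis Walsingham, suspected Mary's treacherous "
    "intentions and intercepted some of her messages. To decipher the messages, "
    "Francis had to use a technique known as frequency analysis. Basically, "
    "alphabetic languages tend to have a certain distribution of letters. For "
    "example, here is the frequency table for all of the letters in this paragraph:"
)

def letter_counts(text):
    """Count a-z in text, case-folded; digits, spaces and punctuation are ignored."""
    return Counter(c for c in text.lower() if c in string.ascii_lowercase)

def frequency_table(text):
    """(letter, count, percent) rows, most common first."""
    counts = letter_counts(text)
    total = sum(counts.values())
    return [(ch, n, round(100 * n / total, 1)) for ch, n in counts.most_common()]

def make_key(seed=None):
    """A random monoalphabetic substitution (shuffled letters stand in for Mary's symbols)."""
    symbols = list(string.ascii_lowercase)
    random.Random(seed).shuffle(symbols)
    return dict(zip(string.ascii_lowercase, symbols))

def substitute(text, key):
    """Apply the key letter by letter; anything not in the key passes through."""
    return "".join(key.get(c, c) for c in text.lower())

def invert(key):
    return {v: k for k, v in key.items()}

def guess_e(ciphertext):
    """Walsingham's first step: the most common ciphertext symbol is probably 'e'."""
    return frequency_table(ciphertext)[0][0]

if __name__ == "__main__":
    for ch, n, pct in frequency_table(PARAGRAPH)[:5]:
        print(f"{ch}: {n:3d} ({pct}%)")
    key = make_key(seed=1587)
    ct = substitute(PARAGRAPH, key)
    print("ciphertext symbol for 'e' guessed correctly:", guess_e(ct) == key["e"])
```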
The basic mainstay of web security is the password. I know… you all hate passwords. They’re annoying, unwieldy, and often have bizarre requirements that make them damn near impossible to remember. They’re also completely necessary.
In today’s day and age, there are so many different services that require passwords that it’s virtually impossible to remember a unique password for all of them. Naturally, humans default to using the same password for everything. Picture your favorite password and all of the services you log into with that password… it’s a little bit scary. If any one of those services handles your password improperly, it could be compromised, giving anyone and everyone access to all of your accounts. One look at Plain Text Offenders will give you an idea of how common it is for companies to completely ignore industry best practices and put your passwords at risk.
It’s unreasonable to expect people to remember all of their passwords. So, what should you do? Personally, I use KeePassX, a wonderful piece of software that manages all of your passwords. I currently have 112 unique passwords for all sorts of things in there. For the most part, they’re at least 24 characters long with all random characters (for example YkAF.~hje\B5O6P2<vo*8[4n might be one of the passwords KeePassX generates). I can’t remember a single one of them, but that’s fine!
Any time I need to log in to something, I open KeePassX, type in my master password, select the password I want to use, and then use the Auto-Type feature. KeePassX automatically types the username and password into the field, and I’m in. This process isn’t much harder than just typing a password in directly, and it’s infinitely more secure.
You may ask, “why not just save my passwords in a spreadsheet?” The answer is encryption. When I save new passwords into KeePassX and close it, those passwords are completely locked down with 256-bit AES encryption, so it’s practically impossible to get at the passwords without my master password. This is a great feature because it lets me comfortably store my password database in insecure locations (though it’s still ill-advised). For example, I have my password database syncing with Nextcloud between my devices, so anytime I add or update a password, all of my devices receive the change.
KeePassX is one of many password management options out there. LastPass is another great option I’ve used in the past. Do your research and choose the password manager that’s right for you! I know it’s a huge pain in the ass to change all of your passwords and adjust your habits, but it’s also a pain in the ass dealing with identity theft… so balance your options.
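The two ideas behind a password manager, shown in working code as an added example (not KeePassX's own code): a 24-character password drawn from the OS random number generator, with its entropy worked out, and a master password stretched into the 256-bit key an AES-256 step would use. PBKDF2-HMAC-SHA256 is assumed here as a stdlib stand-in; the post does not say which key-derivation function KeePassX uses, and the unlock check is an illustration, since a real vault verifies the master password by decrypting.

```python
import hashlib
import math
import secrets
import string

# Character set a generator like KeePassX's draws from: the post's sample
# password YkAF.~hje\B5O6P2<vo*8[4n mixes letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=24, alphabet=ALPHABET):
    """Each character is chosen independently with the OS CSPRNG (secrets),
    never with random.random, whose output is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length=24, alphabet=ALPHABET):
    """Guessing cost of a uniformly random password: length * log2(|alphabet|).
    24 characters over 94 symbols is about 157 bits, far beyond brute force."""
    return length * math.log2(len(alphabet))

def derive_vault_key(master_password, salt, iterations=600_000):
    """Stretch the master password into the 256-bit key an AES-256 step would
    use. PBKDF2-HMAC-SHA256 is a stdlib stand-in (assumption: the post does not
    say which KDF KeePassX uses). The deliberately slow iteration count is what
    makes guessing the master password against a stolen database file
    expensive, which is why the file can tolerate living in a synced folder."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def unlock_check(master_password, salt, expected_key, iterations=600_000):
    """Illustrative only (a real vault verifies by decrypting): compare derived
    keys in constant time so timing does not leak which bytes matched."""
    derived = derive_vault_key(master_password, salt, iterations)
    return secrets.compare_digest(derived, expected_key)

if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw}  ({entropy_bits():.0f} bits of entropy)")
    salt = secrets.token_bytes(16)          # stored in clear next to the database
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key:", key.hex())
    print("wrong master password unlocks:", unlock_check("hunter2", salt, key))
```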
One last thing to mention here is that if a site uses OpenID and gives you the option to log in with your Google or Facebook account, you should probably do that! If you think about it, Google and Facebook probably protect their users’ passwords better than the site you’re accessing. You should be wary of what data the site accesses from your account though… give sites the bare minimum they need to operate.
If you’re a web developer creating a user account system, please consider using OpenID! Security is extremely hard to get right, so in my opinion, it’s best left to the pros.
You see that little green lock next to the URL at the top of this page? What that basically means is that any data that is transferred between my site and your device is encrypted. Imagine that this blog post was sent to you in the mail. Anyone who handled the letter could potentially open it up, read it, then send it along to you. Of course, this isn’t a huge deal for a simple blog post (in fact, it’d be nice to have more readers! :-). This gets to be a problem when you want to send data to me. Say I set up an online store and ask for your credit card details; the digits of your credit card have to reach my server somehow.
Using SSL encryption is similar to sending a lockbox containing your letter to me. Only you and I have the key to the lockbox, so any nosy postman who wants to see your letter is out of luck. When you first visited my website, we securely exchanged keys, and now all of the data we exchange is kept safe inside a virtual lockbox!
Outside of protecting your data, SSL also ensures that the site you’re accessing is authentic. For instance, imagine Wells Fargo didn’t use SSL. In our letter analogy, Wells would send you a letter asking for your username and password. It looks authentic… hell, it’s printed on Wells Fargo letterhead. Unfortunately, there’s no way to prove that the return address where you’re sending your data is actually the bank. Luckily, you can be comfortable sending a letter with your bank login information out into the world if it’s placed inside a lockbox that only Wells Fargo has the key to. In simple terms, if a site uses SSL, you know that you’re actually connecting to them and not an imposter.
HTTPS Everywhere is a wonderful browser extension that forces sites to use SSL if they are able to. For web developers, Let’s Encrypt has made a huge difference by acting as a free certificate authority. Removing the price tag from SSL is encouraging more and more sites to use encryption. With no cost associated with a certificate, there’s no real reason not to encrypt your site’s traffic!
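The authenticity half of the story above, the lockbox only the real site can open, comes from the client verifying the certificate, and it is easy to switch off by accident. As an added example (not code from the post), here is Python's standard `ssl` module with the correct default context beside the weak "verify nothing" variant many scripts use, plus a helper that connects to a host and reports who its certificate is issued for. The hostname used in the demo call is an assumption; the checker functions need no network.

```python
import socket
import ssl

def verifying_context():
    """The correct setting. create_default_context() verifies the certificate
    chain against the system CA store and checks that the certificate was
    issued for the host we asked for; together these are the 'lockbox only
    Wells Fargo has the key to' from the post."""
    return ssl.create_default_context()

def unverified_context():
    """The weak setting behind many 'verify=False' switches: traffic is still
    encrypted, but any certificate is accepted, so an imposter sitting
    between you and the site can present its own key and read everything."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be disabled before verify_mode can be
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def is_verifying(ctx):
    """True only if both checks are on; a context with either off is not safe."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def peer_identity(host, port=443, timeout=5.0):
    """Connect with the verifying context and return (certificate CN, TLS
    version). Needs network access; raises ssl.SSLCertVerificationError if
    the chain or the hostname does not check out, i.e. on an imposter."""
    ctx = verifying_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            subject = dict(item for rdn in cert["subject"] for item in rdn)
            return subject.get("commonName"), tls.version()

if __name__ == "__main__":
    print("default context verifies:", is_verifying(verifying_context()))
    print("verify=False context verifies:", is_verifying(unverified_context()))
    print(peer_identity("letsencrypt.org"))   # assumed host, needs network
```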
That’s all for now! My next post will be a little more technical and will focus on server-hardening.
Do you have a favorite password manager or another advantage to using SSL? Let us all know about it in the comments section below!