by Jac La Tour
I may be Ministry Banking Guy, but I’m not Banking Security Guy. That title would rightly belong to information systems expert Alan Weisenberger. So I asked him to write this post because this issue is so timely and important.—MBG
The buzz in the information security world this past week sounds like something straight from the Cooking Channel. Data breaches at four major websites including LinkedIn, eHarmony, music sharing site Last.fm, and gaming site League of Legends have resulted in millions of passwords being compromised. The common element is that “hashed” passwords that weren’t “salted” were stolen from their databases and posted on the internet. Say what?
In layman’s terms, hashing is a way to store a scrambled, one-way version of a password instead of the password itself. Salting adds random characters to a password before hashing, so that figuring out the password from the hash takes much more work. So hashing is good, but hashing with salt is better. But even salty hashes aren’t invincible. They just require more effort to crack.
We always have to remember that security is not an on/off switch. “Is it secure?” is a question that, in an absolute sense, nearly always requires a “no” answer. It’s more accurate to ask, “Is it secure enough?” To answer that question, we have to match the security requirement to the value of what’s being protected. A six-digit password might be enough for some things, while others need the better protection of ten or twelve digits. Storing password hashes salted provides more protection than unsalted, but no matter how they’re stored, passwords aren’t enough protection for some things. You’re familiar with this idea. I suspect you would protect a stack of $100 bills more than you would your pocket change.
I’m not too concerned about my LinkedIn account being hacked. I suppose someone could deface my profile or do something that could mar my reputation. But I’m not dependent on LinkedIn for anything critical. (Not to imply that’s necessarily true for you.)
My biggest concern about these passwords being stolen is that many people use the same password for these sites that they use for more critical things, like online banking. If you use your online banking password for anything else in addition to online banking, please change it NOW—then come back and finish reading this article!
The alert on the League of Legends website about their breach contained some eye-opening statistics: “We compared encrypted password hashes and discovered that 11 passwords were shared by over 10,000 players each,” the alert states. “A double-digit percentage of individuals had the same password as at least one other person.” Wow. How common is your password?
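Here is an added example (not code from the original post or from any of the sites mentioned) that shows the two ideas in the hashing paragraph above and explains how a site can tell that thousands of accounts share a password. Without salt, every account with the same password ends up with the same hash, so counting identical hashes in the stolen list reveals the shared ones. With a per-user random salt, identical passwords produce different hashes. The account list and passwords are constructed for the demonstration; the salted version uses PBKDF2 from Python’s standard library, which is an assumption about the method, not the method used by any site named here.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample accounts: three of the five users chose the same password.
ACCOUNTS: Dict[str, str] = {
    "alice": "password1",
    "bob": "password1",
    "carol": "letmein",
    "dave": "password1",
    "erin": "S3cure!pass",
}

# Work factor for the salted scheme (assumed value; higher is slower to crack).
ITERATIONS = 100_000


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 of the password: same password, same hash, every time."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def shared_password_groups(hashes: Dict[str, str]) -> Dict[str, int]:
    """Map each hash value that more than one account shares to the number of accounts.

    This is the kind of comparison a site can run over its own password table,
    and the kind an attacker can run over a leaked unsalted one.
    """
    counts = Counter(hashes.values())
    return {h: n for h, n in counts.items() if n > 1}


def unsalted_table() -> Dict[str, str]:
    return {user: hash_unsalted(pw) for user, pw in ACCOUNTS.items()}


def salted_table() -> Dict[str, Tuple[bytes, bytes]]:
    return {user: hash_salted(pw) for user, pw in ACCOUNTS.items()}


def salted_hex_table() -> Dict[str, str]:
    """Just the digests (hex) from the salted table, for the same group comparison."""
    return {user: digest.hex() for user, (_, digest) in salted_table().items()}


if __name__ == "__main__":
    print("unsalted shared groups:", shared_password_groups(unsalted_table()))
    print("salted shared groups:  ", shared_password_groups(salted_hex_table()))
    salt, digest = salted_table()["alice"]
    print("alice verifies with right password:", verify_salted("password1", salt, digest))
    print("alice verifies with wrong password:", verify_salted("password2", salt, digest))
```

Run as-is, the unsalted table exposes one group of three accounts (the shared "password1"), while the salted table shows no shared groups at all even though the same three users still have the same password. Salting does not stop someone from guessing one account’s password; it only stops one guess from cracking every account that chose it.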
It’s also concerning that the League of Legends breach compromised other personal information, including security questions and answers. Could your online banking security questions be compromised by the breach of some other website?
In case you’re wondering, we don’t store your ECCU online password in a database anywhere. While the explanation of how this works is too complex for a blog entry, suffice it to say that your password decrypts a complex key on your PC that is transmitted to us. Your password never gets sent to us so we don’t know it, don’t store it, and never have access to it. That’s why you have to jump through some extra security hoops if you log in from a different computer. So keep your password secure and you can be confident that we will too.
Keep checking back in for more tips on how to choose and manage a secure password. In the meantime, have you experienced the headache of a hacked account? What advice would you offer other ministries?