
Security and the Internet

In most cases, the Internet is a safe place. However, there are places where we need to be more careful than others. We do everything from banking and online purchases on the web to more mundane things like gaming and Tweeting. All of these activities require a password. However, how we need to handle these passwords varies.

This tip is intended to make your life easier, yet more secure, on the web. In Part I, we discuss the concept of levels of security. Part II explains how passwords are stored by service providers. Part III introduces the concept of passwords and the trade-offs you can make in deciding on a password. Part IV is the conclusion.

Part I: Levels of Security
Think about how you treat your valuables. Do you treat all of your valuables the same? No. For example, if you have a cheap watch, you might leave it in your locker at the gym without a lock. Suppose that you have a nice, expensive watch; you might put it in the locker with a lock. Suppose you have a gold Rolex; you might leave it at home. Finally, suppose you have a diamond-encrusted, solid-platinum Rolex. You might leave that at the bank.

So, you need to think about yourself, your identity, your valuable information, your reputation, and your bank account differently.

Of course, the safest thing to do is not to get on the Internet. However, that is unreasonable. So, instead, have a plan for how you will use the different resources and how you will protect them.

I suggest the use of rings, or groupings, of trust. See Figure 1 for a possible relationship among the resources you might use on the Internet.

Figure 1: Levels of Security

Clearly, our bank is important to us. If a hacker broke into the bank, we would lose money. The same is true of our broker, where our retirement fund might be held. These need high security.

Our mail and blog are also important to us. They represent our face to the world. If our blog password is stolen, our content may no longer represent us. If the mail is stolen, false information could be sent out, and intimate thoughts might be exposed. However, compared to our retirement and bank accounts, these are less important but are used more frequently. So, we want a password that is easy to type and remember.

We all have accounts that we may never use again, or not for several weeks. These passwords are important. However, if they are not protecting my credit card information, I'm not so worried if they get broken into.

Part II: Password Verification
If you ever reuse a password, you need to be aware of how your password is stored on a server. In most cases, password verification is the only mechanism a server uses to determine whether you are who you say you are and whether you are permitted to perform some action.

There are other methods of verification. For example, you have seen retina (eye) scans used to check whether you are a person allowed into a particular room. There are fingerprint readers that determine whether you can log in to your laptop.

Since passwords are most commonly used, you need to be aware of the two ways that your password might be stored:

  1. plain text: the password is stored exactly as you typed it in
  2. hashed text: the password is converted into a form that cannot be read back
Plain text passwords are a bad idea. However, they are the most common. If you can request that your password be sent to you, it is stored in plain text. Now, what if someone gets hold of the database of plain text passwords? If you use that password on another machine, the robbers now have your password for those other machines as well. Figure 2 shows the storage of the plain text password ("password") in the database for later validation. A user who enters "password" will be verified. A user who enters a wrong password, like "drowssap", will not be logged on.

Figure 2: Plain text passwords

A hashed text password is a password that undergoes a mathematical conversion. The conversion is one-way: it cannot be run backwards to recover the password. So, even if someone gets into the database, it is impossible to know what your real password is.

In Figure 3, the password is entered as "password", but the processor (the "light bulb") uses a mathematical algorithm to convert it to "3vxeXW". This unusual value is all that is stored in the database.

Figure 3: Using Hashed Passwords

So, how is your password verified when you log in? The password that you enter goes through the same mathematical conversion that your real password did. If the conversion of your typed password matches the stored converted (or hashed) password, you are allowed to log on. If the two converted values do not match, you are denied.

In Figure 3, notice that the stored value in the database is not "password" but the mathematically converted value. So, the only way to verify the password the user enters is to convert it the same way and compare the result with the stored value. Of course, "password" again becomes "3vxeXW". If the user enters a wrong value, the mathematical function will not return "3vxeXW" but some other value, and the values will not match.

You don't have a choice as to whether the system stores a hashed version or a plain text version of your password. However, you can know for sure that a site uses plain text passwords if it returns your password when you ask for a reminder. You can be more comfortable if the site offers to reset your password rather than send it. While a password reset does not guarantee that your password is hashed, it is a good indicator that a hashed password is used.
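The two storage schemes of Figures 2 and 3 and the verification step described above, as an added example that is not part of the original tip. The in-memory dictionaries standing in for the database and the choice of hash function (PBKDF2-HMAC-SHA256 with a per-user random salt, from Python's standard library) are assumptions; the article's "3vxeXW" is only an illustration, not the output of a real hash. The example goes one step beyond the text: because of the salt, two users with the same password get different stored values, so a stolen hash from one site says nothing about the same password elsewhere.

```python
import hashlib
import hmac
import os

# --- Figure 2: plain text storage ---------------------------------------

def register_plaintext(db, user, password):
    # The password is stored exactly as typed.
    db[user] = password

def verify_plaintext(db, user, password):
    return db.get(user) == password

# --- Figure 3: hashed storage -------------------------------------------

def hash_password(password, salt, iterations=200_000):
    # The "mathematical conversion": a one-way function. PBKDF2-HMAC-SHA256
    # with a per-user random salt is an assumption; the tip names no algorithm.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def register_hashed(db, user, password):
    salt = os.urandom(16)
    db[user] = (salt, hash_password(password, salt))  # the password itself is never kept

def verify_hashed(db, user, password):
    # Run the typed password through the same conversion and compare results.
    record = db.get(user)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(stored, hash_password(password, salt))

# --- The indicator from the text ----------------------------------------

def store_can_return_password(db, user):
    # If the store can hand the password back (as a "reminder" email would),
    # it must be holding plain text; a hashed store only has bytes it cannot reverse.
    return isinstance(db.get(user), str)

if __name__ == "__main__":
    plain, hashed = {}, {}                      # constructed stand-ins for the database
    register_plaintext(plain, "alice", "password")
    register_hashed(hashed, "alice", "password")
    print("plain, correct:", verify_plaintext(plain, "alice", "password"))
    print("plain, wrong:  ", verify_plaintext(plain, "alice", "drowssap"))
    print("hashed, correct:", verify_hashed(hashed, "alice", "password"))
    print("hashed, wrong:  ", verify_hashed(hashed, "alice", "drowssap"))
    print("reminder possible?", store_can_return_password(plain, "alice"),
          store_can_return_password(hashed, "alice"))
```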

Part III: Passwords
I have suggested three levels for my passwords: ones that must remain private, ones that should remain private, and ones that are not critical.

This leads us to think about how to make and maintain the password. Look at Figure 4.

Figure 4: Password Trade-Offs

When you think of passwords, consider these three factors:
  1. How complex is your password? Do you use upper and lower case? Do you include numbers in your password? Do you include symbols?
  2. How often do you change your password? Monthly, quarterly, yearly?
  3. Do you use different passwords? Is every account different? Are some accounts different? Is every account the same?
Many would argue that every account should have a different password. While this is admirable, I would guess that I have over 200 accounts. For me to remember that many passwords, I would have to write them down or store them somewhere. Writing them down is clearly bad. Many people have a password locker, which allows them to store all of their passwords on the computer (or PDA) behind one secure password. This is not a bad solution. However, it can be very inconvenient.

I argue that it is sufficient to have a set of passwords based on the level of security required. So, yes, I might have a different bank password and a different brokerage password. However, my blog and email passwords might be the same. When it comes to little sites, I might have only a handful of passwords that I use. In total, I might have as few as ten passwords for my 200 accounts at any given time.

Part IV: Conclusion
If you read this whole article, you know why you should make your passwords in a particular way. However, even if you did not read the article, I would like to make the following summary observations and suggestions.

  1. If you want to be the most secure, every website should have a different password. However, this can be very confusing. Use a password locker on your PC or PDA to keep all of the passwords.
  2. If you do share passwords between sites, make sure that you share them only between sites with a similar level of consequence from a security breach. Don't use the same password for your bank account as for your knitting club. Always decide the cost of a security breach at each site. The higher the cost of a breach, the better the password should be, the more frequently the password should be changed, and the fewer sites that should share the password.
  3. Some sites use plain text passwords, which means that anyone who has access to the website internals has your password. If you use the same password at the knitting site and your bank, those who have access to the internals of the knitting site can use your password at the bank. While the people at the knitting club may not try to get into your bank account, you should not assume that someone who breaks into the knitting site will not try to break into your account.
  4. It is always good to change your password regularly. However, this can be confusing. Change the high security passwords more often than those for sites which do not require as much security.
About the author:
Jack Briner has a Ph.D. in Computer Science from Duke University. He has taught courses in networking, network security, PC repair, A+ certification, web design and others. He is the founder of Flowertown Technology, LLC and its PC repair division, FixYaPC.com.
