Experienced Points

Experienced Points
How Do You Know If A Web Site Is Secure?

Shamus Young | 24 Feb 2015 19:00
Experienced Points - RSS 2.0

NOTE: This column was written before the Lenovo horror story broke. So no, this isn't directly related. It's just a case of really fortunate timing. Also, I'm a programmer, not a security expert. My paranoia is the source of my knowledge in this column, not my profession.

More than any other hobby, gamers have to maintain a lot of accounts. We're constantly creating new accounts, logging in to stuff, and authenticating things. Tabletop roleplayers might have a few forum accounts, but you don't need to log into the Wizards of the Coast website before you can sit down with your friends and run a game of D&D. Maybe you need a login to watch anime on Netflix, but it's not like you need a different login for every anime, or every anime studio. Same goes for all those hobbies where people go outside and do ... whatever it is sports people do outside. You just don't need that many logins to run around and get all sweaty.

But if playing games is your pastime of choice, then you likely have a heap of various logins. Steam, Rockstar Social Club, UPlay, GFWL, Origin, Xbox Live, Playstation Network, at least one gaming site, a couple of forums, the Nexus Mod database, Good Old Games, Gamestop, that one site where you play all those dress-up and hidden object games, the four or five accounts you use for review-bombing things on Metacritic, and a handful of MMO's. (All of this is on top of the email, Twitter, and Facebook logins that most people have.)

Steam was hacked in 2011. So was the PlayStation Network. Also that same year, Ubisoft had an intrusion of unknown severity. (2011 was apparently a terrible year for security.) Battle.net was hit in 2012. In 2013 Club Nintendo was hacked.

If these major corporations with their billions of dollars can't keep hackers out, then what are the odds that some smaller enthusiast site can? Can we really trust all these sites with our sensitive information?

Remember that a data breach is not always about stealing credit cards. You can still be hurt by a hack, even if you've never given the company in question your payment information. When they steal a user database, they gain tons of personal info. Account name. Email. Address. Phone. Secret question. (More on that below.) If the company is grossly incompetent, the hackers might even gain your password. They can use this information to gain access to other accounts at other companies that do have your credit card info. It might even be enough to commit identity theft. If someone called up support at my favorite MMO (or worse, my bank) and said they were Shamus Young, and if they also knew my home address, email, birthday, and account name, they might be able to swindle access to my account, even without the password.


This is not a plea for all of us to delete our accounts and move off the grid in a fit of paranoia. Having accounts and protecting your info is just a normal part of modern life now. But that doesn't mean that all sites are equally safe. Some sites are softer targets than others, and most it depends on how up to date their security knowledge is.

There's no single test that can tell you if a site is secure or not. (Unless of course you're a hacker, in which case you could just try to hack the site and see if you succeed. Protip: Not recommended.) But even if you're not the technical type, there are a few things you can look for in a site before you decide how much you want to trust them. So here's a quick list of red flags to look for in a site. Remember, none of this means a site is insecure, but it is a sign that it might not be well designed.

You should be a little uneasy if a site has...

1. Tyrannical password requirements.

You know those sites that require your password to have an uppercase letter, a lowercase letter, a number, and a symbol, and be less than N characters long? That's not just annoying, that's a sign that people who designed the system have outdated ideas about security.

In the old (pre-internet) days, the big security threat was that someone would guess a user's password and gain access to their account. At the time, it was rare for anyone to have more than one login. So having good gibberish passwords was reasonable.

But now? Hackers are not "guessing" your password. They're attacking the server as a whole. The threat isn't to your account alone, but to the entire system. Moreover, some of us maintain at least a dozen accounts. It's impossible (or extremely difficult and inconvenient) for the average person to remember more than one password that looks like "jgWjt1s&pXn", much less dozens of them. So the vast majority of people will re-use passwords, and that makes everything less secure. You can whine all day that they shouldn't, but that's how it's going to be.

A tyrannical password policy makes it harder for us to make passwords that are useful. Worse, it's a massive red flag that the people who designed the system have very old, outdated ideas about security and aren't hip to the whole social engineering dimension to the problem.

Yes, "jgWjt1s&pXn" is a good password, inasmuch as it's hard to crack. But "Dancing hodunk dolphin flangers!" is an even better one, and it is far easier to remember. If I was attacking a site, I'd rather know that all the passwords will be short gibberish than worry that some portion of them have longer ones like my example. (If you do the latter, make sure to throw a non-dictionary word like "hodunk" in there. It's important.)

Comments on