On an almost daily basis, we hear about this hack or that data-breach, but what does this all really mean and, more importantly, how does this affect YOU?
This is NOT meant to be a technical article, but you might need to read it a few times for it all to sink in.
A hack [slang term nowadays] is really a security attack on a web-site, e.g. a big social media site. This isn’t going to affect YOU directly as you are not the Social Media site, but the goal of the hack is to get hold of the site’s data [the data-breach] or disrupt the site. The latter is only an inconvenience [sic.] to the site and possibly an irritation to you if you engage with them.
A data-breach, on the other hand, is more significant. Although a web-site may well have their data hashed [or encrypted], this doesn’t mean that your personal data can’t be compromised, and here’s why:
- This is probably best explained by way of an example and the most common form of a login | password is the user’s e-Mail address and then a so-called cryptic password which no-one can ever remember and most people change to Rover123 or something like that !
- We’ll use the example of a fictitious web-site called socialmedia.com and they have a list of subscribers all held in a web-database [probably using something called MySQL, but that’s #technical and the hacker doesn’t care].
- The hacker gets hold of said database and that’s what you’ll hear on the news.
- socialmedia.com issue a statement saying that all is well, because their systems are secure and blah blah blah…!
- But for additional security, you should change your password.
All sounds rather familiar doesn’t it ?
So Johnny Hacker [sorry Mr Hacker, first name John] has this database, but some of it is all gobbledygook or more importantly the passwords are. That’s not really going to be a shocker and you’ll probably breathe a sigh of relief. Alas NO.
- What Johnny Hacker wants is your e-Mail address and the hashed or encrypted password.
- If the e-Mail address is encrypted then no cigar and you are quite safe.
- How do you know if socialmedia.com encrypt your e-Mail address ? You don’t and most don’t. Hashing is a one-way system and too complex to explain here, but if they haven’t encrypted your e-Mail, which they almost certainly haven’t done, then Johnny Hacker knows your e-Mail and some rubbish string which is a password.
Well so what ?
Just to recap: Johnny Hacker has your e-Mail address and some #hashed string, e.g.
You might think that was the end of the story, because the above string is quite unintelligible, but that is not necessarily so. The above nonsense is actually the password letmein [‘Let Me In’] and if Johnny Hacker runs this string of ‘rubbish’ through his own database, then he’ll find your password. You’re pretty unlikely to use a password of ‘letmein’ or ‘hello123’ etc, and most sites insist on one Upper Case character and some numbers and symbols, so you should be OK: ‘LetmeIn765!’, which is case-sensitive, will or should be very safe.
So has it sunk in yet ?
If you have a very easy to remember password, then Johnny Hacker is likely to crack it. His database will have millions+ of permutations to test your gobbledygook string against, and if he gets a hit or a match then he [or she] now knows your e-Mail and password combination.
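The lookup described above, as an added example that is not part of the original article. It assumes the site stored unsalted SHA-256 hashes (the article names no algorithm); the word list, e-Mail addresses and function names are all constructed for illustration. It goes one step beyond the article by running the same lookup against a per-user salted PBKDF2 hash, where the ready-made table finds nothing.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny stand-in for the "database" of known passwords.
COMMON_PASSWORDS = ["123456", "password", "letmein", "hello123", "Rover123"]


def unsalted_hash(password: str) -> str:
    """Plain, unsalted SHA-256 (an assumption; the article names no algorithm)."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt plus a deliberately slow function (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


# Precomputed table, hash -> password: built once, reusable on any breach.
LOOKUP = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def exposed_accounts(records):
    """Return {email: password} for every stored hash found in the table."""
    return {email: LOOKUP[h] for email, h in records if h in LOOKUP}


def verify(password: str, salt: bytes, stored: str) -> bool:
    """How the site itself still checks a login against a salted hash."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


# Constructed "breached" records; example.com addresses are placeholders.
UNSALTED_DB = [
    ("alice@example.com", unsalted_hash("letmein")),      # easy password
    ("bob@example.com", unsalted_hash("LetmeIn765!")),    # not in the table
]
SALT = os.urandom(16)
SALTED_DB = [("alice@example.com", salted_hash("letmein", SALT))]

if __name__ == "__main__":
    print("unsalted:", exposed_accounts(UNSALTED_DB))  # only alice is exposed
    print("salted:  ", exposed_accounts(SALTED_DB))    # the table finds nothing
```

A salt only defeats the ready-made table; an easy password can still be guessed one attempt at a time, which is why the cryptic password still matters.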
So why is this a potential problem ?
Most people use the same password for a lot of sites they visit and with the use of ‘bots’ Johnny Hacker can easily try your e-Mail | password combo on 100s of possible sites you might be registered with.
And, in a nutshell, that is what a hacker is really trying to achieve. He, or she, couldn’t really care less about socialmedia.com, but just your e-Mail and password combo. Armed with that, they could do YOU a lot of damage.
- Use cryptic passwords for sites which use or store your e-Mail address [almost all].
- Use a secure password site which encrypts your e-Mail address to save a password list. This might need a bit of explaining, but this is, in effect, a table of sites and passwords which is stored on the cloud, but your e-Mail and password to this site are BOTH encrypted, so even if this site is hacked it is useless to the hacker. That can be a difficult nettle to grasp !