
Your enemies - are you one of them?

Updated: Jan 20, 2021

Your enemies fall into these categories: the hacker community, web site developers and you.


Hackers, generally, are very clever people, and you should assume that they will always be one step ahead in the game. Hackers spend 90% of their time working at their craft, whereas web site developers spend 90% of their time giving you a nice experience on their web sites. I would have to say here that the big boys in the eCommerce sector (supermarkets, banks, social media and so on) also have very talented people working to protect us, and most do an excellent job. But they can't protect you from you! (more on that later)


Here are the main ways that web site developers manage passwords; that is, how they store them in their databases, from worst to best:


Passwords are stored in plain text - this is so bad it should be illegal, but some older systems still do it. Anyone who can read the database, whether a hacker who has broken in or an insider, can read every customer's password.


Passwords are stored as encrypted data - this is also very bad. Encryption is reversible by design: whoever holds the key (an insider, or a hacker who steals the key along with the database) can decrypt every password. Quite a number of web sites still store passwords this way.


Passwords are stored as a hash (see the blog post on 'Hashing'). A hash cannot be reversed directly, but when the hash is taken over the password alone, two users with the same password get the same hash, and an attacker can use a 'Rainbow Table' (a list of hashes for millions of common passwords, computed in advance) to look up the stored value and read off the password. Ordinary fast hashes such as MD5 and SHA-256 can also simply be guessed at billions of tries per second on modern graphics cards. This is still very bad practice.


Passwords are stored as a hash, but before performing the hash a 'Salt' is added to the password. The salt is a random value (usually quite big, 16 bytes or more) that is different for every user and stored alongside the hash. Because the salt changes the input to the hash, rainbow tables built in advance are useless, and two users with the same password no longer share a hash. Nobody, not even the web site's own developers, can read a password stored this way. The one remaining weakness is that if the hash function is fast, a hacker who steals the database can still try guesses against each user individually, and weak passwords will fall quickly.


Passwords are stored using a slow salted hashing algorithm (bcrypt, scrypt, Argon2 and PBKDF2 are the well-known ones). These are deliberately expensive to compute, which makes them an effective deterrent against 'Brute Force' attacks, where hackers try every possible password until they get a result: every guess now costs the attacker the same deliberate delay, and when done properly, with a long random password, the total destruction of the universe would happen first. The caveat is that slowness only multiplies the cost of each guess; a password that appears on every wordlist, such as 'password123', is still found within a handful of tries.
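The three hashing schemes above, side by side, as an added example that is not part of the original post. It uses only the Python standard library: SHA-256 stands in for the fast hash, PBKDF2-HMAC-SHA256 for the slow one (bcrypt, scrypt or Argon2 would be the other choices, and the 600,000 iteration count is the OWASP figure for PBKDF2-HMAC-SHA256), and the wordlist is a constructed six-entry stand-in for the millions of entries a real rainbow table or cracking dictionary would hold. The rainbow table here is a plain dictionary of hash to password; real tables compress that mapping, but the lookup is the same idea.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed sample wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "football", "shopping1"]


# ---- Scheme 1: plain (unsalted) fast hash -----------------------------------
def fast_hash(password: str) -> str:
    """SHA-256 of the password alone. Same password -> same hash, for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


# Computed once, reused against every stolen database: the idea behind a
# rainbow table (a toy dict here; real tables compress the same mapping).
PRECOMPUTED = {fast_hash(word): word for word in WORDLIST}


def lookup_in_table(stored_hash: str) -> Optional[str]:
    """Recover the password from an unsalted hash with a single lookup."""
    return PRECOMPUTED.get(stored_hash)


# ---- Scheme 2: salted fast hash ---------------------------------------------
def salted_fast_hash(password: str, salt: Optional[bytes] = None) -> tuple:
    """SHA-256 over a random per-user salt plus the password. Returns (salt_hex, hash)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def guess_salted(salt_hex: str, stored_hash: str, wordlist=WORDLIST) -> Optional[str]:
    """The precomputed table is useless, so the attacker recomputes every guess with
    this user's salt (the salt is in the stolen database). Still cheap per guess."""
    salt = bytes.fromhex(salt_hex)
    for word in wordlist:
        if hashlib.sha256(salt + word.encode()).hexdigest() == stored_hash:
            return word
    return None


# ---- Scheme 3: slow salted hash (PBKDF2-HMAC-SHA256) ------------------------
ITERATIONS = 600_000  # OWASP recommendation for PBKDF2-HMAC-SHA256


def slow_hash(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Store algorithm, iteration count, salt and key together so the cost can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_slow(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    _algo, iterations, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key.hex(), key_hex)


def guess_slow(stored: str, wordlist=WORDLIST) -> Optional[str]:
    """Same dictionary attack as guess_salted, but each guess now pays the full PBKDF2 cost."""
    for word in wordlist:
        if verify_slow(word, stored):
            return word
    return None


def seconds_per_guess(hash_fn, guesses: int) -> float:
    """Rough cost of one guess on this machine, to compare the schemes."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"guess{i}")
    return (time.perf_counter() - start) / guesses


if __name__ == "__main__":
    # Two customers chose the same weak password.
    print("unsalted, same hash? ", fast_hash("letmein") == fast_hash("letmein"))
    print("salted, same hash?   ", salted_fast_hash("letmein")[1] == salted_fast_hash("letmein")[1])

    # Rainbow-table lookup: instant against scheme 1, useless against scheme 2.
    print("table vs unsalted    ", lookup_in_table(fast_hash("letmein")))
    salt_hex, h = salted_fast_hash("letmein")
    print("table vs salted      ", lookup_in_table(h))
    print("guessing salted      ", guess_salted(salt_hex, h))

    # Scheme 3: the weak password still falls, but every guess costs far more.
    stored = slow_hash("letmein")
    print("guessing slow        ", guess_slow(stored))
    fast_cost = seconds_per_guess(fast_hash, 100_000)
    slow_cost = seconds_per_guess(slow_hash, 3)
    print(f"one guess: {fast_cost:.2e}s unsalted vs {slow_cost:.2e}s PBKDF2, "
          f"about {slow_cost / fast_cost:,.0f}x more")
```

Run it as a script and the last line shows the point of the slow hash in numbers for your own machine: the same six-word dictionary finds 'letmein' under every scheme, but with PBKDF2 each attempt costs hundreds of thousands of SHA-256 computations instead of one, which is exactly the factor a brute-force attacker has to multiply into the time to exhaust a strong password.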


Best practice password management on eCommerce web sites has led to the nefarious practice of 'Phishing': since the stored passwords can no longer be recovered, hackers go after you instead. They build a web site that looks like a real web page but is in fact a spoof, where you are asked to log in to your favourite shopping site, and of course, if you do that, you have just given the hacker everything he needs to impersonate you. These sites can be quite convincing. Below are two real company logos from their respective web sites:





It's scary how easy it is to spoof a corporate web site and send an email, full of authoritative language, containing a link that compels you to go there. The one check that always works is to look at the address shown in the browser before you type a password: the logo can be copied, the real site's address cannot.


So now you should be able to understand why having one password for many web sites can lead you into trouble. However good a job Ocado does of protecting you, if your Ocado email and password are the same as the ones you used on a poorly put together or old web site where hackers can feast, the hackers can 'be you' on Ocado. The trade is known as 'credential stuffing': take the email and password pairs leaked from one site and try them, automatically, on every other site. A password manager, which generates and remembers a different password for every site, is the simplest defence.






