
EssayTagger is a web-based tool to help teachers grade essays faster.
But it is not an auto-grader.

This blog will cover EssayTagger's latest feature updates as well as musings on
education, policy, innovation, and preserving teachers' sanity.

Friday, June 8, 2012

Every site is getting hacked! Will I (and my students) be safe?

In the last few days about 8 million user accounts from LinkedIn, eHarmony, and Last.fm were compromised by hackers. The users' passwords were posted in their protected, encoded form but many of them had already been cracked.

The reality is that hackers can probably work their way into any system if they put in enough of a concerted effort. That's scary.

But access is just the first step. They can steal all the passwords they want, but if the passwords are properly encrypted, your information might still be safe.

Unfortunately all of the hacked sites this week were horribly irresponsible in how they handled users' passwords.


If you want to get into all the gory details, you can read my in-depth post on the hack and on password security in general on my µ-Dev Blog (a separate blog I've created for items of interest to high-tech entrepreneurs).

But the short version is this: EssayTagger's password encryption follows all three best practices mentioned in the post above: hashing, salting, and iterating. LinkedIn and the others only used the first method, which left their users' passwords essentially unprotected.
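For readers who want to see the difference, here is an added illustration in Python (not EssayTagger's actual code) of hashing alone versus hashing, salting, and iterating together. PBKDF2-HMAC-SHA256, the iteration count, the storage format, and the sample password are assumptions chosen for this example; SHA-1 stands in for the hash-only approach.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware
SALT_BYTES = 16

def hash_only(password: str) -> str:
    """Hashing alone: one fast, unsalted SHA-1 pass (the weak scheme)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def hash_salted_iterated(password: str, salt: Optional[bytes] = None,
                         iterations: int = ITERATIONS) -> str:
    """Hash + per-user random salt + many iterations (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Keep the parameters next to the hash so the work factor can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed record: reject rather than crash

if __name__ == "__main__":
    # Constructed sample: two users who happened to pick the same password.
    alice_pw, bob_pw = "Sunshine2012", "Sunshine2012"
    # Hash only: both records are identical, so cracking one cracks every copy,
    # and a precomputed table of common passwords matches them instantly.
    print("hash only, records identical:", hash_only(alice_pw) == hash_only(bob_pw))
    # Salted + iterated: records differ, and every guess costs ITERATIONS hashes.
    a, b = hash_salted_iterated(alice_pw), hash_salted_iterated(bob_pw)
    print("salted + iterated, records identical:", a == b)
    print("correct password verifies:", verify(alice_pw, a))
    print("wrong password verifies:", verify("sunshine2012", a))
```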

I've even built in an extra layer of protection for student information. A hacker would have to work thousands of times harder just to decrypt a student's name or email address.

No site's data can ever be considered completely secure. But we have taken the basic, no-brainer safety measures that LinkedIn and eHarmony incomprehensibly ignored or (is it possible?) were completely ignorant of.


What can I do?
The best thing you can do to protect yourself is to always use strong passwords and different passwords for each site. I know this is a pain and difficult to do (software tools like 1Password can help a lot in this regard - I have not been paid to make this endorsement; I just think it's a good product). And there are plenty of tips for what makes for a good password out on the web.

Also make sure you convey this to your students. Any site they create an account on - especially Facebook and their email accounts - better have strong passwords.