The hacking of websites...

[Acacia Sgt]

I don't know how many have heard already, but it seems that several Pokémon sites were hacked just recently, all done by the same person/group.

Quite personally, I'm worried just how seemingly easy is for someone to break in and steal data. I always make sure to have different passwords for everything and change them at the slightest sign that they could be in danger, but sometimes even with all those precautions I don't feel quite safe...

[idioticidioms]

as well you shouldn't. Your password is only as secure as the website that protects it, same as any other information. It's nothing new, you're just hearing about it more often.

[tushantin]

Which brings to mind.... why don't most websites, especially forums (like ours), invest in SSL encryption? Wouldn't it be a safer alternative to go https than the traditional http?

[utunnels]

Some special case, for example, if you are a guy that always uses the same password for everything, you should be warned.

http://english.caixin.com/2011-12-29/100344138.html

[idioticidioms]

I'm not sure exactly how it all works; I'm having trouble finding the website on computer security that I read a while back. From what I understand, most internet companies; most companies that have a computer system that can be hacked; aren't as secure as they'd like to be or as they think they are.

banks, as an example, have less computer security than Facebook, because they use an inferior security system.

Ah, here we go (thinking of banks and facebook helped me find it ): http://www.dailyfinance.com/on/bank-security-two-factor-authentication/


here's another article, too: http://www.computerweekly.com/news/2240045294/Poor-security-leaves-Web-sites-open-to-hack-attacks

[alfadorredux]

SSL doesn't stop site hacking. SSL does two things (in theory, anyway—the second one can be iffy): 1. it prevents anyone from eavesdropping on the messages being sent back and forth between your computer and the server and 2. it proves that the server is in fact who they say they are. It doesn't prevent damage from being done to the site itself.

There are really two types of site breaches/hacks. The first involves the web server itself being compromised and vandalised (either overtly, as Anonymous likes to do, or subtly, by planting a redirect or a trojan download). This kind of attack need not lead to passwords being compromised (unless part of the vandalism includes hijacking of the site's login form, which it could).

The second type of attack goes straight through to the database behind the site, often through what's known as an SQL injection attack. This is how passwords usually get stolen—by lifting them en masse out of the site's backend.

It is normal practice for any website to store, not actual passwords, but the output from running what is called a hash function (think of it as a type of one-way encryption, or if that's too technical for you, as a word-fingerprint) on each password. However, a modern gaming PC can run the simpler hash functions billions of times per second, and many sites do use weak hash functions (often MD5, which was never meant to be robust). That means that it's practical to just throw a really long list of common words and popular passwords discovered in other password breaches at the list of hashed passwords from the website—unless every single user was very, very careful, sooner or later, something is going to match. Any password of six characters or less can be guessed pretty quickly by simple brute-force methods.

Banks can be particularly vulnerable if whoever's running their website is required to use the same authentication scheme as was built into their 1960s-era COBOL backend.

Further reading for the terminally bored: http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

[Prince Janus]

I'm sure there's a few people still around who remember what happened to me in 2008. Truth be told, this is the only remaining site where I even use this name, and I don't post often.