Experienced Points

How Do You Know If A Web Site Is Secure?

NOTE: This column was written before the Lenovo horror story broke. So no, this isn’t directly related. It’s just a case of really fortunate timing. Also, I’m a programmer, not a security expert. My paranoia is the source of my knowledge in this column, not my profession.

More than any other hobby, gamers have to maintain a lot of accounts. We’re constantly creating new accounts, logging in to stuff, and authenticating things. Tabletop roleplayers might have a few forum accounts, but you don’t need to log into the Wizards of the Coast website before you can sit down with your friends and run a game of D&D. Maybe you need a login to watch anime on Netflix, but it’s not like you need a different login for every anime, or every anime studio. Same goes for all those hobbies where people go outside and do … whatever it is sports people do outside. You just don’t need that many logins to run around and get all sweaty.

But if playing games is your pastime of choice, then you likely have a heap of various logins. Steam, Rockstar Social Club, UPlay, GFWL, Origin, Xbox Live, PlayStation Network, at least one gaming site, a couple of forums, the Nexus Mod database, Good Old Games, Gamestop, that one site where you play all those dress-up and hidden object games, the four or five accounts you use for review-bombing things on Metacritic, and a handful of MMOs. (All of this is on top of the email, Twitter, and Facebook logins that most people have.)

Steam was hacked in 2011. So was the PlayStation Network. Also that same year, Ubisoft had an intrusion of unknown severity. (2011 was apparently a terrible year for security.) Battle.net was hit in 2012. In 2013 Club Nintendo was hacked.

If these major corporations with their billions of dollars can’t keep hackers out, then what are the odds that some smaller enthusiast site can? Can we really trust all these sites with our sensitive information?

Remember that a data breach is not always about stealing credit cards. You can still be hurt by a hack, even if you’ve never given the company in question your payment information. When they steal a user database, they gain tons of personal info. Account name. Email. Address. Phone. Secret question. (More on that below.) If the company is grossly incompetent, the hackers might even gain your password. They can use this information to gain access to other accounts at other companies that do have your credit card info. It might even be enough to commit identity theft. If someone called up support at my favorite MMO (or worse, my bank) and said they were Shamus Young, and if they also knew my home address, email, birthday, and account name, they might be able to swindle access to my account, even without the password.

This is not a plea for all of us to delete our accounts and move off the grid in a fit of paranoia. Having accounts and protecting your info is just a normal part of modern life now. But that doesn’t mean that all sites are equally safe. Some sites are softer targets than others, and mostly it depends on how up to date their security knowledge is.

There’s no single test that can tell you if a site is secure or not. (Unless of course you’re a hacker, in which case you could just try to hack the site and see if you succeed. Protip: Not recommended.) But even if you’re not the technical type, there are a few things you can look for in a site before you decide how much you want to trust them. So here’s a quick list of red flags to look for in a site. Remember, none of this means a site is insecure, but it is a sign that it might not be well designed.

You should be a little uneasy if a site has…

1. Tyrannical password requirements.

You know those sites that require your password to have an uppercase letter, a lowercase letter, a number, and a symbol, and be less than N characters long? That’s not just annoying, that’s a sign that people who designed the system have outdated ideas about security.

In the old (pre-internet) days, the big security threat was that someone would guess a user’s password and gain access to their account. At the time, it was rare for anyone to have more than one login. So having good gibberish passwords was reasonable.

But now? Hackers are not “guessing” your password. They’re attacking the server as a whole. The threat isn’t to your account alone, but to the entire system. Moreover, some of us maintain at least a dozen accounts. It’s impossible (or extremely difficult and inconvenient) for the average person to remember more than one password that looks like “jgWjt1s&pXn”, much less dozens of them. So the vast majority of people will re-use passwords, and that makes everything less secure. You can whine all day that they shouldn’t, but that’s how it’s going to be.

A tyrannical password policy makes it harder for us to make passwords that are useful. Worse, it’s a massive red flag that the people who designed the system have very old, outdated ideas about security and aren’t hip to the whole social engineering dimension to the problem.

Yes, “jgWjt1s&pXn” is a good password, inasmuch as it’s hard to crack. But “Dancing hodunk dolphin flangers!” is an even better one, and it is far easier to remember. If I was attacking a site, I’d rather know that all the passwords will be short gibberish than worry that some portion of them have longer ones like my example. (If you do the latter, make sure to throw a non-dictionary word like “hodunk” in there. It’s important.)

2. Putting personal info in the URL.

Once you’re logged into a site, look up at the address bar of your browser and see if there’s any personal info in the URL. If your web browser shows the current site is www.gamingsite.com/[email protected]/accountinfo/ then it’s a pretty big cause for concern. The site should not be putting your username or email in the address. It’s only a minor security risk to you. (Someone can look through your browsing history and see that info, which gives them a starting point for attacking your account specifically.) But the real problem is that it’s just not needed. There are better ways of doing this and anyone designing a site in this decade should know better.

3. Limits on password length.

Here is how passwords are supposed to work: I type in my password when I create my account. That password is run through a hash function that spits out a string of gibberish of fixed size. (It’s always the same length, regardless of how long or short your password is.) It’s basically using my password as a random number seed to make the gibberish. Then the gibberish is stored in the database. The next time I log in, the password I type in is run through the same hash. If it produces the same string of gibberish, then I must have typed in the same password.

The beauty of this system is that the site never stores my password. If the database is compromised, the hackers can’t see my password, they can only see the gibberish. This also means that there’s no need to limit password length. If my password is the first chapter of Harry Potter, that’s fine. It still takes up the same space in their database.

If a site limits you to 8 or 12 characters, then it might mean they’re not doing this.

More serious warning: If you use the “I forgot my password” option and they send you back your old password in plain text, then this site is 100% trash. Do not trust them with personal info. It’s a huge red flag that their security is decades behind the times.
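The scheme described above, sketched in Python as an added example (not code from the column or from any particular site). It goes slightly beyond the column's description by assuming a per-account random salt and a deliberately slow hash (PBKDF2-HMAC-SHA256); the function names, sizes and iteration count are illustrative choices.

```python
import hashlib
import hmac
import os

# Assumptions for this sketch (not from the column): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per account, and an illustrative iteration count.
ITERATIONS = 600_000
SALT_LEN = 16
HASH_LEN = 32


def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: the output is always HASH_LEN bytes.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, ITERATIONS, dklen=HASH_LEN)


def register(password: str) -> bytes:
    """Build the record a site would store: salt + hash, never the password."""
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify(attempt: str, record: bytes) -> bool:
    """Re-hash the login attempt with the stored salt and compare."""
    salt, stored = record[:SALT_LEN], record[SALT_LEN:]
    return hmac.compare_digest(_derive(attempt, salt), stored)


def record_sizes() -> dict:
    # Constructed sample passwords; the last stands in for a chapter-length one.
    samples = {
        "short": "jgWjt1s&pXn",
        "phrase": "Dancing hodunk dolphin flangers!",
        "chapter": "a very long password, repeated many times. " * 2000,
    }
    return {name: len(register(pw)) for name, pw in samples.items()}


if __name__ == "__main__":
    print(record_sizes())  # every stored record is the same size
```

Because only the salt and hash are stored, there is nothing from which the site could mail your old password back; a reset link is the only option.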

4. Required use of secret questions.

What is your mother’s maiden name? What is the name of your first pet? What street did you live on as a child?

These are awful security questions to begin with, and they’re made all the worse by the fact that sites keep re-using them. The idea is that I should be able to get access to my account if I know the password OR the answer to the secret question. So if the secret question is easy to guess or figure out, then it negates the security of the password. Why would a hacker waste time trying to attack one of those letter-number-symbol passwords when they can probably find the answer to the secret question on Facebook? Or from another database they stole years ago which used the same question?

I don’t mind having the secret question as an optional convenience, but requiring users to fill it out is demanding that they expose private info and thus make this account – and every other account they maintain – potentially less secure. Again, this reflects a very old-school approach to security that pre-dates the days of Facebook and laser-focused Google searching.

5. Sites that ask for too much information.

Don’t sweat it if there’s optional profile stuff that you can fill in after registration. Some people like this. But if account creation wants to know your home address, phone number, full name, website, and a link to your Twitter, then you should be extra careful. (This is a really common habit of software companies who are looking to “connect with their customers” by spamming you with crap.) Even if you don’t fill that info out (or you fill it in with crap) the policy will still make the site a juicy target for hackers. Moreover, if a company carelessly collects more info than they need, then they might also be careless with the information once they have it.

Again, these points are all guidelines more than rules. But if you see a site violating a lot of the items on this list, then be careful and consider taking your eyeballs elsewhere. Companies won’t care about security until we care about security.

Shamus Young is a programmer, critic, comic, and crank. You can read more of his work here.
