Website Safety: Log In, Log Off


As a frequent user of the Internet, I find myself constantly logging in and logging out of websites. Whether I’m looking for a flight to my next speaking engagement, booking a hotel room, or purchasing a novel to read, I have to log in to a website using my username and password. The website needs to authenticate that we are who we say we are before it allows us to perform a sensitive action like making a purchase using our credit card. But it is still our responsibility to protect ourselves using the tools that the website has given us. To do that, we have to make sure that we are creating passwords that are difficult to duplicate and also making sure that we log out of the website once we are done using it.

Don’t Use “Password” as your Password

One of the mistakes that many users make is creating a password that is easy to remember…and easy for a hacker to guess. It is important for us to protect our passwords by making them complex and difficult to guess. Hackers use a method called “brute force” to find passwords that are not complicated: they automate their search for our passwords and try every word in the dictionary to see if any of them work. Many websites protect against this kind of attack by only allowing a user three tries to correctly enter their password, but there are plenty of websites that don’t have these kinds of limits. To protect our passwords, it’s important that we use both upper and lower case letters, and at least one number, when creating the password. If possible, it’s also a good idea to add a character that isn’t a number or a letter, such as an underscore or a dollar sign. If we can create a password with all of these types of characters, it will be extremely difficult for an attacker to guess or “brute force” it.

Don’t Eat This Cookie

A lot of attention is paid to creating passwords that cannot be easily guessed when logging into websites where we may be handling sensitive data. But it is also very important to make sure that we log out of these websites when we are finished with them instead of just closing the tab or closing our browser. When we log into a website, a cookie is created and stored on our computer. A cookie is just a small file that holds information that the website uses to keep track of us as we browse its pages. There is a very important piece of information stored in the cookie called the session id. The session id is a unique identifier that is created when we successfully log in and that tells the website we are who we say we are. Hackers spend a lot of energy trying to steal these session ids because when they can grab our id, they can pretend that they are us. When we log out of a website, usually by clicking on a “Log Out” button, the website will delete that session id so that it is no longer valid. This way, even if a hacker uses the same session id, it is no longer our session id, so no harm can come to us. By just closing the tab or our browser, that all-important session id may not be deleted by the website, so we can still be vulnerable if a hacker gets their hands on it. As long as we click on the “Log Out” button, we continue to protect ourselves and make the hackers work harder.
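To make the two pieces of advice above concrete, here is a small in-memory login service written as an added illustration for this article; it is not code from the article or from any real website. It enforces the password rules from the previous section (upper and lower case, a number, a non-alphanumeric character; the minimum length of 8 is an added assumption the article does not state), locks an account after three failed guesses (the lock is permanent here for simplicity; real sites usually unlock after a delay), issues a random session id on login, and deletes that session id on logout. Closing the browser does nothing on the server side, which is exactly why a stolen id keeps working until you click “Log Out”. All class and function names are hypothetical.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 3   # the article's "three tries" rule
PBKDF2_ROUNDS = 100_000   # slow hash so offline guessing is expensive too
MIN_LENGTH = 8            # added assumption; the article lists only character classes


def password_meets_policy(password: str) -> bool:
    """Upper case, lower case, a digit and a symbol, as the article recommends."""
    return (
        len(password) >= MIN_LENGTH
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the site never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0


class LoginService:
    """Hypothetical server-side login/session logic (constructed example)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, str] = {}  # session id -> username

    def register(self, username: str, password: str) -> bool:
        # Refuse weak passwords such as "password" up front.
        if not password_meets_policy(password):
            return False
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))
        return True

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a fresh session id on success, None on failure or lockout."""
        acct = self.accounts.get(username)
        if acct is None:
            return None
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return None  # locked: a dictionary attack gets no more guesses
        candidate = hash_password(password, acct.salt)
        if not hmac.compare_digest(acct.pw_hash, candidate):
            acct.failed_attempts += 1
            return None
        acct.failed_attempts = 0
        session_id = secrets.token_urlsafe(32)  # unguessable; goes into the cookie
        self.sessions[session_id] = username
        return session_id

    def whoami(self, session_id: str) -> Optional[str]:
        """What the site believes about whoever presents this session id."""
        return self.sessions.get(session_id)

    def logout(self, session_id: str) -> None:
        """The 'Log Out' button: the id stops identifying anyone."""
        self.sessions.pop(session_id, None)


def demo_logout_vs_close() -> tuple:
    """Show that closing the browser leaves the session alive; logout kills it."""
    svc = LoginService()
    svc.register("ann", "Blue_Sky42")
    sid = svc.login("ann", "Blue_Sky42")
    # Closing the tab happens only on the client; the server still has the id.
    still_valid_after_close = svc.whoami(sid)
    svc.logout(sid)
    after_logout = svc.whoami(sid)
    return still_valid_after_close, after_logout


if __name__ == "__main__":
    print(demo_logout_vs_close())  # ('ann', None)
```

The same session id presented after logout is rejected, while before logout it still names the user even though nothing on the client side changed; that gap is the window an attacker with a stolen cookie would exploit, and logging out closes it.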

More Tools For Your Toolbelt

As I mentioned in my first article, we cannot rely on the software engineers who develop the websites we love to protect us. We have to take security into our own hands, and we can do that by educating ourselves about how to correctly use the tools the software engineers have given us when we use their websites. Creating a complicated password and logging out of websites once we are done with them makes a hacker’s job much more difficult. This is exactly what we want to happen. Once a hacker figures out that we are following steps to protect ourselves, they will move on to another target that will be much more susceptible to their tricks.

Kevin Poniatowski was a software engineer for Department of Defense contractors for over a decade. He has spent the last two years teaching software engineers, testers, and project managers from around the world how to create more secure software. He currently resides in Nashua, NH and spends his free time speaking to groups about Internet Safety and can be reached at poniatow@securemymachine.com.