Don't worry, this blog post is hopefully not going to inspire you to wear a tinfoil hat from now on, but cybersecurity is a big issue that is often overlooked in the eventful atmosphere of startups. We want to take a deeper look at the risk factors for young (internet)-companies and some practical steps to mitigate the dangers of using this thing called Internet!
Hackers making the Headlines
Several prominent companies faced big troubles after security incidents. Ashley Madison (the famous hookup website), Sony or Ebay all had their users data stolen. These big companies make the headlines and leave their users in fear (and it get's especially annoying if credit card data is stolen). No one wants to have their friends and family knowing they had an account on Ashley Madison (and Ashley Madison is probably not too happy that everyone else knows that only a few percent of the accounts were women and the rest were bots).
Your passwords are probably compromised
Unfortunately, more often than not, the weakest link of cybersecurity remains the human. Probably all of us had a password somewhere that was looking like "abcdef123" or "myname1204". Furthermore you probably told your (ex-)boy or girlfriend. You can consider this password compromised. Today, you should leave the hard work of generating and memorizing passwords to the computer! There are several great applications that will make your life easier:
- Passpack Passpack is an online storage for passwords. It encrypts your passwords and keeps them safe. An additional benefit is that you can share passwords with your coworkers.
- Lastpass Similar to PassPack and also offers iOS applications.
- KeePassX or KeePass If you serious about your security you probably have to use Open Source Software where you can look at the actual inner workings. Furthermore, KeePass (or KeePassX) is entirely free so you'll never have to pay for an enterprise solution. The passwords are stored in encrypted database files that you can upload to your Dropbox (or even better your own ownCloud instance).
All of the above solutions also have features to generate passwords that are really long and complicated so you don't have to hit the keyboard like a monkey to generate some of the sweet entropy.
Keeping your passwords safe and making them too hard to guess is the first step of keeping your users save!
Your users trust you
If you are running a website or webservice (like we do) your users are giving you the trust that you handle their data with care.
The most important rule is: Never store passwords in plaintext or you'll end up on this list.
Too many people (which haven't read this blog post ;) use the same password for multiple websites. If you assume the worst case scenario and your database is compromised, having passwords in plaintext will make sure that a lot of accounts on unrelated websites will be breached, too (such as mail accounts, amazon, or facebook). While you might be able to excuse a database compromise, you can never excuse plaintext passwords.
Therefore, always use hashes to store passwords. A hash of a password is a deterministic function that is easy to calculate in one direction but not the other. I.e. a simple hash (md5) would translate "test" to "d8e8fca2dc0f896fd7cb4cb0031ba249". But going from "d8e8fca2dc0f896fd7cb4cb0031ba249" back to "test" is much harder (note that md5 is NOT secure, but other hashes are). If you are not the CTO, then tell your CTO he should also consider using a salt which increases the security of your hashes again.
You can find a more thorough introduction about hashes and what salts are, over here.
Work hard and sleep well
Unfortunately, keeping yourself and your users secure requires work. But this work will pay off eventually, when you can hopefully snicker about the likes of Ashley Madison (assuming that you didn't have an account there). Realizing that your users trust is one of the most important values nowadays is quite important. Of course, other rules apply anytime, such as keeping your system and servers up to date with the newest security updates.