Minnesota State College Southeast

Updates from the Web

MSC Southeast's computer and Web chronicles

We don't have your password

(Tech Tips)

Neither does anyone else - if they are legitimate.

The news about user accounts being stolen from Google, Home Depot, and others can be very unnerving. However, good sites don't actually store passwords. They only store a representation of them. Even if your information is stolen, it doesn't mean your password is exposed.

How it works

 

 

Digging Deeper

There are a number of techniques used, but they all use the same basic premise. Here is one of the most common techniques.

When you enter your password into an online account, the password is run through an algorithm. That is, a mathematical calculation is performed. The result is what is saved in the database instead of your password.

The cool part - (getting a bit geeky here)

The result of these mathematical algorithms (you should drop that phrase at your next party) is called a hash. If you use the same type of technique every time, then the same string of characters will always result in the same hash.

For example, using one technique, the password "qwerty123" will always be converted to the hash "2qrW5WBOjhe9nxCNkeJq/mKB2sj9oAkQQKem172bQ7U=". If you use a better password, like "Five5For5Fighting!Google", you get the hash "gsOnlRB5/7LGOSyNTnQjjolSpqumI9UsT5/uNYgnM6A=".

It is this longer string that is saved in the database. If a hacker steals the database information, they can't tell by looking at the hash what your password is. Hashes can't be reversed.

To find out if you used the right password, the website simply runs the same algorithm to check the password. If it matches the hash in the database, you used the right password.

Putting the hash in the password field would result in a completely different hash, so it wouldn't work. So, if you were to put the qwerty123 hash (2qrW5WBOjhe9nxCNkeJq/mKB2sj9oAkQQKem172bQ7U=) into the password field, you would actually get "G4AAO88pl0kITda+I20eX69Pxk6lHGFzfC3l53NF2Ew=" back. It doesn't match, so the hacker can't get in.

Getting a bit more secure

To make things even more difficult for hackers, websites use what is called a salt. This is a string of random characters only the site/database owner knows. This is added to your password before it is turned into a hash. Even if the hacker knows what algorithm is used, without the salt, the hacker can't figure out what the hash should be.

With the salt, the whole thing is really pretty sweet.
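The hash, check and salt steps described above, as a runnable sketch (an added example, not code from this site or from any system it describes). It assumes the "one technique" behind the sample hashes is SHA-256 with Base64 output, which reproduces the qwerty123 value quoted above; the function names, the PBKDF2 settings and the choice to generate a random salt per account and store it beside the hash are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os


def unsalted_hash(password: str) -> str:
    """Base64(SHA-256(password)): the same input always gives the same output."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def enroll(password: str, iterations: int = 200_000) -> dict:
    """Build the record a site would store instead of the password."""
    salt = os.urandom(16)  # assumption: fresh random salt per account, kept with the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password: str, record: dict) -> bool:
    """Re-run the same calculation with the stored salt and compare the results."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


if __name__ == "__main__":
    page_hash = "2qrW5WBOjhe9nxCNkeJq/mKB2sj9oAkQQKem172bQ7U="  # value quoted on this page
    print("matches page:", unsalted_hash("qwerty123") == page_hash)
    print("hash of the hash differs:", unsalted_hash(page_hash) != page_hash)

    alice, bob = enroll("qwerty123"), enroll("qwerty123")  # constructed sample accounts
    print("same password, different stored hashes:", alice["hash"] != bob["hash"])
    print("right password:", verify("qwerty123", alice))
    print("stolen hash typed as password:", verify(page_hash, alice))
```

Without a salt, every account that uses "qwerty123" stores the identical hash; with a per-account salt the stored values differ even though the password is the same.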

What we do at MSC Southeast

More robust systems, such as ours, don't use this technique specifically. We have the benefit of our StarID system. We don't store your password, or its hash. Instead, we have a connection that validates your StarID/password with the State's StarID system.

This is similar to the technique used by other government agencies. It allows us to greatly insulate your information from hackers.

Final thought

The techniques outlined above are used by professionals in the Web and security industries. Some less professional sites don't use these techniques at all.

It is hard to tell which sites use these techniques and which do not. This is why you should never reuse passwords. If they get your password in one place, it shouldn't work anywhere else - they will certainly try!

Extra links

Find out if your Gmail has been hacked by reading 3 Ways to Check if Your Gmail is Hacked.

Learn about Google's Security Settings (you need to log in first).

A website for your workday

www.calm.com

You're welcome.

Password resetting sympathy

Remember, for every password you as a normal person have to reset, we as IT professionals have ten more we have to maintain.

We feel your pain.

 

Avoiding Common Online Mistakes

(Tech Tips)

Man, are you lucky! You live every day with things that could easily ruin your day, week, or decade. One slip and you are toast.

I'm not talking about your shower or the main stairs in your house. I'm talking about all that living you do online. Facebook, Google, Amazon - you could be running with scissors and not even know it!

A recent article from LifeHacker.com outlines "The Stupid Things You Do Online (and How to Fix Them)". I highly recommend giving it a careful read. Here are the "stupid things" in order.

  1. You Undervalue Your Personal Data
  2. You Submit Sensitive Information Over an Insecure Connection
  3. You Feed Trolls
  4. You Leave Private Information in Your Web Browser
  5. You Don't Keep a Backup of Online Data
  6. You Assume Your Posts and Comments Are Anonymous
  7. You Let People Track Your Whereabouts
  8. You Use an Insecure Password That You Rarely (or Never) Change

Truly, these are the critical aspects of living online that need serious attention. Evaluate your own behavior and see where you can improve. It will keep you from getting into some fairly serious trouble.

While you are reading, I'll be backing up my Google Docs.

The Stupid Things You Do Online (and How to Fix Them)

 

Tips for keeping your Outlook organized

Outlook 2010 is an excellent program, though it can be a daunting one. With a plethora of viewing choices, lots of categories, and more features than you can shake a stick at (I've tried), it is hard to know where to start. Often, people just use one or two features, believing the others to be too difficult to use.

Fortunately, a recent Microsoft article does an excellent job of outlining seven rules to help you stay organized. Most of these I use myself, and it makes my work life much easier. Rare is the day I have more than one unread email in my inbox.

Here are the tips, in brief:

  1. Group by Conversation. This feature allows you to group entire discussions together, eliminating the need to hunt for previous emails in the same conversation thread. If you have ever had twelve people respond to one of your emails, you know how much this can help.

  2. Sort emails in folders. Creating your own group of folders helps keep things in place. Most people have some folders in place, but don't forget that you can have sub-folders as well. Moreover, you can use rules to automatically sort emails into these folders as they come in.

  3. Create Search Folders. Admittedly, I don't use this feature much myself. I'm a little diligent with my folder organization. However, if you aren't nearly as geeky about this, creating search folders is just the thing for you!

  4. Route mail using rules. If you aren't using rules, you should! They allow you to mark, forward, sort, or delete emails automatically based on your needs.

  5. Use Junk filters. The bane of email marketers, these rules allow you to sort or delete email based on who sent it to you. This is the last line of defense against obtrusive email.

  6. Assign color categories. I use this feature every day. In Outlook, you can give color categories to emails. You determine what these categories mean. For example, I use red for those important "to do" emails. I use green for emails that I will keep for reference, and I use orange for those emails I need to read closer later. It is one of the handiest features in Outlook.

  7. Flag for follow up. These flags are excellent! Simply by adding a flag, you can set a due date, start date, or a reminder. It essentially turns an email into a task. They even show up on your calendar.

To learn how to do each of these, and read more about these great features, visit the Microsoft At Work Web site.

Creating strong passwords

One of the things we don't enforce as much as we should here at Southeast Technical is a policy of strong passwords. One of the reasons for this is that if a password is too difficult, people will end up writing it down and then "hiding" it under their keyboards.

That doesn't mean you should keep your password simple. The stronger the password, the better protected you are from identity and account theft.

Common passwords to avoid

On occasion, we have to help guess someone's password when working on their computer, or helping them with an online account. IT professionals can be more successful at this than you may think. This is because we know the most common passwords people use. Here are 10 of the top passwords*.

  1. password
  2. 123456
  3. qwerty
  4. abc123
  5. letmein (one of my favorites)
  6. monkey
  7. myspace1
  8. password1
  9. blink182
  10. (the person's first name)

Other favorites include

  • admin
  • master
  • asdfjkl;
  • 55555 (six 6's, seven 7's, etc.)
  • 999 (I recently saw this used by a manager at Barnes & Noble!)
  • dragon
  • football
  • harley
  • (a rude word you couldn't say on television)

Hopefully, you aren't using any of these.

Strong passwords

Strong passwords have the following attributes:

  • They do not contain a word found in a dictionary
  • They use a mix of upper-case and lower-case letters
  • They use special characters (punctuation, symbols, etc.)
  • They do not use personal information, such as your house number or initials
  • They are not so complicated that you have to write them down
  • They are used in only one location (for one site or purpose)

This looks like a daunting list. However, there are several techniques out there that make it easier than you think to create strong passwords.

Making a secure password.

There are many techniques, but this video from The New York Times outlines a few ideas.

* Top ten list courtesy of Texas A&M

The Mysterious Windows Key

Have you ever noticed that key between Ctrl and Alt? Have you ever wondered what it does? Sure, clicking it will bring up the start menu, but it can unlock a host of other cool functions.

For example, if you are leaving for the day, but don't want to shut down your computer, hold down that Windows key and press the "L" key. You've now locked your computer. Or, if you are using Windows Vista or Windows 7, hold down the Windows key and tap the "Tab" key a few times. Pretty cool, eh?

Many other key combinations do some amazing things using that mysterious Windows key. You can download a PDF listing many of these functions below. (Thanks to Michael Dunham for providing this list.)

List of Windows Key Functions (28KB PDF)