HSTS: Enforced HTTPS

Though HTTPS has been an option for my site for a little while now, I haven’t enforced it outside of various commerce-related pages (e.g. the shopping cart). Starting now, not only is HTTPS required to browse my site, I’ve enabled the HSTS header to ensure that unencrypted connections are never allowed.
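What "required HTTPS plus HSTS" looks like from the browser's side, as an added example that is not part of the original post or the site's own configuration. Two caveats matter in practice: a browser only honours `Strict-Transport-Security` after it has seen the header once over HTTPS (so the first visit still depends on the cleartext redirect), and browsers ignore the header entirely when it arrives over plain HTTP (RFC 6797 section 8.1). The checker below parses the header the way a browser would and audits a response per scheme; the sample responses and the `example.com` hostname are constructed for the example.

```python
"""Audit HTTP/HTTPS responses for an enforced-HTTPS + HSTS policy (RFC 6797).
Added example; sample responses below are constructed, not captured."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # max-age recommended for HSTS; also the preload-list minimum

# directive-name [= "value" | value]; names are case-insensitive
_DIRECTIVE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*"?([^";]*?)"?\s*)?$')


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the policy a browser would apply, or None when the header is
    malformed (browsers drop malformed STS headers rather than guessing)."""
    seen: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()
        if name in seen:
            return None  # RFC 6797 s6.1: each directive at most once
        seen[name] = m.group(2)
    max_age = seen.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None  # max-age is the one required directive
    return HstsPolicy(
        max_age=int(max_age),
        include_subdomains="includesubdomains" in seen,
        preload="preload" in seen,
    )


def audit(scheme: str, status: int, headers: Dict[str, str]) -> List[str]:
    """Findings for one response, given the scheme it was served over."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if scheme == "http":
        # Browsers ignore STS on cleartext responses, so the plain-HTTP side
        # has exactly one job: send every request to https:// permanently.
        loc = h.get("location", "")
        if status not in (301, 308) or not loc.startswith("https://"):
            findings.append("http: expected a permanent redirect to https://")
        if "strict-transport-security" in h:
            findings.append("http: HSTS header is ignored here; set it on the HTTPS response")
        return findings
    sts = h.get("strict-transport-security")
    if sts is None:
        return ["https: no Strict-Transport-Security header"]
    policy = parse_hsts(sts)
    if policy is None:
        return ["https: malformed HSTS header (browser will ignore it)"]
    if policy.max_age < ONE_YEAR:
        findings.append(f"https: max-age {policy.max_age} is short; {ONE_YEAR} (one year) is the usual value")
    if not policy.include_subdomains:
        findings.append("https: includeSubDomains not set; subdomains stay reachable over cleartext")
    return findings


# Constructed sample responses (scheme, status, headers); not from any real host.
SAMPLES = {
    "cleartext-redirect": ("http", 301, {"Location": "https://example.com/"}),
    "cleartext-serves-page": ("http", 200, {"Content-Type": "text/html"}),
    "https-good": ("https", 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "https-weak": ("https", 200, {"Strict-Transport-Security": "max-age=600"}),
    "https-broken": ("https", 200, {"Strict-Transport-Security": "max-age=one-year"}),
}

if __name__ == "__main__":
    for name, (scheme, status, headers) in SAMPLES.items():
        print(name, audit(scheme, status, headers) or ["ok"])
```

Running it prints one line per sample: the redirecting cleartext response and the one-year `includeSubDomains` policy pass, the page served over plain HTTP, the 600-second policy and the non-numeric `max-age` each get a finding.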

Read More

1&1 Asks for Your Password to Cancel Your Account

After a couple of long years using 1&1 Shared Hosting and Virtual Private Servers, I’ve completely migrated all of my hosting to Digital Ocean and Heroku, and my domains to Namecheap. And after trying to cancel my 1&1 account, I now have complete justification for doing so.

1&1’s experience has always been similar to that of a larger company, with overcomplicated systems and procedures to do simple things. Contacting their support means waiting through a phone queue, domains sometimes can take forever to switch name servers (though the process in itself takes a while on any provider, 1&1 seems particularly slow), and the various FTP and database account management systems are nightmares.

Read More

Please, Stop Helping the Hackers Guess My Passwords

There have been numerous high-profile hacking attempts (and successes) in recent months and years. In 2012 alone, millions of accounts’ hashed passwords and other sensitive information were stolen across dozens of different websites:

  • Zappos: 24 million accounts’ passwords and email addresses exposed
  • Global Payments: 1.5 million credit card numbers exposed
  • LinkedIn: 6.5 million hashed passwords stolen, many of which weren’t salted
  • eHarmony: 1.5 million hashed passwords exposed
  • Last.fm: Passwords compromised
  • Yahoo: 450,000 passwords leaked in plain text

By now, I’m sure you get the point: your information is never safe. When you input your credit card number or password into a website, you’re trusting that they’ve taken the necessary precautions to safeguard that data. The reality is, there are a lot of businesses that do not implement decent security practices.

In fact, the worst offenders not only store your password insecurely, but they prevent you from protecting yourself properly. In the event of a leak in which password hashes are made public, a long, unique password is the only protection you still control: an attacker can guess against the leaked hashes offline, and the weak passwords fall first. A secure password can be composed of random letters, numbers, and symbols, or even a long sentence that you remember. The issue is, not all sites let you use these kinds of secure passwords.
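To make the offline-guessing point concrete, here is an added example (not code from the original post) that builds a small constructed "leak" of unsalted SHA-1 hashes, of the kind behind several of the 2012 incidents, plus a salted variant, and runs a dictionary attack against both. The usernames, passwords and wordlist are made up for the example.

```python
"""Dictionary attack against a constructed leak of password hashes.
Added example: shows why, once hashes are public, password strength is
what decides who gets cracked, and how salting changes the attacker's work."""
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed accounts; "dave" is the only one using a long passphrase.
PASSWORDS = {
    "alice": "password1",
    "bob": "password1",          # same password as alice
    "carol": "Summer2012!",
    "dave": "correct horse battery staple of my own",
}
WORDLIST = ["123456", "password", "password1", "letmein", "Summer2012!", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """Unsalted SHA-1: every user with the same password gets the same hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def sha1_salted(password: str, salt: bytes) -> str:
    """Per-user random salt: identical passwords hash differently."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def _salted_record(password: str) -> Tuple[bytes, str]:
    salt = os.urandom(16)
    return salt, sha1_salted(password, salt)


LEAK_UNSALTED: Dict[str, str] = {u: sha1_unsalted(p) for u, p in PASSWORDS.items()}
LEAK_SALTED: Dict[str, Tuple[bytes, str]] = {u: _salted_record(p) for u, p in PASSWORDS.items()}


def shared_hashes(leak: Dict[str, str]) -> List[List[str]]:
    """Users whose hashes collide: with no salt, cracking one cracks them all."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in leak.items():
        by_hash.setdefault(h, []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


def crack_unsalted(leak: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash each candidate once, then look up every leaked hash in the table.
    Returns (cracked users, number of hash computations)."""
    table = {sha1_unsalted(w): w for w in wordlist}  # reusable across users and sites
    found = {user: table[h] for user, h in leak.items() if h in table}
    return found, len(wordlist)


def crack_salted(leak: Dict[str, Tuple[bytes, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """With salts, every candidate must be re-hashed per user; the shared
    table is gone, but weak passwords still fall to a small wordlist."""
    found: Dict[str, str] = {}
    work = 0
    for user, (salt, h) in leak.items():
        for w in wordlist:
            work += 1
            if sha1_salted(w, salt) == h:
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    print("duplicate hashes:", shared_hashes(LEAK_UNSALTED))
    print("unsalted:", crack_unsalted(LEAK_UNSALTED, WORDLIST))
    print("salted:  ", crack_salted(LEAK_SALTED, WORDLIST))
```

In both runs the three short passwords are recovered and only the passphrase survives, which is the post's point; salting only removes the precomputed-table and duplicate-hash shortcuts. A fast hash like SHA-1 also lets an attacker try billions of guesses per second, which is why a deliberately slow password hash (bcrypt, scrypt, PBKDF2) is the server-side fix.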

Read More