Feb 8, 2012 11:30 PM by Matt Stafford
"Nothing has changed; the vulnerability still exists," says David Stites, a master's computer science student at UCCS.
In January, Stites showed News 5 a security lapse he found on the iPhone mobile app for Southwest Airlines. He was able to pull login and password information out of the air while the user was on unsecured WiFi internet access.
Stites is still able to pull password info from Southwest's mobile app, a month later.
When News 5 spoke with Southwest Airlines back in January, they said they didn't have any issues that they were aware of. We called again this week; they say since our story ran, they've been running tests on the app. They say it's about 98-99% secure. Southwest spokesman Chris Mainz says he believes they found the issue Stites was talking about. Mainz says they have a fix that they plan to implement on Friday -- but as of this posting it's still not fixed. Southwest has never contacted Stites about the issue.
Stites says it's up to you to keep yourself safe, and your password is a good place to start.
"If I'm able to compromise the one password, based on human tendencies I probably can compromise something else," says Stites. A big part of that, he says, is that people use the same password for up to four sites; usually when they use a different one, there are only slight changes.
He says hackers pay attention to that.
"The goal is to build a profile of this person; know their Facebook, know their e-mail, know their banking," explains Stites. "Typically if they're liking something, they have a personal connection with it."
"They may check that and find out quickly; 'oh, well, this person is a member of this bank, or has this association'. They may just figure, 'well I'll attempt this attack'," says Doug DePeppe, principal of i2IS Cyberspace Solutions.
Even if your info is safe, it doesn't mean that your kid's is.
"95% of kids, grade 7 to 10, are using social media and social networking," says DePeppe. He says it's crucial to start teaching kids "web sense" -- kind of like "street sense" -- right now.
"Have multiple passwords, and you need to change them," explains DePeppe. "You need to have, you know, seven, eight characters -- numbers, letters, and special characters."
"A good rule of thumb is never use any personal information," says Stites. That means leave your birthday and the last four of your social security number out.
Also, don't use any words in the dictionary.
"If I were trying to break a password that is the very first thing I would do, is try a dictionary attack," says Stites.
Stites agrees that random letters, numbers and characters work best, but he points out that you've got to remember them.
"It's no good if you have to write it down and stick it underneath your keyboard," says Stites.
"Think of a phrase; such as -- my sister likes to eat oranges everyday," says Stites. "Take the first letter of each word and make your password out of those letters."
Another idea is to pick words and combine them to make something that isn't a word. For example, take "computer", "desk", and "mouse", and create "computerdeskmouse", though it might be better to add some numbers and characters.
Stites also suggests setting your accounts to lock if there are multiple failed password attempts. He says that will keep hackers from trying as many key combinations as they want.
A final suggestion is to have your password include two of these three things: "something you know", "something you are", and "something you have". "Something you know" could be a password, but to use it you would need to have at least one of the other two categories. "Something you are" could be something like a thumbprint; several laptops now include scanners, or you can buy an extension for your computer. "Something you have" could be a key fob, or a device that only you carry around, to let the computer know it's you. Stites says having at least two of these items included in your password can make it much more complex.
The more random, the better. A good password isn't foolproof, but it's a good start to keeping hackers at bay.