Contact Me

Confirmit Stream Blog

Confirmit Stream
February 2010 > Is your panelists' data safe and secure?

Is your panelists' data safe and secure?

posted by: Nick Roman on 2/26/2010

confirmit blog post

Before Christmas last year the social application site RockYou.com suffered a data breach that resulted in the exposure of over 32 million user accounts. In the aftermath of this incident, researchers from Imperva were able to analyze the unsecure practices used by millions when choosing their passwords. If you are wondering what the most popular password is, it is "123456". The next 4 are "12345", "123456789", "Password" (ironic, isn't it?) and "iloveyou".

Is this important to online panels?

One thing is that a lot of people use the same password/user name across a number of different sites, so that vulnerabilities in one solution (the panelist portal) potentially could expose their account on other sites as well (Web mail, etc.). (This obviously isn't as blatant as in the RockYou.com case where it was possible to break in and get the actual login details of other sites like MySpace.com in plain text, but anyway something to consider.)

But most importantly, let us consider the information that is accessible through the panelist portal. There are probably details on surveys that the panelist is invited to and does complete, and there are potentially some point status and incentives that could be harvested, but most importantly, there is probably a way to access and update the panelist profile.

And this is the scary part: the panelist profile is a collection of Personally Identifiable Information (PII). There's name, birth date, maybe address, gender, marital status, household size, perhaps even details on income, occupation, appliances, and so on. This is information that panelists trust is secure, and which in a worst case scenario could potentially be used for identity theft or other crimes.

So, if you are running an online panel with a panelist portal, what can you learn from the RockYou.com incident?

First: You can't trust your users to choose a password that resists guessing or brute-force attacks. You can, to a certain degree, address this by providing guidelines, but many users will ignore this. To help them, you should set up your system to enforce a certain level of password complexity.

Second: You have to make sure you have a secure system. Some important things to consider are vulnerability to SQL injection and Cross-site scripting (XSS) attacks, and also that passwords are encrypted (one-way, i.e.: hashed) instead of being stored in clear text.

In my next blog entry, I will provide some advice on best practices for panelist portal security.

RSS Stream
Subscribe
Follow Us On
Twitter
LinkedIn

Post Archive
May 2012(2)
April 2012(3)
March 2012(1)
February 2012(2)
December 2011(9)
November 2011(2)
October 2011(3)
September 2011(5)
August 2011(4)
July 2011(7)
June 2011(7)
May 2011(7)
April 2011(6)
March 2011(6)
February 2011(8)
January 2011(7)
December 2010(9)
November 2010(12)
October 2010(8)
September 2010(4)
August 2010(1)
July 2010(6)
June 2010(1)
May 2010(4)
April 2010(6)
March 2010(4)
February 2010(15)
January 2010(4)
Blogs We Read
CRM Intelligence & Strategy
Customer Experience Matters
Customer Service in the Media Era
Harvard Business Review
Research Rockstar
MarketResearchTech
Return Customer
The Chief Customer Officer
The Survey Geek
Think Customers: The 1to1 Blog
Walker Information Blog
The Future Place Blog
Customer Strategy Thinking Aloud

Affiliates
An NGMR Top Blog