Tower and Town, November 2024


The Secret Life Of A Webmaster

Secret? Well, sort of. Secret in that I need to spend a good deal of time observing and tracking what people are actually doing with the websites I manage.

When you type a website address into your computer - something along the lines of 'https://bbc.co.uk' - clearly the computer uses that address to dredge up a web page for you to look at. Implicit in that operation is the opportunity for the programming behind the web page to record in a database the requested web address together with the address of your computer (its IP address, the number that identifies it on the internet). So although I don't know which individual is using your computer, I can document in detail your computer's use of my websites.

However, beyond compiling statistics of how often my websites are used - how many 'hits per month' each page gets - I'm not interested in the person behind the page requests.

What I am interested in is any funny business a user tries by meddling with the address of the web page. It's perfectly possible to tack extra text onto the end of an address like that bbc.co.uk one - text crafted so that the programming behind the page treats it as code or as database commands rather than as a page name - and you'd be amazed at the number of such attempts that I track on sites as innocent as towerandtown.org.uk, much of it churned out automatically by hacking programs running in distant countries.
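As an added illustration of the tracking described above (this is not code from the original article, and nothing is known here about how the towerandtown.org.uk site itself is built), the following Python reads a few constructed web-server log lines, tallies the hits per page, and flags requests whose address carries meddling of the kind just mentioned. The log lines, page names and addresses are made up for the example, and the list of patterns is a small heuristic rather than a complete catalogue of attacks.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample log lines in the common "combined" web-server log format.
# Addresses, pages and user agents are made up for this example, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Nov/2024:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Nov/2024:10:15:09 +0000] "GET /archive.php?edition=2024-11 HTTP/1.1" 200 8844 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Nov/2024:10:16:40 +0000] "GET /archive.php?edition=../../../../etc/passwd HTTP/1.1" 404 312 "-" "python-requests/2.31"
198.51.100.23 - - [02/Nov/2024:10:16:41 +0000] "GET /archive.php?edition=2024-11'%20OR%20'1'='1 HTTP/1.1" 200 8844 "-" "python-requests/2.31"
198.51.100.23 - - [02/Nov/2024:10:16:42 +0000] "GET /index.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120 "-" "python-requests/2.31"
192.0.2.44 - - [02/Nov/2024:10:20:05 +0000] "GET /wp-login.php HTTP/1.1" 404 312 "-" "-"
203.0.113.7 - - [02/Nov/2024:10:21:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# One log line: client address, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Heuristic patterns for meddling with the address. Deliberately small: a real
# deployment keeps a longer list and reviews what it flags by hand.
SUSPICIOUS = [
    ("path traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"'\s*(or|and|union)\b", re.IGNORECASE)),
    ("script injection", re.compile(r"<\s*script", re.IGNORECASE)),
    ("probe for common software", re.compile(r"^/(wp-login\.php|xmlrpc\.php|phpmyadmin)", re.IGNORECASE)),
]


def parse_line(line: str):
    """Return the fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(target: str) -> list:
    """Labels for every suspicious pattern found in a request target (path plus query).

    The target is percent-decoded first, so '%3Cscript%3E' is seen as '<script>'.
    """
    decoded = unquote(target)
    return [label for label, pattern in SUSPICIOUS if pattern.search(decoded)]


def analyse(log_text: str):
    """Count hits per page and collect the requests whose addresses look tampered with."""
    hits = Counter()
    flagged = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        page = urlsplit(fields["target"]).path   # the page name, without the query string
        hits[page] += 1
        labels = classify(fields["target"])
        if labels:
            flagged.append({"ip": fields["ip"], "when": fields["ts"],
                            "target": fields["target"], "labels": labels})
    return hits, flagged


if __name__ == "__main__":
    hits, flagged = analyse(SAMPLE_LOG)
    for page, count in hits.most_common():
        print(f"{count:4d}  {page}")
    for entry in flagged:
        print(f"FLAG {entry['ip']:15s} {', '.join(entry['labels'])}: {entry['target']}")
```

Run against the sample, the three requests from 198.51.100.23 and the probe for a WordPress login page are flagged while the ordinary visitor's requests are not. Decoding before matching matters: the script and quote characters in two of the lines only appear once the %-escapes are undone.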

The other thing that comes high on my list of tasks is preventing unwanted log-ins by people guessing other people's passwords - hacking, in other words.

When I first started looking after websites, I was flabbergasted at how pathetically simple many people's passwords were to guess. It very quickly became clear to me that no-one should be allowed to record their own password. So for the last 20 years or so, no website that I manage has allowed private passwords.

Instead, whenever someone registered to use a given site wants to log in, they send their email address to the site with a request for the site to email them back a One-Time Password - an OTP. The user then types the OTP into the login page. The instant the OTP is used, the website (a) checks that it matches the one it sent out and that it is coming from the computer that requested it in the first place, and (b) then kills the record it holds of that password. So no password is stored on the website for longer than it takes the user to type it in, and a would-be password-guesser has nothing to guess - provided the code is generated at random and is discarded if it is never used. What does then need guarding is the user's email inbox, since whoever can read it can log in as them. I am delighted to say that recently I have noticed that the Expedia website has moved to exactly this method of logging in, and many other sites now require use of a one-time code sent to your mobile phone in addition to checking your password.
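The OTP log-in described above, written out as an added Python example (it is not the author's code, and it makes its own assumptions: an eight-digit code, a five-minute lifetime for an unused code, and a random token handed to the requesting browser as a cookie to stand in for "the computer that requested it"). Sending the email and the database are replaced by a return value and an in-memory dictionary, and the email address is a made-up one.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 8                 # assumed code length
OTP_LIFETIME_SECONDS = 300     # assumed: an unused code dies after five minutes

# Stand-in for the database table of outstanding codes: email address -> record.
_pending: dict = {}


def _digest(otp: str, request_token: str) -> str:
    """HMAC of the code keyed by the requester's token.

    Storing this instead of the bare code means a copy of the table is useless
    without the token, which lives only in the requesting browser's cookie; an
    eight-digit code on its own could otherwise be brute-forced offline in seconds.
    """
    return hmac.new(request_token.encode(), otp.encode(), hashlib.sha256).hexdigest()


def request_otp(email: str, now=None):
    """Step 1: the user sends an email address; the site makes a fresh code.

    Returns (otp, request_token). In a deployment the otp would be emailed to the
    address and the request_token set as a cookie on the browser that asked, so
    that only that browser can finish the log-in. Neither value is kept in clear.
    """
    now = time.time() if now is None else now
    otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    request_token = secrets.token_urlsafe(32)
    _pending[email.strip().lower()] = {
        "digest": _digest(otp, request_token),
        "expires": now + OTP_LIFETIME_SECONDS,
    }
    return otp, request_token


def verify_otp(email: str, otp: str, request_token: str, now=None) -> bool:
    """Step 2: the user types the code in. Succeeds at most once per issued code.

    The record is removed before the comparison, so a right answer, a wrong
    answer and a stale one all kill it: a guesser gets one attempt per email.
    """
    now = time.time() if now is None else now
    record = _pending.pop(email.strip().lower(), None)
    if record is None:                      # no code outstanding, or already used
        return False
    if now > record["expires"]:             # left unused for too long
        return False
    # A different browser presents a different token, so its digest will not match.
    return hmac.compare_digest(record["digest"], _digest(otp, request_token))


if __name__ == "__main__":
    code, cookie = request_otp("reader@example.org")     # made-up address
    print("would email code", code, "and set cookie", cookie[:8] + "...")
    print("first use :", verify_otp("reader@example.org", code, cookie))
    print("second use:", verify_otp("reader@example.org", code, cookie))
```

The second call prints False because the record died on the first use. Killing the record on a wrong guess as well is a deliberate choice: it limits an attacker to one guess per email sent, at the cost of making the legitimate user request a fresh code after a typo.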

Hugh de Saram

      
