Why do we have to log in?
Our news articles and information about us are public and free to view without login. That’s important for raising awareness of our sport and encouraging cruising.
Over the years we have spent members’ money acquiring and developing valuable resources for the benefit of members. Restricting access encourages people to pay the membership fee.
Interactive features such as the merchandise shop and event booking form are particularly vulnerable to abuse if they are public, so we only show them to trusted users. If we know who the user is we can make these features simpler.
Some users need access to more sensitive information or more powerful features. Committee members, web page authors and administrators all log in as members but have different access levels.
Since computers were first connected together in networks, people have been breaking into them. They do it to show off, to earn a living, to steal money or secrets, to disrupt business, to influence people or for many other reasons. We call them hackers (though that was once an honourable term).
What do we have that hackers want?
It’s not our private internal documents they’re after, but tools and data they can use to attack other targets.
- A well-connected trusted computer that is authorised to send bulk email
- Popular web site software (WordPress) with a connection to a payment service
- Contact information about members and subscribers
- A reputation as a source of reliable information
How do they get in?
To take advantage of these riches, a hacker needs privileged access to the website. Pretending to be a member is a significant step towards that goal, so guessing usernames and passwords is a rewarding activity. It’s going on all the time: hackers use computers to try over and over again with different combinations of username and password until they strike lucky. Our website keeps a log, and it’s full of failed login attempts.
How do we keep them out?
A computer that’s not connected to the internet is safe, but that’s like keeping a ship in a harbour. We don’t accept all traffic; for example, the website rejects connections from unlikely places like Botswana. That first line of defence is called a firewall, and it just examines internet addresses.
The login system is the second line of defence. It tracks login failures carefully, noting the username, password and internet address. It looks for suspicious behaviour such as a series of failed attempts from one computer with different usernames or passwords. If it decides a hacker might be at work, it tells the firewall to block that internet address for a while.
Passwords have many disadvantages, and modern secure computer systems don’t use them. Some companies issue physical tokens to employees; my Windows computer recognises my face; my Android phone recognises my fingerprint. Many websites use one-time passcodes generated by a phone app; others send a code by SMS. The Revenue has installed a digital certificate on my computer. In future our website might use one of these alternatives.
A detailed guide to the login procedure is on the way, and we’re working on improvements. Meanwhile, here are some suggestions that might help.
- If you don’t know your username you can use your email address instead. Don’t guess.
- If you don’t know your password, follow the ‘Lost your password?’ link. Don’t guess.
- Write down your password somewhere safe. Don’t trust your memory.
- Tick the ‘Remember Me’ option, so you won’t have to log in every time.
- After five failures in four hours, your computer will be blocked for twelve hours…
- …but the webmaster will hear of it and might step in to help: firstname.lastname@example.org
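To show how the login system described above turns a log of failures into a firewall block using the published rule (five failures within four hours, blocked for twelve hours), here is an added Python example. It is not the club's own code; the log format, addresses and usernames are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not the club's real format): one failed login per
# line with an ISO timestamp, the source address and the username tried.
SAMPLE_LOG = """\
2024-05-01T09:00:00 FAIL ip=203.0.113.7 user=admin
2024-05-01T09:01:00 FAIL ip=203.0.113.7 user=skipper
2024-05-01T09:02:00 FAIL ip=203.0.113.7 user=bosun
2024-05-01T09:03:00 FAIL ip=203.0.113.7 user=commodore
2024-05-01T09:04:00 FAIL ip=203.0.113.7 user=purser
2024-05-01T08:00:00 FAIL ip=198.51.100.9 user=jane
2024-05-01T13:30:00 FAIL ip=198.51.100.9 user=jane
2024-05-01T13:31:00 FAIL ip=198.51.100.9 user=jane
2024-05-01T13:32:00 FAIL ip=198.51.100.9 user=jane
2024-05-01T13:33:00 FAIL ip=198.51.100.9 user=jane
"""

MAX_FAILURES = 5                 # the article's rule: five failures...
WINDOW = timedelta(hours=4)      # ...within four hours...
BLOCK_FOR = timedelta(hours=12)  # ...earns a twelve-hour block

def parse(log):
    """Return (timestamp, ip, username) for each failure, oldest first."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, _, ip, user = line.split()
        events.append((datetime.fromisoformat(ts), ip[3:], user[5:]))
    return sorted(events)  # lines may be out of order; evaluate in time order

def blocks_to_apply(log):
    """Return {ip: (block_until, usernames_tried)} for every address whose
    failures reach MAX_FAILURES inside a sliding WINDOW of recent failures."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside WINDOW
    users = defaultdict(set)     # ip -> distinct usernames tried (guessing sign)
    blocks = {}
    for ts, ip, user in parse(log):
        users[ip].add(user)
        # drop failures older than WINDOW so a slow trickle of typos is not blocked
        recent[ip] = [t for t in recent[ip] if ts - t <= WINDOW] + [ts]
        if len(recent[ip]) >= MAX_FAILURES and ip not in blocks:
            blocks[ip] = (ts + BLOCK_FOR, sorted(users[ip]))
    return blocks

def is_blocked(blocks, ip, when_iso):
    """What the firewall would answer for a connection at time when_iso."""
    entry = blocks.get(ip)
    return entry is not None and datetime.fromisoformat(when_iso) < entry[0]
```

The first address tries five different usernames in four minutes and is blocked until 21:04; the second has five failures in the day but only four inside any four-hour window, so it is left alone.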