Louis Kessler's Behold Blog » Blog Entry

How Secure are Your Passwords? - Fri, 11 Jan 2008

Article warning: If you are paranoid about everything, you should avoid reading this article or it may ruin the Internet for you.

I started converting the Behold Forum over to bbPress. The first thing I had to do was convert all the registered users. To my horror, I discovered that my old Forum stored the passwords as plain text.

That actually was terrible for three reasons. First, if I was a dishonest guy, I could take your password, assume you used the same one at other sites you use, and log in as you and do malicious things. Second, since I'm honest and don't even want to know what your password is, if there was someone working for me who had access to the database, they might be dishonest and use your password. Third, since I don't have anyone working for me, if there was a hacker out there who could get into my database, they could use your password.

So I'm not talking here about the "quality" of your password. It doesn't matter if you use a simple 3 letter password, or a complex 29 character password with lower and uppercase and numbers and special characters. If someone can simply read it out of the database, it doesn't matter how well crafted it is.

WordPress and bbPress are different. They do not store the password itself in the database. Instead they "hash" the password using the MD5 algorithm and store that hashed value. This is not encryption, which could be reversed to get the password back. A hash is one-way: to check your login, the site hashes what you type and compares it with the stored value, so nobody, including the owners of the database, ever needs to see your password.

Now I know there have been weaknesses found in MD5, and WordPress and others are working to address them. For password storage the practical worry is a different one: MD5 is fast and these sites add no per-user salt, so anyone who steals the table of hashes can test guesses against it very quickly and recover the weak passwords. But even so, hashing the password is much safer than leaving it in plain text, for the three reasons above.
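To make the difference concrete, here is an added example (not code from this post, and not the code WordPress or bbPress actually use). It stores a constructed two-user table the way the old forum did and the way an MD5-hashing forum does, shows how a login is checked against the hash without ever recovering the password, and then shows the caveat above: a small constructed wordlist is enough to recover any weak password from an unsalted MD5 table. For contrast it also stores the same passwords with a salted, deliberately slow hash (PBKDF2, chosen here as an illustration). All function and user names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed sample user table; not real Behold Forum data.
SAMPLE_PASSWORDS = {
    "alice": "sunshine",       # weak: appears in any wordlist
    "bob": "Tr0ub4dor&3",      # not in our tiny wordlist
}

# Constructed stand-in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "sunshine", "qwerty"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, the form WordPress/bbPress stored in early 2008."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_md5_table(plain_table: dict) -> dict:
    """What the database holds once passwords are hashed instead of stored as text."""
    return {user: md5_hex(pw) for user, pw in plain_table.items()}


def verify_md5(stored_hash: str, candidate: str) -> bool:
    """Login check: hash what the user typed and compare with the stored hash.
    The site never needs the original password back. compare_digest avoids
    leaking how many leading characters matched through timing."""
    return hmac.compare_digest(stored_hash, md5_hex(candidate))


def crack_unsalted_md5(hashed_table: dict, wordlist: list) -> dict:
    """Recover every user whose password is in the wordlist.
    Because there is no salt, one hash per guess is compared against all
    users at once: equal passwords always give equal hashes."""
    lookup = {md5_hex(word): word for word in wordlist}
    return {user: lookup[h] for user, h in hashed_table.items() if h in lookup}


def pbkdf2_record(password: str, salt: bytes = None, iterations: int = 200_000) -> dict:
    """Salted, slow hash. A fresh random salt per user means the attacker must
    redo the whole (expensive) guess list separately for each user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_pbkdf2(record: dict, candidate: str) -> bool:
    """Login check for the salted form: recompute with the stored salt and compare."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(record["hash"], digest.hex())


if __name__ == "__main__":
    md5_table = build_md5_table(SAMPLE_PASSWORDS)
    print("stored MD5 table:", md5_table)
    print("alice logs in with correct password:", verify_md5(md5_table["alice"], "sunshine"))
    print("alice logs in with wrong password:  ", verify_md5(md5_table["alice"], "sunshin3"))
    print("recovered from unsalted MD5 with tiny wordlist:", crack_unsalted_md5(md5_table, WORDLIST))
    rec_a = pbkdf2_record("sunshine")
    rec_b = pbkdf2_record("sunshine")
    print("same password, two salted records, hashes equal?", rec_a["hash"] == rec_b["hash"])
    print("salted verify:", verify_pbkdf2(rec_a, "sunshine"), verify_pbkdf2(rec_a, "sunshin3"))
```

Running it shows alice's password recovered from the MD5 table in one dictionary pass, while the two PBKDF2 records for the same password differ (different salts) and still verify correctly. The point of the post stands: even the unsalted MD5 table is far better than the old forum's plain text, where no guessing was needed at all.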

So that got me wondering. I have about a dozen different passwords at several hundred different sites I use. I wonder how many of them are not hashed but are insecure in plain text in the databases.

In most cases, there actually is an easy way of finding out. Go to a site you've registered with and click on the "lost my password" link. If they email you back your actual password, then they are storing it in text or in some reversible form, because they cannot send what they cannot read. If they instead send you a reset link or a new random password and say your password is reset, then they probably don't have access to it, and all they can do is give you a new one. That second answer is only a good sign, not proof: a site can reset passwords and still store them in plain text.

Unfortunately, you can't find this out until you've already registered for the site. For people paranoid about this, I guess the trick would be to register with a dummy e-mail address and a dummy password, do a lost password request and see what they send back. Then you can decide whether to trust them and register for real.

Credit card information could have the same problem. You can’t do the same thing here, since I’ve never seen a “lost my credit card information” link on a site. You can follow the policy of only giving your credit card to companies you totally trust. That’s why PayPal is so popular. You can buy from thousands of companies, but PayPal will be the only one with your number. But do you trust PayPal? I’d trust them more than the various kids working at the corner gas station who get my card number all the time. This is not really a worry though, because credit cards have lots of levels of security and are actually very safe. The credit card companies will protect you from credit card fraud.

But giving out passwords you use can be much worse. What if your userid and password were the same for your PayPal account? That could be very bad.

For those of you who signed up to my Behold Forum, I apologise. I didn’t know about this before. I’m transferring your account and an MD5 hash of your current password to the new bbPress forum I am creating, and they’ll now be safe.
