Your password is not safe
So, you think your password is secure? Perhaps you’ve got a system to remember your password that allows you to use a complex password? Well, good for you. Unfortunately, your password is still not secure.
The problem is, you simply can’t trust the website that you give your password to. What type of encryption do they use to store your password (if any)? Encryption (as I will talk about later) is a way of turning your password into a secret code that is much harder for hackers to crack than the password itself.
I’ve lost track of the number of websites that send you your password in plain text with their welcome email. I posted about this some time ago on a Google+ post. This isn’t just bad practice, this is almost criminal! They’ve shown no regard for the storage of your personal data by keeping your password in plain text in their database. Not only that, but they’ve sent your password in plain text in an insecure email. When an email is sent, it can pass through many different servers throughout the world, and it can potentially be “seen” at any point along its way. If someone malicious sniffs out your email, they could potentially get access to your account on the website you signed up for.
But, it doesn’t stop there. I’m sure you’re not one of the many people who use the same password for multiple accounts are you?! Of course not! However, just think about the many people who do use the same password across all their accounts. If this malicious person has gained access to that one account, they could also potentially get access to your email account. Now that’s when the very bad news starts. Once they have access to your email account, they can change the password and lock you out and start to reset your passwords for all your other accounts. This could include Facebook, Twitter, Google, PayPal and perhaps even your bank. If this doesn’t scare you, then I don’t know what will.
So, how do you guard against this? Well, basically, you can’t trust the website you sign up with. When you sign up, use a temporary password (you can always change this later). If you do receive that password back in plain text, then at least you know all your other passwords are safe.
If you do use the same password for all your accounts, then don’t! I know it sounds really complicated, but there are plenty of ideas to get you started. Here is one system: come up with a sentence and your favourite number. For example, “I like salted peanuts” and 15. By using the first letter of each word and the number you could get 15Ilsp. Then put the first 5 characters of the website you are signing up for at the end. For example, for Amazon, your password could be: 15IlspAmazo. You could even put another character at the end, for example a hash: 15IlspAmazo#, for extra security.
Even with this method, your password isn’t necessarily secure: it might be obvious to a hacker how your password system works. Of course, a password manager can help here, one like LastPass. Here, all you need to remember is one password, and you can get LastPass to automatically generate fiendishly complex passwords for all your accounts.
What should sites do to beef up their security?
One of the main reasons for me writing this blog post is that I came across another site this morning that sent my password in plain text. I was furious! Of course, it’s best to let your anger die down and think logically about this. This is the real world, and we’re all human. Not everyone knows about security, except you’d have thought the people developing these websites would. My advice is to send them a polite email, notifying them of the major security issue on their website. Kindly explain to them the issues that I have mentioned above: that potentially their customers’ accounts could be open to hackers.
Passwords should NEVER NEVER NEVER NEVER NEVER be stored in plain text. That’s just inexcusable. Passwords and other sensitive data should be encrypted at a bare minimum. However, even that is not enough. Encrypted passwords are surprisingly easy to crack with the right software. Take the password ‘passw0rd’. Rather than storing it as-is, a site runs it through a hashing method, which turns it into a string of letters and numbers called a hash, and stores that instead. The resulting hash depends on which method is used, and there are many methods to choose from. Here are some examples:
| Method | The hash of ‘passw0rd’ |
|---|---|
So, as you can see from the above, sha512 is more secure than md5 because of its sheer length. The problem is that hackers have lists of common passwords and their encrypted equivalents. That way they can find out your password from the hash quite easily. There is also the “brute force” method, in which a hacker will try thousands of passwords over a period of time in order to guess the password. So, how do you up your security? What you need is a bit of salt…
What is a salt?
Well, you could consult Wikipedia’s entry, but to be honest I wouldn’t bother, as you’ll end up more confused (well, it confused me). I’m not going to go into huge detail here.
You add salt in cooking to enhance or change the flavour. Salt, when used in password hashing, changes the hash in the same way. When you hash a password, you can mix in a salt string to add a bit of flavour and modify the result. This makes it much harder for a hacker to work out what the password is, because they now need to know both the hashing method and the salt, and a ready-made list of common passwords and their hashes no longer matches.
This still isn’t perfect, as hackers with enough time and processing power can try to recover your password using techniques involving rainbow tables and the like. The best advice I can give is to make sure passwords are long and complex and to investigate more advanced methods such as bcrypt, which are deliberately slow to compute. I’ll be updating this post with more information on these methods in due course.
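To make the two points above concrete (the hash table of ‘passw0rd’, and why a salt plus a slow method helps), here is an added example that is not part of the original post. It uses Python’s standard library only: bcrypt needs a third-party package, so the slow, salted function here is PBKDF2-HMAC-SHA256, which follows the same principle (random per-user salt, deliberately expensive hash). The list of “common passwords” is constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the lists of common passwords the post mentions.
COMMON_PASSWORDS = ["123456", "password", "passw0rd", "qwerty", "letmein"]


def unsalted_hash(password: str, method: str = "md5") -> str:
    """Plain md5/sha512 as in the post's table: same input gives the same output every time."""
    return hashlib.new(method, password.encode()).hexdigest()


def precomputed_lookup(stored_hash: str, method: str = "md5"):
    """Why unsalted hashes of common passwords fall quickly: hash the list once, then
    every leaked hash is a dictionary lookup. Returns the password or None."""
    table = {unsalted_hash(p, method): p for p in COMMON_PASSWORDS}
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, slow hash. The salt is random per user and stored next to the hash (it is
    not a secret); its job is to make every user's hash unique so one precomputed list
    cannot match them all, while the iteration count makes each guess expensive."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Store everything needed to verify later: iterations$salt$hash
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    leaked = unsalted_hash("passw0rd", "sha512")
    print("sha512 is long but still matched:", precomputed_lookup(leaked, "sha512"))
    user_a, user_b = salted_hash("passw0rd"), salted_hash("passw0rd")
    print("same password, different stored values:", user_a != user_b)
    print("login still works:", verify("passw0rd", user_a))
```

Note that two users with the same password get different stored values, so a breach of one hash tells the attacker nothing about the other, whereas the unsalted sha512 value is matched just as easily as md5 despite its length.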
So, what next?
If you do contact the website owner to mention the security issue only to discover they really don’t care, what do you do? I’m not really into “naming and shaming”, but I do believe something needs to be done. If you have any ideas, then please leave them in the comments below. I’d love to know!
Thank you Ian, I’m working on a project right now in school about Password Safety, and this really helped me understand a lot about it!
I’m really glad it helped! Let me know how your project goes.
Well, why not name and shame? Not the websites who say they intend to do something about it, but we should definitely name and shame the ones that don’t give a damn! I had my ID stolen – probably via the Lush website when they were hacked a few years ago. I am naming but not shaming Lush because they did something about it and their website is now super secure. But I will name and shame these two: The Royal Horticultural Society and Crocus. The awful thing about these two is not only are they refusing to do anything but I got this email reply from RHS: “however [IT] assure me that we do not retain any of your card details and our site is completely secure” !! Oh yeah – we just trust them! The awful thing is the RHS website actually shares my unencrypted password with the Crocus website! (I think Crocus probably manages the RHS website for them.) I think it should be made illegal and I’m very surprised it’s not.
Thanks for your comment, Vivian. I feel your pain, so sorry for all the issues you’ve had. Whenever I’ve had problems like this I’ve contacted them directly. Unfortunately most companies don’t know how to respond when you point out that they’re storing your passwords in clear text. They just think you are being fussy.
Thanks for the great article.
I agree that using a password manager is the best option, after creating a very complex password. Even though I tested LastPass I actually found it quite complex to use. I ended up using LoginBox. It’s easier to use and set up, and it logs in automatically to the websites I need.
I’d be interested to see a comparison between the various password managers. I tested a few and found not all actually log in automatically and thus stuck with the one that worked for me.
LoginBox looks promising. I love this app.
What type of hash does Facebook use nowadays, with all the commotion around privacy and security?
It’s a pleasure. How did it help you? I plan to update this article further with more information. Any thoughts on what I should add?