
How to tell if a site stores passwords in clear-text?

  1. Click on the "I forgot my password" link.
  2. If they email you your password, you know they stored it in clear-text somewhere. You should complain. Sadly, their first-tier support probably won't understand and will assure you that they take security seriously and you have nothing to fear. Oh well, at least you know and can choose to use a different company, or at least use a password you aren't using anywhere else (which you already do, right?).
  3. If they email you a code to reset your password or a temporary password, then either they stored a hash of the password (hopefully they did it right), or they're doing it wrong and their password-recovery system obscures this fact.

Every sysadmin should know how to properly store users' passwords in a database, even if you aren't a programmer. It helps you evaluate services that you may use.

How to properly store passwords in a database:
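As an added example (not part of the original post, and not the code the post links to), the following Python sketch contrasts the clear-text pattern from step 2 with proper storage: a per-user random salt and a slow salted hash (PBKDF2-HMAC-SHA256 from the standard library, with an assumed work factor), verified with a constant-time comparison. It also shows why a step-3 reset code never needs the password: the server generates a random one-time token, stores only its hash with an expiry, and sets a fresh password when the token is redeemed. The in-memory dictionaries stand in for database tables and are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "tables" standing in for a real database.
USERS = {}         # username -> {"salt": bytes, "hash": bytes, "iterations": int}
RESET_TOKENS = {}  # sha256(token) hex -> {"username": str, "expires": float}

# Work factor for PBKDF2-HMAC-SHA256; an assumption, tune for your own hardware.
ITERATIONS = 600_000


def store_password_clear_text(username, password):
    """The pattern the post warns about: the password itself is kept, so it can be emailed back."""
    USERS[username] = {"clear": password}


def set_password(username, password):
    """Store only a random per-user salt and a slow salted hash; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None or "hash" not in rec:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["hash"])


def can_email_password(username):
    """True only when the stored record still contains the password (the step-2 red flag)."""
    rec = USERS.get(username)
    return rec is not None and "clear" in rec


def issue_reset_token(username, ttl_seconds=900, now=None):
    """Step-3 style recovery: a random one-time token, stored only as its hash, with an expiry."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    RESET_TOKENS[key] = {"username": username, "expires": now + ttl_seconds}
    return token  # sent to the user's email address; never kept in the clear server-side


def redeem_reset_token(token, new_password, now=None):
    """Accept a live, unused token and set a fresh password; the old password is never needed."""
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    rec = RESET_TOKENS.pop(key, None)  # pop makes the token single-use
    now = time.time() if now is None else now
    if rec is None or now > rec["expires"]:
        return False
    set_password(rec["username"], new_password)
    return True


if __name__ == "__main__":
    set_password("alice", "correct horse battery staple")
    store_password_clear_text("bob", "hunter2")
    print("alice verifies:", verify_password("alice", "correct horse battery staple"))
    print("alice can be emailed her password:", can_email_password("alice"))
    print("bob can be emailed his password:", can_email_password("bob"))
    tok = issue_reset_token("alice")
    print("reset redeemed:", redeem_reset_token(tok, "a new passphrase"))
    print("token reuse rejected:", not redeem_reset_token(tok, "again"))
```

PBKDF2 is used here because it ships with Python; a production system would typically reach for a dedicated library implementing bcrypt, scrypt or Argon2. The point that survives either choice is the one the post makes: with only a salted hash on disk, the service cannot mail you your password, and the reset flow works without it.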

(This post was inspired by this problem that was recently reported.)

Posted by Tom Limoncelli

3 Comments

It should be pointed out that if number one happens, it doesn't guarantee that they store it in clear text. It may mean that they store it with reversible encryption. Neither instance is very good, and either one should give cause for concern (there is *never* a need to decrypt the password).

On Opera I use this extension ( https://addons.opera.com/en/extensions/details/evenlv-md5-converter/?display=en ) to quickly generate a MD5 sum to use it as a password for such sites. I wonder what they think when they peruse the passwords database and see: "12345", "qwerty", "password" and my own "296fa6253314d4163f592678a73fd5e"?

Normal users can choose to trust some third party "wallet" type service, or come up with a few rules to ensure that a password is "unique" to a given site.

The idea basically boils down to something like:

Base password:
password

Google password:
pgssword

Yahoo password:
pyssward

Microsoft password:
pmsswird

A spear phisher might deduce your algorithm, but a basic password dump will minimize your exposure.

-danny
