Important Lessons on Password Security

As a professional web-developer, here is a small lesson for web-surfers on what goes on “behind the scenes” when you enter your password to log in to a website, how you are at risk, and why keeping strong passwords and changing them regularly is important.

Say a user “john” signs up on www.example.com using the password “apple”. Here are some things to take care of:

1. How is the database saving your password? Does it hash your password (using standard algorithms like SHA1 or MD5) before writing it to the database, or does it store it as-is in plain text? If it’s the latter, anyone with access to the database can see the usernames and passwords of every registered user on the site. The real damage comes when you use the same username and password on all the sites you visit.

2. Try clicking the “Forgot password” link on the website. If you get an e-mail containing the exact password you entered during signup, you can be pretty sure that your password was not hashed in the database. SHA1 and MD5 are one-way hashes, i.e. there is no way to get back the original text once it has been hashed. Sites which send you a link to “reset your password” are more secure.

3. When you log in to a website, is the connection SSL protected? If it is not, your credentials (username and password) travel in plain text from your end (the browser) to the server. The data can be tapped en route and your password stolen before it reaches its destination. If it is (lucky you!), the data still reaches the website’s server in plaintext, where it can easily be read by the people running the website.
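As an added example (not code from the original post), here is what items 1 and 2 look like on the server side: a constructed in-memory user store that keeps only a per-user salt and a PBKDF2-SHA256 digest (a slow, salted construction, which is the safer choice over the bare SHA1 or MD5 named above), plus a “reset your password” flow that stores only the hash of a single-use token. All function and variable names are assumed for the illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "database" for the example: username -> record.
USERS = {}
# username -> SHA-256 hex digest of the outstanding reset token (never the token itself).
RESET_TOKENS = {}
# PBKDF2 work factor; kept modest here so the example runs quickly, raise it in practice.
ITERATIONS = 200_000


def store_password(username, password):
    """Save only a random salt and a PBKDF2-SHA256 digest, never the password text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest}
    return USERS[username]


def verify_password(username, candidate):
    """Re-derive the digest from the candidate and compare it in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def issue_reset_token(username):
    """The 'reset your password' flow: the user is e-mailed a random token and the
    site keeps only its hash, so a database leak does not expose usable tokens."""
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[username] = hashlib.sha256(token.encode()).hexdigest()
    return token  # this is what goes into the e-mailed link


def redeem_reset_token(username, token, new_password):
    """Accept the token once; a wrong guess also burns it, so it cannot be brute-forced."""
    expected = RESET_TOKENS.pop(username, None)
    if expected is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, expected):
        return False
    store_password(username, new_password)
    return True
```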

SSL encrypts the data before it travels to the web-server, making it unreadable to anyone tapping the route; it is decrypted again at the server end. The easiest way to check whether a site is SSL enabled is to look for a small “lock” icon in your browser’s status bar.

SSL is also important for the “invite your friend” functionality which is common on Web 2.0 sites. The same logic applies here: without SSL, the username and password you enter travel in plain text.

Be wary of sites which do not implement what I mentioned above. Pick up any article on password security on the Internet and apply it when choosing passwords. Never use dictionary words, either as a single word or as a combination of two or more words. It’s a bad, bad web out there. You can never be totally safe, but it pays to be alert.
