Your Password is NOT Safe

April 23, 2013

You may think that your ten digit password that includes three non-alphanumeric characters would be impossible to crack, meaning that your accounts using that password are completely safe. Sadly, that is not the truth. Your password may be strong, but everything else may be weaker than you think.

When you sign up for a website, you enter the details you would like to use. It is then up to that website to process and store that data. You may think that having a secure password completely secures your account, but what if the group managing the website you just signed up for stores all of your information in cleartext? That would mean your password is readable to anyone with read access to their database, or sufficient permissions on their software. If you used that information elsewhere, say with the email address you signed up with, you have just given these people complete access to your emails and contacts.

The same goes if someone breaks into a website that stored your password without encryption. The website may have been created by a lazy programmer, but run by a good-willed person. They don’t abuse your trust, but if a third party intent on extracting login information gains access to this website’s database, they win. They have your password, plus any other details you may have entered, giving them more ammunition for attacking your accounts on other websites.

Now, for this next example, say that the website securely encrypts your password on their server before storing it. When logging in, check to see if your browser displays “https://” at the beginning of the URL. If not, then your password is being sent in cleartext over the web. This is a perfect target for an eavesdropper, intent on snooping and capturing your network activity in order to grab your login information. While a website does not need to use HTTPS during the login process, it is definitely less secure for your password to travel without being encrypted before leaving your computer.

For this fourth example, let us assume that when you submit the login form, your password is first encrypted by some JavaScript before being sent over to the server. This is also not secure, as someone who captured your network activity has your password in the encrypted form. If that person has sufficient technological powers available, he or she can break the encryption on that single phrase.

For this last example, assume that this website does use HTTPS and stores your password in an encrypted form, but does not limit how many times your login attempts can fail in a certain period of time. These days, botnets are available for hire, and one large botnet has been attacking websites powered by WordPress in order to gain access. They try to brute force the password of the admin account (but it could easily be your account if attacked by a different botnet). Even if the password is very strong, there are thousands of computers at work trying to break their way in, so the password will eventually be discovered.
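The two server-side weaknesses above (passwords stored readably, and no limit on failed logins) are the ones a site operator can fix directly. The following is an added example, not code from the original post, showing the storage and login logic a defender would write instead: each password is kept only as a salted, slow PBKDF2 hash, and an account is temporarily locked after a chosen number of failures within a time window (the specific limits, iteration count and in-memory store are assumptions for illustration).

```python
import hashlib
import hmac
import os
import time

# Slow, salted hash so a leaked database does not reveal passwords outright.
PBKDF2_ITERATIONS = 200_000
MAX_FAILURES = 5         # assumed policy: failures allowed per window
WINDOW_SECONDS = 300     # assumed policy: length of the window

_users = {}     # username -> {"salt": bytes, "hash": bytes} (constructed store)
_failures = {}  # username -> list of failed-attempt timestamps


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> None:
    # A fresh random salt per user defeats precomputed hash tables.
    salt = os.urandom(16)
    _users[username] = {"salt": salt, "hash": _derive(password, salt)}


def _recent_failures(username: str, now: float) -> list:
    recent = [t for t in _failures.get(username, []) if now - t < WINDOW_SECONDS]
    _failures[username] = recent
    return recent


def login(username: str, password: str, now: float = None) -> str:
    """Return 'ok', 'bad_credentials' or 'locked'."""
    now = time.time() if now is None else now
    if len(_recent_failures(username, now)) >= MAX_FAILURES:
        return "locked"          # too many recent failures: refuse outright
    user = _users.get(username)
    # Always run the hash so response time does not reveal whether the user exists.
    salt = user["salt"] if user else b"\x00" * 16
    candidate = _derive(password, salt)
    if user and hmac.compare_digest(candidate, user["hash"]):
        _failures.pop(username, None)   # success clears the failure history
        return "ok"
    _failures.setdefault(username, []).append(now)
    return "bad_credentials"
```

Locking per account blunts the kind of single-account brute force described above; the dump of `_users` contains only salts and hashes, so a database breach no longer hands over reusable passwords.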

So, what can you do when you don’t know if you can trust your password in the possession of most websites? Be smart. Enable two-factor authentication if you can, and do not reuse the same password on multiple websites. Use password-manager software to help you collect and store all of the passwords you use, making memorizing each one a non-issue. In addition, do not give your passwords to other people, unless you know that you can really trust them. Your sibling/friend/co-worker/etc. may not be as careful with it as you are, and might accidentally share it with even more people.

Your password is your key to the Internet. Treat it as you would treat the key to your heart.
