4 ways to know if you can trust *them* with your password
There are numerous services out there (online or otherwise) that require you to identify yourself by means of a password. In principle, you are then expected to make sure that the password does not become known to an untrusted third party, who could otherwise access the service on your behalf and cause you harm.
But the question is: how well will the people in charge of the service ensure that your password doesn't fall into the hands of a third party? In many cases, the answer is: not as well as they should.
When a service doesn't handle your password as it should and doesn't take every precaution to keep third parties from obtaining it, you are exposed to two kinds of attack:
- Someone can use your password to impersonate you on the service you were using it for
- Someone can use your password to impersonate you on other services where you happen to use the same password
The first one is not always problematic, but it can be if, for example, the service in question is related to handling of your money.
The second one is obviously worse than the first, which is why you ideally want a different password for every service you use. This is all well and good, but it is a problem for most people: whatever scheme you use to keep a different password per service, it is extra work compared to remembering one password for everything. So, if you really can't stand using a different password for each service, how can you tell which ones you really shouldn't trust with your usual password?
There are a few ways to find out if a service is likely to handle your password properly, which I'm going to list in a moment. If you don't know how a particular service handles passwords, start by using a temporary one for testing before using your usual one.
Once again, note that it is always better to use a different password for each service.
There are at least two things a service must do to keep your password from being compromised:
- Store only a salted, deliberately slow hash of the password (bcrypt, scrypt, Argon2 or PBKDF2) rather than the password itself. This ensures that an attacker who gains unauthorized access to the service's data cannot read your password out of it, and cannot cheaply brute-force it either
- Whenever a password needs to be communicated between you and the service, it is either a one-time password (or single-use reset token) or it is sent over a properly encrypted connection
There are at least four signs that a service is not actually taking those steps:
- You are required to enter a password that is shorter than a certain small number of characters (often shorter than 20 or 30 characters) and/or that cannot contain any "special" characters:
This is sometimes (but not always) a sign that the service stores the password in clear text. Such restrictions are usually imposed because passwords end up in database fields that limit the length or encoding of the string they accept, sometimes coupled with poor handling of special or international characters server-side. A service should hash a password as soon as it receives it, which yields a fixed-length value drawn from a fixed character set, so neither the length nor the encoding of the original password should be a concern.
Of course, passwords cannot be arbitrarily long either: they have to be transmitted over the network, and hashing them with a deliberately slow algorithm takes time. But a limit of around 100 characters should be no issue in most cases (bcrypt, for instance, only uses the first 72 bytes of the password, which is one legitimate reason for a cap near that size).
- When you set or change your password, it is sent to you over email:
This means that your password has been sent in cleartext and you can't trust it to be secret any longer: it has passed through the service's outgoing mail server and your provider's incoming one, and may remain in mail logs and backups on both sides. Using a little-known email provider that lets you delete messages without a trace lowers the odds of interception only marginally, because deleting the message from your mailbox does not undo any of that. If you use a popular service like GMail and receive an email containing one of your passwords, consider that password compromised and change it.
- When using a password recovery form, your old password is sent to you by email:
This is bad for two reasons. The first is the one from the previous point; the second is that it almost guarantees the service stores your password in clear text. Password hashes are one-way functions, and recovering a password from a properly computed hash is computationally infeasible. The service may instead have stored an encrypted (reversible) form of the password, but that is still far less safe than a hash, because whoever holds the decryption key, or steals it, can read every password. In the ideal case, a password recovery system sends you a one-time password or a single-use, expiring reset link.
- When performing an operation that requires sending your password to the service (such as creating an account or logging in), you are made to use an insecure connection (http instead of https in most cases):
This is the easiest of the four to check for, but it is serious nonetheless: your password crosses the network in the clear, and anyone who can intercept the traffic (on the same Wi-Fi network, for example) can read it. Every form that carries a password should be both served and submitted over an encrypted connection; a page loaded over plain http can be altered in transit to post your password elsewhere even if its form nominally targets https.
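The two requirements listed earlier (store only a hash; send only one-time secrets) and the hashing and recovery points in the list above, shown in working form. This is an added example written for this page, not code from the original post; it uses only the Python standard library, and every name in it (`hash_password`, `verify_password`, `issue_reset_token`, `redeem_reset_token`, the in-memory `user_store` dict) is my own. It also goes one step past the text by showing how the reset token itself should be stored: hashed, expiring, and single-use.

```python
# Added example, not code from the original post: what "store a hash, send a
# one-time secret" looks like with only the Python standard library.
# All names (hash_password, issue_reset_token, the user_store dict) are mine.
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 is the only salted, deliberately slow password hash the
# standard library guarantees; use Argon2id, scrypt or bcrypt when a library
# for them is available. 600_000 iterations follows current OWASP guidance.
PBKDF2_ITERATIONS = 600_000
RESET_TOKEN_TTL = 15 * 60  # seconds a reset token stays valid


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return the record a service should store: algo$iterations$salt$digest.

    The password is only ever UTF-8 encoded and fed to the KDF, so any length
    and any character is accepted; the stored record always has the same size.
    """
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def issue_reset_token(user_store: dict, username: str, now: float) -> str:
    """Create a single-use, expiring reset token for the user.

    The token itself is what goes into the email (never the old password);
    the service keeps only its SHA-256, so a database leak does not hand out
    live reset tokens. A plain hash suffices here because the token carries
    256 bits of entropy and cannot be guessed, unlike a user-chosen password.
    """
    token = secrets.token_urlsafe(32)
    user_store[username]["reset"] = {
        "token_hash": hashlib.sha256(token.encode("ascii")).hexdigest(),
        "expires": now + RESET_TOKEN_TTL,
    }
    return token


def redeem_reset_token(user_store: dict, username: str, token: str,
                       new_password: str, now: float,
                       iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Consume the token and set a new password; the old one is never revealed."""
    pending = user_store[username].get("reset")
    if pending is None or now > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode("ascii")).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    user_store[username]["password"] = hash_password(new_password, iterations)
    del user_store[username]["reset"]  # single use: the token is now dead
    return True


def demo(iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Walk through signup, login, a leaked record and a reset (constructed data)."""
    user_store = {}
    # A long password (92 characters) with non-ASCII characters stores fine.
    long_password = "pâssw0rd-with-ünïcode-" * 4 + "end!"
    user_store["alice"] = {"password": hash_password(long_password, iterations)}
    record = user_store["alice"]["password"]
    results = {
        "login_ok": verify_password(long_password, record),
        "wrong_pw_rejected": not verify_password("guess", record),
        "record_contains_password": long_password in record,  # what a leak exposes
    }
    token = issue_reset_token(user_store, "alice", now=1_000.0)
    results["stale_token_rejected"] = not redeem_reset_token(
        user_store, "alice", token, "new-pw",
        now=1_000.0 + RESET_TOKEN_TTL + 1, iterations=iterations)
    results["reset_ok"] = redeem_reset_token(
        user_store, "alice", token, "new-pw", now=1_010.0, iterations=iterations)
    results["token_reusable"] = redeem_reset_token(
        user_store, "alice", token, "again", now=1_020.0, iterations=iterations)
    results["new_login_ok"] = verify_password("new-pw", user_store["alice"]["password"])
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Run it directly to see each check printed. The default iteration count is intentionally slow: a login costs a noticeable fraction of a second, which is exactly what makes a leaked record expensive to brute-force, and it is the only reason a service has to bound password length at all.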
I'm probably forgetting some cases here, but these should be the more obvious ones. If any of the above is true for a service you are using, make sure you are using a password specific to that service. In addition, if the service is of any importance and having your account compromised could lead to real problems, consider contacting the staff to ask about their password handling policies, and possibly consider not using the service at all.
And of course, if a service you are using expects you to keep your password safe, you should make damn sure that it will do the same.