
Are our passwords safe?

I can’t tell how many times I’ve registered on a website since I started surfing the Internet, and I bet it’s the same for you. We’ve been through countless registration forms, and we had to choose a username/password pair for each of them.

But I, like the majority of you, sometimes tend to use the same credentials in more than one place.

I know it’s good practice to avoid using the same password for too many services but, hey, we’re human beings, and we’re not so good at remembering things. However, maybe I’d be more reluctant to use my favorite password (the one I use to register on countless websites) if I knew that it would end up in clear text in some database, where a malicious DBA could easily read it.

That’s why I think it would be better if registration forms included an indication (maybe just an icon) of whether the password you supply will be encrypted before being stored in the website’s database.

Maybe times are not mature yet…
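The two storage choices the post contrasts, as an added example that is not code from the original post: the record a site keeps when it hashes a password instead of storing it in clear text, how a login is checked against that record, and why such a site cannot mail the password back. The iteration count, field names and function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; a real site tunes it to its hardware.
ITERATIONS = 200_000


def store_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the row a registration form should persist: salt and slow hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {
        "algo": "pbkdf2_sha256",
        "iterations": ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_reveals_password(record: dict, password: str) -> bool:
    """What a DBA or a SQL-injection dump would see: the password itself is not in the row,
    so a 'forgot password' flow can only issue a reset, not send the old password back."""
    return password in " ".join(str(v) for v in record.values())


if __name__ == "__main__":
    # Constructed sample credential for the demo.
    row = store_password("correct horse battery")
    print(row)
    print("login ok:", verify_password(row, "correct horse battery"))
    print("wrong password ok:", verify_password(row, "wrong"))
    print("row leaks password:", record_reveals_password(row, "correct horse battery"))
```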


Comments

Andrea de Palo

Informing the user about DB-side password encryption (or lack of it) is, from my point of view, the wrong solution: encryption should always be used when managing passwords and other sensitive information.

Maybe we should consider also encrypting other user information (like email), to limit damage in case of SQL injection.

Or am I wrong?

Alessandro Bahgat

I agree with you: passwords should always be encrypted, no matter what.

In my opinion, however, there are a couple of (bad) reasons that usually make webmasters refrain from doing that:
1. encrypting passwords is harder than... well... doing nothing :P
2. if you store your users' passwords as clear text you can send them back (or give them over the phone) a few weeks later when they'll have forgotten them.

The latter point, in particular, is a bit more delicate: I've seen clear text passwords stated as a business requirement for e-commerce websites at least twice, for that exact reason.

As long as implementors don't answer with an inflexible NO to that kind of request, I'm afraid we'll have to deal with this issue. :(

Andrea de Palo

Maybe I'm a security jerk, but sending clear-text passwords via email is nonsense in 2009: sending back forgotten passwords is a security risk.

In a utopian world customers would understand this (yes, I know, it's pure sci-fi ;) )

Seth

Unfortunately these days you can't rely on whether or not a site encrypts its passwords, and the safest thing to do is to use strong, unique passwords for every website. However, managing that becomes a nightmare without a system. I have been using Mitto, an online password manager (http://mitto.com), to manage my passwords so that I can create separate, strong passwords for all the websites I am required to use, and not worry about whether or not they are storing the password in clear text. With Mitto, every time I attempt to use their service from a new computer, I am required to either answer extra challenge questions, or it sends a one-time code by text message to my cell phone, just like Bank of America. It's super easy to use, and free to sign up. I think they are going to offer a paid version sometime soon with some additional features, but the free version is awesome.
