You have probably heard this many times, your friend or someone told you that you should not use the same password for all of your website memberships. Perhaps they never told you why. I have seen people taking this for granted many times, using the same password even for online banking accounts! So I am going to let you know from a technical point of view, while being as simple as possible with my choice of words.
My points here directly relates to good database design, but as users you don’t have any choice and you are not even aware of what is happening at the server. Now let’s examine two scenario of how passwords can be stored in the database. For simplicity I only have 2 fields; username and password.
1. Bad Password Storage
| Username | Password |
|---|---|
| john | j0hN78h#k- |
| jane | j4n9K^jsla69 |
2. Good Password Storage
| Username | Password |
|---|---|
| john | f03d03e0335dad4713cd5122eebb0738 |
| jane | 5844a15e76563fedd11840fd6f40ea7b |
What are those?
The tables that looks like Microsoft® Excel worksheets above are indeed database tables. Database administrators can easily see the data in this format using any tool they have.
Why is one bad and the other not?
I mentioned that a database administrator can easily see the tables. For the bad example, he/she can simply see your password even though as you can see they are quite good passwords (containing lowercase, uppercase, numbers, symbols). For the good example, the password is stored using a one way hashing algorithm – the password is stored as something else.
Are all database administrators evil?
No they are not. But what if the database gets cracked? A malicious cracker can immediately see your password if the first example is used. It is fine if it is just a instant messenger account, or something not important but I have heard people losing money! Not because banks practices bad password storage, but because users use the same password elsewhere!
How to detect if a site is using bad password storage
Simple. If you try and use the Forgot password link, they send you your actual password. This means that they can read your password from the database. Good sites always reset the password to something else either directly via email or asking you to use a form. No, they will not tell you how they store the passwords, silly.
If the system can’t read my password how do I log on?
I mentioned a conversion process earlier called one-way hashing. Using the good storage practice, the database stores gibberish that can be reproduced only by your correct password. When you first set your password, it converts the text into the hash:
“j0hN78h#k-” => f03d03e0335dad4713cd5122eebb0738
From the storage examples, the exact, same hash can only be generated by the string “j0hN78h#k-” that only john knows. It is not stored in the database. When john tries to log in, the system will reproduce the hash f03d03e0335dad4713cd5122eebb0738 from what john entered. Even if he misses one characted, e.g. “j0hN78h#k” the hash becomes a98d3bfa2f9d11fb0bfcc6e6f7ae8b73. When the system compares this with what is stored in the database, it would not match and john receives an error!
Why do I write this?
I signed on to a service yesterday and my 32 character password got truncated so I had to use the Forgot Password function. The system sent me my actual truncated password and I immediately feel glad I didn’t recycle any of my current passwords! The moral from this article is that don’t share passwords between systems. If one site is cracked, you risk of compromising the others. I rather be using many different passwords than going through hundreds of sites changing my password if a site is compromised!
The email I received yesterday from a site that (still) practices bad password storage:
Hi Ady Romantika,
Thank you for forgot password request.
Your details are as below:
User Name: ady[at]romantika[dot]name
Password: xxxxxxxxxxxxxxxClick Here to for Login into XXXXXXXX.
It is not 100% safe as well, if you use simple passwords based on dictionary words as malicious users can deploy the try and error technique, or even use a software to crack your password. Believe me, there are many software available that can do that today!
I hope this has been useful for everyone. Remember, practice safe computing.
Useful? My goodness, yes! As a matter of fact, there is more useful stuff to be found in a quick 5 minutes on your blog than in an hour on many (highly regarded) others. Consider me a new and enthusiastic fan…
domestika: thanks for reading 🙂 I am glad it has been useful for you.
This article might be way over some people heads but my encounter with WordPress login makes it more comprehend able, at least for me it does. I now use KeePass for a safer password management. However, using the same password is definitely a bad habit and something that is quite hard to brush off.
@Ashrufzz: Well, I tried to be as non technical as possible 🙂 Good! I use KeePass too but the portable version on my flash drive.
Hi Ady, I wanted to let you know that a this post of yours has sparked off quite a lively discussion at my other “inner geek” blog, http://blog.myspace.com/jen0haven, and led to examining Clipperz.com (new to me!) as a possible alternative to KeePass… testing in progress…
So I did just want to thank you for starting an interesting digression, with your useful and thoughtful post!
Cheers, Jen
Hello Jen, thanks for your comments. Clipperz is a good service, and I have found many online password storage sites before. There is a possibility that they are as secured as they claim to be but we never know. I prefer to keep my passwords locally, not in the Internet. But I have seen many people using this kinds of service and it worked well for them. Just remember, I strongly oppose the idea of keeping any kind of banking information there 😉
I get so frustrated when I sign up for an online site and they send me my password in clear text.
aaarrrrghhhh.
I personally use keepass and keep that folder locked with yadadisk.
Thanks for the software. I scanned the file with avg and clamwin and neither picked up any malware.
jej