With all of the ongoing security breaches and people having their passwords compromised, it has to make you wonder how some websites can give you your actual password and other sites send you a link to create a new password after sending you a temporary password to use.
In this article, we are going to explain how you can determine whether a website you frequent is storing your password securely. Before we do that, let’s briefly discuss how website authentication works.
How Authentication Works
When you access a website, sometimes you are required to login with a username and password to access specific website features. To do this, the website has to store your username and password so when you provide them, it can verify if you entered the correct information.
The username and password you provide are usually sent to the web server using a web form and, hopefully, over some form of good transport security, such as SSL (see this article for more information on SSL/TLS).
When the username and password are received by the web server, it looks up the username you provided in its files or database and then compares the stored credential against what you entered to determine if the information is correct. If not, the login attempt fails.
Sometimes you need to recover or reset your website password because you can’t remember what it is. What happens when you do this can provide you with hints as to how secure their application is storing your username and password information.
Basically — if the website can provide you with your actual password, whether or not it asks you some security questions, then:
- The website is possibly storing your password information unencrypted; or,
- The website is storing the password encrypted, but knows how to decrypt the password.
The Website Can Send Your Actual Password
When you forget your password and access a website’s “I forgot my password” link, the website may ask you some security questions, if it was set up to do that. Whether or not the website does this is not important to our discussion. If the website can either:
- Show your actual password on the screen; or,
- Send your password to you via email;
then it is highly likely the website either stores the password unencrypted or knows how to decrypt the password. If the website can give you your actual password, then it is very likely that should the website be compromised, an attacker will have access to all of the usernames and passwords for all of the users.
The Website Sends me a Temporary Password to my Email
When a website uses this approach, they have no ability to look up or retrieve your existing password. This is a good sign, but there is no way to tell if the website is using unencrypted passwords and implemented this method to obscure that fact. This approach at least doesn’t send your password back to you through normally insecure communication methods.
Most reputable websites that implement this form of password recovery are likely storing the passwords in an encrypted format, making it difficult if not impossible for an attacker to recover the passwords if they are retrieved.
The Website Sends me a Reset Password Link to my Email
The same caveats as mentioned in the previous section exist here, because you can’t be sure if the passwords are actually stored encrypted. However, since they won’t provide the existing password, it is more likely that your passwords are encrypted.
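As an added illustration (example code, not from the article), here is the server-side pattern that the "How Authentication Works" section and the reset-link section together describe: the site can verify the password you type but cannot hand it back, because it stores only a random salt and a one-way PBKDF2 hash, and a reset link carries a single-use, expiring token that is itself stored only as a hash. The in-memory dictionaries stand in for the site's database and are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed stand-ins for the site's database. A user row holds only a
# salt and a one-way hash, never the password itself.
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry timestamp)

def _hash(password: str, salt: bytes) -> bytes:
    # One-way: the server can check a guess but cannot recover the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash(password, salt)}

def login(username: str, password: str) -> bool:
    row = USERS.get(username)
    if row is None:
        return False
    # Constant-time comparison of the recomputed hash with the stored one.
    return hmac.compare_digest(_hash(password, row["salt"]), row["hash"])

def start_reset(username: str, ttl_seconds: int = 900) -> str:
    # The random token is the only thing emailed. Only its hash is stored,
    # so a leaked table does not yield usable reset links.
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, time.time() + ttl_seconds)
    return token

def finish_reset(token: str, new_password: str) -> bool:
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)   # pop makes the token single-use
    if entry is None or entry[1] < time.time():
        return False                      # unknown or expired token
    register(entry[0], new_password)      # new salt and hash, old one gone
    return True
```

Note that nothing in this flow ever needs the old password: the reset overwrites the stored hash, which is why a site built this way can only offer you a reset link, never your actual password.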
The Role of Security Questions and Answers
Websites that ask you to provide some security questions and answers are using this information to help prove it is you when you either forget your password or want to perform some highly protected request. If you can provide your own questions and answers, this is a better choice than using the standard questions and answers most sites use.
If you are concerned about how well a website protects the answers to your security questions, you might want to come up with a set of alternative responses to the various questions and use them instead of the real responses — the more paranoid user takes this approach. Paranoia is not a bad thing in this case.
Copyright 2018, Chris Hare