Websites + Passwords

If you have an account with a website, that website should be storing your password securely, so that if a hacker breaks in, your password (which you have probably, like everybody else, reused on a hundred other websites) is not simply handed to them.

One way the website can protect your password is called ‘hashing’. Instead of storing your password, the website stores a ‘hash’ of it: a fixed-length scramble computed from the password that cannot be run backwards to get the password out again. You type your username and password in the usual way, the website hashes what you typed behind the scenes and compares the result with the hash it has on file. The mechanics are pretty dull, but the upshot is that the password itself is never kept on the website, so a thief who grabs the database gets hashes rather than passwords. Done properly (a slow, salted hash; see the notes at the end) that makes the passwords very expensive to recover. Nice and secure.

If you’ve ever forgotten your password, the website might offer a link “I’ve forgotten my password”. What happens next will give you some big clues as to the kind of security they use.

If they send you an email with a nice, long link to click ‘Reset my password’ this is usually a good sign.

If, however, they send an email with “Hello, your password was kittens45”, be warned. This means that the website kept hold of your password all along. Good news for somebody looking to steal a bunch of passwords.

This might not seem like a big deal. So what if some hacker breaks into that website, steals all the passwords and runs off laughing? Not too serious if it was just a cookery site or an online kitten album.

However, an awful lot of people use the same password for their Gmail, Yahoo or other accounts. They might be using it for their utility bills online. The hacker now has your password. Suddenly that password leak becomes a bit more serious: your email might give away other details about you, like your bank account, or even more passwords to other sites. The hacker knows your username and your password, and can probably now get to your mail, private photos, documents and other websites.

So, we know websites should be at least keeping your passwords safe and hashed. If they’re not doing that, you have to wonder what other security lapses they have made. People invest enormous chunks of their private lives online, and we have precious few indicators of how seriously websites take the issue of security. Some are surprisingly relaxed – and it’s your personal data they’re toying with. Oh, if only I could tell you some horror stories…

Next time you use a website, quickly try the ‘Forgot my password’ link. It (usually) doesn’t actually change your password, and the email they send to you can give an immediate clue about their attitude to your security.

* Notes for the technically minded:
– If you hash, make sure it’s a good one. Use a purpose-built password hash (bcrypt, scrypt, Argon2 or PBKDF2) with a random per-user salt. A plain fast hash such as MD5 or SHA-1 is weak and easily cracked: a graphics card can try billions of candidates per second against it, and without a salt every user with the same password gets the same hash, so one cracked entry (or a precomputed table) unlocks many accounts at once.
– Determined hackers might also interfere with the login page and capture the password from there, but most recent cases have shown the password tables to be much juicier pickings.
– The website might be encrypting the password rather than hashing it. I’ve yet to find a ‘regular’ website that does this though – all that I’ve challenged where a password has been returned have simply been keeping it in the clear.
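As an added illustration of the hashing section above and the note on weak hashes (this is example code written for this page, not any website’s real code), here is the difference in Python between a bare MD5 table and a salted, deliberately slow PBKDF2 hash. The wordlist and the “stolen” table are constructed for the example; the iteration count is the figure the OWASP Password Storage Cheat Sheet recommended for PBKDF2-HMAC-SHA256 at the time of writing, and the record format is an assumption for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the real leaked-password lists crackers use.
WORDLIST = ["password", "123456", "kittens45", "letmein", "qwerty"]


def md5_hex(password):
    """The weak way: a fast, unsalted hash. Same password -> same hash, every user, every site."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5_table(table):
    """Given {username: md5_hex} from a stolen database, return {username: password}
    for everyone whose password appears in WORDLIST.

    The attacker hashes the wordlist once and looks every stolen hash up in it;
    with no salt the cost is the same whether the table has 5 rows or 5 million.
    """
    precomputed = {md5_hex(word): word for word in WORDLIST}
    return {user: precomputed[h] for user, h in table.items() if h in precomputed}


# Iteration count for PBKDF2-HMAC-SHA256 as recommended by the OWASP Password
# Storage Cheat Sheet at the time of writing; raise it as hardware gets faster.
ITERATIONS = 600_000


def hash_password(password, salt=None):
    """The better way: random per-user salt plus a deliberately slow derivation.

    Returns a self-describing record "pbkdf2_sha256$<iterations>$<salt>$<hash>"
    (format assumed for this example) so the parameters can be raised later
    without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), derived.hex())


def verify_password(password, stored):
    """Re-derive from the stored salt and iteration count and compare in constant time."""
    algorithm, iterations, salt_hex, derived_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(derived.hex(), derived_hex)


if __name__ == "__main__":
    # Constructed "stolen" table from a site that stored bare MD5.
    leaked = {
        "alice": md5_hex("kittens45"),
        "bob": md5_hex("letmein"),
        "carol": md5_hex("correct-horse-battery-staple-2011"),
    }
    print("cracked from MD5 table:", crack_md5_table(leaked))  # alice and bob fall instantly

    # The same site done properly: two users with the same password get different records.
    record_a = hash_password("kittens45")
    record_b = hash_password("kittens45")
    print("records differ despite equal passwords:", record_a != record_b)
    print("correct password verifies:", verify_password("kittens45", record_a))
    print("wrong password rejected:", verify_password("kittens46", record_a))
```

Two things to take from running it: the MD5 side cracks every weak password in the table with one pass over the wordlist, while the PBKDF2 side forces the attacker to redo the slow derivation separately for every user because each record carries its own salt. A real site should reach for a maintained library (bcrypt, argon2-cffi, or the framework’s built-in password hasher) rather than hand-rolling even this much, but the shape of what those libraries do is exactly what is shown here.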