How Does That Website Store Your Password?

It might not be encrypted


Over the weekend I received a marketing email with a terrific 50% off “make-your-own” calendars. I’d used the website before and thought the offer was worth pursuing. Since I’d received the marketing email, I knew I already had an account, but I’d forgotten the password, so I clicked on the link to reset it. Imagine my surprise when the email arrived with my old password clearly displayed! I had expected a password reset link, not the actual password. Although, to be honest, I should have guessed I’d get the actual password, since the link on the website was labelled “resend”.

In the early days of e-commerce and online shopping, a request for a password reminder often meant an email from the website containing your actual password. Even Yahoo did this. The fact that some websites still do, given all the hacks that have occurred in recent times, can only suggest that they really don’t care about the security of their customers. I’ve worked for a variety of organisations during my career and few store passwords “in clear text” within their database. This means that anyone with access to that database could read someone’s password and log in as them. In the past it wasn’t considered an issue, as it was assumed that the other safeguards surrounding access to the database would be enough. As some of us know from bitter experience, this is now certainly not the case. Whole databases have been stolen, and the data harvested and used by scammers in a variety of imaginative ways.

More worrying, though, is that we have no idea how many websites still don’t bother encrypting your password or at least making some attempt to secure it. This means that if you are one of the over 50% of web users who use the same password across multiple sites, the fact that it may be difficult to guess and strongly encrypted is pretty useless as a security measure if some other website has given it away “in clear text”.

I’ll give you an example of what I mean. Suppose my password is something like “lightbulb123” and I use it to access a lot of the websites I visit. These sites encrypt or scramble my password so that it is stored in the database as something like “mY@BKc%B?zC1IA”, which is not very useful if revealed or stolen. That is, all except for one site, which stores the password unencrypted, or in clear text. If this site gets hacked and the database stolen or exposed, then my password, stored as “lightbulb123”, would not require any decryption software to unscramble or crack it. It could be read and tried, along with my email address, on a number of popular sites to see if I’d used it elsewhere.
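To show the difference described above in working code, here is an added example (not code from the original post or from the website in question) that contrasts a clear-text record with a salted, slow one-way hash, which is the standard way to store passwords: a hashed record cannot be mailed back to you on “resend”, and a stolen copy does not hand “lightbulb123” to anyone. The record format and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor; the value is an assumption for this example.
ITERATIONS = 600_000


def store_clear_text(password: str) -> str:
    """What the calendar site evidently does: the stored value IS the password."""
    return password


def store_hashed(password: str) -> str:
    """Store a random per-user salt plus a slow, one-way hash of the password.

    Record format (assumed for this example):
        "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"
    Nothing in the record lets the site (or a thief) recover the password,
    which is why a proper "forgot password" flow sends a reset link, never the password.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hashed(record: str, candidate: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def password_exposed_by_leak(record: str, password: str) -> bool:
    """Would a stolen copy of this record hand the password straight to a scammer?"""
    return password in record


if __name__ == "__main__":
    pw = "lightbulb123"  # the article's example password
    clear = store_clear_text(pw)
    hashed = store_hashed(pw)
    print("clear-text record:", clear, "| leaks password:", password_exposed_by_leak(clear, pw))
    print("hashed record    :", hashed[:60] + "...", "| leaks password:", password_exposed_by_leak(hashed, pw))
    print("correct login    :", verify_hashed(hashed, pw))
    print("wrong login      :", verify_hashed(hashed, "lightbulb124"))
    # The same password registered at a second site gets a different salt and record,
    # so one site's breach does not reveal the record held by another.
    print("records differ   :", store_hashed(pw) != hashed)
```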

I’m tempted to start a list of named and shamed websites that store passwords “in clear text” and invite you to add to that list, in the hope that these sites will feel pressured to improve both their security and ours. They will certainly need to if they want our business. Oh yes, and to top it all, this particular website asked to store my credit card details for faster purchases. Yeah, right. For more suggestions and discussion around why you might not want to do that, and other ideas about protecting yourself when shopping online, check this out.
