Jason Rundell, Full Stack Web Developer

A Password Tip for the Non-savvy

If you have forgotten your password for a site and use its password reset/retrieval process, pay very close attention to how they get you to reset or retrieve it. If they email you the EXACT password you used, the site is storing passwords in a readable form, which means its staff can read them and anyone who steals its database gets them too. For these sites, I recommend not using them at all if you can, but if it's a site you need, use a password that you do not use anywhere else.

Let me try to explain. When you create an account, your account details go into a database (it's similar to an Excel spreadsheet). A careless site saves your name, email, and password into a row as plain text.

BAD PRACTICE

(Image: a user's row with the password 'lovesexsecretgod' stored in plain text)

GOOD PRACTICE

(Image: a user's row saved in a database with the password stored as a salted one-way hash, often loosely called "encrypted")

If the site stores the password field in plain text, then the password is 100% visible to any of their staff with access to that database. THIS IS BAD! If you receive a password retrieval email and they give you your exact password, this means they are not hashing their users' passwords. Someone would need access to your email to read that particular message, but the site's own staff can already see the password, and if the site's database ever gets hacked or stolen, your password will be out there for someone to use, on that site and on every other site where you reused it.

A professional site built with its users' security in mind will store password hashes, not passwords. There are a variety of ways to do this properly (a slow, salted hash such as bcrypt, scrypt or Argon2), and some ways that only look secure: base32/base64 encoding is just as insecure as plain text because anyone can reverse it, and even real reversible encryption only helps if the site can be trusted with the key, which is why the one-way hash is the standard. Whatever they use, a site's support team should never be able to tell you exactly what your current password is, and they should never need to ask you for your password.

Password retrieval should follow these steps:

  1. Submit your email/username
  2. Receive an email with a link that leads to a page where you set a new password (the link should contain a random, single-use token that expires after a short time, so it can't be guessed or reused)
  3. After submitting your new password, you should be required to log in with it (automatically logging you in from the reset link is less secure)
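The storage rule above (hash, don't store or merely encode) and the three reset steps, worked through together as an added example. This is illustration code written for this post, not code from the author or any particular site; the in-memory tables, the function names, and the 15-minute token lifetime are assumptions.

```python
# Added example (not from the original post): password storage that support staff
# cannot read, plus a reset link that never involves the site knowing the password.
# USERS / RESET_TOKENS are constructed in-memory stand-ins for database tables.
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

USERS: Dict[str, Dict[str, bytes]] = {}            # email -> {"salt", "hash"}
RESET_TOKENS: Dict[str, Tuple[str, float]] = {}    # sha256(token) -> (email, expiry)
RESET_TTL = 15 * 60                                # assumed: reset link valid 15 minutes


def base64_is_not_protection(password: str) -> str:
    """Base64 is encoding, not encryption: one call gets the password back."""
    encoded = base64.b64encode(password.encode()).decode()
    return base64.b64decode(encoded).decode()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way scrypt hash. The database row alone cannot yield the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def set_password(email: str, password: str) -> None:
    """Store only salt + hash; there is no plaintext password column at all."""
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "hash": digest}


def login(email: str, password: str) -> bool:
    row = USERS.get(email)
    return row is not None and verify_password(password, row["salt"], row["hash"])


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1: user submits their email. Returns the token to embed in the emailed
    link (None for an unknown email; the web page should respond identically either
    way so attackers cannot probe which emails have accounts). Only a hash of the
    token is stored, so a stolen RESET_TOKENS table cannot be used to reset accounts."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)                  # 256 bits of randomness
    key = hashlib.sha256(token.encode()).hexdigest()
    expires = (now if now is not None else time.time()) + RESET_TTL
    RESET_TOKENS[key] = (email, expires)
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Steps 2 and 3: the link's token is exchanged for a new password. The token is
    single-use (popped on first use) and expiring; the caller must then log in normally."""
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None:
        return False                                   # unknown or already-used token
    email, expires = entry
    if (now if now is not None else time.time()) > expires:
        return False                                   # link too old
    set_password(email, new_password)                  # old hash is simply overwritten
    return True                                        # no session created here
```

Note what is absent: nothing ever writes the password itself anywhere, so a "here is your password" email is impossible to send, and a reset only proves control of the email address within the token's lifetime.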

The ultimate way to limit the damage any one site can do is to use a different password for every site. A pain in the butt for the average person. There are tools to help with this, password managers like https://agilebits.com/onepassword, so a program remembers all your different passwords and you only have to remember one. I don't use it, but people I know swear by it.

Good luck out there!