24 January, 2016

The same password for every service?

Do you use the same password for every service you sign in to? The same password for your office and personal email? The same for Facebook and Gmail? The same for www.some-forum-site.com?

If so, you could land in deep trouble.

Having a single password is a single point of failure. If that password is compromised anywhere, every service where you use it is compromised too.

Even if you write your password on a piece of paper and lock it in a vault, it is still not safe if it is a 'one for all' password.

Why? Because a password is not analogous to a physical key. A password is copied trivially once it leaves your machine for the server. Physical keys can also be copied, but that is not easy: it takes special equipment and a locksmith.

When you type your password into the login prompt, you enter it in "plain text" (even though it appears to you as * * * *). It is sent to the server in "plain text". If you do not use HTTPS, it is transferred over the network in "plain text", readable by anyone on the path. Even if you use HTTPS, the encryption only protects the password in transit: the server decrypts it and handles the "plain text" itself. The point I am trying to make is that the other side (i.e. the server) can always read your password once you send it from the login prompt. Eventually, you have to trust the other side.

Now, what they do with your password plays a major role in securing your account. Trusted companies like Google, Facebook and Twitter do not store your password in "plain text". What they store is a "hash" of your password: a one-way transformation from which the password cannot be recovered. So while signing in, they hash the password you just sent and compare it with the stored hash. If it matches, voilà! You are logged in! (Done properly, the hash uses a random per-user salt and a deliberately slow function such as bcrypt or PBKDF2, so that a stolen hash cannot simply be looked up in a precomputed table.)

So trusted websites do not store your password itself. Or do they? Well, you trust them, so let us assume they do it right.

But there are websites developed by amateur programmers, who store passwords in "plain text". Yes, IT HAPPENS! Such websites are very vulnerable, because beginner developers tend to turn a blind eye to security.

Now, you might have heard reports of hacker groups releasing millions of passwords from hacked websites. Many times they obtain these passwords in plain text and publish them along with user details. Believe me, this is very common, and there are several methods attackers use to get this information.

Now, suppose you have an account on www.some-forum-site.com and it gets compromised. Your password is now public. Attackers routinely replay leaked username and password pairs against other services, so if you use that password everywhere, you are gone! I mean seriously gone!
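The two storage designs described above (plain text versus a salted hash), and what a breach of the plain-text site means for an account elsewhere, as an added example that is not code from the original post. The two "sites", their users and their passwords are constructed for the illustration; PBKDF2-HMAC-SHA256 from the Python standard library stands in for the slow salted hash, and the post does not say which function the named companies actually use.

```python
"""Password storage done two ways, and what a breach of one site means for another.

Added illustration, not code from the original post. It models two
hypothetical services: a forum that stores passwords in plain text and a
mail service that stores only a salted PBKDF2 hash. Users and passwords
are constructed sample data.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # deliberately slow; raise as hardware gets faster


class PlaintextStore:
    """The amateur design: the password itself is the stored secret."""

    def __init__(self):
        self.users = {}

    def register(self, username, password):
        self.users[username] = password

    def verify(self, username, password):
        return self.users.get(username) == password

    def dump(self):
        # A breach of this store hands the attacker every password as-is.
        return dict(self.users)


class HashedStore:
    """Store a per-user salt and an iterated hash; the password itself is never kept."""

    def __init__(self):
        self.users = {}  # username -> (salt, digest)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
        )

    def register(self, username, password):
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
        self.users[username] = (salt, self._derive(password, salt))

    def verify(self, username, password):
        record = self.users.get(username)
        if record is None:
            # Do the work anyway so an unknown username is not faster to probe.
            self._derive(password, b"\x00" * 16)
            return False
        salt, digest = record
        # Constant-time comparison: do not leak how many bytes matched.
        return hmac.compare_digest(digest, self._derive(password, salt))

    def dump(self):
        # A breach here yields salts and digests, not passwords.
        return {u: (s.hex(), d.hex()) for u, (s, d) in self.users.items()}


def credential_stuffing(leaked, target):
    """Replay every leaked username/password pair against another service.

    Returns the usernames whose reused password also opens the target account.
    """
    return sorted(u for u, p in leaked.items() if target.verify(u, p))


def demo():
    forum = PlaintextStore()   # www.some-forum-site.com, run by an amateur
    mail = HashedStore()       # a service that stores hashes properly
    # Constructed sample users: alice reuses her password, bob does not.
    forum.register("alice", "Summer2016!")
    mail.register("alice", "Summer2016!")
    forum.register("bob", "forum-only-pass")
    mail.register("bob", "correct horse battery staple")

    leaked = forum.dump()  # the forum is breached and its table is published
    return credential_stuffing(leaked, mail)


if __name__ == "__main__":
    print("accounts on the hashed site opened with the forum leak:", demo())
```

Note that the hashed site did nothing wrong: its own dump contains no passwords, yet alice's account there falls because the password she reused was exposed by the forum. Only a unique password per service, as bob has, stops the leak from spreading.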

Should you keep a one-for-all password? No! Now go change your passwords!
