Geekzone: technology news, blogs, forums


Batman

Mad Scientist
30014 posts

Uber Geek
+1 received by user: 6217

Trusted
Lifetime subscriber

#151670 1-Sep-2014 18:25

I have had a few of these shockers in the past, but the latest one was mind-boggling. Registered at the ODT website and they emailed me this:


Thank you for registering at Otago Daily Times Online News. You may now log in to http://www.odt.co.nz/user using the following username and password:
username: xxx
password: yyy

You may also log in by clicking on this link or copying and pasting it in your browser:  This is a one-time login, so it can be used only once. After logging in, you will be redirected to  so you can change your password.
Kind Regards,
The ODT Online Team


OK ... this was obvious. As they don't have a delete account button, I changed my password to yourpasswordiss#it and to an email that doesn't exist, and will never log in again.

but is there a way to tell if they don't do this to warn you?

jnimmo
1098 posts

Uber Geek
+1 received by user: 255


  #1119832 1-Sep-2014 18:48

I can't think of any way you could tell, no. Even if they were encrypting it, unless they are salting it correctly etc. it would mean nothing anyway.
Did they email you the password you registered with, or a temporary password? (I'm guessing the password you put in).

Only way is to use LastPass/similar to generate a random per-site password.
Or, if it is an account of absolutely no importance, just use a password that you only share with equally unimportant accounts.



charsleysa
597 posts

Ultimate Geek
+1 received by user: 125


  #1120045 1-Sep-2014 22:14

Well, just a few things to point out here:
1) when you type the password into your browser and click update or whatever, it's not encrypted.
2) the password encryption happens on the server unless otherwise specified.
3) there are multiple types of encryption, 1 way and 2 way. 1 way means you can't retrieve the information while 2 way means you can.
4) going on from 1, since the server receives the password in plain text it can do whatever it wants with it, including sending it to you via email


Unless you use a managed system, don't bother trying to have a password for each site; have a few different passwords with different security levels.
For example I have 4 passwords I spread across the websites I use, then I have a separate password for bank accounts and such.




Regards
Stefan Andres Charsley
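
An added example, not part of any post in this thread: a sketch of the "1 way" versus "2 way" storage distinction above, with salting, showing that a site keeping only a salted one-way digest can check a login but has nothing to send back later. The class names, the `remind` method and the PBKDF2 iteration count are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (value assumed for this example)

def derive(password, salt):
    """One-way: salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

class OneWayStore:
    """Keeps only (salt, digest): can check a login, never recover the password."""
    def __init__(self):
        self._users = {}

    def register(self, user, password):
        salt = os.urandom(16)  # fresh random salt per account
        self._users[user] = (salt, derive(password, salt))

    def verify(self, user, password):
        record = self._users.get(user)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(derive(password, salt), expected)

    def remind(self, user):
        return None  # nothing stored from which the password could be rebuilt

class RecoverableStore:
    """Keeps the password itself (plaintext, or 2-way encrypted with a key the site holds)."""
    def __init__(self):
        self._users = {}

    def register(self, user, password):
        self._users[user] = password

    def verify(self, user, password):
        stored = self._users.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())

    def remind(self, user):
        return self._users.get(user)  # an email or a breach can expose it at any time

if __name__ == "__main__":
    for store in (OneWayStore(), RecoverableStore()):
        store.register("alice", "constructed-sample-pw")  # constructed sample input
        print(type(store).__name__, store.verify("alice", "constructed-sample-pw"),
              store.remind("alice"))
```

Both stores see the plaintext inside `register`, so either could put it in a welcome email at that moment. Only the recoverable store can return the original password at a later time.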

toyonut
1508 posts

Uber Geek
+1 received by user: 211


  #1120057 1-Sep-2014 22:19

Stay away from small local sites that are unlikely to know or care about being overly secure? Unless something happens, I am guessing most sites rely on good enough and security by obscurity. 




Try Vultr using this link and get us both some credit:

 

http://www.vultr.com/?ref=7033587-3B




Lias
5655 posts

Uber Geek
+1 received by user: 3978

ID Verified
Trusted
Lifetime subscriber

  #1120210 2-Sep-2014 08:17

1. Register your own domain, sign up for every site with sitename@yourdomain.com, so the same email address is not used across multiple accounts.
2. Use Lastpass, create long, strong, random passwords for every site.
3. ??
4. Profit




I'm a geek, a gamer, a dad, a Quic user, and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it. If you use my Quic signup you can also use the code R570394EKGIZ8 for free setup. Opinions are my own and not the views of my employer.


Geektastic
18009 posts

Uber Geek
+1 received by user: 8465

Trusted
Lifetime subscriber

  #1120351 2-Sep-2014 11:07

It seems very true that we will all end up with a bazillion passwords to remember, none of which are anything but random strings of letters and numbers, if we follow the standard advice.

From a human POV that is untenable - no one will comply, no one will remember.

Biometric scanners or something where you can scan fingerprints or iris as a log on to a site seems inevitable.

Also, creating a legal liability where you can sue site operators who get hacked might encourage more investment in security at that end...!





sidefx
3775 posts

Uber Geek
+1 received by user: 1295

Trusted

  #1120362 2-Sep-2014 11:17

Lias:
2. Use Lastpass, create long, strong, random passwords for every site.


+1 though I use keepass, synced through something like dropbox, to do similar.  It has a bunch of implementations and ports:

http://keepass.info/download.html




"I was born not knowing and have had only a little time to change that here and there."         | Octopus Energy | Sharesies
              - Richard Feynman


 
 
 

bazzer
3438 posts

Uber Geek
+1 received by user: 267

Trusted

  #1122022 4-Sep-2014 17:27

Lias: 1. Register your own domain, sign up for every site with sitename@yourdomain.com, so the same email address is not used across multiple accounts.
2. Use Lastpass, create long, strong, random passwords for every site.
3. ??
4. Profit

You can do something similar with gmail, just add "+sitename" to your email address, e.g. email+sitename@gmail.com. Some websites don't like the + though.
