Geekzone: technology news, blogs, forums


timmmay

19622 posts

Uber Geek

Trusted
Lifetime subscriber

#220394 9-Aug-2017 08:16

Library Elf is a service that does things like send reminders before books are due, to avoid overdue fees. It's compatible with Wellington City Libraries.

 

It hasn't been working for a while, but emailed me today saying it's working again. I went to delete my account, because I haven't been into a library since I got my Kindle. I didn't remember my password, so I used the "forgot password" function.

 

Library Elf emailed me my password. This shows that they store the actual password, rather than best practice of storing a secure hash. It's possible that they store the password unencrypted in a database, but the only way to work that out would be with system access. Either way it means user passwords are more vulnerable than they should be.

 

I don't know how Library Elf knows about Wellington Library (WL) loans. It could be that I gave them my WL password so they can log in as me. Maybe WL has provided an integration point for Library Elf. It potentially adds to the risk.

 

I'll point this out to Library Elf. I don't think Wellington Libraries are directly associated, but if anyone wants to tell them please go ahead.


kryptonjohn
2523 posts

Uber Geek

Lifetime subscriber

  #1841601 9-Aug-2017 08:53

Scary, as a lot of people use the same password for their email, which then gives a hacker pretty much free rein to reset passwords on other systems.
Lias
5224 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1841915 9-Aug-2017 15:44

kryptonjohn:

 

Scary, as a lot of people use the same password for their email, which then gives a hacker pretty much free rein to reset passwords on other systems.

 

 

 

I have very little sympathy for anyone still using their email password for any other system (or simply reusing passwords in general). 





I'm a geek, a gamer, a dad and an IT Professional. I have a full rack home lab, size 15 feet, an epic beard and Asperger's. I'm a bit of a Cypherpunk, who believes information wants to be free and the Net interprets censorship as damage and routes around it.


geocom
587 posts

Ultimate Geek

Subscriber

  #1841933 9-Aug-2017 16:01

Report it to cert.govt.nz. This is one of the reasons why they exist.





Geoff E




timmmay

19622 posts

Uber Geek

Trusted
Lifetime subscriber

  #1841950 9-Aug-2017 16:25

geocom:

 

Report it to cert.govt.nz. This is one of the reasons why they exist.

 

 

They're not based in NZ.


geocom
587 posts

Ultimate Geek

Subscriber

  #1841958 9-Aug-2017 16:48

I don't know how Library Elf knows about Wellington Library (WL) loans. It could be that I gave them my WL password so they can log in as me. Maybe WL has provided an integration point for Library Elf. It potentially adds to the risk.

 

If you think this, then CERT should do some investigating to see if there is any link with Wellington Library and their systems. I don't know anything about the system; however, if it is able to get loan information from Wellington Library then there is some level of integration. If they are just scraping a site linked to Wellington Library using a password that you have given them, then Wellington Library are more than able to block the requests.

 

Chances are that anyone you can talk to at Wellington Library is going to have no idea what needs to happen; however, CERT have a bit more ability to get to the higher levels.





Geoff E


andrewNZ
2487 posts

Uber Geek
Inactive user


  #1842969 9-Aug-2017 17:22

timmmay:

geocom:


Report it to cert.govt.nz. This is one of the reasons why they exist.



They're not based in NZ.


But the library IS

chevrolux
4962 posts

Uber Geek
Inactive user


  #1842971 9-Aug-2017 17:28

I don't profess to know much about databases (I can struggle around phpMyAdmin, haha) and such things, but isn't it entirely possible the back end is in fact hashed and then encrypted? Then the front-end program that sends the emails out could decrypt the password and send it?

 

The other thing I think here is... this is a library we are talking about... not banking, email etc.




hio77
'That VDSL Cat'
12982 posts

Uber Geek

ID Verified
Trusted
Voyager
Subscriber

  #1842972 9-Aug-2017 17:29

Lias:

 

kryptonjohn:

 

Scary as a lot of people use the same password for their email which then gives a hacker pretty much free reign to reset passwords on other systems.

 

 

 

I have very little sympathy for anyone still using their email password for any other system (or simply reusing passwords in general). 

 

 

I have empathy, but no sympathy for this.

 

 

 

I have seen businesses get completely rolled by this....





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 


geocom
587 posts

Ultimate Geek

Subscriber

  #1842974 9-Aug-2017 17:33

chevrolux:

 

I don't profess to know much about databases (I can struggle around phpMyAdmin, haha) and such things, but isn't it entirely possible the back end is in fact hashed and then encrypted? Then the front-end program that sends the emails out could decrypt the password and send it?

 

The other thing I think here is... this is a library we are talking about... not banking, email etc.

 

 

Nope.

 

The only situation where this would work is if the password is emailed in the same request as the generation of the password, or if a new password is generated when clicking on "I forgot my password"; however, this is not something I would recommend.

 

There should be no way for a developer to get the password from a hashed string. If they can then it is not secure.





Geoff E


chevrolux
4962 posts

Uber Geek
Inactive user


  #1843009 9-Aug-2017 19:41

geocom:

 

chevrolux:

 

I don't profess to know much about databases (I can struggle around phpMyAdmin, haha) and such things, but isn't it entirely possible the back end is in fact hashed and then encrypted? Then the front-end program that sends the emails out could decrypt the password and send it?

 

The other thing I think here is... this is a library we are talking about... not banking, email etc.

 

 

Nope.

 

The only situation where this would work is if the password is emailed in the same request as the generation of the password, or if a new password is generated when clicking on "I forgot my password"; however, this is not something I would recommend.

 

There should be no way for a developer to get the password from a hashed string. If they can then it is not secure.

 

 

That makes sense, I suppose, now that I think about it. If a hacker got a whole bunch of encrypted passwords they could just run it through something to decrypt it.
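To make concrete what geocom describes (no way to get the password back from a stored hash) and what a "forgot password" feature should do instead of emailing the password, here is an added example in Python; it is not code from Library Elf or from anyone in this thread, and the in-memory user table, usernames and passwords are constructed for the demonstration.

```python
import hashlib, hmac, os, secrets, time

# Constructed in-memory user store for this example (no real service data):
# username -> {"salt", "hash", "reset"}. Only a salted, slow hash is kept,
# so even someone with full database access cannot read a password back out.
USERS = {}
PBKDF2_ROUNDS = 100_000        # deliberately slow: makes offline guessing costly
RESET_TTL_SECONDS = 15 * 60    # reset links should expire quickly


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _clock(now):
    return time.time() if now is None else now


def register(username, password):
    salt = os.urandom(16)      # per-user salt defeats precomputed tables
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "reset": None}


def verify_login(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time compare so the check does not leak how many bytes matched
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def request_reset(username, now=None):
    # A "forgot password" email should carry a random single-use token, never the
    # password. Only the token's hash is stored, so a DB leak exposes no live links.
    rec = USERS.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    rec["reset"] = {"hash": hashlib.sha256(token.encode()).digest(),
                    "expires": _clock(now) + RESET_TTL_SECONDS}
    return token                # this is what goes in the email


def consume_reset(username, token, new_password, now=None):
    rec = USERS.get(username)
    pending = rec["reset"] if rec else None
    if pending is None or _clock(now) > pending["expires"]:
        return False
    if not hmac.compare_digest(pending["hash"], hashlib.sha256(token.encode()).digest()):
        return False
    rec["reset"] = None         # single use: invalidate before re-hashing
    rec["salt"] = os.urandom(16)
    rec["hash"] = _hash_password(new_password, rec["salt"])
    return True
```

Once a token has been used or has expired it is worthless, which is what makes the reset link safe to send by email where sending the password itself is not.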


Batman
Mad Scientist
29032 posts

Uber Geek

Trusted
Lifetime subscriber

  #1843030 9-Aug-2017 20:22

Empathy or sympathy or not, when you get to a certain age, you can't even remember if you've had breakfast or not.

 

Moreover tech for some is like Greek.

 

When you get to that age you will understand. There'll be this chip thing in your ear once your iPhone 99 dies, and you won't be able to stop it from talking inside your head because you forgot the tongue dance code.


  #1844979 11-Aug-2017 09:36

I ran the question regarding Library Elf past the Wellington City Library staff, who have advised:

 

“Wellington City Libraries does not share any customer data with Library Elf or integrate it with any of its systems.  It is a separate online service which people can choose to join. Library Elf then uses the customer library card information (i.e. the same information as can be accessed via www.wcl.govt.nz/card) to source the loans & reserves that the customer has.”

 

There is also a note on their web page at http://www.wcl.govt.nz/blog/index.php/2010/01/28/library-elf-a-service-that-can-help-you-manage-your-library-card/ advising you to check out the Library Elf privacy statement regarding the library card details that you are providing them when you sign up to use the Library Elf service.

 

 

 

Disclaimer: I work for WCC


surfisup1000
5288 posts

Uber Geek


  #1844995 11-Aug-2017 09:53

I liked Library Elf when my library used it. Never had any overdue books. You could configure email alerts to immediately send emails for any books that are overdue.

 

But, since my library dropped library elf, they only email 3 days before it is due, then another email a week after it becomes overdue.   When you have 30 books out at a time (lots of little books for young kids), you often don't know if you've missed a couple. 

 

Our library says it is too expensive to send emails (yes, they really said that!) and that they are only obligated to issue the paper reminder when you check out the book.   It really bugs me, as they seem completely opposed to the benefits of technology.     

 

 


timmmay

19622 posts

Uber Geek

Trusted
Lifetime subscriber

  #1845028 11-Aug-2017 10:38

Ok, WCC aren't directly integrating. That's interesting. It's not the answer though.

 

Library Elf didn't reply when I contacted them.


Bung
5419 posts

Uber Geek

Subscriber

  #1845100 11-Aug-2017 12:24

Some discussion here http://blog.librarylaw.com/librarylaw/2005/11/my_library_elf_.html 

 

Wellington Library uses just card number and surname, so anyone wanting to know what I have currently overdue just needs my card number; they don't need to hack Library Elf.

 

Some years ago I did question why they displayed this information on the screens and receipts when you checked books out and that was changed. In the above article reserved books are mentioned. I can't remember what is on the slip wrapped around your book sitting on the shelf waiting for you or anyone else to look at.

 

 

