I have been making a website to give as a present for my sister. It was a learning experience. I had to get to grips with apache, PHP, MySQL and CSS, none of which I was familiar with. I do have a good SQL and programming basis, though, so I was able to get to grips with it fairly easily. I also registered a domain name. It was 4.84 EUR (5.84 USD) for a .net name for a whole year! For those interested, I got it here.

On a side note, PHP is a dream to work with. I found it very flexible and was able to do some nice things, like using JPGraph. Also, coding HTML and leaving almost all of the layout issues to CSS made for easy going.

Anyway, back on track. So I made a website for my pregnant sister. She is three and a bit months along now and I was asked to be godfather. This spurred me on. I decided to make a website where people could register, login and vote on what the gender and date of birth would be. There was also to be a guestbook. All the data was to be stored nicely in the database.

I made everything from scratch, didn't download any scripts. And so when it came to registering, I just did the usual checks and then pumped it all into the database, cleartext.

Meanwhile, 11 people have logged in and voted. Curious as I was, I had a look at the database and saw all the passwords people were using. And I saw their email addresses.

I am certainly not a malignant webmaster, but I checked to see if people would actually use the same password everywhere. I shouldn't have been surprised, but of the 11 so far registered users about 4 of them used the same password for my site as their email.

I realise that in register scripts the passwords would first be made into an md5 hash and then entered into the database. This would probably be the case for most reputable sites.

I wonder though, how many less scrupulous webmasters have actually snooped around other people's emails, perhaps even taking information from them and using it to their advantage?

This is quite an obvious thing I am stating of course, passwords have to be stored somewhere and the databases have to be administered. But seeing it for real is another kettle of fish...

So beware!

Dylan says:

Very good point.

And in case anyone is wondering, this site is secure in terms of password storage. Not only is every password hashed, but it's hashed with a random salt, so even if two people have the same exact passwords, their password hashes will be different. This site can never send you your password if you forget, because it has no way of knowing what the original password is. It just knows what the password hashes to. I frequently have to dig around in the database while coding, but I can't see any passwords while doing so, simply because the database doesn't store them.

General rule... never trust a site that can e-mail you your password if you forget. It means they are storing it somewhere that's accessible to someone else.
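The contrast between the cleartext column described in the post and the salted hashing Dylan describes, as an added Python example (this is not code from the sister's site, from this blog's software, or from either commenter). The two in-memory dictionaries stand in for the MySQL user table, and the usernames and passwords in them are constructed for illustration; the iteration count and salt length are illustrative choices, not values from the page.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed parameters for this example; not values from the post.
ALGO = "pbkdf2_sha256"
ITERATIONS = 310_000   # work factor: slows down offline guessing against a leaked table
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted hash and pack it as 'algo$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different stored values, so equal passwords are not visible as equal rows
    and one precomputed list cannot be checked against the whole table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False          # malformed or legacy row: treat as a failed login
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register_cleartext(db: Dict[str, str], user: str, password: str) -> None:
    """What the post describes: the password column holds exactly what was typed."""
    db[user] = password


def register_hashed(db: Dict[str, str], user: str, password: str) -> None:
    """The fix: only the salted hash is stored; the password itself is discarded."""
    db[user] = hash_password(password)


def login_hashed(db: Dict[str, str], user: str, password: str) -> bool:
    """Login never needs the original password, only a fresh derivation to compare."""
    stored = db.get(user)
    return stored is not None and verify_password(password, stored)


def admin_can_read_password(db: Dict[str, str], user: str, password: str) -> bool:
    """Simulates the author browsing the table: is the password readable as-is?"""
    return db.get(user) == password


def demo() -> dict:
    """Two constructed users who happen to pick the same password, in both schemes."""
    cleartext_db: Dict[str, str] = {}
    hashed_db: Dict[str, str] = {}
    for user in ("alice", "bob"):                 # constructed accounts
        register_cleartext(cleartext_db, user, "godfather-baby")
        register_hashed(hashed_db, user, "godfather-baby")
    return {
        "cleartext_visible": admin_can_read_password(cleartext_db, "alice", "godfather-baby"),
        "hashed_visible": admin_can_read_password(hashed_db, "alice", "godfather-baby"),
        "same_password_same_row": cleartext_db["alice"] == cleartext_db["bob"],
        "same_password_same_hash": hashed_db["alice"] == hashed_db["bob"],
        "login_ok": login_hashed(hashed_db, "bob", "godfather-baby"),
        "login_wrong": login_hashed(hashed_db, "bob", "godfather-babies"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the cleartext table exposing the password and the two identical rows, while the hashed table exposes neither yet still lets the right password log in. In PHP, which the post's site is written in, the built-in `password_hash()` and `password_verify()` functions give the same behaviour (random salt, tunable work factor, constant-time comparison) without hand-rolling the packing format.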

rnewhouse says:

Yes and no...

I agree that a blind password certainly is superior in terms of security.

However, of all the sites I visit and have passwords to, there is only one that can't email me my password: Southwest Airlines. What happens there is if I need to log onto my account to find out my frequent flyer credits or whether I have any money on account, I have to remember the password. And if I can't remember the password, which I never can, I have to request a new one, which they will make up and MAIL to me "within 14 days."

I have done this three or four times over the last several years, and then I always lose the password somewhere in my ultra-organized paper filing system, and have to do it all over again.

What I DO have going for me on passwords is that I use a different password for my emails than I use for anything else.

I kinda figure, I don't really have any secrets that I couldn't live without, so for the most part passwords are just an inconvenience anyway.

Wirehead says:

A nice idea I came up with the other day for secure passwords:

Given that numeric passwords are basically impossible to crack with a dictionary-style attack, I decided the best and easiest to remember method of using secure passwords would be to use old phone numbers of my friends (not my own, since those could be come up with merely by doing a Google search on past addresses, probably). I still remember old phone numbers for people I haven't seen in ten or fifteen years, but who I used to call constantly. One of those phone numbers with the addition of a random letter or perhaps a single unusual word between the area code and the last 7 digits produces a very nice secure password that is also much longer than average (between 11 and 15 digits or so).

I use a different password for all 3 of my email accounts, a different SSH login pw, a different pw for my BofA site, and I don't have trouble remembering any of them because they are numbers that I used to tap in on a phone keypad at least once or twice a day for several years in a row. The only password that is consistent across sites is my "forum" password which is pretty simple, since I'm not really concerned about the possibility of someone being able to post under my name on Overclockers or something.

It occurs to me that I should probably change my Mboffin password now that I'm a full moderator with the new site version...I'd hate to have someone come delete everyone's posts or something in my name.
