A couple weeks ago, I noticed a question where a site owner was asking about how they could better manage user passwords for their site. They were storing the passwords using an Excel sheet as a database.
I am not finding that question now, but there were several comments pointing out that using Excel as a password database was not a good idea. The pure inappropriateness of this has not left my thoughts and I wonder, how many sites use low-level password protection?
If I were to test on that particular web site by changing my password to '=2+2' and then trying to log on with '4' as my password, that might give me an indication that my site password was not being well managed.
What should I look for, or what tests can I perform to validate what level of protection a site is using to protect the password I use there?
It can be incredibly difficult (or even impossible) to judge the security of some site without straddling some legal gray areas.
One easy way to test if password management on a site is awful is if you do a "forgot password" request, and they email you your password in plaintext. That means they are, at worst, storing your password in plaintext, and at best encrypting it instead of hashing it (still bad practice).
Other than gaining access to the system (or, of course, asking the developers) you can't really be sure about what methods are being used. They could store your password in plaintext and still not send it in an email. It eventually comes down to trust and using necessary precautions (such as unique passwords, or limiting what info you give them).
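Added example, not from the question or the answer above: a minimal Python sketch of the salted, one-way storage the answer contrasts with plaintext or reversible encryption, plus a "forgot password" flow that can only issue a random reset token because no recoverable password exists on the server. The in-memory stores and the PBKDF2 iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for a site's user database.
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> username

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed; raise for production)


def _derive(password: str, salt: bytes) -> bytes:
    # One-way key derivation: the stored value cannot be turned back into the password,
    # which is exactly why a site using it cannot email your password back to you.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_password(username: str, password: str) -> None:
    salt = os.urandom(16)  # per-user random salt defeats precomputed tables
    USERS[username] = {"salt": salt, "hash": _derive(password, salt)}


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["hash"])


def forgot_password(username: str):
    """What a 'forgot password' flow can do when only hashes are stored:
    hand out a random one-time token to email, never the password itself."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token so a database leak does not expose live reset links.
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = username
    return token


def reset_with_token(token: str, new_password: str) -> bool:
    username = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if username is None:
        return False  # unknown, already used, or tampered token
    store_password(username, new_password)  # fresh salt, fresh hash
    return True
```

A site built this way can answer a reset request only with a token; one that can mail the original password is, as the answer says, storing something reversible.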