Saturday, 27 December 2014

2 Factor Authentication - How It Works and How To Set It Up

2 factor authentication (also referred to as 2 step authentication) is a login process which requires 2 forms of verification from you, making it more secure than just a standard password-based system.

The idea is that in order to log in, it requires something you know, plus something you have.  The something you know is usually your password, and the something you have is a physical object, e.g. your mobile phone, your bank card, or a special USB device.  These 2 requirements together make your account more secure because it's very unlikely that they will both be stolen at the same time.  Your password could be stolen online through software (e.g. a virus or a key logger), and your phone or bank card could be stolen from your home or your person, but it would be very difficult for someone to steal both a piece of information and a physical object from you together.

So the something you know, plus a physical object which you have, make the login system very hard to breach.

Hopefully my article on Why You Should Take Your Email Security Seriously will have convinced you to at least set up 2 factor authentication on your email.  But I highly recommend that you enable it on as many of your online accounts as you can.  It's supported by Gmail, Hotmail, Yahoo!, Twitter, Facebook, Apple, Dropbox, PayPal and LinkedIn, plus many more.

How It Works

How the password part of the login works is hopefully fairly obvious, but the fun part is how the website verifies that you are in possession of your special physical object.  Sending someone over to your house to check that you have your object would be somewhat tricky, so an object used for 2 factor authentication needs to generate a code which you can type into the website, allowing the website to know that you are in possession of the device.  Crucially the code must only work once, because if it could be reused then it would just be another piece of information, steal-able in the same way as your password.  So your physical device must be able to generate single-use codes, sometimes referred to as One Time Passwords (OTP).

For mobile phones this is fairly straightforward; after you have entered your username and password into the website, it then sends an SMS text message to your phone containing a single-use code.  You enter the code into the website, thus proving that you are in possession of your phone (or at least the SIM card), and the website then lets you in.  Each new login attempt causes the creation of a new code, and each code usually expires after a short time and once used cannot be used again.

For online banking, your bank card is used for the verification.  Each card has a unique chip in it, and this chip provides a function where you pass it a number and it passes a different number back to you.  Every single chip responds in a different way, so if you pass the same number into 2 different bank cards they will give you 2 different results.  Your bank knows the details of the chip in your particular card, so they provide you with the number to enter, and they know the result which your card should respond with.  Using your "card reader" you enter the number they provide into your card and retrieve the result which you submit to the web page.  This allows them to verify that you are in possession of your card.

There are also mobile apps such as Google Authenticator, and USB devices, which provide other methods of physical object verification.  Some services such as Facebook and Twitter have the 2nd factor authentication built into their own mobile apps.  Regardless of the mechanics, the key factor in all of them is that they provide a physical-object-based verification in addition to the knowledge-based verification of your password.
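As an added example (not code from the original post), here is how a Google Authenticator-style code is produced and checked: the phone and the website share a secret, both derive the current 30-second code from it, and the website refuses any time step it has already redeemed, which is what makes each code single-use.  The secret below is the published RFC 4226/6238 test key, used here purely as a constructed demo value.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test key, base32-encoded the way
# Google Authenticator stores it.  A real secret is generated randomly by the
# website and shown to you once, usually as a QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic
    truncation' picks 4 bytes out of the MAC and reduces them to N digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238: the counter is simply the number of 30-second steps since the
    Unix epoch, so phone and website agree without ever talking to each other."""
    return hotp(secret_b32, int(unix_time) // step, digits)


class TotpVerifier:
    """The website's side: accept a code for the current step (or one step
    either side, to allow for clock drift), and never accept the same step
    twice, which is what makes each code single-use."""

    def __init__(self, secret_b32, step=30, skew=1):
        self.secret_b32 = secret_b32
        self.step = step
        self.skew = skew
        self.last_used_counter = -1  # highest time step already redeemed

    def verify(self, submitted_code, unix_time):
        now = int(unix_time) // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_used_counter:
                continue  # a code already spent, or older than one: reject
            expected = hotp(self.secret_b32, counter)
            # compare_digest runs in constant time, so response timing does
            # not reveal how many leading digits of a guess were right
            if hmac.compare_digest(expected, submitted_code):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("current code for the demo secret:", totp(DEMO_SECRET_B32, time.time()))
```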

What If I Lose My Device?

In short, if you lose your device, you're screwed, unless you've printed your back up codes.  The whole point of 2 factor authentication is that unless someone is in possession of both your password and your device, they can't access your account.  So if you lose your device then you lose access to your account.  For obvious reasons this could be problematic, so there's a handy solution: back up codes.

All websites which provide a 2 factor login system will give you a set of back up codes which can be used in lieu of the codes generated by your physical device in the event of said device going in the river.  You should print out and keep these codes so that you don't lose access to your account.  Print several copies, keep one in your wallet, one under your floorboards and give a copy to your mum.  But don't store them on your computer.  Remember that these are part of the physical aspect of your authentication, so keep them in physical form, i.e. on paper.

Let me say this again, print your back up codes!

Application-Specific Passwords

On rare occasions, you may find that you need to login to your 2-factor-enabled account via an interface that doesn't support 2 factor authentication.  For example, supposing you've created an hilarious video of your cat drinking out of the toilet using iMovie on your Mac, and you want to share it to YouTube directly from iMovie.  iMovie requires you to enter your YouTube (Google) username and password in order to do the upload, but iMovie isn't aware of the need for the 2 factor login process.  So what do you do?

Well first you ask yourself the question "Why am I typing my password for YouTube into something which is not the YouTube website?".  Any time you are typing your password anywhere other than the website or application which it belongs to, you should raise suspicion.  But if you decide that you trust the application in question, then you'll need to give it an Application-Specific Password.

An Application-Specific Password is a password which you create solely for use with a particular application (e.g. iMovie).  This password will be automatically generated for you, and can be revoked at any time.  So in the example above, you would go to YouTube/Google and in your account settings ask it to generate an application-specific password for you, which you would label as being for iMovie.  You would then copy/paste this password into iMovie in order to allow it to upload your video.  If at any time you decide that you no longer want iMovie to be able to meddle with your account, you simply go back to your account settings and revoke the password.

Getting Set Up

Hopefully you've now got an idea of what 2 factor authentication is, and how it works.  If you're still not convinced that you need it, then why not take a quick read of my articles about Why You Should Take Your Email Security Seriously and Ways In Which Your Passwords Can Be Stolen.

Each website/company tends to do things slightly differently, so now that you're armed with the information from this article, the main advice is just to follow each site's own instructions.  Here are some handy links to point you in the right directions.

Google Authenticator: this is a mobile app which can be used to generate single-use codes for a variety of different sites (including Google/Gmail), so it is a great app to have on your phone.  iPhone, Android.

Links to the account settings for common sites are as follows:

Until next time, stay safe.  And remember, you're not safe until you've set up your 2 factor authentication!

Saturday, 29 March 2014

A Different Password For Every Website - No Memory Palace Required

Hopefully my previous posts will have scared you into wanting to have a different password for every website, and will hopefully also have convinced you that simple passwords are weak.  So how do you create a different password for every website without having to have some kind of Sherlock Holmes- or Derren Brown-esque memory capacity?  There are 2 main ways of doing this:

  1. Use a password manager such as 1Password or LastPass to generate and store your passwords for you.
  2. Use this blog article to create your own sexy password system.
The first option is definitely easier, but because you're storing everything in one place protected by a master password, there is a small risk from the all-eggs-in-one-basket approach.

The second option does require some mental effort, but keeping your brain active has all kinds of benefits, including helping to prevent memory loss, Alzheimer's and dementia.  And it saves you paying $25 for 1Password.  So let's go...

Here's the idea:
  1. Create a base password which is used as the basis for all of your passwords.
  2. For each different website use characteristics of the website's name to modify the base password.

Pros And Cons

First though, I don't want to give the illusion that this method is foolproof, so for the sake of covering my ass, here are some good and bad things about it.

Pros:
  • All of your passwords are in some way different.
  • You hopefully have enough memory power that you don't need to write anything down.

Cons:
  • Unless you play ridiculous tricks with the website name, it is theoretically possible to work out what your system is from the password(s).  This would probably require someone knowing at least 2 of your passwords and the websites which they belong to though.
  • If anyone finds out or works out what your system is then everything is compromised.
  • The derived passwords may not meet the requirements of some websites; if that is the case then you should probably complain to them.  See here.
With that said, let's take a gander at this cunning method of permuted password production.

Choose A Base Password

For this just take the first letter of each word from an easy to remember phrase, such as The Quick Brown Fox Jumps Over The Lazy Dog.  That gives us tqbfjotld, which is suitably obscure.

Modify The Password Using The Website Name

The simplest way to do this would be to add the website's name onto the end, so for Google we would use tqbfjotldgoogle.  But with that system anyone who finds out your password for Google is going to be able to make a pretty good guess at your passwords for other websites.

For it to be worthwhile having a different password for each website, it needs to be almost impossible for anyone to use the knowledge of one of your passwords to work out another.  Even the knowledge of several of your passwords (including knowledge of the sites they are used for) should be insufficient to allow any of your other passwords to be figured out.

There are many, many methods which would achieve such obscurity.  I'm going to suggest a couple of them, but I encourage you to make up your own, as using a method which has been published online is not going to do you any favours.

An Example Modification Method

For each letter in the base password we're going to instead use either the letter in the alphabet which comes before it, or the letter which comes after it.  For example, T will become either S or U, and O will become either N or P.  We will decide whether to use the letter before or the letter afterwards by comparing it to the letter in the corresponding position in the website's name.  So the first letter in our password is compared to the first letter in the website's name, the second to the second, and so on.  In each case we will move alphabetically in the direction of the letter from the website name.  Here is an example of using this method to modify our password for use with Facebook (the base password is written down the left column, the website name in the next column, and the result in the third column):

  • t & f => s
  • q & a => p
  • b & c => a
  • f & e => e
  • j & b => i
  • o & o => o (note, if they're the same then do nothing)
  • t & o => s
  • l & k => k
  • d & f => c (note, we looped around with the website name)

Now that gives us a password of spaeioskc which bears no resemblance to anything meaningful whatsoever.  Perfect.  But it's not good enough yet.  To make it even harder to guess, and to satisfy the requirement which some websites impose that the password must contain capital letters and/or numbers, let's add some more nonsense to it.

The website name 'Facebook' contains 8 letters, 5 of which are in the first half of the alphabet (up to m).  So let's add 8 to 5, which gives us 13, and add that on.  And now let's take the letters from the name which are after the half way point of the alphabet (o and o), and add those on in capitals.  That gives us a final password of spaeioskc13OO.

Given this password it's pretty difficult to work out how it was derived.  If someone knew several of your passwords along with the names of the websites they were used for then they could probably reverse engineer it eventually, but it would be difficult.  If you want to get properly secure then read the 'Going Enigma' section below.

You may find at first that working out which letter comes before or after each letter of your base password is a bit brain taxing, but your base password doesn't change, so you'll soon just know them.

So there you have it.  Crazy passwords, no memory palace required.

Passwords For Work

You may find that you sometimes have multiple accounts for the same website, for example I have a Google account for my personal use and another one for work.  My advice here is to just create a different base password for each category/area of your life.  So one base password for work and another for your personal things.  The method for your passwords can stay the same.  If you use easy to remember phrases for these then it's very easy to create a whole new set of passwords while not really having to remember anything more.

Never Tell Anyone Your Method

This is hopefully obvious, but I'll say it anyway.  Using a method like this means that the method is the foundation of your online security.  I encourage you to make modifications to the method which I have suggested.  And never tell anyone what it is.  Especially don't use the same method which someone has published online in a blog post. :-)

Going Enigma

If like me, you think that the method described above doesn't provide enough protection against reverse engineering, and you also think that the mental capacity required isn't anywhere near taxing enough, then you can take things to the next level by employing something a bit more badass.  Read on.

Learn each letter's position in the alphabet.  A=1, B=2, C=3, etc.  They're going to be needed for this method.  You only need a few reference points to get started, and you can then work out the rest by counting either side.  Here are some easy to remember reference points:
  • Haters will be haters.  Sorry, H8-ers.  H is 8.
  • Sweet 16.  Or as I like to call it, sweet pea 16.  P is 16.
  • T is for... 20!
Now then, we have our base password, derived from a memorable phrase as before.  And now we do some serious modification.  As before we will go through each letter of the base password, paired with the corresponding letter from the website name.  For each pair, we take one letter and shift it through the alphabet, not by one place, but by the numerical value of the other letter.  So if we have A (1) and D (4) we shift A 4 places, which turns it into E.  If we have F (6) and G (7) we shift F by 7 places which turns it into M.  Note that for any pair of letters it doesn't matter which you shift by which, the result is the same.  If we reach the end of the alphabet then we just loop around.  Easy.  So we'll make it a bit harder by adding this rule: if the letter from the website name is higher in the alphabet, then we capitalise the result.  Here's our password for Facebook done with this method:

  • t & f (20 + 6 = 26) => z
  • q & a (17 + 1 = 18) => r
  • b & c (2 + 3 = 5)   => E (c comes after b, hence capital)
  • f & e (6 + 5 = 11)  => k
  • j & b (10 + 2 = 12) => l
  • o & o (15 + 15 = 30)=> d (30 loops around, so effectively 4)
  • t & o (20 + 15 = 35)=> i (35 loops around to become 9)
  • l & k (12 + 11 = 23)=> w
  • d & f (4 + 6 = 10)  => J (back to the f of facebook)

So that gives us rEkldiwJ.  And now we'll add some digits and another capital letter, just in case the result didn't produce any.  As with the earlier method we'll take the length of the website name (8) plus the number of its letters which appear in the first half of the alphabet (5) and add them to get 13.  Then slightly different to the earlier method, we'll take the letters from the website name which are in the second half of the alphabet, and just use the first one, shifted by the 13.  So that's O shifted by 13 places, which is 28, which loops around to become B.  Still here?  Blimey.  So our password for Facebook is rEkldiwJ13B.
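Both derivation methods above (the one-place nudge under "An Example Modification Method" and the "Going Enigma" shift) follow the same shape: pair each base-password letter with the site-name letter in the same position, looping round the site name, then bolt on a digit count and a capital.  The code below is an added example, not the post's own, implementing both exactly as the rules are written; it assumes site names contain letters only.

```python
import string

ALPHABET = string.ascii_lowercase


def pair_letters(base, site):
    """Pair position i of the base password with position i of the site name,
    wrapping round the site name when it is shorter (the post's 9th pair for
    'facebook' goes back to its f)."""
    site = site.lower()
    return [(b, site[i % len(site)]) for i, b in enumerate(base.lower())]


def nudge_method(base, site):
    """First method: move each base letter one place towards the site letter,
    or leave it alone when the two letters are the same."""
    out = []
    for b, s in pair_letters(base, site):
        if s == b:
            out.append(b)
        elif s > b:
            out.append(ALPHABET[(ALPHABET.index(b) + 1) % 26])
        else:
            out.append(ALPHABET[(ALPHABET.index(b) - 1) % 26])
    return "".join(out)


def enigma_method(base, site):
    """'Going Enigma': add the two letters' values (A=1 ... Z=26), loop round
    past z, and capitalise when the site letter is later in the alphabet."""
    out = []
    for b, s in pair_letters(base, site):
        total = (ALPHABET.index(b) + 1) + (ALPHABET.index(s) + 1)  # t+f = 26
        letter = ALPHABET[(total - 1) % 26]                        # 26 -> z, 30 -> d
        out.append(letter.upper() if s > b else letter)
    return "".join(out)


def suffix_digits(site):
    """Length of the site name plus how many of its letters fall in a-m."""
    site = site.lower()
    return str(len(site) + sum(1 for c in site if c <= "m"))


def nudge_suffix(site):
    """First method's tail: every n-z letter of the site name, in capitals."""
    return "".join(c.upper() for c in site.lower() if c > "m")


def enigma_suffix(site):
    """Enigma tail: the first n-z letter, shifted by the digit count, capital."""
    shift = int(suffix_digits(site))
    first = next(c for c in site.lower() if c > "m")
    return ALPHABET[(ALPHABET.index(first) + shift) % 26].upper()


def derive(base, site, method="enigma"):
    """Full password for one site under either method."""
    if method == "nudge":
        return nudge_method(base, site) + suffix_digits(site) + nudge_suffix(site)
    return enigma_method(base, site) + suffix_digits(site) + enigma_suffix(site)


if __name__ == "__main__":
    for name in ("facebook", "twitter", "google"):
        print(name, derive("tqbfjotld", name, "nudge"), derive("tqbfjotld", name))
```

Run on the post's Facebook example the code gives spceioske14OO and zrEkldiwJ14C, where the hand-worked results above are spaeioskc13OO and rEkldiwJ13B: six letters of "facebook" fall in a-m rather than five, the first method's b/c and d/f pairs move forward under the stated rule, and the Enigma string keeps the z from its first pair.  Three slips in two worked examples is a useful reminder of how easily a mental algorithm goes wrong, which is part of the trade-off the "For Techies" question below asks about.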

Ideas For Your Own Variations

I highly encourage you not to use this system.  No, you should create your own.  Here are a few ideas for ways to use the website name to modify the base password.
  • How many of the letters in the website name are alphabetically after its first letter?  That gives you a number to incorporate somehow.
  • For each letter in the website name, is it alphabetically after the next letter?  E.g. in Facebook, F comes after A, A does not come after C, C does not come after E, E comes after B, etc.  You could use this to decide whether or not to capitalise each letter of the derived password.
  • Use different letters from your memorable phrase.  Instead of taking the first letter of each word, take the second or third or fourth.  You could use something from the website name to decide which letter to take.
  • Incorporate a third piece of information.  Using something such as whether or not each letter of the website name appears in either of your parents' names gives you another modifier.  This would be a good way of deciding whether or not to capitalise each letter.
The way you combine your modifiers matters.  Supposing you modify each letter of your base password in some way, and then you see whether the resulting letter is contained in your parents' names or not, and if it is then capitalise it.  This means that across your different passwords it will always be the same letters being capitalised, so if someone looked at several of your passwords they could potentially figure out which letters you capitalise and which you don't.  A much better approach would be to look at the letter from the website name and use that to decide whether or not you will capitalise whatever letter the modified letter in the password ends up being.  This way, the letter which you use to determine the case does not actually appear in the password.  This makes it much harder to reverse engineer.

Have fun.  Enjoy the reduced risk of cognitive degeneration.

For Techies

I'm interested to hear from web developers or computer geeks on this subject.  What do you think are the relative risks of putting all of your passwords into one place using something such as 1Password versus having a password generation system such as one of these which could potentially be reverse engineered?  Which do you think is the greater risk?

Wednesday, 12 February 2014

Ways In Which Your Passwords Can Be Stolen

There are numerous ways in which someone could hack into one of your online accounts, but the most obvious one is by getting hold of your password.  In a previous article I explain how and why a website shouldn't know your password, so if they don't store it and you don't tell anyone, how can someone get hold of it?

In this article I explain just some of the fun and interesting ways in which your passwords can be stolen.  The purpose of this is twofold: Firstly to allow you to take measures to reduce these risks.  And secondly to make you realise just how real the threat of one of your passwords being stolen is, and that you can't mitigate against all of the risks, thus encouraging you to have passwords.  Plural.  Not one password for everything, like your gran has.

Let's go...

Phishing Emails

You've probably heard of these, and you've probably seen them.  These are where someone sends you an email attempting to trick you into entering your login credentials into a site.  These emails usually take the form of "Please confirm your account details for security" and some kind of dodgy-looking link which takes you to a site which is masquerading as a site which you trust.  If you're naive enough to follow the link and enter your credentials then that's it.  One password, stolen.

How to avoid it:

Domain Squatting Attacks

This is another form of phishing - tricking you into willingly entering your credentials into a bogus site.  But this version doesn't require sending you an email.  Instead, the attacker buys a domain name which is a common typo of a site which you use.  Supposing I'm an attacker and I buy, and you're checking Facebook at 3am, again, and in your fumbling sleep-typing you enter instead of  You now arrive at my site, which I have made to look exactly the same as the login page on  In fact, I just made an exact copy of their page, and then added one subtle difference: my version contains a little script which takes what you enter into the login form and sends me a copy, before submitting the login form as usual.

And that is the beautiful part (from my evil hacker perspective), because you never notice that you visited my bogus page.  The form on my site actually submits to the real form on, and so when you submit my login form you actually get logged into Facebook.  Stealing your password is one thing, but stealing it without you noticing is even better!

Side note: There are actually ways in which websites and web browsers try to prevent a site from submitting a form to another site, but it is theoretically possible.  And even if I can't get that to work, I can always just redirect you to the real site, you might be logged in anyway, in which case it will look as if my form logged you in, or if not then you'll be presented with the real login form and will think that there must just have been a glitch in the Matrix.  (There was!)

How to avoid it:

The 'Real' Site Has Been Hacked

Let's suppose that I'm back as my evil hacker alter-ego, and I've been surfing the web finding some sites to hack into.  I've managed to hack into one site in a way which lets me alter their login page (the details of how one goes about doing such a hack would take another whole article, no, another entire blog, but...), let's suppose that I can modify the login page.  Like with my previous example, I've just added a little script which takes a copy of the username and password which are entered into the form and sends me a quick copy before allowing the form to submit as usual.

It could take the owners of the site ages to discover my hack.  Maybe hours, maybe months.  But until they notice I can get a copy of the login details of everyone who logs in, which I can use whenever I like at a later date.  And again, the users have no idea that it's happening.

The important message here is that just because the website itself is not malicious, that doesn't mean that the page isn't doing malicious things.

How to avoid it:
  • You can't, but using a different password for each site will confine the damage to just the one site.

Malicious Websites Taking Advantage of Your Reused Password

Let's suppose that you reuse the same password for several sites, and one of these sites isn't quite as bona fide as you thought.  A well-built and well-intentioned website will never actually store your password, but a malicious website could take your login details and then try them out on other sites.  This is especially dangerous if your username is your email address and you've reused the same password for your email account.  If the password for your email account is used for any other online account then read this and change it.  Now.

How to avoid it:

  • Use a different password for every account (more about this in my next article).

Your Password Is Stolen Directly From The Site

As I've said too many times now, a well-built login system will never store your password in plain text, but because you can't see how a website's login system is built, you can't be sure that it's following this practice.  So if a site is storing your password in plain text and its database gets cracked open, your password is going for walkies.  And even if the passwords are hashed in the database, there are things called rainbow tables, which may give hackers a chance of de-scrambling your password.

How to avoid it:

  • Use a different password for every account.
  • Use complex passwords (trust me, it helps to avoid getting rainbow tabled).

It Gets Remembered On A Public Computer

This is a bit of an edge case, but I thought I'd mention it.  If you're using a public or shared computer, then there are 3 ways I can think of in which your password can be stolen:

  1. You tell the browser to remember it.
  2. You accidentally type your password into the username field, and hence the browser automatically remembers it.
  3. The computer is infected with malware which steals it.

How to avoid it:
  • For 1 and 2, just be careful.
  • The only way to avoid the malware is to avoid public or shared computers.


This covers a whole variety of evil software which could be lurking in various places on your computer, which could take the form of viruses, trojan horses, browser plugins, or mobile apps.  Basically, anything which lives on your device snooping on you.

A lot of these will be some form of key logger, a piece of software which monitors everything you type.  All of your keystrokes are then sent to a remote location to be scanned for repeating patterns, such as [email address][tab key][a short string of text][return], which are likely to be username/password combinations.  Yet another reason to not use the same password for multiple sites, especially not your email account.

How to avoid it:
  • Keep your software up to date, including your operating system and your web browser.
  • Use a modern web browser such as Firefox or Chrome.  (Internet Explorer may be less riddled with security holes than it used to be, but I still don't trust it.)
  • Keep anti-virus software up to date.
  • Don't install anything which you don't entirely trust.
  • When you use a friend's computer, ask yourself "Do I trust this person, and more importantly, do I trust their IT skills enough to be sure that this computer is completely free of malware?".


So given that any website which you type your password into could deliberately steal that password, or accidentally leak that password, the thing you have to ask yourself any time you re-use the same password is: "Am I totally happy for the owners of this website, and anyone in the world who hacks into it, to have complete access to all of my other accounts which are using the same password?".  The answer should be no.  So you should never re-use the same password.

My next article will cover a few approaches to generating a different password for every site, without having to remember them all.

You should also realise by now that you can never be entirely sure that your password hasn't been stolen, even if the website is bona fide and you haven't used the password for anything else.  So my article after the next one will cover 2-factor authentication.

Until then, have fun, and watch out for the rainbow tables.

Sunday, 2 February 2014

Are You On The Right Domain? - Knowing When It's Safe To Type Your Password

You should only ever type your username and password in when you're on the domain which the account belongs to.  I.e. your Facebook password should only ever be typed when the domain name of the page you're on belongs to  You probably already knew that, but how good are you at telling when you're on that domain and when you're not?  You can take the test below to find out.

Hopefully, given that you probably use passwords on the internet, you already know how to work out what the domain is.  But for a lot of us (myself included), this wasn't part of the curriculum at school, so if you're unsure then here are the instructions.  You might want to skip straight to the test and just come back to this afterwards if you don't score 100%.

1. After the initial http://, find the first slash and discard everything after it.
2. Find the last dot before the .com (or, .net, or whatever the ending is) and discard everything before it.
3. What's left is the domain.

The Test... Type Away, Or Run Away?

For this test we'll pretend that you've got an account on the site  For each of these URLs you must decide whether or not you are on the domain   Do you merrily type away and enter your password, or run away?


And here are the answers:
  1. Yep, that's a subdomain of www on the domain  Type away.
  2. Again that's fine.  This is the "naked" domain without the www subdomain.  Type away.
  3. Yep, that's a subdomain www2, still on  Type away.
  4. Nope, that's, not to be confused with  Run away.
  5. Yep, that's a subdomain of http-www on  An odd URL, but it still belongs to
  6. Nope, that domain is, with a subdomain of www.wobble.  Run away.
  7. Nope, that domain is, with a subdomain of  Weird.  Run away.
  8. Nope, that domain is with a subdomain of http-www.wobble.  And is not necessarily anything to do with  Run away.  More about strange top-level domains below.
  9. Yep, that's, with a 2-level subdomain of  An odd choice for a subdomain, so I would definitely raise an eyebrow, but technically it does belong to
  10. Nope, that's a domain of login.html, with a 3-level subdomain of  Again more about odd top-level domains below.
  11. Yep, that's fine.  You can ignore everything after the /, so the www.login.php is part of the URL path, not part of the domain.
  12. Nope, that's, very different to  Note the difference between the digit 1 and the letter l.  Be careful.  I admit that I've deliberately put the URLs in a font which makes these 2 characters hard to distinguish, but I wanted to ram home the point that you should read what's in your browser's address bar very carefully.
  13. Nope, that's  Not necessarily anything to do with

So how did you do?  Well actually, the test was a trick.  The answer is that you shouldn't have typed your password in on any of those URLs, because none of them have https:// at the beginning, meaning that your connection to the server is not secure and the password you type could be read by eavesdroppers when you submit the form.  In fact, without https you don't actually know that you're looking at the right domain, as someone could be intercepting the traffic and serving you totally different pages to the real ones.

The Bottom Line

  • The right domain.
  • HTTPS.

If in doubt then open a new tab and type the address yourself.


A domain name consists of a global top-level domain (gTLD) and then one or more child subdomains with the dot character (period/full stop) being what separates each subdomain.  The gTLD is the end part of the domain, most commonly .com, .net, .biz or .org.  Each country also has its own gTLD, e.g. .fr, .de, or .uk.  In some countries, such as the UK, this domain is itself divided into a few subdomains such as,, and  Domains under or are then available for sale to the public, whereas and are reserved for the government and educational establishments respectively.

When a member of the public buys a or domain name they buy the level underneath, e.g.,  They then control this domain, which means that if they want to add further subdomains they can, so they could add, or even several levels of subdomain like  All of these subdomains are controlled by the owner of, so you know that any domain under is in their control.

In general, if you trust a domain, then you are safe to trust any subdomains underneath it.  For example, if you have an account with, then it's safe to type your password on

In some situations the owner of a domain will give control of subdomains to its users, a good example of which is this blog.  I don't own, but when I created my blog on Blogger I was given the ability to create pages on  In most of these situations though, you will find that there is never a log in page on the parent domain.  E.g. there is no log in page on; when you log into Blogger you log in on  For this reason it's worth being aware of the domain which you create your account on, and making sure that you only ever type your password in on that domain in the future.
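The three steps at the top of this post, the https rule from The Bottom Line and the "trust any subdomain underneath it" rule above can be turned into a check your browser could run for you.  The code below is an added example, not the post's own, using example.com and example.co.uk as stand-ins for the site you hold an account on; its list of two-label endings such as .co.uk is a deliberately tiny, constructed stub where real software would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed stub: the handful of UK-style two-label endings the post mentions.
# A real implementation should load the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk", "ac.uk"}


def host_of(url):
    """Step 1: keep only what sits between the scheme and the first slash."""
    return urlsplit(url).hostname  # lower-cased, with port and path removed


def registrable_domain(host):
    """Steps 2 and 3: the ending plus the single label in front of it, so that
    www.shop.example.co.uk -> example.co.uk and login.html.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def belongs_to(host, trusted_domain):
    """True for the domain itself and anything beneath it.  Matching on a whole
    label (the leading dot) is what stops notexample.com and
    example.com.evil.net from passing as example.com."""
    host, trusted_domain = host.lower(), trusted_domain.lower()
    return host == trusted_domain or host.endswith("." + trusted_domain)


def safe_to_type(url, trusted_domain):
    """The post's bottom line: the right domain AND https, or run away.
    Returns (verdict, reason) so the reason can be shown to the user."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False, "no https: the page could be read or altered in transit"
    host = parts.hostname
    if not host:
        return False, "no host name in the URL"
    if not belongs_to(host, trusted_domain):
        return False, "domain is %s, not %s" % (registrable_domain(host), trusted_domain)
    return True, "https and a subdomain of %s" % trusted_domain


if __name__ == "__main__":
    # Constructed URLs in the spirit of the post's test.
    for url in ("https://www.example.com/login", "http://www.example.com/login",
                "https://www.example.com.evil.net/login", "https://examp1e.com/login",
                "https://example.com/www.login.php"):
        print(url, "->", safe_to_type(url, "example.com"))
```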

New Global Top-Level Domains

Until recently there was a fairly limited set of top-level domains, which consisted mostly of .com, .org, .net, .biz, one for each country, and a few others.  But this list is now being expanded: companies and other organisations can apply to ICANN for a top-level domain of their own, such as .pepsi.  So instead of, they can now have www.pepsi.

This is why I included a couple of strange-looking gTLDs in my list of domains.  Just to make you aware of the fact that domain names won't necessarily end in familiar-looking .com or .org anymore.

Why WWW?

Traditionally, most websites serve their web traffic on a subdomain of www..  Bear in mind that the same domain will usually also be handling email and potentially other services, so people like you visiting with your web browser are just part of what the domain is used for.  For this reason it's customary to serve "normal" web traffic on www., and to deal with other things on other subdomains such as mail. or ftp..  Some sites, such as Twitter, serve their web traffic on the naked domain of and don't use a www subdomain.  There's nothing special about www though; zzz would work just as well.

More fun and games soon...

Sunday, 26 January 2014

Why You Should Take Your Email Security Seriously

My email, not that valuable, right?  Probably contains some nice conversations with my mum and maybe the odd gas bill.  Probably not the kind of information that I want public, but not really worth putting effort into protecting.

Well, if that's your attitude then consider this...

Someone hacks into your email.  They assume that you're probably signed up to one or several social networking sites such as Facebook, Twitter, Instagram, or whatever the latest fad is, so they go to each one of these sites, type in your email address and hit "I forgot my password".  Then they check your email for the password reset email and boom, they're in.  So in about 10 minutes they've also got access to all of your social network accounts.  And because they reset the passwords, you are locked out.  That frape which your friend did last week now seems like nothing compared to the streams of embarrassing and financially-sensitive information being posted to your Facebook wall and Twitter account, including that email to your mum about your yeast infection.  And you can't even log on to do anything about it.

Next are all the other accounts.  A few quick searches of your email for "account", "welcome" and "registered" bring up a whole host of other sites which you've got accounts on.  Same technique with the password reset, and boom, your online identity is pretty much stolen, and you're going to have one heck of a time getting it back again, if you even can.

Next up is the money.  First stop, Amazon.  You've probably got your card details stored, right?  So a quick password reset job on Amazon will leave the crooks spoiled for choice as they peruse the pages of the vast online store, buying themselves new clothes, and buying a few inflatable sex dolls and books about gynaecology for you, preferably delivered to work.  When the credit limit is reached, it's onto your bank account...

This will hopefully be more difficult, as most banks have 2-factor login systems (more about those in another post).  But by now I'm hoping you've taken on board my point: your email is the only thing between you and total online annihilation.  Maybe even offline annihilation too, when you receive your bank statement.

In my next posts I will cover ways in which you can help to keep your email account secure, using 2-factor authentication and good strong passwords.

Why A Website Should Never Send You A Password Reminder

Forgotten your password?  Don't worry, the website will send you a reminder.  Actually, do worry, the website should not be capable of sending you a reminder, and here's why...

When you create an account on a website and you set up a username and password, the website should never store your password.  Instead, it should store a "hash" of your password, which is a kind of fingerprint of it.  A very basic (and insecure) version of this would be something like converting each letter of your password to a number, e.g. A=1, B=2, C=3, etc, and then adding up the numbers.  So my password of "apple" would be 1+16+16+12+5, which is 50.  The website then stores your username and this fingerprint of your password in its database.  When you return to the website to log in, you type your username and password, and the website puts your password through the same algorithm as before and checks whether the fingerprint of what you typed in is the same as the fingerprint stored in the database.  If they're different then the password must be wrong.

Obviously my "algorithm" of converting letters to numbers and adding them up is massively flawed in that there are a lot of different passwords which would all have the same fingerprint, but it demonstrates the idea, which is that:

  1. Given the value of the fingerprint (hash), you cannot know what the password was.
  2. Changing any of the characters of the password will give you a totally different hash.

Fortunately, there are "proper" hashing algorithms which are far more complex than mine, and have so many possible outputs that your chances of finding 2 passwords which give the same output are probably less than your chances of winning the lottery 2 weeks in a row (probably, I haven't actually done the maths).  This allows the assumption that if the hashes don't match then the passwords are different.  One caveat for passwords specifically: a general-purpose hash such as MD5 or SHA-256 on its own is too fast, because an attacker who steals the database can try billions of guesses per second against it.  Proper password hashing (bcrypt, scrypt, PBKDF2 or Argon2) adds a random "salt" to each user's password so that identical passwords get different hashes, and is deliberately slow to compute so that guessing is expensive.

So that is why a website should never need to store your actual password.  And hence, it should never be able to send you a password reminder, because it shouldn't know what your password is.  If a website can send you a password reminder then it's built by cowboys.  Delete your account, and run away.
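To make the mechanism concrete, here is an added example (not code from the post or from any real site) that implements the toy letter-sum fingerprint alongside a salted, deliberately slow password hash built on PBKDF2-HMAC-SHA256 from Python's standard library.  The iteration count is this example's choice, not a figure from the post.  It shows the collision problem in the toy scheme, that the stored record never contains the password, that the same password verifies against its own record and nothing else, and that the digest is the same length whether the input is one character or ten thousand:

```python
import hashlib
import hmac
import os


def toy_hash(password: str) -> int:
    """The post's deliberately weak fingerprint: A=1, B=2, ... Z=26, summed.

    Many different passwords share one output, e.g. "apple" and "mango" are
    both 50, so a match does not prove the password was right.
    """
    return sum(ord(c) - ord("a") + 1 for c in password.lower() if "a" <= c <= "z")


# Work factor for PBKDF2-HMAC-SHA256.  The figure is this example's choice,
# not a value from the post; it is in line with current OWASP guidance.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a storable record: algorithm, iterations, per-user salt, digest.

    The password itself is not in the record, so the site has nothing it
    could email back to you as a "reminder".
    """
    salt = salt or os.urandom(16)           # a fresh random salt for each user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same algorithm with the stored salt and compare digests.

    compare_digest runs in constant time so the comparison does not leak
    how many bytes of the digest matched.
    """
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digest_length(stored: str) -> int:
    """Length in hex characters of the stored digest (64 for SHA-256)."""
    return len(stored.split("$")[3])


if __name__ == "__main__":
    print("toy_hash('apple') =", toy_hash("apple"), " toy_hash('mango') =", toy_hash("mango"))
    record = hash_password("correct horse battery")
    print("stored record:", record)
    print("right password verifies:", verify_password("correct horse battery", record))
    print("wrong password verifies:", verify_password("correct horse batterx", record))
    print("digest length for 1 char:", digest_length(hash_password("a")),
          " for 10000 chars:", digest_length(hash_password("a" * 10_000)))
```

Storing the iteration count and salt alongside the digest is what lets the site raise the work factor later and re-hash users as they log in, without ever having known their passwords.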

Resetting It Is Different

Instead, most websites provide a way for you to reset your password, usually by sending a unique link to your email.  They deem that you are the only person with access to your email (a dubious assumption), and usually the link will only work for a short period of time, and only once.

The reason why this is so different is that (although it's based on some questionable assumptions about email security) it safeguards the site against a mass leaking of passwords.  If the website is storing the actual passwords and its database is stolen, then every account on that site is now in the hands of the attackers.  But if the website is only storing properly salted, slow hashes, then even if someone takes a copy of the whole database they still don't have a single password; each one has to be cracked by guessing, which is slow and expensive, and impossible for strong passwords.  And managing to break into someone's email to abuse the email-based reset functionality would hopefully only compromise one account at a time, not the whole lot in one go.
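The reset flow has its own storage rule: the token in the emailed link is itself a short-lived password, so the site should keep only a hash of it, honour it once, and refuse it after it expires.  Here is an added example of that logic (written for this post, not taken from any real site); the 15-minute lifetime is an assumption, and the clock is injectable so the expiry path can be exercised without waiting:

```python
import hashlib
import secrets
import time

# Lifetime of a reset link.  The value is an assumption for this example.
RESET_TOKEN_TTL_SECONDS = 15 * 60


class PasswordResetTokens:
    """Issue and redeem single-use, expiring password-reset tokens.

    Only a SHA-256 digest of each token is kept, so a stolen copy of this
    table does not let an attacker reset anyone's password: the raw token
    exists only in the emailed link.  A fast hash is fine here, unlike for
    passwords, because the token is 256 random bits and cannot be guessed.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}      # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a token for one user; the caller puts it in the email link."""
        token = secrets.token_urlsafe(32)           # 256 bits of randomness
        expires_at = self._clock() + RESET_TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token: str):
        """Return the user_id the token was issued for, or None if invalid.

        pop() makes the token single use whatever the outcome, and an
        expired token is discarded rather than honoured.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id

    def stored_values(self):
        """What an attacker would see in a leaked copy of the table."""
        return list(self._pending.keys())


if __name__ == "__main__":
    store = PasswordResetTokens()
    link_token = store.issue("alice")
    print("emailed token:", link_token)
    print("stored at rest:", store.stored_values())
    print("first redeem:", store.redeem(link_token))
    print("second redeem:", store.redeem(link_token))
```

Scoping each token to one user_id is what keeps the damage from a compromised mailbox to that one account, which is the asymmetry the paragraph above relies on.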

Further Discussion

The algorithms used for password hashing usually have the characteristic that the fingerprint output will always be the same length, regardless of the length of the input.  You could input a single letter, or a 3GB movie file of your wedding video, and the fingerprint would still be the same length.  The length depends on the algorithm: MD5 gives 32 hex characters, like this: d41d8cd98f00b204e9800998ecf8427e (which happens to be the MD5 of an empty input), and SHA-256 gives 64.  MD5 is shown here only because it's the familiar shape; it's broken and shouldn't be used for anything security-related any more.

This means that websites shouldn't need to limit the length of your password to anything short, because they're only ever storing a fixed-length fingerprint.  A generous upper bound (a few hundred characters, say) is legitimate, because the hashing is deliberately slow and the site doesn't want people submitting megabytes of "password" to tie up its servers, and bcrypt in particular only looks at the first 72 bytes.  But if a website caps your password at something like 12 or 16 characters, it's a sign that maybe they're storing your actual password in a fixed-width database column.  Write and complain, publicly shame them on Twitter, or use another site.