Sunday 26 January 2014

Why You Should Take Your Email Security Seriously

My email, not that valuable, right?  Probably contains some nice conversations with my mum and maybe the odd gas bill.  Probably not the kind of information that I want public, but not really worth putting effort into protecting.

Well, if that's your attitude then consider this...

Someone hacks into your email, they make the assumption that you're probably signed up to one or several social networking sites such as Facebook, Twitter, Instagram, or whatever the latest fad is.  So they go to each one of these sites, type in your email address and hit "I forgot my password".  Then they check your email for the password reset email and boom, they're in.  So in about 10 minutes they've also got access to all of your social network accounts.  And because they reset the passwords, you are blocked out.  That frape which your friend did last week now seems like nothing compared to the streams of embarrassing and financially-sensitive information being posted to your Facebook wall and Twitter account, including that email to your mum about your yeast infection.  And you can't even log on to do anything about it.

Next are all the other accounts.  A few quick searches of your email for "account", "welcome" and "registered" bring up a whole host of other sites which you've got accounts on.  Same technique with the password reset, and boom, your online identity is pretty much stolen, and you're going to have one heck of a time getting it back again, if you even can.

Next up is the money.  First stop, Amazon.  You've probably got your card details stored, right?  So a quick password reset job on Amazon will leave the crooks spoiled for choice as they peruse the pages of the vast online store, buying themselves new clothes, and buying a few inflatable sex dolls and books about gynaecology for you, preferably delivered to work.  When the credit limit is reached, it's onto your bank account...

This will hopefully be more difficult, as most banks have 2-factor login systems (more about those in another post).  But by now I'm hoping you've taken on board my point: your email is the only thing between you and total online annihilation.  Maybe even offline annihilation too, when you receive you bank statement.

In my next posts I will cover ways in which you can help to keep your email account secure, using 2-factor authentication and good strong passwords.

Why A Website Should Never Send You A Password Reminder

Forgotten your password?  Don't worry, the website will send you a reminder.  Actually, do worry, the website should not be capable of sending you a reminder, and here's why...

When you create an account on a website and you set up a username and password, the website should never store your password.  Instead, they should store a "hash" of your password, which is a kind of fingerprint of it.  A very basic (and insecure) version of this would be something like converting each letter of your password to a number, e.g. A=1, B=2, C=3, etc, and then adding up the digits.  So my password of "apple" would be 1+16+16+12+5, which is 50.  The website then stores your username and this fingerprint of your password in its database.  When you return to the website to log in, you type your username and password, and the website puts your password through the same algorithm as before and checks whether the fingerprint of what you typed in is the same as the fingerprint which is stored in the database, if they're different then the password must be wrong.

Obviously my "algorithm" of converting letters to numbers and adding them up is massively flawed in that there are a lot of different passwords which would all have the same fingerprint, but it demonstrates the idea, which is that:

  1. Given the value of the fingerprint (hash), you cannot know what the password was.
  2. Changing any of the characters of the password will give you a totally different hash.

Fortunately, there are "proper" hashing algorithms which are far more complex than mine, and have so many possible outputs that your chances of finding 2 passwords which give the same output are probably less than your chances of winning the lottery 2 weeks in a row (probably, I haven't actually done the maths).  This allows the assumption that if the hashes don't match then the passwords are different.

So that is why a website should never need to store your actual password.  And hence, it should never be able to send you a password reminder, because it shouldn't know what your password is.  If a website can send you a password reminder then it's built by cowboys.  Delete your account, and run away.

Resetting It Is Different

Instead, most websites provide a way for you to reset your password, usually by sending a unique link to your email.  They deem that you are the only person with access to your email (a dubious assumption), and usually the link will only work for a short period of time.

The reason why this is so different is that (although it's based on some questionable assumptions about email security), it safeguards the site against a mass leaking of passwords.  If the website is storing the actual passwords and their database is stolen, then every account on that site is now in the hands of the attackers.  But if the website is only storing the hashes, then even if someone takes a copy of the whole database, they still can't log into any of the accounts.  And managing to break into someone's email to abuse the email-based reset functionality would hopefully only compromise one account at a time, not the whole lot in one go.

Further Discussion


The algorithms used for password hashing usually have the characteristic that the fingerprint output will always be the same length, regardless of the length of the input.  You could input a single letter, or a 3GB movie file of your wedding video, and the fingerprint would still be the same length.  It's usually 32 characters, like this: d41d8cd98f00b204e9800998ecf8427e.

This means that websites shouldn't need to limit the length of your password, because they're only ever storing 32 characters.  If a website has a maximum password length, then it's a sign that maybe they're storing your actual password.  Write and complain, publicly shame them on Twitter, or use another site.