Sunday 26 January 2014

Why A Website Should Never Send You A Password Reminder

Forgotten your password?  Don't worry, the website will send you a reminder.  Actually, do worry, the website should not be capable of sending you a reminder, and here's why...

When you create an account on a website and you set up a username and password, the website should never store your password.  Instead, they should store a "hash" of your password, which is a kind of fingerprint of it.  A very basic (and insecure) version of this would be something like converting each letter of your password to a number, e.g. A=1, B=2, C=3, etc, and then adding up the digits.  So my password of "apple" would be 1+16+16+12+5, which is 50.  The website then stores your username and this fingerprint of your password in its database.  When you return to the website to log in, you type your username and password, and the website puts your password through the same algorithm as before and checks whether the fingerprint of what you typed in is the same as the fingerprint which is stored in the database, if they're different then the password must be wrong.

Obviously my "algorithm" of converting letters to numbers and adding them up is massively flawed in that there are a lot of different passwords which would all have the same fingerprint, but it demonstrates the idea, which is that:

  1. Given the value of the fingerprint (hash), you cannot know what the password was.
  2. Changing any of the characters of the password will give you a totally different hash.

Fortunately, there are "proper" hashing algorithms which are far more complex than mine, and have so many possible outputs that your chances of finding 2 passwords which give the same output are probably less than your chances of winning the lottery 2 weeks in a row (probably, I haven't actually done the maths).  This allows the assumption that if the hashes don't match then the passwords are different.

So that is why a website should never need to store your actual password.  And hence, it should never be able to send you a password reminder, because it shouldn't know what your password is.  If a website can send you a password reminder then it's built by cowboys.  Delete your account, and run away.

Resetting It Is Different

Instead, most websites provide a way for you to reset your password, usually by sending a unique link to your email.  They deem that you are the only person with access to your email (a dubious assumption), and usually the link will only work for a short period of time.

The reason why this is so different is that (although it's based on some questionable assumptions about email security), it safeguards the site against a mass leaking of passwords.  If the website is storing the actual passwords and their database is stolen, then every account on that site is now in the hands of the attackers.  But if the website is only storing the hashes, then even if someone takes a copy of the whole database, they still can't log into any of the accounts.  And managing to break into someone's email to abuse the email-based reset functionality would hopefully only compromise one account at a time, not the whole lot in one go.

Further Discussion


The algorithms used for password hashing usually have the characteristic that the fingerprint output will always be the same length, regardless of the length of the input.  You could input a single letter, or a 3GB movie file of your wedding video, and the fingerprint would still be the same length.  It's usually 32 characters, like this: d41d8cd98f00b204e9800998ecf8427e.

This means that websites shouldn't need to limit the length of your password, because they're only ever storing 32 characters.  If a website has a maximum password length, then it's a sign that maybe they're storing your actual password.  Write and complain, publicly shame them on Twitter, or use another site.

2 comments:

  1. You are probably aware but the main reason behind password length limit is DOS ... obviously the limit can be very big

    Example: https://www.djangoproject.com/weblog/2013/sep/15/security/

    ReplyDelete
  2. That's a good point, but as the blog is mostly aimed at non-techies I didn't think it was worth mentioning. But now you've mentioned it... yes, there are good reasons why a website would want to enforce some kind of password limit, but that limit should be so big that no sane person would want to have a password that long anyway.

    ReplyDelete