Java 2 Ada

Viadeo passwords are not secure: can you trust web 2.0 applications?

By Stephane Carrez 2008-09-11 21:14:39

My first answer is NO: never trust them unless you have the proof and confidence that they do it right.

The other day I tried the Viadeo Lost password feature. Shortly after, I received an email and I was very surprised, and shocked, to see my password displayed in clear text in the email. You could say that it's nice: after all, this is your password and they give it back to you upon your request. This is a big security breach. If they are able to send me my password in clear text, it means they are not storing it in a secure way. If their database is hacked, user passwords are available: the hacker can connect on your behalf. Worse, after looking at the user profile, the hacker can easily guess other information and try to log in on other applications (your home, your work, ...). Why? Because most people use the same password in every application.

DO NOT trust Viadeo. Use a password that is not sensitive.

My second answer is YES, you can trust those applications, but look at them and get information from them.

We, at Planzone, treat security as critical to our business. Passwords are encrypted and they cannot be decrypted. Moreover, we use SSL connections for authentication (login) as well as during the complete session. The password and any information you type is encrypted over the network: nobody can read or steal it.

How is it done? It is well known and easy. When the password is received, it is encrypted with SHA-1 (Secure Hash Algorithm) using a private key. The result is saved in the database. It is proven, mathematically, that you cannot retrieve the password from the hash value. To authenticate someone, the login password is encrypted too, and the password verification is made on the hash values. If the hashes are identical, the passwords used to create them are identical. This is why, at Planzone, if you use the Lost my password link, we cannot send you the password. Instead, we send you a secure key that allows you (for the next 24 hours) to change your password.
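The scheme just described, as an added example that is not Planzone's code: a keyed SHA-1 digest is stored instead of the password, a login is checked by recomputing the digest, and a lost-password request issues a random key that only changes the password within its 24-hour window. The server secret and the in-memory record layout are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret standing in for the "private key" in the post
# (assumption: in a real deployment it is kept outside the database).
SERVER_SECRET = b"example-server-secret-do-not-reuse"
RESET_KEY_LIFETIME = 24 * 60 * 60  # the 24-hour window described in the post


def hash_password(password: str) -> str:
    """Keyed SHA-1 (HMAC) over the password; only this digest is stored.
    Caveat: the post's scheme has no per-user salt; current practice is a
    slow, salted KDF (PBKDF2, bcrypt, scrypt) rather than plain SHA-1."""
    return hmac.new(SERVER_SECRET, password.encode("utf-8"),
                    hashlib.sha1).hexdigest()


def verify_password(password: str, stored_hash: str) -> bool:
    """Hash the login password the same way; compare digests in constant time."""
    return hmac.compare_digest(hash_password(password), stored_hash)


def create_reset_key(now: float):
    """Return (key to e-mail to the user, record to store).
    Only the key's digest is stored, so a database leak cannot replay it."""
    key = secrets.token_urlsafe(32)
    record = {"key_hash": hash_password(key), "expires": now + RESET_KEY_LIFETIME}
    return key, record


def redeem_reset_key(key: str, record: dict, new_password: str, now: float):
    """Return the new stored hash if the key is valid and unexpired, else None."""
    if now > record["expires"]:
        return None  # the 24 hours have passed
    if not hmac.compare_digest(hash_password(key), record["key_hash"]):
        return None  # wrong or forged key
    return hash_password(new_password)


if __name__ == "__main__":
    stored = hash_password("correct horse")
    print("login ok:", verify_password("correct horse", stored))
    key, rec = create_reset_key(time.time())
    print("reset ok:", redeem_reset_key(key, rec, "new pass", time.time()) is not None)
```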

There is nothing terrific about this. These are just good security practices!

The next step for all these applications is to rely on OpenID for the user identity. Done right, this could solve some security issues.