Friday, August 15, 2008

Passwords and security

I use different passwords for different websites. It's a good security measure.

Today I tried, by mistake, to log in to a website on which I don't have an account, using the credentials of one of my other accounts. After the login failure, I realized that they now have the user name and password combination for one of my accounts. I logged into that specific account and changed the password immediately. If I had been using the same credentials on all my accounts, this would have been a hassle.

You may find some nice hints on the web for picking passwords that are strong yet easy to remember, and at the same time different for different websites, like this one or this one. I also made an easy algorithm for my passwords:
  1. Pick two words, not too short, not too long, easy to type and preferably in different languages. Let's say: hacker and frumos, which means beautiful in Romanian.
  2. Count the characters in the name of the website you're trying to log in to. In yahoo's case it's 5, for blogger it's 7.
  3. Count the characters in your name. 14 in my case.
  4. Form the password by joining all of the above. The password for yahoo is hacker5frumos14.
The login incident reminded me of a recent inquiry from one of our users on the support address, asking whether we store account passwords in Teamness. The answer is, of course: No way!

Storing passwords in clear text is a high security risk. I get annoyed each time a web service I have registered with emails me my password in clear text.

In Teamness we store hash values instead. A hash value is a fixed-length sequence of characters computed from any kind of data, in this case from the password.

The knack is that transforming the password into its hash value is a one-way operation: there is no way to run the function backwards and recover the password from the hash. When you log in, the application computes the hash of the password you typed on the login page and compares it with the stored one. One caveat: one-way does not mean unguessable. Anyone who gets hold of the stored hashes can still try candidate passwords, hash each one and look for a match, so the hash should be computed with a random per-user salt and a deliberately slow function rather than a single pass of a fast hash.
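As an added example (my own code, not the Teamness implementation, which the post does not show), here is the scheme above in Python together with the caveat: a plain unsalted SHA-256 can be "reversed" for common passwords just by guessing, while a salted, slow PBKDF2 record checked with a constant-time comparison is what a login check should use. PBKDF2-HMAC-SHA256, the iteration count and the record format are my assumptions, not the post's; the sample passwords and word list are constructed.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed parameters: the post does not say which hash function Teamness uses.
ITERATIONS = 200_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def naive_hash(password: str) -> str:
    """The weak way: one fast, unsalted SHA-256 over the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def guess_from_wordlist(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Why 'one-way' alone is not enough: whoever holds the hash just hashes
    guesses until one matches. With a fast unsalted hash this costs almost
    nothing, and one precomputed table serves every user with that password."""
    for candidate in wordlist:
        if naive_hash(candidate) == target_hex:
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, slow hash. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' so the work factor can
    be raised later without invalidating records already stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=KEY_BYTES)
    # compare_digest does not stop at the first differing byte, so timing
    # does not reveal how much of the guess was right
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    leaked = naive_hash("letmein")
    print("naive hash recovered as:",
          guess_from_wordlist(leaked, ["123456", "password", "letmein"]))
    record = hash_password("hacker5frumos14")
    print("stored record:", record)
    print("login with right password:", verify_password("hacker5frumos14", record))
    print("login with wrong password:", verify_password("hacker5frumos15", record))
```

Because the salt is part of the record, two users with the same password get different hashes, and the wordlist trick against `naive_hash` has to be repeated per user at 200,000 PBKDF2 iterations per guess instead of one SHA-256.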

Because we don't have your password, when someone forgets his or hers, Teamness does not email the credentials but sends a link to a page where the user can reset the password. Such a link needs to expire quickly and work only once; otherwise an old reset email is as good as the password itself.
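As an added example of the reset-link half (again my own code, not Teamness's; the 30-minute lifetime and the in-memory store are assumptions), here is a token drawn from the OS random source, stored only as a hash so that a database dump yields no usable links, that expires and can be redeemed exactly once:

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 30 * 60  # assumption: a reset link is valid for 30 minutes

# Assumed store: token fingerprint -> (user_id, expiry timestamp). A real
# deployment would keep this in the database next to the user row.
_reset_tokens: Dict[str, Tuple[str, float]] = {}


def _fingerprint(token: str) -> str:
    """Only the hash of the token is stored; the token itself goes in the email."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a time-limited, single-use token for user_id and return it.
    'now' is injectable so the expiry logic can be tested deterministically."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _reset_tokens[_fingerprint(token)] = (user_id, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user_id if the token is valid and unused, else None.
    The entry is removed on any attempt, so a token can never be used twice."""
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(_fingerprint(token), None)
    if entry is None:
        return None  # unknown, already used, or forged
    user_id, expires_at = entry
    if now > expires_at:
        return None  # link sat in the inbox too long
    return user_id


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock.
    t = issue_reset_token("alice", now=1000.0)
    print("reset link token:", t)
    print("first redeem:", redeem_reset_token(t, now=1100.0))   # alice
    print("second redeem:", redeem_reset_token(t, now=1100.0))  # None
```

The page behind the link would call `redeem_reset_token` once, and only on success show the form for choosing a new password; the new password is then stored as a hash exactly like the original one.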
