I had a feeling that many popular websites were not storing user passwords in a secure manner.
As an experiment, I tried the Forgotten Password feature for some popular ecommerce sites in India to determine their password storage and recovery policy. As a best practice, passwords are not stored with encryption at all but with a one-way password hash: a salted, deliberately slow function such as bcrypt, scrypt, Argon2 or PBKDF2. The site keeps only the salt and the hash, so once a password has been hashed it cannot be reversed or reproduced by the site; at login the site hashes what you typed and compares it with the stored hash.
The sites that follow this practice will never send you your password in email because they cannot recover it from the hash. They will instead give you the option to create a new password, usually through a single-use, time-limited reset link sent to your address. The site sees the new password only at the moment you submit it, and again stores nothing but its hash.
If a website emails you your existing password in plain text then you know that the site is either storing your password unhashed or using a reversible encryption scheme whose key the website holds, so anyone who obtains its database and key gets every password back. Some websites instead reset your password and email you the new one. That does not by itself prove how the old password was stored, but it still puts a working credential into plain-text email, and it is more painful for the customer because it gives pranksters an opportunity to bug the customer by submitting his email address in the forgotten password feature. The website will automatically reset the password without the customer’s consent, locking the customer out until he reads the email. A reset link avoids both problems: the existing password keeps working until the link is used, and no password ever travels in email.
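To make the contrast concrete, here is an added example (not code from the article or from any of the sites tested) showing the two storage models side by side and a forgotten-password flow that emails a token rather than a password. The XOR "encryption", the in-memory tables, the PBKDF2 parameters and the user records are all constructed for illustration; a real deployment would use a database and a library such as bcrypt or Argon2.

```python
import hashlib
import hmac
import os
import secrets
import time

# --- What a site that can email you your current password is doing ---------------------
# Toy reversible scheme (constructed for illustration): XOR with a server-side key. Anyone
# holding the key and the table recovers every password, because the operation is invertible.
SITE_KEY = b"s3rv3r-k3y"


def reversible_store(password: str) -> bytes:
    data = password.encode()
    return bytes(c ^ SITE_KEY[i % len(SITE_KEY)] for i, c in enumerate(data))


def reversible_recover(stored: bytes) -> str:
    # Same operation run again gives the plaintext back: this is what lets the site email it.
    return bytes(c ^ SITE_KEY[i % len(SITE_KEY)] for i, c in enumerate(stored)).decode()


# --- How it should be done: salted, slow, one-way hash ----------------------------------
# PBKDF2-HMAC-SHA256 from the standard library; 600,000 iterations follows OWASP's guidance.
PBKDF2_ITERATIONS = 600_000
USERS = {}          # email -> {"salt": bytes, "hash": bytes}   (stand-in for the users table)
RESET_TOKENS = {}   # sha256(token) -> (email, expiry)           (stand-in for a reset table)
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid


def hash_password(password: str, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(email: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "hash": digest}  # the plaintext is never stored


def verify_password(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        # Hash anyway so an unknown account costs the same time as a wrong password.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])


# --- Forgotten-password flow: email a single-use, expiring token, never a password ------
def request_reset(email: str, now=None):
    """Return the token to embed in the emailed link, or None for an unknown address.

    The HTTP response must look identical either way so the feature cannot enumerate
    accounts. The existing password stays valid, so submitting someone else's address
    changes nothing for them.
    """
    now = time.time() if now is None else now
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token: a leaked RESET_TOKENS table cannot reset accounts.
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (email, now + TOKEN_TTL)
    return token


def complete_reset(token: str, new_password: str, now=None) -> bool:
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).digest()
    entry = RESET_TOKENS.pop(key, None)  # single use: consumed even if it turns out to be expired
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    register(email, new_password)  # overwrite the record with the hash of the new password
    return True


if __name__ == "__main__":
    print("reversible scheme gives plaintext back:", reversible_recover(reversible_store("hunter2")))
    register("alice@example.com", "correct horse battery staple")
    print("stored record:", USERS["alice@example.com"])  # salt + hash only
    tok = request_reset("alice@example.com")
    print("old password still works after a reset request:", verify_password("alice@example.com", "correct horse battery staple"))
    print("reset completed:", complete_reset(tok, "new password"))
    print("token reuse rejected:", complete_reset(tok, "another"))
```

Running it shows the diagnostic the article relies on: the reversible scheme can hand the plaintext back, while the hashed record contains nothing the site could email. The reset path also covers the prank scenario from the text, since requesting a reset for someone else's address leaves their current password working.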
Here are some examples of ecommerce websites that did not appear to be using one-way password hashing for user passwords:
And here’s how it should be done. These are some examples of ecommerce websites that seemed to be following password storage best practices:
What’s your take on this?
[Guest article contributed by Abhishek Rajan, General Manager at One97 Communications.]