Collecting Passwords

This statement from Bruce Schneier is interesting,

How to harvest passwords: Just put up a password strength meter and encourage people to submit their passwords for testing. You might want to collect names and e-mail addresses, too.

It points out how easy it is for someone to collect passwords. A couple of human weaknesses are at play here:

  • People tend to trust programs they come across on the internet (and websites and services), more so if they look new and shiny.
  • People tend to use the same password on multiple sites.

The internet’s a very dynamic environment, and with the rise of Web 2.0 we have lots of interesting new sites appearing daily. Most of them ask us to register, to provide a username and a password.

And behind every interesting new site are people (the programmers). Most of the time their intentions are honourable: providing an application online, often for free. But what if a website’s intentions are more devious? What happens when you register an account and type in a (new) password? Usually it gets encrypted and stored in a database. It would be a simple task for the programmer to change the code and get it to store your password in some other way. And if people continue to use one or two passwords for all sites, this information becomes a little more valuable.

In other words, it would be easy for the programmer of any new and interesting website to collect user names, email addresses, and your favourite passwords.

So always be cautious about where you type your password; it can be a valuable thing.

Don’t always trust websites. There are a few exceptions – Google for example does an excellent job with their users’ security.

And whenever possible, don’t reuse important passwords on websites you don’t trust.
