Did you know that a webmaster can discover your password without hacking into your computer or internet connection? We are all aware of the hackers infiltrating databases, infecting computers with malware and keylogging software, and other exploits or hacks online. However, stealing passwords online can be extremely easy, and in most cases there is almost nothing we can do to stop or detect it. After all, they have earned your trust already to join their newsletter, blog, forum, community, or service. It’s not hard for them to steal your login details. Remember, a rogue developer can write code to steal credentials, even on a trusted website. It doesn’t require a whole company to be evil for your data and other accounts to be compromised.
Stealing Passwords With Account Login Pages
Whether it’s your bank or a social media page, when you log in to an online account you are trusting the web service to check your credentials and grant secure access to its network. However, HTTPS (SSL/TLS) only protects your password while it travels to the site; the site itself still receives it in the clear, so even a website using proper SSL can maliciously steal your password with just a few lines of code. Unfortunately, even mass-distributed and mostly trusted software such as WordPress can be altered to discover your passwords.
Well-behaved online software will take your password and hash it (often loosely described as encrypting it) before doing anything else with it. What is stored is a “hash”: a long string of numbers, letters, and symbols produced by a one-way function, so the password cannot be recovered from it. This protects your password from potential hackers who access the database. It also allows employees of the website or service to access the database without being able to see your actual passwords. However, for this to happen there is necessarily a moment at which the website holds your password in plaintext, before it is hashed.
In PHP a login form will most likely send two $_POST variables to a file responsible for verifying your details. It will consist of something such as $_POST['username'] or $_POST['email'], and $_POST['password']. This is where a malicious webmaster can grab your password. Of course, they may have already saved your actual password when you signed up, but they have the opportunity to do it every time you log in as well.
Because the raw password is sent in the $_POST array before it is hashed and saved to the database, or compared to the hashed (or encrypted) password already in the database, an unethical webmaster can do anything they want with your login details: save your email and password to a file, email them to themselves, and so on. You may be wondering why a webmaster would want the login details for users on their own site. Surely they don’t need to know your password to view your account details on their own service. That is true, but consider the following.
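The honest version of the PHP login flow described above, written as an added example (this is not code from the article or from any particular site). It assumes an in-memory array in place of the database and constructs the $_POST values by hand so it runs from the command line; the point it shows is that the plaintext password exists only in $_POST and one local variable, is hashed or verified at once, and is written nowhere.

```php
<?php
// Added example, not code from the article: the honest PHP login flow.
// The plaintext password lives only in $_POST and a local variable; it is
// hashed (sign-up) or verified (login) immediately and never stored or sent.
declare(strict_types=1);

// Constructed in-memory "users table" standing in for a real database:
// e-mail address => password hash.
$users = [];

// Computed once so that a login attempt for an unknown e-mail still runs
// password_verify() and takes about as long as one for a known account.
$dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);

function register(array &$users, string $email, string $password): void
{
    // password_hash() salts and hashes (bcrypt by default); the stored value
    // cannot be turned back into the password.
    $users[$email] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array $users, string $dummyHash, string $email, string $password): bool
{
    // Unknown account: verify against the dummy hash so timing does not
    // reveal which e-mail addresses are registered.
    $hash = $users[$email] ?? $dummyHash;
    $ok = password_verify($password, $hash);
    return $ok && isset($users[$email]);
}

// Constructed request; in a real handler these arrive from the submitted form.
$_POST = ['email' => 'alice@example.com', 'password' => 'Hello123'];

register($users, 'alice@example.com', 'Hello123');

$result = login($users, $dummyHash, $_POST['email'], $_POST['password']);
// Drop the plaintext as soon as it has been checked so that nothing later in
// the request can reach it through the superglobal.
unset($_POST['password']);

echo $result ? "login ok\n" : "login failed\n";
echo login($users, $dummyHash, 'alice@example.com', 'wrong') ? "login ok\n" : "login failed\n";
echo login($users, $dummyHash, 'nobody@example.com', 'Hello123') ? "login ok\n" : "login failed\n";
```

Everything a reviewer needs to inspect sits between the read of $_POST['password'] and the password_verify() call: any code in that stretch that writes, mails or transmits the value is the behaviour the article describes. Reviewing that part of the login handler, and watching it for unexpected changes on sites built from shared software such as WordPress, is the site operator's side of the defence; the user's side is the unique passwords discussed next.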
Why Unique Passwords Matter
Once an evil webmaster has your email or username and password stored with no encryption, they can attempt to log in to other online accounts you may have. If they get into your actual email provider, they will be able to recover other accounts by sending you password reset emails and changing your passwords online. Without proper recovery methods, a hacker can take over your entire life just by accessing your email. Once they know enough about your name, home address, phone number, and more they can use social engineering to convince employees of reputable companies such as your bank to give them more information. With enough of your data, hackers can pretty much do anything they want: open up new credit cards in your name, sign up to new accounts, buy things online, issue bank transfers, and even remove other recovery methods you have had in the past. This can take weeks or months to solve, and if you have your social security number stolen you can even be taken advantage of for years to come – even if any debt the hacker racks up is forgiven.
When you sign up to a website or service, it is okay to use the same email address that you use on other sites. Of course, you will be even more secure if you use a different email address, phone number, and password on every single sign up form. However, this is not always realistic. At the very least though, you can use a different password. The problem is that it can become very hard to remember each of your passwords, so I recommend coming up with a mental formula of sorts to make this easier.
Creating a Password Formula for Uniqueness
Let’s take a look at the password “Hello123”. Obviously this is not secure, but let’s pretend this is the base of our desired password. Perhaps our password formula can be the following:
Start with the first letter of each "real word" in the website address (or the first letter of the website if it has no real word),
then one exclamation mark ( ! ) for each syllable, and & for each set of 3 syllables,
then the base password,
then an at sign ( @ ) if your email is used to sign up, a hashtag ( # ) if you sign up with a phone number, or $ if you sign up with anything else (ex: a username),
then your middle name.
In this case, signing up at Facebook would mean we use the password: Fb!!Hello123@middle
Signing up at bankofamerica.com would mean we use the password: Boa&&Hello123@middle
Joining Twitter could mean we use: T!!Hello123$middle
Joining SomeRandomPhoneService would mean: Srps&&Hello123#middle
As you can see, we have created a mental formula that we can follow to modify our password uniquely for each site. This might be hard to remember or annoying to type, but it’s more secure than writing all of your passwords down on paper or storing them on your computer. All you have to do is remember 2-4 rules for password modification and the original base password.
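The formula above written out as a PHP function so that the four sample passwords can be checked against it. This is an added example, not part of the article. It assumes the reading the examples imply: & stands in for each complete set of three syllables and ! marks any remaining syllables. Initials and syllable counts are passed in by hand, since the article counts them by hand too.

```php
<?php
// Added example, not from the article: the article's password formula as code,
// used only to check the worked examples.
declare(strict_types=1);

// Assumed reading of the syllable rule: one '&' per complete set of three
// syllables, one '!' for each syllable left over (gives "&&" for six syllables
// and "!!" for two, matching the article's examples).
function syllableMarks(int $syllables): string
{
    return str_repeat('&', intdiv($syllables, 3)) . str_repeat('!', $syllables % 3);
}

// Sign-up method tag: @ for email, # for phone, $ for anything else.
function signupTag(string $signupMethod): string
{
    switch ($signupMethod) {
        case 'email':
            return '@';
        case 'phone':
            return '#';
        default:
            return '$';
    }
}

function derivePassword(
    string $initials,
    int $syllables,
    string $signupMethod,
    string $base,
    string $middleName
): string {
    return $initials . syllableMarks($syllables) . $base . signupTag($signupMethod) . $middleName;
}

// The article's four examples: initials, syllable count, sign-up method, expected result.
$cases = [
    ['Fb',   2, 'email',    'Fb!!Hello123@middle'],
    ['Boa',  6, 'email',    'Boa&&Hello123@middle'],
    ['T',    2, 'username', 'T!!Hello123$middle'],
    ['Srps', 6, 'phone',    'Srps&&Hello123#middle'],
];

foreach ($cases as [$initials, $syllables, $method, $expected]) {
    $got = derivePassword($initials, $syllables, $method, 'Hello123', 'middle');
    echo str_pad($got, 24), ($got === $expected ? 'matches' : 'differs'), PHP_EOL;
}
```

Keeping a function like this on a computer would undo the point of a mental formula, so it belongs in a scratch session only. The check also makes a limitation of the scheme visible: all four outputs share the fixed base password and middle name, and differ only in a site-derived prefix and one symbol, which is why the article still warns that the rules must stay private.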
Memorizing Unique Passwords is Worth It
If you use unique passwords, you are helping yourself avoid the drastic results of a mean-spirited webmaster stealing your login credentials. Even if they do steal your password, it is highly unlikely that they will be able to figure out the formula you use to make each password unique. If you do write them down and use wildly different passwords, then you will be even safer. Whatever you do, don’t use the same password for every website.