Comments on: How Does Netvibes Store Our Email Passwords?

By: vincentweb

vincentweb — Tue, 05 Apr 2011 01:49:20 +0000

is this serious? i’m just start using this netvibes and i have all my social networking in netvibes, FB, Gmail, Hotmail, Yahoo, Twiiter and many more…i almost expose all my password to netvibes. pls tell me its ok else i’m going to delete the widget away frm my acc.

By: HeBu

HeBu — Thu, 03 Jun 2010 08:33:35 +0000

I really don’t think Netvibes abuses or gives away passwords of their users. But there were some recent Hotmail account hijacks by spammers (about half a year ago) and maybe you used the same passwords for Gmail?

But to be sure to leave Netvibes in a clean status: I entered some fake account data (username and password) in my mail and twitter widgets, before deleting them. So I hope, my logins were overwritten with nonsens data in the Netvibes database.

By: HeBu

HeBu — Thu, 03 Jun 2010 08:26:47 +0000

At least for Twitter it would be a more secure way to connect. For mail accounts it would be nice to have the option to enter the password once per session, so it would not be stored in the database, only client-side.

By: Jb

Jb — Thu, 03 Jun 2010 03:52:43 +0000

So I am an idiot and gave my passwords to Netvibes for gmail and my msnlive id and now BOTH my email accounts have been hacked to send spam. I’m currently locked out of he msn account – someone or something has changed my password and I can’t get in. DON’T Do It!

By: Matt

Matt — Thu, 22 Apr 2010 20:11:09 +0000

OAuth *would* be more secure, in that nobody sees your password and you can easily revoke access, but there’s one problem: how many email providers offer OAuth authentication? (I don’t even know if the POP/IMAP protocols would support it…)

By: HeBu

HeBu — Thu, 22 Apr 2010 11:03:58 +0000

I contacted Netvibes on this and they told me, that the passwords of the Twitter & mail widgets are stored with a two-way encryption, with “only” three Netvibes workers knowing the key to it.

In fact a bit scary. Wouldn’t it be much more secure, if they used OAuth?

Does anyone know something about how PageFlakes does the storing of the login data?

By: Matt

Matt — Tue, 18 Dec 2007 17:45:10 +0000

That’s what I thought. Scary, isn’t it?

Thanks for the well written comment.

By: Dave

Dave — Tue, 18 Dec 2007 16:22:31 +0000

It’s unlikely that your passwords are encrypted when stored on their server and even if they were encrypted, it wouldn’t help.

The essence of the problem is that they need access to your decrypted password every five minutes in order to check your email. They COULD encrypt it quite easily… creating a random key the same length as your password and XORing your password with it before storage would render the encrypted password completely secure… but where do you store the key ?

The key has to be available to the same application that has access to the encrypted password in order to decrypt it. That would be like storing your house keys under the doormat. Actually, it’s more like storing your house keys in the lock of your front door.

Because they need your plaintext password to check your account there is little point in encrypting it as they need to store the decryption key with the encrypted plaintext.

The only thing they can do is try to protect the box from malicious access to the plaintext passwords. Encryption will not help in this case.

There is no known way to decrypt md5 or sha1 other than by brute force. This is a design feature of both of these hashes.