<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: How Does Netvibes Store Our Email Passwords?</title>
	<atom:link href="http://www.webmaster-source.com/2007/12/18/how-does-netvibes-store-our-email-passwords/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.webmaster-source.com/2007/12/18/how-does-netvibes-store-our-email-passwords/</link>
	<description>Useful Resources For Webmasters</description>
	<pubDate>Fri, 21 Nov 2008 19:39:28 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6</generator>
		<item>
		<title>By: Matt</title>
		<link>http://www.webmaster-source.com/2007/12/18/how-does-netvibes-store-our-email-passwords/#comment-594</link>
		<dc:creator>Matt</dc:creator>
		<pubDate>Tue, 18 Dec 2007 17:45:10 +0000</pubDate>
		<guid isPermaLink="false">http://www.webmaster-source.com/2007/12/18/how-does-netvibes-store-our-email-passwords/#comment-594</guid>
		<description>That's what I thought. Scary, isn't it? :D

Thanks for the well-written comment.</description>
		<content:encoded><![CDATA[<p>That&#8217;s what I thought. Scary, isn&#8217;t it? <img src='http://www.webmaster-source.com/wp-includes/images/smilies/icon_biggrin.gif' alt=':D' class='wp-smiley' /> </p>
<p>Thanks for the well-written comment.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dave</title>
		<link>http://www.webmaster-source.com/2007/12/18/how-does-netvibes-store-our-email-passwords/#comment-593</link>
		<dc:creator>Dave</dc:creator>
		<pubDate>Tue, 18 Dec 2007 16:22:31 +0000</pubDate>
		<guid isPermaLink="false">http://www.webmaster-source.com/2007/12/18/how-does-netvibes-store-our-email-passwords/#comment-593</guid>
		<description>It's unlikely that your passwords are encrypted when stored on their server and even if they were encrypted, it wouldn't help.

The essence of the problem is that they need access to your decrypted password every five minutes in order to check your email.  They COULD encrypt it quite easily... creating a random key the same length as your password and XORing your password with it before storage would render the encrypted password completely secure... but where do you store the key?

The key has to be available to the same application that has access to the encrypted password in order to decrypt it.  That would be like storing your house keys under the doormat.  Actually, it's more like storing your house keys in the lock of your front door.

Because they need your plaintext password to check your account there is little point in encrypting it as they need to store the decryption key with the encrypted plaintext.

The only thing they can do is try to protect the box from malicious access to the plaintext passwords.  Encryption will not help in this case.

There is no known way to decrypt MD5 or SHA1 other than by brute force.  This is a design feature of both of these hashes.</description>
		<content:encoded><![CDATA[<p>It&#8217;s unlikely that your passwords are encrypted when stored on their server and even if they were encrypted, it wouldn&#8217;t help.</p>
<p>The essence of the problem is that they need access to your decrypted password every five minutes in order to check your email.  They COULD encrypt it quite easily&#8230; creating a random key the same length as your password and XORing your password with it before storage would render the encrypted password completely secure&#8230; but where do you store the key?</p>
<p>The key has to be available to the same application that has access to the encrypted password in order to decrypt it.  That would be like storing your house keys under the doormat.  Actually, it&#8217;s more like storing your house keys in the lock of your front door.</p>
<p>Because they need your plaintext password to check your account there is little point in encrypting it as they need to store the decryption key with the encrypted plaintext.</p>
<p>The only thing they can do is try to protect the box from malicious access to the plaintext passwords.  Encryption will not help in this case.</p>
<p>There is no known way to decrypt MD5 or SHA1 other than by brute force.  This is a design feature of both of these hashes.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
