alasdair.info

Tuesday, September 25, 2007

Genes Reunited and password security

I am sure many people have heard of friends reunited, a site that allows you to get back into contact with people you went to school with. I think of it as a pre-cursor to facebook. A colleague of mine has an account with them and was surprised when he received an email from friends reunited that contained half his password. He queried this to discover that this useful "feature" sends the password with all but the last four character replaced by stars. So if your password is "password1" (one of the most common passwords) you would see "*****ord1". Assuming I intercept this email I can now narrow the search space. I know the password is 9 characters long and ends ord1. Not hard to put into a dictionary attack. In fact I might go for password1 on my first attempt.

So how does this relate to genes reunited you might ask? Well Genes reunited is a sister site that allows people to research their family tree. I have an id on this site (I do not have an id on friends reunited), so I thought I would see if genes reunited was the same. Well here is what I found:

  1. They also send the last four characters in the email.
  2. To get the password emailed all you need to do is give them your email address and they will send the password to your email address.
  3. If you log in and look at your account information they display in the web page your password.
  4. Their Privacy policy has the following clause:

    However, it remains each Member's responsibility:

    to keep his/her password secret.
So while it is my responsibility to keep my password safe genes reunited does the following:
  • Stores my password on their systems either unencrypted or in a reversible form.
  • Echo's it to my screen when I am logged on
  • Emails it out on request in clear text.
  • Emails half of my password, and my password length unbidden.
something does not quite add up.

To be honest I am not too worried about emailing the password as someone would need to be able to snoop my emails, or get into my email account and tons of things would be broken if this were to occur.

The thing that worries me is this seems to show a lack of understanding of security. You do not display someones password, you do not send it, or any part of it, unbidden and you avoid storing the password in a reversible form at all costs (although I am sure many sites do this last part I would rather not know :) ).

So in the short term I am going to cancel my account and in the future I think I will take a little more care with who I sign up with.
Alasdair

No comments: