Rocky and Grant’s little story about the password generator over at Gibson Research reminded me of a little episode I had recently with one of the local .NET community members.

Basically this nice chap had decided to put together a little community site that allowed users to log in and share content, but rather than force them to remember yet another username and password combination he decided to allow them to type in their Passport username and password.

Ummm – okay – pass. The key detail I have left out here is that the site is not a member of the Passport network, so it essentially takes your username and password and stores them in its own database (whether it hashes them or not is beside the point: the site still receives the plaintext password every time you log in).

No – I am not going to link to the site.

5 Responses to “Be careful where you type in your Passport password . . .”


  1. Yeah, I think I know the site. There are a few weird uses of Passport I have seen. Another I know is using the MSN Messenger API to do logins from what I can work out. Looks cool, but it is dodgy, especially when your Passport account is associated with so much these days (betas, betas, and more betas!)

  2. Tatham Oddie Says:

    The site in question does actually use the Messenger API under the covers to validate the credentials. The problem then arises that signing in to MSN kills your other sessions, which users don’t like.

    Solution:

    1. user provides credentials

    2A. if cached (and hashed) credentials aren’t in the DB, validate them against MSN. if they pass store them in the DB with an expiry date of 3 months

    2B. if cached (and hashed) credentials are in the DB but don’t match what the user entered, we are optimistic and assume that they have just changed their Passport password – MSN validation is retriggered

    Unfortunately for the geeks of the world this isn’t a good system; however, for the 5,000 members on the site it is a perfect solution.

    The authentication system is currently being updated to also allow basic email accounts for those who are Passport skeptics (which they should be).
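To make the cache-then-validate flow in the comment above concrete, here is an added example (editor's code, not the site's own code and not part of the original post or comments). It models steps 1, 2A and 2B with a constructed stand-in for the Messenger API (a small in-memory dictionary playing the role of MSN), a salted PBKDF2 hash as the "hashed credentials", and a 90-day expiry standing in for "3 months". It also counts how many times the plaintext password passes through the site's hands, because that is the point the rest of the thread makes: hashing the stored copy only protects against the database leaking; the site itself still handles the plaintext on every login and forwards it on every MSN validation.

```python
"""
Added example modelling the cached Passport-credential login flow described
in the comment. FAKE_MSN_DIRECTORY, SiteLogin and the 90-day TTL are all
constructed for illustration; this is not the site's code.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

CACHE_TTL = timedelta(days=90)          # "expiry date of 3 months"
PBKDF2_ROUNDS = 100_000                 # assumed work factor for the cached hash


@dataclass
class CachedCredential:
    salt: bytes
    digest: bytes
    expires: datetime


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; this is the 'hashed' copy kept in the site DB."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class SiteLogin:
    def __init__(self, msn_directory: dict, now: datetime):
        self.msn_directory = msn_directory   # constructed stand-in for real Passport accounts
        self.now = now                       # injectable clock so expiry can be exercised
        self.db: dict = {}                   # user -> CachedCredential
        self.plaintext_handled = 0           # logins where the site held the plaintext
        self.msn_calls = 0                   # plaintext forwarded to the "Messenger API"

    def _msn_validate(self, user: str, password: str) -> bool:
        """Stand-in for validating the credentials against MSN (step 2A / 2B)."""
        self.msn_calls += 1
        return self.msn_directory.get(user) == password

    def _store(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.db[user] = CachedCredential(salt, hash_password(password, salt),
                                         self.now + CACHE_TTL)

    def login(self, user: str, password: str) -> str:
        # Step 1: the user has just handed the site their Passport password in clear.
        self.plaintext_handled += 1
        cached = self.db.get(user)

        # Step 2A: no usable cached hash -> ask MSN, cache on success.
        if cached is None or cached.expires <= self.now:
            if self._msn_validate(user, password):
                self._store(user, password)
                return "ok:msn"
            return "denied"

        # Cached hash present and matches -> MSN is not contacted at all.
        if hmac.compare_digest(hash_password(password, cached.salt), cached.digest):
            return "ok:cache"

        # Step 2B: mismatch -> optimistically assume a changed Passport password
        # and revalidate against MSN, replacing the cached hash if it succeeds.
        if self._msn_validate(user, password):
            self._store(user, password)
            return "ok:msn-rehash"
        return "denied"


def demo() -> dict:
    """Walk the flow through a constructed scenario and report what the site saw."""
    directory = {"alice@example.com": "correct horse", "bob@example.com": "hunter2"}
    site = SiteLogin(directory, now=datetime(2006, 1, 1))
    results = [
        site.login("alice@example.com", "correct horse"),   # first visit: validated by MSN
        site.login("alice@example.com", "correct horse"),   # served from the cached hash
        site.login("alice@example.com", "wrong"),           # mismatch -> MSN asked, denied
        site.login("bob@example.com", "nope"),              # nothing cached, MSN denies
    ]
    directory["alice@example.com"] = "new pass"             # alice changes her Passport password
    results.append(site.login("alice@example.com", "new pass"))   # 2B path: re-hashed
    site.now += CACHE_TTL                                   # cache entry has now expired
    results.append(site.login("alice@example.com", "new pass"))   # back to the 2A path
    return {"results": results,
            "plaintext_handled": site.plaintext_handled,
            "msn_calls": site.msn_calls}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the flow working exactly as the comment describes, and also that in six logins the site held the plaintext Passport password six times and forwarded it to MSN five times; the hash in the database changes none of that, and without SSL on the login form the same password is also readable on the wire.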

  3. Mitch Denny Says:

    I just can’t take hashing in the database seriously when the credentials aren’t collected via an SSL connection.

    When your users are naive about security it is YOUR JOB to protect them.

  4. RockyH Says:

    Aside from the fact that the credentials get sent to the site in clear text which is a bad thing anyway, a user should never trust their other credentials to anyone else. Especially if it is a web site that they have no way to validate or vet.

    It is just like handing your credentials to someone you pass by on the street. If a site needs people to log in to use it, it needs to create site specific credentials or use the Passport system as it was intended. Any site that asks for you to enter your credentials from other systems that it will store (in any format) is just blatantly dangerous.

    It doesn’t matter if you’re a geek or not, this is a very bad way to capture users’ Passport accounts for use on the site. Use passport as it was intended, or don’t use it at all.

