
password security on eFestivals


Guest eFestivals


There have been some instances on the news lately of some major websites having had their users' passwords 'leaked', so I thought it a good idea to provide some info about how things are done here, to re-assure people that their passwords will always be safe here.

The simple version is this:-

If somehow the user data from this website was stolen, the thieves would NOT have your password details.

The passwords here are held in an encrypted form, so eFestivals - or anyone else - does not know and cannot know what anyone's password actually is.

Because of the type of encryption that is used, it's not possible for anyone to 'reverse' that encrypted password to then have a user's password. There is no unencryption method to the type of encryption that is used.

If that all sounds impossible and/or unworkable to you, I'll explain a little more. When a user enters their password to login, what they type is run through an encryption routine to create the encrypted version, which is then compared with the encrypted version which is held in the password file, and if they match a user is then successfully logged in.

I hope this information lessens any concerns that anyone might have. If you have any questions, feel free to ask. :)


The bleedin' obvious question is "why doesn't everyone else do it that way then?"

Are they just crap at security? Jobs subcontracted out to the cheapest quote maybe? IT departments managed by non IT people who won't listen to the IT people? But, I mean, we're talking major IT firms here, Sony being a pretty obvious one.

And whilst I'm on a rant, why the fuck don't they do this with credit card numbers as well? Why do they need to keep our credit card numbers anyway? OK, it may save me a bit of time on paypal but I think I'm right in saying some sites keep your details even if you've only shopped with them once, regardless of how you may feel about it. Surely this attracts certain kinds of hackers?


The bleedin' obvious question is "why doesn't everyone else do it that way then?"

Are they just crap at security? Jobs subcontracted out to the cheapest quote maybe? IT departments managed by non IT people who won't listen to the IT people? But, I mean, we're talking major IT firms here, Sony being a pretty obvious one.

Having been computing for 30 years, I'm seeing many of the same errors happen in web and phone developments as happened in the early days of computing. It's shockingly amateur, and shows a big problem with the teaching and/or learning of computer skills in formal environments. ;)

Having said that, I can see how it happens. Someone builds something to ensure it works, and tends not to consider how it might be abused. And once something is in place done in a particular way then the issues around changing it in a live environment can be massive.

As it happens, it's only really down to luck that efestivals is using this particular forum software, which has implemented things in that way (in fact in a more complicated way than I've described, I've given a simple version of it). But it's some luck that we can be happy about. :)


Good to hear :) ...I am curious, I always thought everything was eventually considered "hackable" eventually? (Given computing power and time :P)

The sorts of things that can be unencrypted eventually by throwing enough computing power at cracking the encryption are encryption methods which are designed to be unencrypted. By using encryption which has no unencrypt (such as MD5) things get FAR more difficult.

Having said that, it is sort-of possible to crack MD5 encryption even though it has no unencrypt. The problem for people trying to crack the passwords is that the encrypted password could have been arrived at from a number of different unencrypted 'words' (or strings of letters & numbers). So while it might be the case that they might eventually come up with a list of possibilities for the user's password, they can't know which is right - and it's made all the harder if the user's password is not a dictionary word.

From what I've read about how LinkedIn have been doing their passwords, it seems to be the case that they've used encryption (I'm not sure if it's MD5 encryption or not, though it might be) without doing anything more clever before the password is saved into the user database. The passwords here have more than just MD5 encryption worked on them, making them far more secure (I'm not going to give the full details, though I guess the info is 'out there' for anyone who is that interested).

It's defo the case that the passwords here are far less easy to crack than is the case at LinkedIn - with "far less easy" meaning in reality "just about impossible" even to someone with a massive amount of computer power available to them, and all the time in the world.
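To make the two points in this thread concrete (the login check described in the first post, where what the user types is hashed and compared with the stored value, and the difference between a bare MD5 hash and one that has "more than just MD5 worked on" it), here is an added example that is not part of the forum posts or of the forum software eFestivals runs. It assumes, as an illustration only, salted PBKDF2-HMAC-SHA256 with a 16-byte random salt as the "more clever" step; the actual scheme used by the site is not given in the thread.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not stated anywhere in the thread): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per user and 200,000 iterations.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """Plain MD5 of the password with nothing else done to it, i.e. the
    'nothing more clever' storage the post describes for LinkedIn.
    Included only to contrast with the salted record below."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build what actually gets written to the user table: the salt and the
    salted, stretched hash. The plaintext password is never stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """The login check from the first post: hash what the user typed, using the
    salt stored with their record, and compare it with the stored hash."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"]
    )
    # Constant-time comparison so the check does not leak how much matched.
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed sample user table: two users happen to choose the same password.
USERS = {
    "alice": make_record("festival2012"),
    "bob": make_record("festival2012"),
}


def unsalted_hashes_collide(pw_a: str, pw_b: str) -> bool:
    """With bare MD5, two users with the same password get the same stored
    value, so one leaked table exposes both at once; salting prevents that."""
    return unsalted_md5(pw_a) == unsalted_md5(pw_b)


if __name__ == "__main__":
    print("alice correct password:", verify("festival2012", USERS["alice"]))
    print("alice wrong password:  ", verify("festival2013", USERS["alice"]))
    print("salted hashes differ:  ", USERS["alice"]["hash"] != USERS["bob"]["hash"])
    print("bare MD5 hashes match: ", unsalted_hashes_collide("festival2012", "festival2012"))
```

Running it shows the login check accepting the right password and rejecting a wrong one without the site ever holding the plaintext, and that the two users' salted records differ even though their passwords are identical, whereas their bare MD5 values are the same.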


Great that Efests have taken security sensibly but the advice to people who access sites online also has to be don't use the same password for multiple sites. If a site does get cracked and your password obtained at least it will only be the password to that site.
