Whenever you register for something online, you are reminded of the importance of a "strong" password. It's good advice. But just as users are expected not to use "password" as their password, the software and sites we use are expected to be careful with the password once we hand it over. How do we know our password is safe once it leaves our fingertips? Well, we don't for certain. But there are some things that help.
Once your web browser, or any software, gets hold of the password, it holds on to it as briefly as possible. The longer it hangs around, the more likely that it could be revealed, either accidentally via a bug or maliciously by snooping software. Passwords are typically overwritten in memory as soon as they are done with, reducing the risk. (Today's web browsers will retain passwords indefinitely, for your convenience, but only with your approval.)
The next obstacle for the password is crossing the internet from your computer to the server hosting the web site without someone in the middle slurping it off the wire or out of the air. The solution here is a secure connection, which today many web sites support. A secure connection prevents an attacker from impersonating a site by authenticating the other party's identity. It also prevents an attacker from intercepting the password in transit by encrypting the conversation in a way that can't be cracked in any reasonable time.
The server might seem like the weakest link, since it must retain your password permanently to compare with the password you type at log-in. But, actually, the server doesn't need to retain a copy of your password any more than a lock needs to retain a copy of your key. A security-conscious site instead generates a "hash" from your password, using a complicated one-way mathematical process, and stores that instead. When you try to log in, the password you supply is subjected to the same process, and you only get in if the result is the same as the stored hash. This way, if an attacker does gain access to the server, they can't get your actual password, which could be disastrous, especially if you've used the same password on other sites.
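As an added illustration, not part of the column, here is how a site can store and check a password without keeping the password itself, using Python's standard library. The iteration count, the record layout and the sample passwords are assumptions for the example; the last function shows the kind of fast, unsalted hash that counts as doing it wrong.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for the example; it makes each guess slow for an attacker
# who steals the stored records, while one log-in stays fast for the user.
ITERATIONS = 600_000


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Turn a password into the stored record "pbkdf2$iterations$salt$hash".

    A fresh random salt per user means two users with the same password get
    different records, and precomputed tables of hashes are useless.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-run the same one-way process on the supplied password and compare."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False  # unknown or damaged record: never let anyone in
    _, iterations, salt_hex, stored_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: a plain "==" can leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(stored_hex))


def weak_record(password: str) -> str:
    """The "does it wrong" case: one fast, unsalted hash. Identical passwords give
    identical records, and a leaked table can be attacked at billions of guesses
    a second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = make_record("correct horse battery staple")  # constructed sample
    print(record)  # this is all the server keeps; the password is not in it
    print(verify("correct horse battery staple", record))  # True
    print(verify("password", record))  # False
    print(weak_record("hunter2") == weak_record("hunter2"))  # True: collide
    print(make_record("hunter2") == make_record("hunter2"))  # False: salted
```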
Mind you, if a site doesn't use hashing, or does it wrong (which, as you might expect from something complicated and mathematical, is possible), then your password is vulnerable. Incorrect security certificates occasionally find their way into the system that authenticates secure connections, allowing attackers to masquerade as legitimate sites. A bug in your browser could conceivably expose your password. Heck, there might be a key logger installed between the keyboard and the computer, sucking up every keystroke for attackers to later mine for passwords.
It's a scary world. Your password will never be perfectly safe. But then what is? You wouldn't leave your car unlocked or take it to a garage with a bad reputation.
As long as you treat your passwords with the same kind of care - don't flaunt them in public, use reputable sites with good security and so on - you can be reasonably sure they are safe.
- © Fairfax NZ News