The Swedish governmental TV recently published a service where you could check if your mail address was part of the compromised ones from recent leaks. There are many things that can be said about this;
* Never use a service such as this from any source unless you are *really* sure the source is secure.
Anyone could set up a service such as this one, with the soul purpose of harvesting e-mail addresses. In this case I trust the source, and hence tried it, and got a clear confirmation that my mail address was part of the data they had. Leaked from Dropbox. Other family members had leaks from Tumblr and other sources as well…
* Never trust a site that is able send you back your password as password reminder
The way for sites to store passwords is NEVER EVER the original one. If the site can send it to you, they are proving that they are doing it wrong. They should not have the password – just have the ability to check that what you enter is correct. How can this be?
The site owner should make a “hash“, i.e apply an algoritm on your password and store the result. This way they can validate a password you enter by applying the same algoritm on the password you enter when you try to login. What is stored on the site is not the relevant password, so if the list leaks, it can’t be used. The hash algorithms are meant to be oneway, so from password you can compute the hash but not the other way around. This way they can check what you enter, but they do not have your password.
As a second layer of protection, the site owner should also “salt” the hash. This means that in addition to the hash, a “grain of salt” should be added. This makes the hash from one site different from the hash on another site, even if the same password and hash algorithm is used. Hackers make rainbox tables, i.e. big matrixes of data that gives the hash for the passwords. This as a way to circumvent the fact that the hash algorithm is one way. If salt is added, generic rainbow tables are useless.
* Trust sites with 2FA
Two factor authentication is also a great way to secure your access. Be it tokens, mobile applications or even SMS. There has been criticism that SMS wouldn’t be secure. It’s very true that an SMS is like a postcard – full content is readable for any middleman, but having said that, the SMS never physically or logically go over the same channel as you use for you IP access to a site, so any attacker do not only need to have your login credentials – he also needs physical access to your mobile phone, and that is still quite unlikely. Hence SMS for 2FA is still a highly valid mean to protect your access.
=> If the site complied with the three points above, it can be assumed to provide safe access. In addition you would also like to ensure that once accessed, you can also use the site in a safe way:
* Trust sites using HTTPS
HTTPS encrypts the session between you are the site. Back in the day, this caused a lot of load on the server side but not so much today. This will safeguard you from eavesdropping on the path between yourself and the site. Any access to the content on the path between you and the site is useless to the eavesdropper.