
Password security - John C. Kirk

Mar. 9th, 2008

12:55 am - Password security


When I signed up with Facebook last year, I mentioned that I didn't like the "find friends" option. Basically, it asks you to give them the password for your webmail account so that they can look at your address book and see whether any of your friends are already registered. I, however, was disinclined to acquiesce to their request; with my password, they would be able to impersonate me (sending emails on my behalf), intercept incoming emails, and even lock me out of my own account. I'm not saying that the Facebook programmers in particular would necessarily do any of these things, but I prefer to be cautious about handing out that type of information.

This may seem a bit paranoid, but I read an interesting post today at Coding Horror: A Question of Programming Ethics. Basically, somebody wrote a shareware program called "G-Archiver" that will store a backup copy of your GMail messages on your hard drive; in order for this to work, you obviously have to provide your password. However, it turns out that the program was emailing all these passwords back to the programmer. Oops.

In fairness, you need to type your password into your computer somehow if you want to get at your email; this could be through a web browser or a dedicated email application (e.g. Outlook Express). So, you have to make the trade-off: who do you trust? Personally, I'm willing to trust Microsoft applications, although I know that other people disagree. I'm also willing to trust Firefox. However, open source isn't a panacea; just because something can be read, that doesn't mean that anyone has actually read it, particularly if it's obscure. It's also worth mentioning that the same thing could be done on other platforms (e.g. a Mac); this isn't a virus, it's the program doing exactly what it was designed to do.

Comments:

From: rjw1
Date: March 9th, 2008 01:00 am (UTC)
And indeed, just because you can read the source doesn't mean the binary you installed from the internet doesn't have extra stuff. Of course, if you compile it yourself it's safer. But unless you actually read the code you will never know.
From: totherme
Date: March 9th, 2008 02:32 am (UTC)
And indeed, reading and compiling the source yourself is no absolute guarantee, as Ken Thompson's truly moby hack demonstrates.

It's neither an OSS problem nor a proprietary problem. It's a general life problem. As M said in "Die Another Day": "knowing who to trust is everything in this business".
From: totherme
Date: March 9th, 2008 02:35 am (UTC)
Actually, it may have been "in this game". I'd look it up, except that I haven't.
From: susannahf
Date: March 9th, 2008 03:52 pm (UTC)
You know that that's not the only way to find friends, right? You can type in email addresses manually, or you can import a contacts file, and it even tells you how to save one from lots of different programs (including Outlook and Outlook Express). This is the method I tend to use, as it also means I can filter out addresses that I don't want to be included.
While I agree that the "give us your password" method does encourage poor security, and that I wouldn't trust Facebook with any vaguely sensitive data, it's not like they don't give you any other options, and I've had worse experiences with other services - like the ISP who wouldn't give me any technical support unless I told them my password over the phone, and the university department who handed out pieces of paper with both username and password printed on them and the injunction never to change the password...
From: elvum
Date: March 9th, 2008 04:51 pm (UTC)
I don't think any software development methodology or instance of a methodology is secure against programmers being naughty - even Microsoft have had issues in the past.