Two Plus Two Older Archives  

#11  08-31-2005, 04:09 PM
Tapin (Junior Member, joined Dec 2004, 14 posts)
Re: NETELLER does encrypt passwords

[QUOTE]
I'd reasonably expect that a developer could write a system helpful enough to tell whether an attempt is one or two letters off.
[/QUOTE]
I'm sorry, but you know nothing of which you speak.

Good hashing functions change approximately half of the output bits for every bit change in the input. This is Hashing 101. Determining whether a given string was "one or two letters off" requires either a so-weak-as-to-be-pointless hashing algorithm, or a colossal amount of iterative effort that won't be accomplished in real time during a support phone call.

This is all meta-discussion, however, since it's quite apparent that NT's backend password storage is insecure and their developers are unfamiliar with standard operating procedure.

(I'm baffled that they not only can see users' passwords, they can even see users' failed attempts at passwords. Yiiikes.)
#12  08-31-2005, 04:14 PM
Guest
Re: NETELLER does encrypt passwords

[QUOTE]
I'm sorry, but you know nothing of which you speak.
[/QUOTE]
Alright, alright, I bow to the one with practical experience in corporate backend security. [grin]
#13  08-31-2005, 04:23 PM
PrincipalSkinner (Senior Member, joined Jan 2005, 108 posts)
Re: NETELLER does not encrypt passwords

I would hope (and assume) that the "security guy" whom you dealt with is vetted a bit more thoroughly than the run-of-the-mill customer service rep. Having spoken at length with a couple of these neteller "security guys", however, I can assure you that neteller security does not inspire confidence in any regard. [shocked]
#14  08-31-2005, 04:24 PM
Tapin (Junior Member, joined Dec 2004, 14 posts)
Re: NETELLER does encrypt passwords

[QUOTE]
Alright, alright, I bow to the one with practical experience in corporate backend security. [grin]
[/QUOTE]
Funny, but this stuff is indeed part of my job.

One which I'm neglecting by posting on 2+2 in the middle of the day, I might add. Whoops.
#15  08-31-2005, 04:47 PM
B Dids (Senior Member, joined Feb 2004, Sea-town!!, 326 posts)
Re: NETELLER does encrypt passwords

Or moreover that when the user is getting it wrong, they're giving hints on how to get it right. I'm pretty sure that's not policy right there.
#16  08-31-2005, 04:52 PM
MrMoo (Member, joined Sep 2004, 43 posts)
Re: NETELLER does encrypt passwords

There is no "semi-correct". It's either correct or incorrect.

Code:
[/Users/me]$ echo blahblah | md5
7ec306b6fa01510ffc4e0d0fac97c23e
[/Users/me]$ echo blahbla | md5
1c0cb377e98d89d226530fe42a22c9d4

Can you tell if those are close?

I'm not trying to be a jerk here, but you're way off base. I think you're personally doing a disservice to people here by making claims which are completely incorrect.

As to the issue at hand, this is a HUGE deal. I still can't believe they're doing this. I'm shocked. Any database developer with even an ounce of intelligence knows this is a gigantic security hole.

Think about it like this. Most likely ANY of their support staff has access to all the passwords for any user. The DB administrators certainly have access to this info. ANYONE who cracks into this site will have access to this info. Given the inept decision to do this in the first place, I can't imagine the security for their site is anything more than pathetic. Now think of how much money is available. That's a pretty big incentive for someone to get access to this info.
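The point Tapin (#11) and MrMoo (#16) are making, as an added example that is not from the thread: a wrong attempt flips roughly half of the digest bits whether it is off by one character or entirely different, and a properly built verifier stores only a salted one-way hash and answers "match" or "no match", nothing else. The PBKDF2 round count and the sample password "correct horse" are constructed for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example; tune per deployment


def bit_distance(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length digests."""
    if len(a) != len(b):
        raise ValueError("digests must be the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def md5_bit_distance(s1: str, s2: str) -> int:
    """Bits differing between md5(s1) and md5(s2). A trailing newline is
    appended to mirror `echo ... | md5` as run in the post above."""
    d1 = hashlib.md5((s1 + "\n").encode()).digest()
    d2 = hashlib.md5((s2 + "\n").encode()).digest()
    return bit_distance(d1, d2)


def make_record(password: str, salt: bytes = None) -> dict:
    """Store only a per-user random salt and a slow one-way hash; the
    plaintext password is never written anywhere."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def attempt_digest(record: dict, attempt: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS)


def verify(record: dict, attempt: str) -> bool:
    """Exact match or nothing: a constant-time compare of the two digests.
    Nothing here can tell a support rep that an attempt was 'close'."""
    return hmac.compare_digest(attempt_digest(record, attempt), record["hash"])


def attempt_distance(record: dict, attempt: str) -> int:
    """How many of the 256 digest bits a wrong attempt flips: about half,
    whether the attempt is off by one character or entirely different."""
    return bit_distance(attempt_digest(record, attempt), record["hash"])


if __name__ == "__main__":
    print("md5 blahblah vs blahbla:", md5_bit_distance("blahblah", "blahbla"), "of 128 bits differ")
    rec = make_record("correct horse")  # constructed sample password
    print("verify exact:", verify(rec, "correct horse"))
    print("verify +3 chars:", verify(rec, "correct horsexyz"),
          "bits differing:", attempt_distance(rec, "correct horsexyz"))
```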
#17  08-31-2005, 05:03 PM
HigherAce (Junior Member, joined Sep 2004, 25 posts)
Re: NETELLER does encrypt passwords

[QUOTE]
Here's an example. Say your password is "love". When encrypted, "love" turns into "$ds2sdf". You store "$ds2sdf" in the database as the encrypted password. Now when someone types in "love" as the password, it is encrypted to "$ds2sdf" and compared to what is in the database. It matches so it authenticates you. However, other combinations of characters can also encrypt to "$ds2sdf" so there is no way to decrypt "$ds2sdf" to love. (There is a way to get a user's password in this case. It is called brute force cracking. Basically you try every possible combination of characters, encrypt each one and compare to the encrypted password. It would take a very long time, assuming you have a decent password.)
[/QUOTE]

Wow, I never knew how internet encryption worked. So if my pw was love, but sand gave the same encrypted value... either would work as my pw?
#18  08-31-2005, 05:14 PM
Tapin (Junior Member, joined Dec 2004, 14 posts)
Re: NETELLER does encrypt passwords

[QUOTE]
Wow, I never knew how internet encryption worked. So if my pw was love, but sand gave the same encrypted value... either would work as my pw?
[/QUOTE]
To be clear, that's not how "internet encryption" works, it's the standard procedure for hashing and password checks.

Yes, a "hash collision" could result in two different strings resulting in the same hash; it's a known issue, and the reason why people who are interested in super-secure systems don't typically use MD5 for their hashing algorithm any more (see here).

The probability of finding two single-word English phrases that hash the same in MD5 or SHA1 (the two most common algos) is astronomical even by gamblers' standards.
#19  08-31-2005, 05:54 PM
PLOlover (Senior Member, joined Jun 2005, 365 posts)
Re: NETELLER does not encrypt passwords

[QUOTE]
This bothers me quite a bit. I was putting in the wrong password a few times and they closed my account. I called to get them to reopen it and the security guy told me that the password I was putting in was close to the right one, but I was just adding 3 extra letters to the end.
[/QUOTE]

Really weird, this exact same thing happened to me too. Seriously. The password length limit there is 20 characters, I was told. They said they didn't know why the system let me input 23 in the first place.

Yeah, not confidence inspiring.
#20  08-31-2005, 06:01 PM
pankwindu (Junior Member, joined Oct 2003, 1 post)
Re: NETELLER does not encrypt passwords

Wow. This is rather horrifying to be honest. As others have elaborated, it is Security 101 that passwords should never be stored in retrievable form. Only one-way hashes should be stored, period. CS reps/hackers/con men should never be able to get the password from storage. If the user forgets it, CS reps should have to reset to a new one, not be able to look up the old one.

Sure, your average web forum or whatever can get away with storing passwords, but it is simply inexcusable for a site that deals with money. And if their security department doesn't understand this incredibly basic security concept, who knows what else might be lacking.