NETELLER does not encrypt passwords

[kurosh]

This bothers me quite a bit. I was putting in the wrong password a few times and they closed my account. I called to get them to reopen it and the security guy told me that the password I was putting in was close to the right one, but I was just adding 3 extra letters to the end. So that means they can see your password and what you're trying to enter as your password.

Does this bother anyone else?

[samr]

Yes, this does bother me.

Would you mind calling them and asking them about their policy?

[stone_7]

THis is pretty common for banks. I work with many different banks in my job and many of them have support personnel for their webpages that can see this info.

I think you may not understand how Web encryption works.

When you enter the password, your browser uses encryption to send the password to Neteller (you can tell by looking at the URL of the login page - if it starts with https, it's encrypted).

After your password reaches the Neteller servers, it is decrypted. That's why the Neteller personnel can see it.

Even if Neteller were to take an extra security step and store your password on its servers in encrypted form, staff whose job it is to work with passwords would be able to decrypt and view passwords at will.

HTH.

[stinkypete]

[ QUOTE ]

Even if Neteller were to take an extra security step and store your password on its servers in encrypted form, staff whose job it is to work with passwords would be able to decrypt and view passwords at will.


[/ QUOTE ]

this is incorrect.

[Xcalibur]

[ QUOTE ]
I think you may not understand how Web encryption works.

When you enter the password, your browser uses encryption to send the password to Neteller (you can tell by looking at the URL of the login page - if it starts with https, it's encrypted).

After your password reaches the Neteller servers, it is decrypted. That's why the Neteller personnel can see it.

Even if Neteller were to take an extra security step and store your password on its servers in encrypted form, staff whose job it is to work with passwords would be able to decrypt and view passwords at will.

HTH.

[/ QUOTE ]

I'm pretty sure he is not questioning web encryption. Some services (example AOL) does not let its customer care representitve see sensitive customer information like credit card on the accounts or passwords since it opens them up into much abuse.

It is only a matter of policy on the companies to ensure customer security. I know I am definately disturbed that neteller would let its customer care representitive know what your password is. I sure hope they at least have detailed background checks on their employees.

[herk]

Passwords are almost always stored in an encrypted form using a one way hash. User enters their password, a one way algorithm is applied resulting in a new value (which is the one that should be stored), and there is NO way to take the encrypted form and restore it to it's original. On login the same algorithm is applied to whatever the user entered and that encrypted value is compared to the stored encrypted value.

If neteller stored their passwords properly there would be no way for employees to browse customer passwords at will.

[AliasMrJones]

[ QUOTE ]
Even if Neteller were to take an extra security step and store your password on its servers in encrypted form, staff whose job it is to work with passwords would be able to decrypt and view passwords at will.

[/ QUOTE ]

This is 100% wrong. In most applications, passwords are stored encrypted and noone, not even the person who wrote the application can see the password as stored in the system. It uses one-way encryption. Basically, you can encrypt a password and see if it matches the stored encrypted password, but there is no way to unencrypt an encrypted password. (I hope that makes sense.)

Here's an example. Say your password is "love". When encrypted, "love" turns into "$ds2sdf". You store "$ds2sdf" in the database as the encrypted password. Now when someone types in "love" as the password, it is encrypted to "$ds2sdf" and compared to what is in the database. It matches so it authenticates you. However, other combinations of characters can also encrypt to "$ds2sdf" so there is no way to decrypt "$ds2sdf" to love. (There is a way to get a user's password in this case. It is called brute force cracking. Basically you try every possible combination of characters, encrypt each one and compare to the encrypted password. It would take a very long time, assuming you have a decent password.)

This one-way encryption protects users' accounts from abuse by even employees. Windows works like this, unix works like this. A homegrown web application may or may not work like this. (You might wonder, then, how do you help someone who forgot their password? You have to set a new password for them since there is no way to retrieve their current password. If you call your network admin at work and tell him/her you forgot your password, they will tell you the same thing -- they can set a new password for you, but there is no way to get your current password. It is because of this one-way encryption.)

Neteller may or may not do this, but any truly secure system will employ this type of password encryption.

[ QUOTE ]
This is 100% wrong. In most applications

[/ QUOTE ]
Within your first seven words you contradicted yourself. [img]/images/graemlins/wink.gif[/img]

But you're right in the basic premise: often passwords can also be checked by staff via a checksum (correct or not correct or semi-correct).

If that were the case, I'd reasonably expect that a developer could write a system helpful enough to tell whether an attempt is one or two letters off.

But whether this is true on the desktop or not, most large institutions don't seem to use undecryptable vital information (either that or my newspapers are broken).

[Sponger15SB]

[ QUOTE ]
I was putting in the wrong password a few times and they closed my account.

[/ QUOTE ]

Wait, so you don't just have it entered automatically for you by firefox so you just have to hit the sign in button?