views: 925 | answers: 7

I recently used Meebo and I must admit I'm a little paranoid about typing my IM login information into a site like this. How do they store my username and password for each of the separate IM services? I only feel comfortable when a site takes my password and does some type of irreversible, one-way function on it, but it seems that Meebo would have to store my passwords in a way that they could retrieve them at anytime in order to facilitate the automatic logon into the separate IM services they support. Am I justified in being paranoid about this?


EDIT: I found this excerpt from Meebo's privacy policy:

Third Party IM Service User Names and Passwords. Meebo allows you to access third party IM services by logging into your account through Meebo (the "Third Party IM Services"). In order to access your Third Party IM Service account, you must enter your applicable user name(s) and password(s) on the Meebo Service. To use the basic IM services on the Websites, Meebo does not store the password(s) of your Third Party IM Service accounts on our server. If you wish to utilize advanced features of the Services, such as automatic sign-in, storage of your password(s) may be necessary.

Jeff Atwood posted on this topic a while back in this article: Please Give Us Your Email Password.

+2  A: 

Unless they have contracts with each of the vendors, in which they create a hash and pass just the hash, they will need to store your information.

Russ Bradberry
I think this is the most likely scenario.
djangofan
+4  A: 

Yes, you are.

Spencer Ruport
yes he/she is, what? Justified or paranoid? haha
Russ Bradberry
Justified in being paranoid. I would never give out a password to a social networking site.
Spencer Ruport
I hope this is not the case, it's such a convenient service.
Andrew Garrison
@average: Eeeexactly. Meebo has your password (and NEEDS to store it). That's the price for convenience; a textbook example of a security/convenience tradeoff.
Piskvor
+2  A: 

Yes, you are justified. When you give your username/password to a site, any site, you really have no idea/guarantee what they are going to do with it and how they will protect it.

Rob Di Marco
+1  A: 

They explain how they send the data from the browser to their servers here: RSA encryption in JavaScript before form submission.

http://www.meebo.com/security/

EDIT: Clarification: they don't specify how they store it, but presumably it's two-way encryption, maybe with the user's password as the key?

John
This explains how the information you type gets sent to Meebo, not how they store it or how they send it to the other vendors.
Russ Bradberry
Good point. They don't list how they store it anywhere that I could find, other than implying it's encrypted and/or "secure".
John
+3  A: 
  1. Meebo to Piskvor: Give me your IM password, I'll login for you.
  2. Piskvor to Meebo: It's "12345".
  3. Meebo to IM: Hello, I'm "Piskvor"; to prove it, my password is "12345".
  4. IM to Meebo: Hello, you are indeed "Piskvor"; there's also a message for you from user "average".
  5. Meebo to Piskvor: There's a message for you from user "average".
  6. (etc)

Take note of lines 2 and 3. In order to do #3, Meebo needs your password; unless there's some cooperation between the IM provider and Meebo (which is possible but unlikely), it has, at some point between those lines, your plaintext password.

Congratulations, you no longer have complete control over your IM account; as far as the IM service cares, Meebo is you.

In other words: do you trust Meebo not to abuse your password? Do you trust Meebo to protect your password? Do you trust that Meebo won't be hacked and your password stolen? As far as I see, there's no way to tell (unless you're Meebo, which you're not).

It boils down to this: do you trust Meebo's promises?

Here's my $0.02: Convenient? Check. Horribly insecure? Check.


Oh, and to answer the question in the title: best practice would be "encrypt the password, don't keep the plaintext anywhere (any longer than absolutely necessary)". However, I've seen too many databases with plaintext password fields; some businesses apparently see encryption as a waste of effort until Something Really Bad Happens. Does Meebo? I don't have a way to tell.

Piskvor
And even if the creds are encrypted, a compromised database includes the compromised encryption key.
Dustin Getz
+1  A: 

Meebo encrypts your individual account password with your Meebo account password. Your Meebo account password is bcrypt-ed. So Meebo doesn't know any of your passwords unless you're logged in. http://blog.meebo.com/?p=2220

Vijay Raghunathan
+1  A: 

On the Meebo blog they discuss their security features in more detail. Here is the summary:

"We store a salted hash of your [meebo] password, NOT The password itself. "

"[we use your] Meebo account password to temporarily decrypt the passwords for your IM accounts. We only keep the decrypted version in memory, and we forget the decrypted version as soon as you log out."

So the service seems pretty safe. If you want to be extra safe, don't log in with your Meebo account; instead, log in with your IM details.

wassname
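A worked model of the scheme the last two answers describe, and of why Meebo still holds the plaintext during steps 2 and 3 of Piskvor's exchange. This is an illustration added here, not Meebo's code: the Meebo password is stretched with a salt and only a verifier is stored, while each IM password is wrapped under keys that exist only while the user is logged in. It uses only the Python standard library, so PBKDF2-HMAC stands in for bcrypt and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for a real AEAD such as AES-GCM; all names, passwords and labels are constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; stands in for bcrypt's cost parameter

def _master_key(password: str, salt: bytes) -> bytes:
    """Slow, salted stretch of the Meebo password (PBKDF2 here, bcrypt on the page)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _subkey(master: bytes, label: bytes) -> bytes:
    """Cheap, one-way split of the master key into independent purpose-bound keys."""
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for a real cipher such as AES-CTR."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def _seal(master: bytes, plaintext: bytes) -> bytes:
    """Wrap one IM password: fresh nonce, encrypt, then MAC (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(master: bytes, blob: bytes) -> bytes:
    """Unwrap; verify the tag before decrypting so a tampered record is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(master, b"enc"), nonce, len(ct))))

def create_record(meebo_password: str, im_passwords: dict) -> dict:
    """Persisted record: salt, Meebo-password verifier, and the wrapped IM passwords."""
    salt = secrets.token_bytes(16)
    master = _master_key(meebo_password, salt)
    return {"salt": salt, "verifier": _subkey(master, b"verify"),
            "im": {svc: _seal(master, pw.encode()) for svc, pw in im_passwords.items()}}

def login(record: dict, meebo_password: str) -> dict:
    """Unwrap the IM passwords for this session only; a stolen record alone yields nothing."""
    master = _master_key(meebo_password, record["salt"])
    if not hmac.compare_digest(record["verifier"], _subkey(master, b"verify")):
        raise PermissionError("bad Meebo password")
    return {svc: _open(master, blob).decode() for svc, blob in record["im"].items()}
```

The wrapping key is never persisted, which is what separates this scheme from the case Dustin Getz warns about: a copied database gives an attacker only a salted, stretched guessing target. The remaining exposure is that the plaintext IM passwords sit in server memory for the life of the session, which is exactly Piskvor's step 3.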