Passwords, security, what it means and best practices....
By Russ Freeman, written 1363196137.
How does PurplePort manage passwords?
We don't store your password. Instead we use a one way hash function to generate a bunch of characters. When you enter your password to log in we take the password you enter, run it through the one way hash and compare the hash with the one we generated when you last entered/changed your password.
This means we don't really get to see your password and should PurplePort be the victim of a break in it will either be very difficult or as close to impossible for someone to extract the passwords from the database.
This is why we can't offer you a password reminder. All we can do is give you the ability to reset your password.
Resetting your password
This is pretty easy and can either be done via the Manage Account option on the Purple Cog and then selecting Personal...OR when you attempt to log in.
One of the common security risks with other sites is that by requesting a password reset for a known account you can confirm that an account for that email address exists because the web site will helpfully tell you when an account is not found "error, account not found". Armed with that information you now know someone has an account.
PurplePort doesn't do that. Instead we'll pretend like it worked but advise that either way, whether the account exists or not, only the account holder will know.
Log in attempts
One of the easy methods of gaining access to someone's account is to just bash away at the login page, usually using an automation tool, and hope for the best. People tend to use common passwords so trying 1,000 or so common passwords is a good first attempt.
We throttle log in attempts to reduce the ability for someone trying to use automated tools to try many passwords in a short space of time. In fact we make it annoyingly slow to make a whole bunch of automated attempts at passwords.
Password best practices
Passwords are a terrible security measure. All passwords can be figured out with enough computing power but you can certainly help yourself by doing some of the following...
Use a "pass phrase" instead of a password
Don't think "word". Instead think "phrase". It can be as long or as short as you like. A longer password is better than a short one!
Use capitals, numbers, spaces and symbols
On PurplePort you can use whatever numbers, letters and symbols you like. You could have a password like "1&£ nGF __&% "¬!000" if you like. Go crazy...only you will know how crazy it is!
- Don't use the same password for multiple services. Sure, it makes it easy to log in but then anyone getting your password from a weak service now has it for all of the other services you use.
- Don't use personal information such as your date of birth, your name, hobby keywords etc.
- Don't use whole words as the entire password even if you think swapping letters with numbers will be good. "p@assword" is just as bad as "password".
- Don't give your password to anyone else but if you must then change it as soon as possible. We might ask for your password but our advice is to always reset it to something else, tell us what it is and then once we are done helping you you can put it back.
- If you suspect your password has leaked out some how change it.