How do sites like Meebo store usernames and passwords?

I recently used Meebo, and I have to admit that I'm a little paranoid about entering my IM login information into a site like this. How do they store my username and password for each of the individual instant messaging services? I only feel comfortable when a site takes my password and runs it through some kind of irreversible one-way function, but it seems that Meebo has to store my passwords so that they can retrieve them at any time, to facilitate automatic login to the individual IM services that they support. Am I justified in being this paranoid?


EDIT: I found this excerpt from the Meebo Privacy Policy:

Usernames and passwords of third-party IM users. Meebo allows you to access third-party instant messaging services by logging into your account through Meebo (“Third-Party IM Services”). In order to access your third party instant messenger account, you must enter your respective usernames and passwords in Meebo. To use basic instant messaging services on websites, Meebo does not store the password of your third-party IM accounts on our server. If you want to use advanced features of the Services, such as automatic login, you may need to store your passwords.

Jeff Atwood published this topic in this article: Please give us your password by e-mail.

+6
security passwords
7 answers
  • Meebo to Piskvor: Give me your password for IM, I will sign up for you.
  • Piskvor to Meebo: This is "12345".
  • Meebo to IM: Hi, I'm Piskvor; to prove this, my password is "12345".
  • IM to Meebo: Hi, you really are Piskvor; there is also a message for you from the user "average".
  • Meebo to Piskvor: There you get a message from the user "average".
  • (etc.)

Pay attention to lines 2 and 3. To do No. 3, Meebo needs your password; (if there is no collaboration between the IM provider and Meebo (which is possible, but unlikely)), at some point between these lines your plaintext password is.

Congratulations, you no longer have full control over your IM account; as for IM service, Meebo .

In other words: do you trust Meebo not to abuse your password? Do you trust Meebo to protect your password? Do you believe that Meebo will not be hacked and your password is stolen? As far as I can see, there is no way to say (unless you are Meebo, and you are not).

It boils down to this: do you trust Meebo's promises?

Here's my $0.02: Convenient? Check. Awfully insecure? Check.


Oh, and to answer the question in the title: the best practice is to "encrypt the password, do not leave open text anywhere (longer than absolutely necessary)." However, I have seen too many databases with clear text fields; some companies seem to believe that encryption is a waste of work, while something is really wrong. Meebo? I cannot tell.

+3

Yes, you are.

+4

Yes, you are justified. When you give your username/password to a site, any site, you really do not know, and have no guarantee of, what they will do with it and how they will protect it.

+3

If they do not have contracts with each of the suppliers in which they create a hash and transmit only a hash, they will need to store your information.

+2

On the Meebo blog, they discuss their security features in more detail. Here is a summary:

"We store a salted hash of your password [meebo], not the password itself."

"[we use your] Meebo account password to temporarily decrypt the passwords for your IM accounts. We only store the decrypted version in memory, and we forget the decrypted version as soon as you log out."

So the service seems pretty safe. If you want to be more secure, do not log in to your meebo account, but log in with your chat details.

+2

They explain how they send data from the browser to their servers here; RSA encryption in javascript before submitting the form.

http://www.meebo.com/security/

EDIT: Clarification, they do not indicate how they store it, but presumably this is two-way encryption, perhaps with a user password as a key?

+1

Meebo encrypts your individual account password with your Meebo account password. The password for your Meebo account is bcrypt-ed. Therefore, Meebo does not know any of your passwords if you are not logged in. http://blog.meebo.com/?p=2220

+1
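
The scheme the last three answers describe (a salted hash of the account password for login, and IM passwords encrypted under a key derived from that same account password and held only in memory) can be sketched as follows. This is an added example, not Meebo's code and not part of any answer; all function and field names are hypothetical, scrypt stands in for bcrypt because Node has no built-in bcrypt, and AES-256-GCM is an assumed cipher choice.

```javascript
// Added illustration, not Meebo's code. Function and field names are hypothetical.
const crypto = require("node:crypto");

// scrypt stands in for the bcrypt hash the answers mention (assumption).
const kdf = (password, salt) => crypto.scryptSync(password, salt, 32);

// Create the row kept at rest: two salts, a login verifier, an empty vault.
function register(accountPassword) {
  const authSalt = crypto.randomBytes(16);
  const kekSalt = crypto.randomBytes(16);
  return { authSalt, kekSalt, authHash: kdf(accountPassword, authSalt), vault: {} };
}

// Check the account password; on success return the vault key (memory only).
function login(row, accountPassword) {
  const candidate = kdf(accountPassword, row.authSalt);
  if (!crypto.timingSafeEqual(candidate, row.authHash)) return null;
  return kdf(accountPassword, row.kekSalt); // derived on demand, never stored
}

// Encrypt one IM password under the vault key; the service name is bound as AAD.
function storeImPassword(row, key, service, imPassword) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(service));
  const ct = Buffer.concat([cipher.update(imPassword, "utf8"), cipher.final()]);
  row.vault[service] = { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt one IM password; throws if key, service name or ciphertext is wrong.
function loadImPassword(row, key, service) {
  const { iv, ct, tag } = row.vault[service];
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAAD(Buffer.from(service));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Logging out overwrites the in-memory key; the row alone cannot be decrypted.
function logout(key) {
  key.fill(0);
}
```

While a session is active the server still holds the vault key and the decrypted IM password, so the trust question raised in the first answer applies for that whole window; the design only protects the stored row when the user is logged out.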
