Typepad Update

As I mentioned yesterday I raised a bug report against Typepad because of its insecure password handling. This is the response that was waiting for me this morning.

Thank you for your feedback on this. We will keep this in mind for future updates to the system.

While we cannot share specific technical details on how user information is stored in TypePad, it is stored securely. The email you received is not an indicator of how this information is protected.

Please let us know if you have any other questions.

That clearly comes from someone who doesn’t really understand the problems. Notice how she tried to reassure me that my password is stored securely despite all appearances to the contrary. I don’t believe a word of it. If my password is stored securely then it should be impossible for Typepad to send it to me as it should be impossible for anyone in Typepad to find out what it is.

I’ll press on.

2 comments

  1. It’s not inconceivable that they’re storing the passwords encrypted in the database, instead of hashed, and that the mail-your-password program has the key to decrypt the password before it’s sent to the user. (It’s not a good technique, but it’s possible.) A significant fraction of Typepad users are not technically savvy, and might have a hard time going through the process of resetting their password.

  2. You’re right that it’s not inconceivable. And you’re right that this wouldn’t be a good technique. As I said above, the only system that I think is acceptable is having the passwords encrypted using a one-way encryption algorithm so that no-one in Six Apart can possibly find out my password. That’s obviously not what is happening though. I strongly suspect that their excuse for doing it this way will be something similar to your explanation about non-technical users. But I don’t think that making things easier for users justifies making things less secure.
