Archive for the ‘How-Tos’ Category

How to Store Passwords on Websites (Password-handling responsibilities of websites that store data about members)

August 7th, 2010 2 comments

The awareness of using strong passwords has significantly improved over the last few years thanks to the efforts taken by many security organizations and websites. Even a lay-man today knows that it’s important to have a strong password to thwart hacking attempts.

Unfortunately, these organizations and websites fail to mention that security of a member’s account is the responsibility of the user AND the organization that stores the password. As a result, whenever hundreds to thousands of passwords are stolen by hackers, some website managers find it convenient to blame the users for the password theft. Although mass password thefts are generally caused by phishing (in which case the user is at fault), a small percentage of it is caused by stealing or hacking the website database. Sometimes, organizations release member information to third-party companies or partner websites, which is fine as long as they take certain safety measures. As you can imagine, not everyone does this which means that the host website is also a potential point of failure.

I shall explain by providing a couple of examples and shall conclude with a test procedure that you can use to detect if a website is storing your passwords securely.

Please note that this article is only concerned with password storage and ignores security measures and breaches due to other factors.

Eg1 : Plain, Simple and Visible


This technique stores all data in plaintext. Hence, all the passwords and data are visible to anyone who has access to the database table. You don’t even need to hack the database to gain access to such information. Some employees of the organization storing this data have access to the database legally and can steal passwords if they wish. Although it’s fairly obvious that storing data in plaintext is asking for trouble, it’s popular among students and other people due to the ease of implementation.

Areas where this technique is prevalent:

  • Web applications written by students.
  • Websites belonging to Small and Medium Businesses (SMB).
  • Websites of startups. (Hardly any startups do this anymore which is a good sign)

Eg2 : Secure Passwords, Open Data


Passwords, in this case, are stored as a computed one-time hash. This prevents them from being reversed into their original form and in essence, protects the password from being recovered in the event of a security breach. Employees who have genuine access to the database can view your data but have no idea about your password. This is desirable in certain situations where member information needs to be visible to the employees as the password remains a secret known only to the member.

Areas where this technique is prevalent:

  • Web applications written by (smarter) students.
  • Startups and other SMBs.
  • Online Forums.

Eg3: Secure Data and Passwords

In this case, only the primary key is left unencrypted while every other field is encrypted using a reasonably long key. This makes locating entries in the database easy and protects the user’s information. Partner websites do not have direct access to the data and instead use intermediate accessor-functions to access data. A database hack would still protect user information unlike the previous methods.

There are several variations that are more secure which employ various techniques such as:

  • Encrypt everything and use lookup tables with hashes to access data.
  • Distribute data across multiple databases.
  • Distribute data across multiple databases that use different encryption schemes.
  • …many many more which are far more complex and more secure by several degrees…

Areas where this technique is prevalent:

  • Banks
  • e-commerce Websites
  • Government and Military Organizations

Aside from these techniques, there’s an interesting myth on which I’d like to throw some light.

Websites that use HTTPS

A website that uses HTTPS using SSL/TLS only guarantees that data transmission between the user and the website cannot be intercepted by eavesdropping attacks. This does not say anything about how the data is stored at server-side. Hence, data stored on a website that uses the HTTPS protocol is still unsecure if it employs the storage method demonstrated in Example1.

How to Find Out If a Website Stores Your Password in Plaintext?

Follow these simple steps to find out if a website hashes your password or not.

  1. Register as a new member on the website in question. If you already have an account, skip this step.
  2. Click ‘Forgot Password’ on the login page of the website.
  3. Follow the instructions to recover your password. (usually you would enter your email address or answer your secret question depending on the website)
  4. If your old password is revealed on screen or in the ‘password recovery’ email, the password is stored in plain-text, which means your password can be stolen in the event of a server-side security breach.
  5. If you are asked to click a ‘Password Reset’ link or enter a new password directly (this is website-dependent), the website stores your password as a hashed value and your password is safe from being stolen if the website gets hacked. (In this case, your old password can’t be shown to you because a hashed value cannot be converted into its original form)
      I hope this article has helped you realize that having a strong password is pointless if the website that you use it for stores it in plaintext.

Update: got hacked on March 3rd, 2011 (see here and here) and had all its users’ account passwords stolen since all the user passwords were stored in plaintext. It’s disappointing that someone as accomplished as Greg Hoglund (whose book on Rootkits still remains one of my favourites) used passwords stored as plaintext on his website. A security firm headed by a security researcher making such a basic mistake is simply unforgivable. I hope you won’t make the same mistake.

Microsoft India got hacked on February 12th, 2012 and had all user account passwords stolen (see here) because they were stored in plaintext. One would think that at least Microsoft would know how to store passwords. Sigh.

Use ATI Radeon Xpress 1150 Graphics on Windows 7

May 9th, 2009 87 comments

If you’re reading this, you’re probably running Windows 7 in 800×600 or 1024×768 resolution with a default PnP monitor even though you’ve got an ATI graphics card  that supports higher resolutions.

ATI was quick enough to release Windows 7 drivers for higher-end cards which you can download here but if you try to install the setup with an older graphics card (such as an ATI Radeon Xpress 1150), the setup fails to install because the graphics card is not supported. I wasn’t surprised, as my graphics card wasn’t mentioned in the release notes of the Windows 7 drivers but I tried installing the Vista equivalent (Catalyst version 9.3) hoping that would work, which unfortunately didn’t.

Without these drivers, you can’t load screensavers, use Aero or use taskbar previews and the display appears slightly blurred.

I found a solution by using an older driver (so old that it isn’t even mentioned on ATI’s Older Releases page) and although the Catalyst software didn’t work, the display driver works fine and I can use Aero, view taskbar previews and pretty much do everything else.

You will need to download ATI Catalyst Driver version 7.11 for your card to work properly with Windows 7 which you can download here for the 32-bit version or here for the 64-bit one. Although the drivers are for Vista, they will work for Windows 7 as well. I haven’t been successful running a higher version of ATI’s drivers, so let me know if you’ve succeeded running a higher version.

Windows 7 RC boots faster and even runs slightly better than Windows XP and I haven’t had problems with application compatibility so far and I advise you all to give it a try.


Update 1:

Version 8.12 works as well. Download it from here

Thanks icxz!

Update 2:

I was forced to reinstall Windows 7 RC for irrelevant reasons, and this time Windows 7 automatically downloaded the driver for the Radeon Xpress 1150 Card after the OS setup was complete.

The update appears as a recommended download in Windows update and although it states that the driver publish date is 27th April 2009, the actual driver is version 8.421.000 and was released in September 2007. The driver installed by ATI’s 8.12 Catalyst setup is version 8.561.000 which was released in December 2008.

ati_winUpdate ati_winUpdate2 Win Update

ati_driver1 ati_driver2 Driver Details

Games work perfectly fine and so does Aero and Aero Peek although I personally feel that games ran noticeably faster with the v8.12 driver. Also, the pre-startup screen logo animation is not displayed with the default driver that Windows installs.

Still, I recommend updating the driver to version 8.12.

I haven’t had the opportunity to try this on the retail version of Windows 7 yet, but I’ll update this post as soon as I do.

Update 3:

If you use DriverMax, it suggests a newer driver for the ATI Radeon Xpress 1150 having version 8.593.100.0 released on 27th April 2009. I guess this was the driver that Microsoft intended to bundle with its Windows update (read Update 2) so I went ahead and installed it.


The driver worked fine until I started a couple of games, which is when I noticed that this driver cannot resize the screen to a lower resolution. What it does instead is reduce the resolution of the game instead of the screen. For example, I chose 800×600 resolution for a game and instead of resizing the screen, the driver maintained the usual 1280×800 resolution for the screen and reduced the game to 800×600 resulting in the game taking up only a small portion of the screen.

After uninstalling the driver and reverting to the previous one, everything was back to normal. Moral of the story: DO NOT install version 8.593.100.0 !!!

Using Umbrello on Windows

March 25th, 2009 4 comments

umbrello Window
Some of you might already know that some KDE Applications have been supported on Windows and MacOS after version 4.0.

I wanted to install Umbrello on my Windows XP Machine and I consulted the documentation to learn more about the installation process. KDE is nice enough to provide an installer for Windows but it’s terribly slow since all the packages are downloaded using a single thread which will take you at least 3 times longer than if you had download the individual packages manually with a download manager application.

I tried searching for help online, but there isn’t any useful information on how to go about doing this, so I’ve decided to write one.

Anyway, I decided to download all the packages manually and use the installer to unpack them into a single directory. Unfortunately, the KDE Website doesn’t mention which packages Umbrello needs so I had to use the installer and its log dumps to figure out which URLs it was drawing the packages from.

To use umbrello on Windows, you can either download the KDE libraries and source code and compile it yourself using Visual C++ 2005 or MinGW, or you can download the precompiled binaries and libraries and use them directly. To be honest, there’s no point in compiling KDE yourself since the source code files are as large as the precompiled binaries so you’re better off downloading the binaries.

Umbrello is present in the kdesdk package which is about 5.3MB and you need to download additional libraries as well along with the kdesdk package. The installer only mentions 32 packages in the package dependencies list but there are actually 35 of them (don’t worry though, the installer installs all 35 if you choose to download the packages automatically)


The installer needs the MD5 hash of every package you want to install so make sure you have them too. After you have downloaded all the package files, place them in a temporary directory and start the Installer. Then choose to Download and Install from the Internet. (Although the install from Local Directory option exists, it didn’t work for me)

After that choose the directory where you placed all your packages in the temporary directory selection screen and choose the kdesdk Package for download. Click past the package dependencies page to install KDE.

If you downloaded all the 35 packages correctly (1 package = binary + binary.md5 + libraryArchive + libraryArchive.md5) then the installer will skip directly to installation and it will install KDE on your computer. If not, it will download the missing packages and install it once it is complete.

That’s it! KDE is installed and you can run Umbrello from the Start Menu Shortcuts or from the bin folder in the KDE directory (C:Program FilesKDE by default)

That was the gist of what you need to do to be able to run Umbrello on Windows. Now for step-by-step instructions.

1)  Download the KDE Mirror List from here. If the link is dead you can choose one of the mirror sites from here:

ftp at
http at
ftp be
http be
ftp de
http de
ftp dk
http dk
ftp es
http es
ftp nl
http nl
ftp tw
http tw
ftp us
http us
http us
http us
http ca
http cn
ftp de
http de
http ro
ftp ro
ftp cz
http cz
ftp pl
http pl
ftp pl
http pl
ftp se
http se
ftp gr
http gr
ftp it
http it
ftp be
http be
ftp is
http is
ftp ie
http ie
ftp jp
http jp
ftp gr
http gr
ftp ie
http ie
http it
ftp fi
http fi
http au
ftp us
http us
ftp au
http au
ftp kr
http kr
ftp us
http us
ftp us
http us
http fr
ftp ru
http ru
http uk
http de

Choose any of the websites given above although you should preferably choose a website which is closer to your location for faster download speeds. Most of these websites allow directory listings, so you should be able to see a list of directories on the website.

2) Navigate to stable -> 4.2.1 -> win32.You will now be able to see all the KDE packages in this directory. You don’t need all of them so don’t download them all. You need to download 143 files which are listed below:

The total file size should be about 154MB.

Note: You will also need to download the Visual C++ 2005 SP1 Redistribution Package if you don’t already have it.

3) Place all these files in a single directory. Now start the Installer and choose Install From Internet.


4) Click Next and choose the End User Install Mode.


5) In the next screen you will need to enter a Download Path. Choose the directory where you stored all the downloaded packages and click Next.


6) The next screen displays all the KDE releases which are available for download. As of writing, the latest KDE version is 4.2.1 stable but choose a newer version if it is available. If a newer version is available, ensure that you are downloading the correct packages.


7) In the next screen you will need to select KDE packages which you wish to install. Since we only want Umbrello, check the kdesdk-msvc Package but you can add any other package that catches your fancy but keep in mind that the extra packages that you’ve selected might need other packages as well. To be honest, you don’t need to worry so much. The installer will automatically download the required packages, although it will take a lot longer than if you do it manually. Click Next.


8)  If you’ve done everything correctly, the installer should jump directly to the installation part and the installer window should look something like this:


If not, there’s no need to worry. The installer will download the other packages for you and then start the installation process.

9) You’ve successfully installed KDE on your computer. If the installation is successful you should see a screen like this:


Now all you have to do is navigate to KDE 2.4.1 Release -> Development from the Start Menu and click on Umbrello. Alternatively, double-click on the Umbrello icon in the <KDE_Install_Directory>bin folder.


Umbrello should now start. :)



Note: Umbrello on Windows has many bugs and crashes when you right click and select the export to image option. If you use the Main Menu, you can export the diagrams as images and it wont crash. It might also crash while closing Umbrello. KDE for Windows is still a work in progress and they’ll fix these bugs in future versions so keep checking for newer, stable releases.