If you create an account online somewhere, how do you know that the employees and operators of the website do not misuse your login credentials?

Very short: you don’t know.

When it comes purely to your login details, that is usually less of a concern.

Generally, websites do not store the passwords themselves but a kind of fingerprint of your password. This way, employees or attackers do not simply have the passwords in readable form.

When you log in and enter your password, a new fingerprint is created and compared to the saved fingerprint. This allows the website to check whether your password is correct, while the password itself is not stored.

However, within companies that offer online services, there are always people who have access to all the data. Including the data you would normally see when you log in.

Furthermore, there are websites that do not store their passwords securely. Or you may have a simple or short password, or a password that you have also used on other websites.

A fingerprint of such a password is easily traced back to the password you used.

If so, a hacker or malicious employee of such a company where you log in can theoretically find out which password you are using.

Via sites like https://haveibeenpwned.com/ you can find out if your data has been leaked.

You don’t know that; you have to trust it. There are sometimes logs, but those can sometimes be altered by employees.

You make sure you use unique data, so don’t use the same password anywhere else.
What’s better is when the website integrates with an existing authentication provider: for example, Facebook/Google/Microsoft. For businesses, think of Active Directory integration. Then the company does not get your login details, but only a signal that you are who you say you are, established by Facebook/Google/Microsoft. If you are not comfortable with that, it is a completely different question whether you should be doing what you want to do online at all.

So that’s one of the things you don’t know exactly!

Besides not knowing whether that company’s employees use the data, you also don’t know how well or badly it is secured, and whether a malicious third party is using that data.

I would say that at this point you have to assume that this data can be abused.

To repeat the mantra: use a password manager and log in with generated passwords only!

You don’t. But nowadays I use Google login, expecting that they have thought about it. If I have to come up with a password, I no longer sign up.

You don’t know.

But there is also little reason for employees to use your login credentials if they want to do something anyway. The data can usually be viewed via the backend without any need for your account information. Data can also be added or modified through the backend.

If you reuse login data, i.e. the same username and password for different sites/accounts, then there is a theoretical chance that they try to log in to another application with it.

But nowadays it is already standard to store users’ passwords in a way that is no longer readable to people. A formula that works in only one direction is used. Only when the same data is entered again does the result look the same as the saved password. This means employees cannot read the password used and therefore cannot use it on other sites.

In addition, it is advisable to take advantage of two-factor authentication. This is usually a combination of something you know (username and password) and something you have (e.g. a phone). A code is then sent to your phone, and you also need to enter this code on the site.
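The "fingerprint" in the first answer and the "formula that works in only one direction" in the last answer are both password hashing. The example below, added here and not taken from any of the answers, shows the two storage styles the answers contrast (an unsalted single SHA-256, and a salted, slow PBKDF2-HMAC-SHA256), the login check that recomputes the fingerprint, and why a short or reused password is "easily traced back": a dictionary attack against both. The wordlist is a constructed stand-in for a leaked-password list; the iteration count is an assumption to be tuned per deployment.

```python
"""Password fingerprints (hashes) and a dictionary attack against weak ones."""
import hashlib
import hmac
import os
import secrets
import string
from typing import Iterable, Optional

# Constructed stand-in for a leaked-password dictionary (assumption, not real data).
COMMON_PASSWORDS = ["123456", "password", "welkom01", "qwerty", "letmein", "hunter2"]


def naive_fingerprint(password: str) -> str:
    """Unsalted single SHA-256: what a site that does not store passwords securely might do."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_fingerprint(password: str, iterations: int = 600_000) -> str:
    """Salted, deliberately slow, one-way fingerprint (PBKDF2-HMAC-SHA256).

    Only this string is stored; the password itself never is. The iteration
    count is an assumed work factor and should be tuned per deployment.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login check: recompute the fingerprint with the stored salt and compare."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time compare so the check itself does not leak which bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_naive(fingerprint: str, wordlist: Iterable[str]) -> Optional[str]:
    """Unsalted fast hash: one precomputed table cracks every user on every such site."""
    table = {naive_fingerprint(word): word for word in wordlist}
    return table.get(fingerprint)


def crack_pbkdf2(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Salted slow hash: each guess costs a full PBKDF2 run per user, but a password
    that appears in the wordlist still falls. Only a unique, random password survives."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


def generate_password(length: int = 20) -> str:
    """What a password manager does: a random password that no wordlist contains."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    weak, strong = "welkom01", generate_password()
    print("naive weak   ->", crack_naive(naive_fingerprint(weak), COMMON_PASSWORDS))
    print("pbkdf2 weak  ->", crack_pbkdf2(make_fingerprint(weak, 10_000), COMMON_PASSWORDS))
    print("pbkdf2 strong->", crack_pbkdf2(make_fingerprint(strong, 10_000), COMMON_PASSWORDS))
```

Note that the salt and slow hash do not rescue a weak password; they only make the attacker pay per guess per user. The password that cannot be traced back is the one that is not in any list, which is the case for the generated, unique password the answers recommend.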
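For the second factor, the answer describes a code on your phone. The added example below (mine, not from the answer or any product) implements the authenticator-app variant of that code, HOTP (RFC 4226) and TOTP (RFC 6238), including the server-side check with a small time window to absorb clock drift. It generalises the SMS-delivered code in the answer to a code both sides compute from a shared secret; that generalisation is my assumption. The secret and timestamps below are the RFC 6238 test values, so the outputs can be checked against the RFC.

```python
"""One-time codes for the 'something you have' factor: HOTP (RFC 4226) and TOTP (RFC 6238)."""
import hashlib
import hmac
import struct
import time

# RFC 6238 SHA-1 test secret (20 ASCII bytes); a real deployment uses a random per-user secret.
RFC_TEST_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP interval


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                digits: int = 6, step: int = TIME_STEP) -> bool:
    """Server-side check: accept the current step and +/-window neighbours for clock drift.

    A real server must also record the accepted counter so the same code cannot be
    replayed inside the window (not shown here).
    """
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("code on the phone:", code)
    print("server accepts it:", verify_totp(RFC_TEST_SECRET, code, now))
    print("server rejects stale:", verify_totp(RFC_TEST_SECRET, code, now + 10 * TIME_STEP))
```

The important security property is that the code is derived from a secret the attacker does not have and from a counter or time that moves on, so a leaked password alone is not enough to log in, and a captured code stops working after at most a few time steps.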
