Lunarpages Web Hosting Forum

Author Topic: Is an email redirect less secure as a login?  (Read 50192 times)

pgoso
Is an email redirect less secure as a login?
« on: September 11, 2017, 06:41:15 PM »
Currently I use an email address from LP which is redirected to an encrypted email to log in to important websites. I like being able to quickly change where my emails go if I have to. I'm not sure about the security level with this, though. Is the security level any different than if I used my actual encrypted email address?


MrPhil, Senior Moderator
Re: Is an email redirect less secure as a login?
« Reply #1 on: September 12, 2017, 05:16:55 AM »
I'm not sure I've heard of this method before. I can't tell if you're directly signing on with some special email address as an ID, or an email is received by certain websites and logs you in that way (or authorizes you to log in for a short period of time). Could you provide a link to a description of the steps involved?

Regarding security levels, a chain is only as strong as its weakest link. Any unencrypted email could be intercepted and read, and then spoofed. Email addresses are out in the open (not encrypted). Without understanding more about how this login system is supposed to work, I can't say anything more than that.

Add: Some websites hash the password in JavaScript, at the browser, and send that to the server. It avoids sending the password in the clear, but the hashed password could still be intercepted and read (and later spoofed), so I'm not sure it's much of an improvement. Perhaps if the server also sent a hash "salt" as part of the sign-on panel, that could then be a unique password per session (of course, this means storing the password clear text on the server, so it can be rehashed each time, which is its own security complication). Then, a password over an SSL-encrypted link would be far more secure than a clear text password over non-SSL. More and more sites are over SSL now (or at least, sensitive information such as logins), so that should help.
« Last Edit: September 12, 2017, 07:45:04 AM by MrPhil »
-= From the ashes shall rise a sooty tern =-
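
Added example, not part of MrPhil's post or any site's actual code: a small Python simulation of the two schemes described in the reply above, a fixed browser-side hash versus a response bound to a per-session salt sent by the server. The names, the sample password, and the choice of SHA-256/HMAC-SHA256 are assumptions; the thread does not name a hash function.

```python
import hashlib
import hmac
import secrets

PASSWORD = "correct horse battery staple"  # constructed sample, not from the thread

def static_hash(password: str) -> str:
    """Scheme 1: the browser always sends SHA-256(password)."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_response(secret: str, salt: bytes) -> str:
    """Scheme 2: the browser sends HMAC-SHA256(secret, per-session salt)."""
    return hmac.new(secret.encode(), salt, hashlib.sha256).hexdigest()

class Server:
    def __init__(self, password: str):
        self.stored_hash = static_hash(password)  # enough for scheme 1
        self.stored_secret = password  # scheme 2 must keep the secret itself
        self.open_salts = set()

    def check_static(self, sent: str) -> bool:
        return hmac.compare_digest(sent, self.stored_hash)

    def new_salt(self) -> bytes:
        salt = secrets.token_bytes(16)
        self.open_salts.add(salt)
        return salt

    def check_salted(self, salt: bytes, sent: str) -> bool:
        if salt not in self.open_salts:
            return False  # unknown or already-used salt
        self.open_salts.discard(salt)  # each salt is valid once
        return hmac.compare_digest(sent, salted_response(self.stored_secret, salt))

def demo() -> dict:
    server = Server(PASSWORD)
    wire_static = static_hash(PASSWORD)  # value visible on an unencrypted link
    salt = server.new_salt()
    wire_salted = salted_response(PASSWORD, salt)
    return {
        "static_first": server.check_static(wire_static),
        "static_replayed": server.check_static(wire_static),
        "salted_first": server.check_salted(salt, wire_salted),
        "salted_replayed": server.check_salted(salt, wire_salted),
        "salted_on_new_salt": server.check_salted(server.new_salt(), wire_salted),
    }

if __name__ == "__main__":
    print(demo())
```

The fixed hash is accepted every time it is presented, so it behaves exactly like the password; the salted response is accepted once and is useless against any later salt, at the cost of the server holding a value from which every response can be computed.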