U.S.P.S. Informed Delivery Vulnerable

Posted on Feb 27, 2018 in Web Security

Sounds like a cool idea – see what’s coming to your mailbox while you’re at work, or maybe on vacation.  That’s what the U.S. Postal Service’s “Informed Delivery” lets you do.

Just fire up an app on your phone and see what will be delivered to your mailbox today.  Imagine sitting in front of the fireplace on a frigid February morning, absorbed by a fascinating article on CompuSolver.com.   The only sounds are the occasional cracking of an ember and the constant howling of the wind.

The mail truck momentarily stops in front of your house.  Is it worth braving a wintry onslaught?  Fire up your “Informed Delivery” app and actually view photos of each envelope or package.  Pretty cool, eh?

But wait!  You suddenly remember that back when you signed up using the Informed Delivery online form, you were restricted in what characters you could use for your Informed Delivery password and in the length of your password.

Why should that bother you?  Because this means that Informed Delivery is NOT using the most secure methods to store passwords.  Passwords should be hashed and only the resulting characters (the hash) should be saved.  These characters are automatically all safe to store and the length of the hash has no bearing on the length of your password.  (See the image at the bottom of this article.)

Let me restate this – proper password policies allow any length of password – you could copy/paste the entire works of Shakespeare if you like – the site is still only going to store a hash of about 50 characters or so.  Also, you could type it in your native Martian, using any characters you like.  The hashing is still only going to use safe characters in its hash – the only thing that should be stored.  And yet, it will compute the same hash whenever you log in using your ungodly and unworldly password!
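The point above, as an added example (not code from the original article or from U.S.P.S.): a salted PBKDF2 hash stores the same number of safe characters whether the password is short, enormous, or non-ASCII.  The iteration count, the record layout and the sample passwords are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune for your hardware

def _to_bytes(password):
    # NFKC-normalize so the same Unicode password hashes identically on every device.
    return unicodedata.normalize("NFKC", password).encode("utf-8")

def hash_password(password):
    """Return the only string the site needs to store: algorithm, cost, salt, digest."""
    salt = os.urandom(16)  # unique per user, so equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", _to_bytes(password), salt, ITERATIONS)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return f"pbkdf2_sha256${ITERATIONS}${b64(salt)}${b64(digest)}"

def verify_password(password, record):
    """Recompute the digest with the stored salt and cost, then compare in constant time."""
    _algo, cost, salt_b64, digest_b64 = record.split("$")
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", _to_bytes(password), salt, int(cost))
    return hmac.compare_digest(actual, expected)

# Constructed sample passwords: short, very long, and non-ASCII with symbols.
SAMPLES = ["hunter2", "to be, or not to be; " * 5000, "pässwörd-密码 <'\";-->"]

def demo():
    records = [hash_password(p) for p in SAMPLES]
    for password, record in zip(SAMPLES, records):
        print(f"{len(password):>6} chars in -> {len(record)} chars stored: {record[:40]}...")
    return records

if __name__ == "__main__":
    demo()
```

Because the stored record never contains the password itself, a site built this way has no reason to restrict which characters you may type.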

So what?  Well here’s “so what” – it means the U.S.P.S. Informed Delivery is probably storing your passwords directly – just the way you entered them.  Otherwise there would be no need to restrict the type or number of characters.

So what happens when they get hacked?  First – remember that when large organizations get hacked, the public rarely hears about it until months later.  In fact, it generally takes months, if not years, for an organization – corporate or government – to even realize they’ve been hacked.  Informed Delivery has your Social Security number info, your previous addresses and who knows what other information about you.

Here’s a tip:  Use Password-Machine.com for all your passwords.  It will never store or “remember” your password – it gets computed each time.  This way there is nothing for a hacker to get if they ever managed to break in.

[Image: the way Informed Delivery should do passwords]