[Jake]

The other day I logged into the Kijiji app on my iPhone and I got a warning that my password was easy to guess since it was based on a common word. Then it proceeded to list the word that is part of my password.

First, my password is a rare word but it is also mixed case and contains numbers and specials characters. Second I assumed that companies like Kijiji (i.e. Ebay) don't keep your passwords stored like that. Otherwise what is to stop a dishonest employee from scraping all the passwords and selling to the highest bidder. Or is there some client side check done without sending any data back to Kijiji?

I kinda understand salting and encrypting enough to know how little I know. But I assumed Kijiji/Ebay did this. Or am I completely misunderstanding the issue?

All my passwords are different and I don't store any personal or financial information on Kijiji but I still like to keep my accounts secure.

Any and all tips gratefully accepted.

 

[Ed7789]

Like you said, you just signed into Kijiji. That's how they had your password in a non-hashed form.

While I don't know Kijiji specifics, the password field on your device is not usually protected. It's only masked.
All the security measures come into effect when you click that little "Submit", and the protection at that point differs. I wouldn't be surprised that they send the password in encrypted cleartext (clear text, but encrypted by the transport protocol). More security robust applications will hash (one-way operation) on your device, send that hash over and then hash again.

If they do store passwords in cleartext, that's inappropriate practice on their behalf.

 

[Dr.Dave]

The other day I logged into the Kijiji app on my iPhone and I got a warning that my password was easy to guess since it was based on a common word.

Are you using a password manager like iCloud Keychain? It can operate with apps that are set up to use it and checks for common words in passwords. See Set up iCloud Keychain

 

[Jake]

Thanks Dave. Mystery is solved. Keychain was off. But now that you mentioned it I did recall using the autofill with my username and password when I was asked to login to the app. A little checking and under Settings | Password I found AutoFill Passwords was on and it listed 5 entries. At the top was an exclamation saying Security risks were found. When I looked it said Detect Compromised Passwords was on and all 5 entries had "Easily guessed password" beside it. Which is weird because they are all different passwords with a mix of 10 numbers, letters and special symbols.

Also, I am familiar with Google security check. I had a few accounts flagged there due to hacks and changed them a while ago.

I guess I will need to reevaluate my password habits.