Passwords and Libon

Users of Libon,
Wonderful that you are keeping us on our toes: you’ve helped define the product so far and we hope you continue to do so.

Dan Palmer has raised some potential concerns over our security policy. We’d like to address those.

We obviously take security very seriously.

  • Passwords are never stored in plain text on our servers, nor are they transmitted insecurely.
  • The passwords themselves are encrypted on the database and, when sent via a text message, go over the encrypted GSM network.
  • All our API calls use HTTPS encryption and we have up-to-date security certificates for all our platforms, which are also within secure premises.
  • We chose to use a password reminder to help users as they moved between their PC and the mobile client.

Based on some user comments and feedback we have scheduled an update which will replace the existing process with a password reset and cryptographic (one way) hash.

Until then, if a Libon user feels their mobile has been compromised (e.g. lost or stolen), please contact iphone@support.libon.com and we will reset your password. If not, then please enjoy Libon.

Hope this reassures everyone and keep all ideas and comments coming.

About Aurelien

Aurélien Fonteneau: mobile blogger, works for Libon at We Are Social.

35 Responses to Passwords and Libon

  1. Dan Palmer says:

    Thanks for responding to this point. Unfortunately the response is not enough, and here are some responses to your points.

    – Passwords might not be stored in plaintext on your servers, but if your servers were compromised (very possible, see LinkedIn, Sony, etc etc) then an attacker could easily decrypt all of the passwords. If they were hashed properly this would not be possible.

    – The GSM network encryption has been known to be incredibly vulnerable and snooping messages on the network can be done with a bit of cheap kit from eBay and a little know-how. The GSM standard is not considered secure any more.

    – You use HTTPS and SSL certificates, but do not pin the certificates and therefore a compromised (or in some cases, legitimate) Certificate Authority could be used to generate valid but fake certificates that can easily be used to snoop network traffic. I have used this method to analyse the Libon API myself, something which would not be possible if SSL had been used correctly.

    – Passwords should be hashed. There is no excuse for this. You are putting customers’ entire online lives at risk. Fix it.

  2. mik says:

    Good job Dan. I think they are hashing and replacing the passwords.
    GSM doesn’t matter due to SSL, unless they sent an SMS with the password, which can’t be done anymore.
    Now could you explain certificate pinning?

  3. mik says:

    This has something to do with it, idk what it is tho and don’t have the password
    http://portal-on.sqli.com/en

  4. Dan Palmer says:

    I just came back here to check on the status of the issues.

    – Passwords are still being stored in a retrievable format as far as I know.
    – SSL pinning is now being done.
    – GSM is still insecure and isn’t getting any better.
    – If I go to http://libon.com/web, type in a phone number, and click get password, then on many models of phone I can watch the password pop up on their screen. That’s not only incredibly bad for the security of Libon itself, but also irresponsible as Libon will know full well that many users use the same password for many different services.
    – Also, there’s a typo on the reset dialog, it says ‘tour’ instead of ‘your’. Very professional.

  5. Aurelien says:

    Hi Dan,

    Thanks for your comment and for helping us improve the product. This is undergoing development.

    Best wishes,

  6. MsTrina says:

    Still having password problems!!

  7. Aurelien says:

    Hi MsTrina

    Could you send us your phone number and email address by email at iphone@support.libon.com ?

    Thanks

  8. Angrej singh says:

    I need password plz, I forgot my password

  9. Aurelien says:

    Hi Angrej, could you send us your phone number at iphone@support.libon.com?

    thanks

  10. angrej singh says:

    07401559895

  11. Felicia Jenkins says:

    I have forgotten my password. Please help!

  12. Aurelien says:

    Hi Felicia, can you send an email to iphone@support.libon.com?

  13. Felicia says:

    I have forgotten my password. Please help with a new one.

  14. Maryam says:

    I lost my password

  15. Aurelien says:

    could you both send an email to iphone@support.libon.com ?

    thanks

  16. angel says:

    Hi… I need some help… I’m currently staying here in Kuwait and I want to download the Libon application on the Play Store but it says my country is not supported to download the application. I’m just confused because my friends here in Kuwait have been able to get the application. I’m using a Samsung Galaxy Note (N7000) and they are also using Samsung and iPhone. Can you please help me with what to do? Thank you.

  17. apple games says:

    Hello, I got over to your web-site via Pinterest. Not an item I generally read, but I appreciate your views none the less. Thank you for creating some thing worthy of reading through!

  18. Wonderful, what a blog it is! This blog gives useful information to us,
    keep it up.

  19. altaf hussain says:

    Forget password

  20. ?? says:

    How do I get the Libon password?

  21. srinivas says:

    Recovery my Libon password

  22. abid says:

    I need my libon password

  23. I am using a Samsung Galaxy Mini. I am in Saudi Arabia.

  24. I am using a Samsung Galaxy Mini. I forgot my password. I am in Saudi Arabia. Thank you.

  25. Mohd Rizwan says:

    I’m using a Samsung Galaxy Grand. I forgot my Libon password.

  26. manish kumar singh says:

    Hi, I am Manish Kumar Singh. I forgot my Libon password. Please, I request that you send my password.

  27. ishfaq.ahmed says:

    I forgot my password

  28. ishfaq.ahmed says:

    I forgot my Libon password, plz tell me my password

  29. ishfaq.ahmed says:

    I need my Libon password

  30. Mahinda Senarath says:

    I forgot my password

  31. samaida says:

    Pls help me, I forgot my Libon password

  32. imtiyas says:

    Sorry, I forgot my password, need a new p.w
