Keeping your data safe is something we take very seriously, so this post takes a closer look at how we keep your personal and tax information safe from prying eyes. This isn’t intended to be an academic document, but rather a quick overview of how some of our security works. I’ve opted for ease of understanding over pedantic correctness.
There are two things that you give us that we know we must keep secret: your password, and your personal and tax information. We use your password to encrypt your information, so let’s first look at how we handle your password.
While you’re using SimpleTax, all of the traffic sent between our server and your web browser is encrypted using Secure Sockets Layer (SSL). That’s the lock or green bar you see in your address bar. This ensures that if someone found a way to listen in on the conversation, he wouldn’t be able to understand what was being said.
But even if he were able to listen to the unencrypted conversation, we still want to keep your password a secret. So, instead of transmitting your password, we transmit a fingerprint of your password. This works much like a human fingerprint in that it uniquely identifies a person, but doesn’t tell you much about that person’s features. This way we know that the password you typed is correct without ever transmitting the password itself.
The method we use to generate the fingerprint is called hashing and we use a hashing function called MD5. All a hashing function does is take in a piece of data and then spit out a string of characters, making it difficult to guess what you put into it when you just look at what you got out of it. For instance, have a look at the following MD5 hashes and try to guess the password that generated each one.
They were “simpletax” and “$impletax”, respectively. Now, an attacker could be clever and have a big list of common passwords and their MD5 hashes. These do exist and they’re called rainbow tables. A sophisticated computer setup can generate a rainbow table of every 5-character password in a matter of minutes. As the length of a password increases, the amount of time it takes to create a rainbow table grows exponentially. So, if it takes 10 minutes to make a rainbow table for every 5-character password, it might take 10 hours for every 6-character password.¹
Since these tables are out there, we salt your password before we hash it. Salting your password means that we manipulate it so that existing rainbow tables are useless; an attacker would have to create a new rainbow table that takes into account our salting method to break your password—something that takes a considerable amount of time.
We also need to store your personal and tax information safely in our database. The database is physically housed in a secure location and you can’t access it directly. Even so, we need to account for a worst-case scenario: either someone physically taking the server, or someone hacking one of our accounts and breaking into the server remotely—both very difficult, but not impossible.
For this reason, we encrypt your information using several other hashing and salting algorithms with your password as the key.² When it’s all said and done, even we can’t view your data. This is also why we don’t have a password reset option. When you lose your password, it’s gone, along with the key to decrypt your data. You can change your password, but you need to know your old password so our software can decrypt and re-encrypt your data.
So that’s how we keep your data safe. We never transmit your actual password, only a fingerprint of it. When we do transmit that fingerprint, or your personal and tax information, it’s done over an SSL connection. And when we store your data, it’s encrypted so that only the person with the password can view it.
¹ We hash your password on the client side so it isn’t immediately readable while in transmission, in addition to the SSL encryption. ROT13 or adding 100 to each character’s byte value would have worked just as well, but creating a rainbow table with our client salt would take an attacker much more time. This is primarily to thwart eavesdropping.
² MD5 is not used to secure your password or data on our server. Your password (already an MD5 hash) is salted again using a salt unique to each user, generated by a popular key-derivation function, and hashed again using a different algorithm.
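The two stages described above (a salted MD5 fingerprint in the browser, then a per-user salted key-derivation step on the server) as an added example in Python. This is not SimpleTax’s code; the client salt value is constructed, and PBKDF2-HMAC-SHA256 with 100,000 iterations is an assumption standing in for the unnamed “popular key-derivation function” and “different algorithm”. It also shows why a precomputed MD5 table recovers an unsalted hash but not the salted fingerprint.

```python
import hashlib
import hmac
import os

# Constructed for illustration; the real client salt is not on the page.
CLIENT_SALT = "example-client-salt"
# Assumed KDF parameters (the page does not name the KDF or its settings).
KDF_ITERATIONS = 100_000


def client_fingerprint(password: str) -> str:
    """Browser side: MD5 of the salted password, so the raw password is never sent."""
    return hashlib.md5((CLIENT_SALT + password).encode()).hexdigest()


def server_register(fingerprint: str) -> dict:
    """Server side: stretch the received fingerprint with PBKDF2-HMAC-SHA256 and a
    fresh random salt for this user. Only the salt and the derived value are stored;
    the fingerprint itself is discarded."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", fingerprint.encode(), salt, KDF_ITERATIONS)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: dict, fingerprint: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", fingerprint.encode(), record["salt"], KDF_ITERATIONS)
    return hmac.compare_digest(candidate, record["verifier"])


def build_plain_md5_table(candidates) -> dict:
    """A tiny stand-in for a rainbow table: precomputed MD5 of common passwords."""
    return {hashlib.md5(p.encode()).hexdigest(): p for p in candidates}


def table_lookup(table: dict, observed_hash: str):
    """What an eavesdropper learns from an observed hash using that table (None if nothing)."""
    return table.get(observed_hash)


if __name__ == "__main__":
    fp = client_fingerprint("simpletax")
    record = server_register(fp)
    print("login ok:", server_verify(record, fp))  # True
    print("wrong password:", server_verify(record, client_fingerprint("$impletax")))  # False

    table = build_plain_md5_table(["simpletax", "$impletax", "password"])
    print(table_lookup(table, hashlib.md5(b"simpletax").hexdigest()))  # simpletax
    print(table_lookup(table, fp))  # None: the client salt defeats the precomputed table
```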
Updated April 1, 2013 to clarify that MD5 is not used to secure your password or data on our server.