How do sites like Meebo store usernames and passwo

Posted 2019-06-19 19:04

I recently used Meebo and I must admit I'm a little paranoid about typing my IM login information into a site like this. How do they store my username and password for each of the separate IM services? I only feel comfortable when a site takes my password and does some type of irreversible, one-way function on it, but it seems that Meebo would have to store my passwords in a way that they could retrieve them at any time in order to facilitate the automatic logon into the separate IM services they support. Am I justified in being paranoid about this?


EDIT: I found this excerpt from Meebo's privacy policy:

Third Party IM Service User Names and Passwords. Meebo allows you to access third party IM services by logging into your account through Meebo (the "Third Party IM Services"). In order to access your Third Party IM Service account, you must enter your applicable user name(s) and password(s) on the Meebo Service. To use the basic IM services on the Websites, Meebo does not store the password(s) of your Third Party IM Service accounts on our server. If you wish to utilize advanced features of the Services, such as automatic sign-in, storage of your password(s) may be necessary.

Jeff Atwood posted on this topic a while back in this article: Please Give Us Your Email Password.

7 answers
疯言疯语
#2 · 2019-06-19 19:27

Yes, you are justified. When you give your username/password to a site, any site, you really have no idea/guarantee what they are going to do with it and how they will protect it.

戒情不戒烟
#3 · 2019-06-19 19:28

Yes, you are.

神经病院院长
#4 · 2019-06-19 19:34
  1. Meebo to Piskvor: Give me your IM password, I'll login for you.
  2. Piskvor to Meebo: It's "12345".
  3. Meebo to IM: Hello, I'm "Piskvor"; to prove it, my password is "12345"
  4. IM to Meebo: Hello, you are indeed "Piskvor"; there's also a message for you from user "average".
  5. Meebo to Piskvor: There's a message for you from user "average".
  6. (etc)

Take note of lines 2 and 3. In order to do #3, Meebo needs your password; (unless there's some cooperation between the IM provider and Meebo (which is possible but unlikely)) it has, at some point between those lines, your plaintext password.

Congratulations, you no longer have complete control over your IM account; as far as the IM service cares, Meebo is you.

In other words: do you trust Meebo not to abuse your password? Do you trust Meebo to protect your password? Do you trust that Meebo won't be hacked and your password stolen? As far as I see, there's no way to tell (unless you're Meebo, which you're not).

It boils down to this: do you trust Meebo's promises?

Here's my $0.02: Convenient? Check. Horribly insecure? Check.


Oh, and to answer the question in the title: best practice would be "encrypt the password, don't keep the plaintext anywhere (any longer than absolutely necessary)". However, I've seen too many databases with plaintext password fields; some businesses apparently see encryption as a waste of effort until Something Really Bad Happens. Does Meebo? I don't have a way to tell.

Viruses.
#5 · 2019-06-19 19:36

Unless they have contracts with each of the vendors in which they create a hash and pass just the hash, they will need to store your information.

在下西门庆
#6 · 2019-06-19 19:43

They explain how they send the data from the browser to their servers here: RSA encryption in JavaScript before form submission.

http://www.meebo.com/security/

EDIT: Clarification, they don't specify how they store it, but presumably it's a two-way encryption, maybe with the user's password as the key?

干净又极端
#7 · 2019-06-19 19:44

On the meebo blog they discuss their security features in more detail. Here is the summary:

"We store a salted hash of your [meebo] password, NOT The password itself."

"[we use your] Meebo account password to temporarily decrypt the passwords for your IM accounts. We only keep the decrypted version in memory, and we forget the decrypted version as soon as you log out."

So the service seems pretty safe. If you want to be extra safe don't log in with your meebo account, instead log in with your IM details.

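The scheme quoted in the last answer above (a salted hash of the account password, with IM passwords decrypted only in memory using that password), sketched as an added example; it is not Meebo's code and not part of the original thread. The function names and the choice of scrypt and AES-256-GCM are assumptions made for illustration, and the sample values are constructed.

```javascript
// Added illustration; all function names here are hypothetical.
const crypto = require('node:crypto');

// Slow, salted derivation used both for the login hash and for the key.
const kdf = (password, salt) => crypto.scryptSync(password, salt, 32);

// Enrollment: store a salted hash for login checks plus a separate salt for
// the key-encryption key (KEK). Neither the password nor the KEK is stored.
function enroll(accountPassword) {
  const authSalt = crypto.randomBytes(16);
  const kekSalt = crypto.randomBytes(16);
  return { authSalt, authHash: kdf(accountPassword, authSalt), kekSalt, vault: {} };
}

// Login: check the salted hash, then derive the KEK, which lives in memory only.
function login(record, accountPassword) {
  const candidate = kdf(accountPassword, record.authSalt);
  if (!crypto.timingSafeEqual(candidate, record.authHash)) return null;
  return kdf(accountPassword, record.kekSalt);
}

// Encrypt a third-party IM password under the KEK (reversible, unlike the hash).
function storeImPassword(record, kek, service, imPassword) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', kek, iv);
  cipher.setAAD(Buffer.from(service)); // bind the ciphertext to its service name
  const ct = Buffer.concat([cipher.update(imPassword, 'utf8'), cipher.final()]);
  record.vault[service] = { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt for sign-in; throws if the KEK is wrong or the stored blob was altered.
function loadImPassword(record, kek, service) {
  const { iv, ct, tag } = record.vault[service];
  const decipher = crypto.createDecipheriv('aes-256-gcm', kek, iv);
  decipher.setAAD(Buffer.from(service));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample values.
const record = enroll('correct horse battery staple');
const kek = login(record, 'correct horse battery staple');
storeImPassword(record, kek, 'im-service', '12345');
console.log(loadImPassword(record, kek, 'im-service')); // plaintext exists only in memory
kek.fill(0); // "forget" the key at logout
```

Even with this design the server handles the plaintext IM password on every sign-in, and anyone who obtains the stored record can guess the account password offline to unlock the vault, so the strength of the account password bounds the protection.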