Passwords not held here

Naturally, even when we’re trying to access a useful service such as Rightly Save, we’re all wary of sharing any personal data, and perhaps especially login details to our key online accounts. But here we share how the underlying technology means that no one, not even the website or app you’re interacting with, can see your password.
5 min read
There are many times when we need to log in to a website or app, and sometimes it gives us the option to use existing login credentials we already hold with another site. For example, a website might invite you to use your Facebook login details, or it might ask you to use your Google or Microsoft account, as we do at Rightly in order to use our Rightly Save or Rightly Protect services.
Sometimes, users get concerned that they may be typing in sensitive usernames and passwords and that the third-party website may be recording all the details. But genuine websites and apps are not able to do that, even if they wanted to. There is a series of protocols in place that mean you can log in to a website service confident in the knowledge that your details will not be captured.
If I login using my Google username and password, does Rightly see my password?
No. Rightly doesn’t get to see any of it. The way it works is this: when you log in to a website using, for example, your Google credentials, the website itself does not have access to your password. The login process using your Google credentials involves a secure authentication mechanism to keep your information private to you.
How does that work?
So, let’s use the Rightly login process as an example. With our Rightly Save service, our technology pulls together all your insurance policies into one place. To find them, Rightly asks you to log in to either your Google or Microsoft account so that, later, you can give Rightly permission to find your policies. We’ll use Google as the example:
- You click on the option to log in with your Google account on the Rightly site and you are redirected to the Google login page
- On the Google login page, you enter your Google username and password
- Google verifies your credentials and, if they’re correct, generates a unique ‘token’ for your session
- Google then sends this token back to the Rightly website. This is the clever bit: Rightly only ever gets to see the token, not your login details
- The Rightly website receives the token and uses it to communicate with Google’s servers to verify its authenticity and retrieve some basic information about your Google profile
The crucial point to note is that at no stage of this process does Rightly get to see your Google password. The authentication is handled entirely by Google, and Rightly only receives a token that grants limited access to certain information from your Google profile, such as permission to search for insurance policies.
This approach enhances security because it ensures that your Google password remains confidential and is not shared with multiple websites.
It’s a hash
Even at the Google end, passwords are kept secure through ‘hashing’. Password hashing is a technique used to protect passwords by converting them into a different form, called a hash, before storing them in a database. A hash is a fixed-length string of characters generated by a one-way mathematical algorithm. The important aspect of this process is that it’s extremely difficult to reverse-engineer the original password from the hash.
When a user creates an account or sets a password, the system takes the password and applies a hashing algorithm to it, generating a unique hash. This hash is then stored in the system's database, instead of the actual password. The original password is discarded and not saved.
When a user attempts to log in, they provide their password again. The system applies the same hashing algorithm to the provided password and compares the resulting hash with the stored hash in the database. If the hashes match, the user is granted access. This way, the system can verify the password without ever storing or seeing the actual password itself.
Password hashing provides an additional layer of security because even if a database breach occurs and the stored hashes are compromised, it would still be extremely difficult for an attacker to reverse-engineer the original passwords from the hashes. It helps protect user passwords and reduce the risk of unauthorised access to accounts.
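The five-step login flow above and the hash-then-compare check described in this section, modelled end to end as an added example (this is illustrative code, not Rightly’s or Google’s). The identity provider keeps only salted PBKDF2 hashes and mints a random token on a successful login; the relying party is handed the token alone and asks the provider to confirm it. The work factor, token lifetime and scope name are assumed values.

```python
import hashlib, hmac, os, secrets, time

PBKDF2_ROUNDS = 200_000          # assumed work factor for this example
TOKEN_LIFETIME_SECONDS = 3600    # assumed lifetime of a login token


class IdentityProvider:   # stands in for Google: holds salted hashes, never plaintext
    def __init__(self):
        self._users = {}    # username -> (salt, pbkdf2 hash)
        self._tokens = {}   # token -> (username, scope, expires_at)

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)   # the plaintext is discarded here

    def check_password(self, username, password):
        # Re-hash the supplied password with the stored salt and compare in constant time
        if username not in self._users:
            return False
        salt, digest = self._users[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def login(self, username, password, scope):
        # Steps 2-3 of the flow: the password is typed here and a random token is minted
        if not self.check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (username, scope, time.time() + TOKEN_LIFETIME_SECONDS)
        return token

    def introspect(self, token):
        # Step 5: the relying party asks whether a token is genuine and what it grants
        entry = self._tokens.get(token)
        if entry is None or entry[2] < time.time():
            return None
        return {"username": entry[0], "scope": entry[1]}


class RelyingParty:   # stands in for Rightly: it only ever handles tokens
    def __init__(self, provider):
        self.provider = provider
        self.received = []   # everything the site has been handed, for inspection

    def accept_login(self, token):
        # Steps 4-5: receive the token and verify it with the provider
        self.received.append(token)
        return self.provider.introspect(token)
```

Note that nothing in `RelyingParty` ever sees a password, and the provider’s own store holds only salts and hashes.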
A bit more about tokens
Password tokens are also used when passwords need to be reset or recovered. The tokens provide a secure mechanism for verifying a user's identity without requiring them to provide their current password.
When a user initiates a password reset or recovery process, the system generates a unique token associated with their account: a long, random string of characters that serves as a one-time authentication credential. The token is then sent to the user through a secure channel, such as email or SMS.
Once the token arrives, the user is normally directed to a specific page or form on the website or application where they need to provide the token. This page usually prompts the user to enter a new password for their account. The token serves as proof that the user who possesses it has access to the email address or phone number associated with the account.
When the user enters the token along with their desired new password, the system checks if the token is valid and matches the one generated for that particular account. If the token is valid, the system allows the user to reset their password, effectively granting them access to their account.
To ensure security and prevent unauthorised access, there are several measures typically implemented with password tokens:
- Expiration: Tokens are usually set to expire after a certain period, for example a few minutes or a few hours, to limit the window in which they can be used
- One-time use: Tokens are designed to be used only once. Once a token is successfully used to reset a password, it becomes invalid and can’t be used again
- Randomness: Tokens are generated using strong randomisation algorithms to make them difficult to guess or predict. This randomness ensures the uniqueness and security of each token
- Secure transmission: Tokens are transmitted to the user through secure channels
Password tokens provide a secure and user-friendly method for resetting or recovering passwords, as they eliminate the need for users to remember their old password while still ensuring the account's security.
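A minimal reset-token service implementing the measures listed above (expiration, one-time use, randomness), written here as an added example rather than Rightly’s code. Keeping only a hash of the token at rest, so a database read does not reveal usable tokens, goes one step beyond the list; the 15-minute window and the injectable clock are assumptions for this example.

```python
import hashlib, hmac, secrets, time

RESET_TTL_SECONDS = 15 * 60   # assumed expiry window for a reset token


class PasswordResetService:
    """Issues and redeems single-use, expiring password-reset tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # username -> (sha256(token), expires_at)

    def issue_token(self, username):
        # Randomness: 32 bytes from the OS CSPRNG, so the value cannot be predicted
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        # Only the hash is kept; a new request replaces any earlier token
        self._pending[username] = (token_hash, self._clock() + RESET_TTL_SECONDS)
        return token   # this is what goes out by email or SMS

    def redeem(self, username, token):
        """Return True once, and only for a matching, unexpired token."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        stored_hash, expires_at = entry
        if self._clock() > expires_at:          # expiration
            del self._pending[username]
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, stored_hash):
            return False
        del self._pending[username]             # one-time use
        return True
```

A real deployment would call `redeem` only after the user has also supplied the new password, and would rate-limit failed attempts.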
Make the most of your data
Your data is yours and, using secure methods, you can make the most of it. Our most recent innovation, Rightly Save, enables you to do just that: it finds all your insurance policies and presents them to you in a single place, complete with renewal dates and the type of policy.
Then we’ll set up automatic reminders so you get plenty of notice of all your insurance renewals, whether for car, home, travel, pet or any others you may even have forgotten about. That way you’ll have a chance to find a better deal before the company rolls you into a new year and a new price which you may not have had time to look at until it’s already done.
Using Rightly with your Google or Microsoft credentials helps you make the most of your data whilst keeping passwords known only to you.