Let me start by stating the following: PayPal sucks, and if you’re using it, I advise you to remove it.
Why am I saying this? Well, I’ve recently been screwed by PayPal (for the second time actually) over something as trivial as asking for my account information to be removed. Apparently, you’ve got to have quite the guts to even consider contacting these corporate overlords. And whatever you ask, they will milk every bit of information out of you, and “securely” store it.
Their password forms state a maximum of 20 characters, which if you’re familiar with hashing should be a huge red flag. If not, here’s the gist: hashing means turning a piece of data that can be of an arbitrary length, into a string of characters that has a fixed length. The output of the hash function doesn’t preserve information and therefore the original data cannot be feasibly derived from a hash. Instead, the hash is some sort of “signature”, proving that this bit of data will always return the same “signature” hash, and that only that piece of data can generate this particular hash.
Let’s look at this with an example. Open up your Linux terminal and enter the following command.
$ echo “Foo bar” | sha256sum
This command will return the value “0b64696c0f7ddb9e3435341720988d5455b3b0f0724688f98ec8e6019af3d931” which is our hash, and can be considered the “signature” of our string of text “Foo bar”. Change any letter anywhere, and the hash becomes vastly different. But every time you enter that particular string, it will always return the same hash.
This property is really powerful for password storage on servers. It means that when you enter the new password that you’ll be using for your account (i.e. creating it), the hash function can run, and that output can be stored in the server’s database. Next, when you enter your password to log in and run the same hash function again, you can compare that against what’s in the database. If it matches, great! You’ve entered the correct password. But the database doesn’t actually need to know what your password is, it only needs to know its hash. Of which the input data cannot be feasibly derived, making it very secure.
Now, on the database side, sysadmins generally want to be able to configure their systems in such a way that they can plan for the future and know how many entries they’ll be able to store on this particular server. Hashes make this very easy, you’ll always have the same fixed length value, so divide your available database storage by the length of your hashes (along with that of the other parts of your database table like usernames, ID’s, emails etc), and you can see how many entries you’ll be able to store.
Except for when you’re not using hashes.. sysadmin can’t tell how long the passwords will be if they’re just whatever length the user picks. So the (arguably incompetent) sysadmin tells the front-end chaps to limit how many characters the password can have – a minimum character length (which is good), but also a maximum length (which is terrible). And that’s exactly what PayPal has been doing. Their account passwords can be anything from 8 to 20 characters. But why? If they were using hashes, even a 1000 character password would produce a hash of a fixed length. So it’s likely that they’re storing their passwords in plain text. Not so “secure login” as they’re advertising it, is it?
So in terms of security, they’re terrible. The fact that these corporate overlords advertise the service as “free” is even worse. They don’t just manage your money.. they’re taking it forcibly. Whenever they don’t like what you do, which can be very normal stuff, they can suspend your account. Your balance is locked, and you can’t withdraw it, remove your cards or remove the account. Effectively this means taking hostage whatever you put into it.
That’s the price of “free service” at PayPal. Stealing your money whenever they see fit. Luckily for me, I have only a tiny amount of money in my currently locked account. But there’s been cases of people managing their entire businesses through PayPal, and getting thousands of dollars stolen from them by PayPal locking their account, for no apparent reason. That’s evil.
Their support team is also quite terrible. They require so many levels of confirmation, so much identifying information (that they might not be able to store securely), that it’s extremely frustrating and you spend more time just verifying yourself than actually getting them to do their job. All in all, not a very good system.
So you might be wondering what else there’s available.
It’s called cryptocurrency.
Why cryptocurrency is the future
Cryptocurrency is something that abolishes the whole idea of corporate overlords, or governmental bodies that can print money on demand. Instead, there’s a limited amount of coins (so there’s no inflation), you get put in the driver’s seat, all transactions are public (through something called a blockchain, which is a sort of verifiable transaction log), and best of all, its value is determined only by supply and demand rather than what someone somewhere determines it is.
Now, it’s often thought of that cryptocurrency is a way to make sleeping money, a “get rich quick scheme”. It isn’t as easy as that. When a cryptocurrency starts off in a stage called initial coin offering or ICO, the coins are pretty much given away. Invest then, and if the currency takes off, you’re rich. If it doesn’t.. well, say goodbye to your investment. So in this sense, it’s similar to investing in the stock market.
If however you invest your money in established cryptocurrencies, the value of it is stable, won’t inflate, and because its supply is limited by design, it will continue to slowly but steadily rise in value as time goes on. This sort of approach is similar to when you store money in the bank, they’d give you a percentage of it at the end of the year.. at least back when the cost of account upkeep was lower than what they’d give you. Good ol’ times.
Anyway, the most established cryptocurrencies right now are Bitcoin, Ethereum and Monero. Mining them is not very profitable anymore, but putting your money in it gives it a stable home. Personally I prefer Ethereum, because its blockchain is very lightweight, the client looks good and it converts the current value of your coins back to regular currencies for you. Monero on the other hand is designed with anonymity in mind, making it a great choice for purchases on the darknet. Lastly, Bitcoin.. it’s a bit overrated. Its blockchain is massive, counting over 200GB in size and takes weeks to clone to your local machine. But to its defense, it is the founding father of cryptocurrency, so it definitely deserves a honorable mention even today. Thank you Satoshi Nakamoto for creating it.
So now you know it, PayPal sucks and cryptocurrency is the future. And as always, stay curious 🙂