Plain Text Password Storage
Heya,
I should have saved this post for Halloween because it’s that scary.
But I couldn’t help myself. A few weeks ago, I ran across this site which is all about shaming sites that store passwords in plain text. It’s like the SSO.tax site, but for plain text passwords.
How can you tell if a site is storing your password in such an insecure way?
The easiest way to know is to see if a site can send you your current password in plain text. (Not a one-time password, though that isn't great either.) If this is the case, they either:
store your password in plain text and send it to you
encrypt and store your password, then decrypt it to send to you
Both of these are problematic. (I’m going to ignore the question of whether it makes sense to send sensitive, static credentials over email, which is itself not always secure.)
The first is worse than the second, but both are bad.
Keeping passwords in plain text means that anyone with access to the database can see the passwords. These are likely to be reused across multiple systems, but will certainly give access to private account data in the current system. Who has access to the database? Who knows, but more people and systems than you think have read access.
The second option, storing an encrypted password, throws up an obstacle: the attacker must, in addition to database access, gain access to the encryption key and algorithm. But if they do, you’re in the same pickle—widespread access across many accounts.
One-way hashes make it much harder to recover users' passwords, since anyone who wants the original password has to start with the universe of likely passwords and hash each one to see if it matches. (For the security-minded folks, I’m ignoring a salt because if an attacker can get your password hashes, they likely can get the corresponding salts too.)
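The storage scheme the post is recommending, as an added example that is not code from the original post: each user gets a random salt, the password is run through a deliberately slow derivation, and only the salt, the work factor and the resulting digest are stored. PBKDF2-HMAC-SHA256 stands in for bcrypt here because it ships in the Python standard library; the iteration count (the 600,000 figure is an assumption taken from OWASP's 2023 guidance) plays the role of bcrypt's cost factor. The user table, usernames and passwords are constructed sample data.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed example, not code from the original post. PBKDF2-HMAC-SHA256 stands in
# for bcrypt because it ships in the standard library; the iteration count plays the
# role of bcrypt's cost factor.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumption: the 2023 OWASP figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    Nothing in the record can be turned back into the password; the only way to
    check a guess is to run the same slow derivation again with the stored salt.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor than current policy."""
    _, stored_iterations, _, _ = record.split("$")
    return int(stored_iterations) < iterations


class UserStore:
    """Toy user table: it only ever holds hash records, never the password itself."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def record_for(self, username: str) -> Optional[str]:
        return self._records.get(username)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Burn the same amount of work for unknown users so response time
            # does not reveal which usernames exist.
            hash_password(password)
            return False
        ok = verify_password(password, record)
        # Opportunistic upgrade: re-hash at the current work factor after a good login.
        if ok and needs_rehash(record):
            self._records[username] = hash_password(password)
        return ok


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")  # constructed sample
    store.register("bob", "correct horse battery staple")    # same password, different record
    print(store.record_for("alice"))
    print(store.record_for("bob"))
    print("alice login:", store.login("alice", "correct horse battery staple"))
    print("wrong password:", store.login("alice", "Correct horse battery staple"))
```

Two things the records make visible: alice and bob chose the same password, yet their stored records differ, and neither record contains anything that can be decrypted back into the password. The salt is stored in the clear, so an attacker who copies the table does get it, as the post says; its job is not to stay secret but to make precomputed tables useless and force one full slow derivation per user per guess. The `needs_rehash` check is what lets you raise the iteration count later without forcing a password reset.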
The developer FAQ of the plain text password shaming site lays it out in a straightforward manner:
Users use the same password for most of the services they use (let’s be honest, you do this too), so when your product gets hacked, you will be exposing your users to having most of their online accounts stolen.
While it seems the home page of the site hasn’t been updated since 2021, the linked GitHub repo has issues opened in 2024. 2024!
It’s a bummer that systems with plain text password storage are still in use today.
Folks, hashing has been around since the 1950s! Smart folks have been promoting bcrypt (or at least avoiding fast hashing algorithms for passwords) for over a decade.
If you are going to store passwords, hash and salt them using a state-of-the-art recommended algorithm and number of iterations. Most modern web frameworks make this pretty easy using bcrypt or similar: Java/Spring, Node, ASP.NET, Ruby on Rails/Devise.
Dan