Plain text passwords are bad. Period. Don’t do it.

In a conversation with a support representative at my domain registrar about my having locked myself out of my account, I was able to discern that they store at least some part of my password in plain text. For your viewing pleasure, here's the conversation and how it played out. You'll easily be able to find the spot where the representative gives the clue that they have access to at least some portion of my password in plain text. Please, please, please, don't ever store passwords in your applications in plain text: store a salted, slow hash and verify a login by recomputing it, so that neither your support staff nor anyone who gets hold of the database can read the password back. Think about this whenever you decide you need security in your system. Just read what happened to phpBB (one of the most widely deployed PHP-based forum packages).

Again: don't ever think it's alright to store passwords in plain text. Anywhere.

Catherine P.: Hello, you’ve contacted **** Live Support! How can I help you today?
Jason Hunt: Hello…. I can't log into my account… I have reset my password and then tried logging in with the changed credentials and it says I am now not able to log in due to failed attempts.
Jason Hunt: username: ****
Catherine P.: Wait a minute please
Jason Hunt: waiting
Catherine P.: I’ll check
Jason Hunt: thank you
Catherine P.: Could you please provide me with 2 first and 2 last symbols of your new password
Jason Hunt: ** **
Catherine P.: Your account was locked due to 6 failed attempts to log in
Jason Hunt: seems an odd request… unless my password is stored in PLAIN TEXT *grrr*
Catherine P.: I’ll unlock it in a moment
Jason Hunt: thank you
Jason Hunt: and, please, get rid of plain text passwords… that is insecure and concerning to me as a customer
Catherine P.: Now your account is unlocked
Jason Hunt: I am logged in.. thank you
Jason Hunt: please log a service request to have the passwords changed from plain text to hashed
Jason Hunt: very high priority
Catherine P.: You can change this password
Catherine P.: if you like
Jason Hunt: yes I can.. but what difference does it make if YOU can still read it?
Catherine P.: We can’t read it
Catherine P.: It is saved in our system
Catherine P.: We don’t have access to it
Jason Hunt: You wouldn’t have asked for the first two and last two symbols in my password otherwise
Jason Hunt: at least SOME part of my password is stored in a format that is plain text that you can read and verify. Insecure
Catherine P.: We usually don’t ask whole passwords
Catherine P.: Anyone can log in using part of password
Jason Hunt: fact is… you should NEVER have access to ANY part of the password… should be another security question
Jason Hunt: you mean I can log in with using only four characters of my password?
Jason Hunt: how secure is that?
Catherine P.: Sorry, can not
Jason Hunt: that’s better
Catherine P.: I have mistyped
Catherine P.: I'm sorry
Catherine P.: and also we have secure connection
Jason Hunt: please log a service request to have ANY portion of plain text of user passwords removed from the services provided by ****
Catherine P.: So nobody will be able to steal your password
Jason Hunt: I don't care if it's a secure connection… YOU have access to my password… if I use it on any other site… YOUR staff could be the ones to steal it
Jason Hunt: not that I don’t trust your staff… but I just don’t trust your staff
Catherine P.: Please write your suggestion at ****
Catherine P.: It is our forum
Jason Hunt: I think I’ll blog about it
Catherine P.: Our developers will fix it
Jason Hunt: I certainly hope so
Jason Hunt: thank you, again, for helping me with this
Catherine P.: We’ll do our best to make your information secure
Catherine P.: You are always welcome.
Catherine P.: If you have any other questions feel free to contact us again.


2 thoughts on “Plain text passwords are bad. Period. Don’t do it.”

  1. My ISP does that too. One possible option is that your password is stored encrypted but logic can be written to match str.Decrypt().BeginsWith && str.Decrypt().EndsWith and assign that authentication method only to CustomerService roles. Catherine P is not expected to know all that.

  2. Peter, I agree that it can be decrypted to only give the customer service representative the ability to see only certain characters of the password, but it would be my preference, as a consumer, if they simply reset my password to a temporary, randomly generated password that I need to change the first time I log in. JH
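As an added illustration (editor's code, not the registrar's and not the post author's) of the contrast the post and both comments turn on: a store that keeps the password recoverable can answer the "first two and last two characters" question the representative asked, while a store that keeps only a salted, slow hash can answer nothing except "is this the whole password", so support recovery then has to work the way the second comment suggests, by issuing a random temporary password that must be changed at the next login. The names `Account`, `login`, `support_unlock_with_temporary_password` and `change_password`, the record format, and the PBKDF2 iteration count are assumptions for the example; `MAX_FAILED = 6` is the lockout threshold the representative quotes. PBKDF2-HMAC-SHA256 is used because it ships in the Python standard library; argon2id, scrypt or bcrypt are the better choice where the platform offers them.

```python
"""Salted slow-hash password storage beside the recoverable store it replaces.

Added example for this post; not the registrar's code. Standard library only.
Assumed names: Account, login, support_unlock_with_temporary_password, change_password.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# OWASP guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations; tune so one hash
# costs a few hundred milliseconds on your own servers (assumption for the example).
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
MAX_FAILED = 6  # the lockout threshold quoted by the representative in the chat


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$key_hex."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """The only question a hashed store can answer: is this the whole password?"""
    try:
        algo, iters, salt_hex, key_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: treat as no match rather than crash
    if algo != "pbkdf2_sha256":
        return False
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(key, expected)  # constant-time comparison


def partial_match_plaintext(stored_password: str, first2: str, last2: str) -> bool:
    """What the registrar's support tool evidently does. It only works because the
    stored value is the password (or those characters) in recoverable form; there is
    no way to write this function against the hash record produced above."""
    return stored_password[:2] == first2 and stored_password[-2:] == last2


@dataclass
class Account:
    username: str
    password_record: str
    failed_attempts: int = 0
    locked: bool = False
    must_change_password: bool = False


def login(acct: Account, password: str) -> bool:
    """Lock after MAX_FAILED wrong guesses; a locked account rejects even the right password."""
    if acct.locked:
        return False
    if verify_password(password, acct.password_record):
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED:
        acct.locked = True
    return False


def support_unlock_with_temporary_password(acct: Account) -> str:
    """Recovery that needs nothing from the customer's secret: issue a random one-time
    password, require a change at next login, clear the lock. The returned string is
    delivered out of band (verified e-mail, SMS) and never stored anywhere."""
    temp = secrets.token_urlsafe(12)
    acct.password_record = hash_password(temp)
    acct.must_change_password = True
    acct.locked = False
    acct.failed_attempts = 0
    return temp


def change_password(acct: Account, current: str, new: str) -> bool:
    """Complete the forced rotation; proves knowledge of the temporary password first."""
    if not verify_password(current, acct.password_record):
        return False
    acct.password_record = hash_password(new)
    acct.must_change_password = False
    return True


if __name__ == "__main__":
    acct = Account("jason", hash_password("correct horse battery staple"))
    for _ in range(MAX_FAILED):
        login(acct, "wrong guess")
    print("locked after six failures:", acct.locked)
    temp = support_unlock_with_temporary_password(acct)
    print("temporary password accepted:", login(acct, temp), "must change:", acct.must_change_password)
    print("rotation done:", change_password(acct, temp, "new passphrase"))
```

Note what the representative could and could not do under each scheme: with `partial_match_plaintext` the support tool confirms four characters of the secret (and leaks them to anyone who can read the store or the ticket), while with the hash record the only operations available are `verify_password` with the full password and the reset-and-rotate flow, which is exactly the process the second comment asks for.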
