
Passwords in plain text

  • 14-09-2011 10:26pm
    #1
    Registered Users Posts: 3,140 ✭✭✭


    Just asked tesco.ie to remind me of my password. I get an email containing quite a confidential password I use for a few things. Changed it pronto..

    Have you come across any other sites that store passwords in plain text?


Comments

  • Registered Users Posts: 3,078 ✭✭✭onemorechance


    There has been a thread on this. It mentions that maybe it's EU law.

    EDIT: Not really EU law! :p

    http://www.boards.ie/vbulletin/showthread.php?p=72342912


  • Registered Users Posts: 1,922 ✭✭✭fergalr


    ocallagh wrote: »
    Just asked tesco.ie to remind me of my password. I get an email containing quite a confidential password I use for a few things. Changed it pronto..

    I don't generally duplicate passwords.
    I certainly would not trust tesco with a password I used for something else important; you've no idea when they might leak it.

    ocallagh wrote: »
    Have you come across any other sites that store passwords in plain text?

    There is the odd debate about this on hacker news.
    The argument is that it's useful to be able to e-mail people their plaintext passwords, for usability reasons. Which is true.

    Best practice is conventionally to store a hashed version of the passwords, and lots of people will rabidly argue 'storing plaintext is teh bad'.


    Really, though, I wouldn't get too worked up about it.

    First off, most people storing hashes probably aren't doing it properly; md5 isn't any good any more.
    Secondly, if someone can infiltrate to where the passwords are stored on a large site, they can probably just sit and harvest the cleartext passwords coming in on the wire; for a high traffic site, they'll still get 1000s of passwords in no time at all.


    The solution is not to use duplicate passwords.
    Get a browser keychain or encrypted volume or whatever to store the diverse passwords in.


  • Registered Users Posts: 1,180 ✭✭✭EyeSight


    well i think it's common sense to hash passwords when storing them. there are ways in which it is insecure, but as far as i know it takes minutes to crack one, so if a hacker got all the passwords from tesco it would take days or weeks of constant runtime to crack them all.

    as for the argument that it's nice to send users their passwords in clear text, i think it's a lot more secure to just resend them a temporary password and make them change it to whatever they want

    it takes almost no time at all to md5 a password and even if it's no longer the best method, it's a great deal more secure than clear text passwords


  • Registered Users Posts: 1,922 ✭✭✭fergalr


    EyeSight wrote: »
    it takes almost no time at all to md5 a password and even if it's no longer the best method, it's a great deal more secure than clear text passwords

    It used to be, but I was surprised not too long ago to find that it isn't really more secure now than plain text passwords.

    EyeSight wrote: »
    well i think it's common sense to hash passwords when storing them. there are ways in which it is insecure, but as far as i know it takes minutes to crack one, so if a hacker got all the passwords from tesco it would take days or weeks of constant runtime to crack them all.

    If they are all salted separately, it'll take a while to crack them all, but probably only days or weeks, which really isn't much more secure than just having them in plaintext.

    If they aren't salted separately, then it'll probably take the same length of time to crack all passwords as it takes to crack the average password. (They are probably all already in dictionaries, or a GPU farm will make short work of searching the space of passwords that humans can remember.)



    The best thing to do is probably use a modern way of hashing their passwords, and store them encrypted.

    But on the other hand, the time might be better spent securing the network perimeter; any time the attacker gets far enough in that they can access the DB is really a failure mode. I can see the business reason to want to be able to e-mail your customer their password.


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    Are more people not using SHA1 to hash passwords yet?


  • Closed Accounts Posts: 10,012 ✭✭✭✭thebman


    Storing passwords in plaintext is a bad idea from a purely PR point of view if the system does get compromised. If the company have to reveal that passwords were stored in plaintext, it is a lot worse than saying they were hashed.

    So from a business perspective hashed is better than not hashed IMO even though it might seem irrelevant from a security point of view. We do live in a business world after all.


  • Registered Users Posts: 1,922 ✭✭✭fergalr


    thebman wrote: »
    Storing passwords in plaintext is a bad idea from a purely PR point of view if the system does get compromised. If the company have to reveal that passwords were stored in plaintext, it is a lot worse than saying they were hashed.

    So from a business perspective hashed is better than not hashed IMO even though it might seem irrelevant from a security point of view. We do live in a business world after all.

    That type of argument gets overused in tech discussions. Yes, businesses do things for business reasons - but that's almost a tautology.

    The real question is whether the hit to security, in terms of storing cleartext passwords, and the resulting damage, in the form of negative PR, additional problems, perceived breach of security responsibility etc if there is a breach, is greater than the business cost of making it harder for a user to access the site.
    (You can couch the same argument in terms of user convenience, too.)


    I don't know, for Tesco, how the numbers work out.

    I think if I was Tesco, and I was making very very sure that no one could compromise my databases, and I had numbers that said I'd lose N% of customers who couldn't remember their password, by using a more complex reset scheme, I might choose to store the passwords in cleartext - for business reasons. You could argue it either way - what the best business thing to do is is not a priori clear.


    I dunno why techies sometimes get a bee in their bonnet about cleartext passwords. They should spend their time educating users to not reuse passwords instead.


  • Registered Users Posts: 28 jgalvin


    It's impossible to educate the users. Much easier to educate the developers of sites like this. The fact is, people will always reuse passwords on many different sites, and when sites email out plaintext passwords, they end up sitting in your inbox or Deleted Items folder on your computer and on your iPad where your housemate will see it. They should have a disclaimer on the sign up form "your password will be emailed back to you in plain text - if you have an iPad and a housemate, then use a unique password for this site"


  • Registered Users Posts: 255 ✭✭boblong


    stevenmu wrote: »
    Are more people not using SHA1 to hash passwords yet?

    Or even better, bcrypt.


  • Registered Users Posts: 184 ✭✭Razzuh


    boblong wrote: »
    Or even better, bcrypt.

    Thanks for that, looks interesting. I had heard about the vulnerability of MD5 and SHA1. The figures for cracking have gotten particularly ridiculous now with the Cloud Computing craze and relatively cheap computing power for rent.

    SHA2 is the next step up and as far as I know hasn't had any severe mathematical weaknesses found yet, unlike SHA1 and the entirely worthless MD5. These kinds of hashes are really only good for use as checksums now.

    I'll definitely look in to bcrypt when I have time. Anyone else know of anything similar?


  • Registered Users Posts: 106 ✭✭Moonstar


    I don't really find that usability suffers very much if a password reset option sends the user a temporary password, instead of the original.


  • Registered Users Posts: 3,140 ✭✭✭ocallagh


    fergalr I'd be looking at this from a data protection point of view and not from the profit line of a corporation. Just like tesco can't have customers slip on a wet floor, they should also be responsible for storing our private data in a secure manner.

    Hashing will slow a hacker down - enough to inform your users their data may have been breached.

    Also - it's not just safety against hackers either, staff/developers with access to the DB are not going to go to the trouble of cracking a sha1 hash, but with access to clear text passwords they may spot an opportunity..


  • Registered Users Posts: 1,922 ✭✭✭fergalr


    So, just to restate, I'm not saying 'don't hash your passwords'. If I was deploying a system, I'd be using bcrypt with a high work factor, etc.

    But I am saying I can understand why some people mightn't want to go that way. And I think the case is sometimes overstated.

    ocallagh wrote: »
    fergalr I'd be looking at this from a data protection point of view and not from the profit line of a corporation.

    Ok - what does this mean 'from a data protection point of view'?

    Do you mean from a 'legally cover your ass' point-of-view, in that you must be seen to be conforming with 'best practice', to meet data protection legislation (depending on how the data protection people interpret it)? Sure, yes, from that point of view, it's a good idea to hash the passwords.

    But to interpret what you say literally, at face value, in terms of data-protection, as actually protecting the data:

    ocallagh wrote: »
    Just like tesco can't have customers slip on a wet floor, they should also be responsible for storing our private data in a secure manner.

    Honestly, I doubt any serious percentage of private companies think about 'data protection' in that way. I also genuinely don't think most people care about it nearly as much as they care about slipping on a wet floor, either.

    They certainly don't vote with their wallets where these things are concerned.

    It's also not taken seriously as any sort of legal responsibility.
    The fact is that while every website has a privacy policy that talks about SSL security blah blah, very few sites have any real resistance to any sort of targeted attack (or APT, or whatever you want to call it these days).

    The state of computer security is pretty terrifically bad; this was the case 10 years ago, 20 years ago, and it hasn't really changed. Society just doesn't take it seriously, and doesn't seem to care all that much.
    If anything, the risks to privacy are growing.

    ocallagh wrote: »
    Hashing will slow a hacker down - enough to inform your users their data may have been breached.

    Bcrypt, deployed properly, yes. Typical deployment of MD5 (salted if you are lucky), no, not at all.


    ocallagh wrote: »
    Also - it's not just safety against hackers either, staff/developers with access to the DB are not going to go to the trouble of cracking a sha1 hash, but with access to clear text passwords they may spot an opportunity..

    Honestly?
    Rank and file employees shouldn't have access to the database, in an organisation of the size of tesco. DB access should be locked down to a tightly controlled set of people, all of whom are well vetted, and all of whom have more than enough access and ability to A) crack the hashes B) capture the password in the clear, on the way in C) turn off the security features.



    Like, I guess my main argument here, is that from a protecting-the-data point of view, hashing the passwords is just an abysmal failure mode action.

    At the point where the haxor has gotten read access to the password database, the 'protecting-the-data' mission is already completely lost.

    Yes, it does happen. Because as a society, across the board, holistically, we don't really take security seriously.

    Fine. But if someone tells me they are keeping their passwords in the clear, but are putting their effort into a detailed defensive strategy to keep bad guys away from the DB, I think that's ok too.


  • Registered Users Posts: 1,922 ✭✭✭fergalr


    I believe in defense in depth.


    But look:
    What if the guy responsible for guarding the nuclear warheads came and told you that they were putting dud warheads on half the nukes, so that if hackers managed to launch one, there was a 50% chance it didn't kill anyone?


    Would you say 'defense in depth, well done, medal for you'?

    Or would you fire him, because his way of thinking about warhead security was just off the deep end?


  • Registered Users Posts: 1,922 ✭✭✭fergalr


    stevenmu wrote: »
    Are more people not using SHA1 to hash passwords yet?

    http://www.golubev.com/hashgpu.htm
    Recovery speed on ATI HD 5970 peaks at 5600M/s MD5 hashes and 2300M/s SHA1 hashes.

    That's 2.3B SHA1 / second.
    The space of 6 char single case alpha numeric is:
    36^6 = 2,176,782,336

    So that card will take 1 second to search that space for all passwords, against however many SHA1 hashes you got to check.

    How complex are the passwords people are using on a typical online store?

    You can rent GPU time on EC2.
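
    As an added illustration of the arithmetic in this post (not code from the thread), the Python below computes keyspace size and worst-case search time from the quoted 2.3 billion SHA1/s figure, and on a constructed toy set of three-letter passwords counts how many hash computations an exhaustive search needs when the stored hashes are unsalted versus salted per password, the point fergalr made earlier about salting. The rate constant, the toy passwords and the salts are assumptions chosen for the demonstration.

```python
import hashlib
import itertools
import string

# Figure quoted in the post above: one ATI HD 5970 peaks at ~2.3 billion SHA1/s.
SHA1_PER_SECOND = 2_300_000_000


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, rate, n_hashes, salted):
    """Worst-case seconds to try every candidate against n_hashes stored hashes.
    Unsalted: one sweep of the keyspace is checked against every hash at once.
    Per-password salts: every hash forces its own sweep, so cost scales with n."""
    sweeps = n_hashes if salted else 1
    return keyspace(alphabet_size, length) * sweeps / rate


def crack_unsalted(targets, alphabet, length):
    """Hash the whole keyspace once into a table, then read off every target.
    Returns (recovered {hash: password}, number of hash computations)."""
    table = {}
    for chars in itertools.product(alphabet, repeat=length):
        pw = "".join(chars)
        table[hashlib.sha1(pw.encode()).hexdigest()] = pw
    recovered = {h: table[h] for h in targets if h in table}
    return recovered, len(table)


def crack_salted(targets, alphabet, length):
    """targets maps hex(sha1(salt + pw)) -> salt. A shared table no longer helps,
    so each hash gets its own sweep (stopping when that one is found).
    Returns (recovered {hash: password}, number of hash computations)."""
    recovered, ops = {}, 0
    for h, salt in targets.items():
        for chars in itertools.product(alphabet, repeat=length):
            pw = "".join(chars)
            ops += 1
            if hashlib.sha1(salt + pw.encode()).hexdigest() == h:
                recovered[h] = pw
                break
    return recovered, ops


def demo():
    """Constructed toy data: three lowercase 3-letter passwords (26**3 = 17576
    candidates), stored first unsalted and then with a per-user salt."""
    alphabet, length = string.ascii_lowercase, 3
    passwords = ["abc", "mno", "zzz"]  # constructed
    salts = [b"s1", b"s2", b"s3"]      # constructed per-user salts
    unsalted = [hashlib.sha1(p.encode()).hexdigest() for p in passwords]
    salted = {hashlib.sha1(s + p.encode()).hexdigest(): s
              for s, p in zip(salts, passwords)}
    rec_u, ops_u = crack_unsalted(unsalted, alphabet, length)
    rec_s, ops_s = crack_salted(salted, alphabet, length)
    all_found = set(rec_u.values()) == set(passwords) == set(rec_s.values())
    return ops_u, ops_s, all_found


if __name__ == "__main__":
    print(keyspace(36, 6), seconds_to_exhaust(36, 6, SHA1_PER_SECOND, 1000, True), demo())
```

    With the thread's figures, 1000 unsalted hashes cost one sweep (under a second on that card) while 1000 salted ones cost 1000 sweeps; a slow hash such as bcrypt then multiplies the per-sweep cost on top of that.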


  • Registered Users Posts: 3,140 ✭✭✭ocallagh


    fergalr wrote: »
    Honestly, I doubt any serious percentage of private companies think about 'data protection' in that way. I also genuinely don't think most people care about it nearly as much as they care about slipping on a wet floor, either.

    Hey - sorry for the lame reply. It's getting very late and I was just about to nod off. I agree with a lot of what you say but this is what I am trying to get at. Companies do have an obligation to protect our data so I don't see it any different to protecting our health! Sure it's on a different scale, but it's the same principle. The more we interact with online services, online payments etc the more of a threat identity theft becomes. It may not be law, but there's nothing to stop an individual suing for negligence in regard to data protection.

    I don't see hashing as a failure mode. You say yourself there is nothing a company can do to prevent a targeted attack (which would more than likely take just a few hours to implement) so all layers of security become a fail point. Each layer of security essentially switches from prevention to damage limitation and that makes the difference when it comes to hashing. Hashing the passwords with strong encryption in this case will be the most effective layer of security buying a few weeks at least. It's also incredibly cost effective to implement. I know you agree with it, but what I'm trying to impress is the importance of it which is where we differ.


  • Registered Users Posts: 3,140 ✭✭✭ocallagh


    fergalr wrote: »
    I believe in defense in depth.


    But look:
    What if the guy responsible for guarding the nuclear warheads came and told you that they were putting dud warheads on half the nukes, so that if hackers managed to launch one, there was a 50% chance it didn't kill anyone?


    Would you say 'defense in depth, well done, medal for you'?

    Or would you fire him, because his way of thinking about warhead security was just off the deep end?

    If they managed to delay the launching of a nuke by a few weeks to give us time to restore the security and switch the passwords he'd get a medal!


  • Registered Users Posts: 1,922 ✭✭✭fergalr


    ocallagh wrote: »
    Hey - sorry for the lame reply. It's getting very late and I was just about to nod off. I agree with a lot of what you say but this is what I am trying to get at. Companies do have an obligation to protect our data so I don't see it any different to protecting our health! Sure it's on a different scale, but it's the same principle. The more we interact with online services, online payments etc the more of a threat identity theft becomes. It may not be law, but there's nothing to stop an individual suing for negligence in regard to data protection.

    I'm not really sure in what sense they have an obligation.

    There's some legislation that says things like that; but the social practice is that such an obligation doesn't really exist.

    Maybe they should have an obligation.


    But it's a little like asking an end user, in 1997, if they thought their computer should crash.
    Most of them furiously answered it wasn't on.

    But ask them if they'd pay an extra 3K for the same computer, if it didn't crash, to defray the additional costs, and most would have refused.


    It's interesting that you mention identity theft.
    I personally think the solution to identity theft is happening in a really weird way - we aren't really investing in stopping identity theft - we are accepting - as a society - that it's sort of an inevitable frictional cost - and instead we are providing mechanisms to prevent the damage it does (allowing people to clear their records, etc).


    It's strange - it's like Facebook and privacy.
    You can use a service that preserves your privacy. But people haven't 'voted' for that. Instead the social problems are being dealt with by discarding privacy, and instead expanding the social norms of what is considered allowable behaviour.

    I'm not saying that's the best thing to do - but it's worth noting that it is another potential point of stable equilibrium for the system.

    ocallagh wrote: »
    I don't see hashing as a failure mode. You say yourself there is nothing a company can do to prevent a targeted attack (which would more than likely take just a few hours to implement) so all layers of security become a fail point. Each layer of security essentially switches from prevention to damage limitation and that makes the difference when it comes to hashing. Hashing the passwords with strong encryption in this case will be the most effective layer of security buying a few weeks at least. It's also incredibly cost effective to implement. I know you agree with it, but what I'm trying to impress is the importance of it which is where we differ.

    I guess my point is that an attacker penetrating in far enough to get access to the DB, if they are any way competent, probably also owns enough of the infrastructure to cover their tracks, while they intercept the cleartext passwords as they enter the system. As such, the hashes aren't doing much.


    I do think a company could probably prevent a targeted attack succeeding - or go a long way towards reducing the threat of one succeeding.
    But very few are willing to make the infrastructure investment required to do that - probably not none; I would guess that companies like amazon, or large banks, would probably be pretty well defended.

    The average retailer isn't taking things this seriously; and customers aren't insisting on it.

    That's where the problem lies, as such; given that, hashing the passwords is really fixing the wrong problem; scarce resources should probably be directed at the perimeter, or at keeping adversaries away from the core resources.



    Your point about cost effectiveness of hashing, is well made - it is certainly cheap to implement.

    It's an interesting discussion - I'm not really disagreeing with anyone here; it's interesting to toss the ideas around.


    Actually, one thing I do believe, is that we need more society wide discussion of our information infrastructure - covering all these issues. As you say, it's becoming increasingly important, and it's still a topic that's inaccessible to much of society's traditional decision making mechanisms.

    Maybe that's not a bad thing - I like the decisions nerds tend to have made - but it's not exactly democratic, in some senses, for changes that are shaping society so deeply.


  • Registered Users Posts: 1,922 ✭✭✭fergalr


    ocallagh wrote: »
    If they managed to delay the launching of a nuke by a few weeks to give us time to restore the security and switch the passwords he'd get a medal!

    Thats a fair point, too, and another way of looking at it.

    My point is that if someone designing a system starts putting defense-in-depth beyond a certain point, it's bad design.

    Sometimes defense in depth makes sense; sometimes it doesn't; it depends on where you want to draw your 'this is unacceptable failure' box.


  • Registered Users Posts: 2,494 ✭✭✭kayos


    ocallagh wrote: »
    Just asked tesco.ie to remind me of my password. I get an email containing quite a confidential password I use for a few things. Changed it pronto..

    Have you come across any other sites that store passwords in plain text?

    Ok just a small point here but just because they can send you your password in plain text does not mean it's stored as such :)


  • Registered Users Posts: 1,922 ✭✭✭fergalr


    kayos wrote: »
    Ok just a small point here but just because they can send you your password in plain text does not mean it's stored as such :)

    Ah, it effectively does.
    I mean, ok, let's say they rot13 it; it's still effectively stored in plain text.

    So maybe they apply a cipher, requiring a key to decrypt the passwords; the password is still being decrypted, on demand, by some part of the system that is probably less secure than the backend DB.
    That means it's effectively being stored in plain text; it is not being stored in an irreversible way.

