minutia press.
Clear text passwords

I object to sites that ask for PINs or passwords and then store them in clear text. Especially when they don't tell you they'll be stored in clear text. This means that people use PINs that they probably use elsewhere, and admin people at that site can see their PINs.

WebSTAC (the Wash U registration system) is such a site. I forgot the PIN and called the admin line to have it reset, and instead they just told me what it was and what it had been since the beginning of time. Suppose I had used one of those PINs for my bank account. Buttabing, the admin guy can withdraw all my money and leave me penniless.

What's worse is that when I called to complain, hardly anybody knew what I was talking about, and those who did know didn't seem too alarmed by the state of affairs.

There should be a law....



Comments

I've been complaining about the WebSTAC PINs for a while and I've met with the SIS (Student Information Systems) people who wrote the software.

Apparently they are dealing with some wonderful legacy software in their old mainframe which requires them to keep the passwords plaintext and shorter than 10 characters. Until they take the mainframe away (which is still used by a lot of people) they'll be stuck with insecure passwords.

Posted by: Ed at January 11, 2005 10:05 PM

Right, so I asked them to put a warning on the web page where you set passwords:

Warning: our passwords are stored in clear-text. You should pick a PIN for our system that you use on no other system.

Posted by: rkc at January 11, 2005 10:15 PM

They apparently use the same system for wustlconnections.com, the alumni website. If you click the "forgot password" link, they don't reset your password; they email it to you in plaintext.

Posted by: nik at January 13, 2005 12:26 PM

I disagree. Encrypting your password would not add any more protection than is already provided.

First, the admin you consider already has your password regardless of how it is stored in the database. This person has access to enough points of entry to grab your password.

Second, the above obviously applies to an attacker as well. If the web server or database is compromised, your data is too. Little changes by having your data encrypted.

Little would change if they all of a sudden stored everyone's PIN with some reasonable ciphertext. To note, there is one additional perceived benefit, which is the notion that at least with ciphertext in the database you have to log in to release your plaintext password/PIN to the malicious operator. The problem is that skilled malicious operators can remain undetected for extremely long durations [1].

There are ways of actually increasing your security rather than just perceived security. Creating your ciphertext locally before passing it on to the network is one technique that removes the ability for the remote admin or attacker to snap your credentials. This relies on the local machine being secure which it probably isn't in most places.

With added security comes complexity and latency; tradeoffs many don't want.

Personally, I'd be more concerned with the rampant spread of malware across networks and the speed with which malicious operators are able to command massive networks (exceeding /13 in size).

Thanks,
david

1: http://news.bbc.co.uk/1/hi/world/americas/4163237.stm and http://www.acxiom.com/PrintVersion.aspx?ID=2289&Country_Code=USA

Posted by: David at January 28, 2005 1:45 AM

The advantage I had in mind is that if I use the same password at multiple places, then a given admin can only gain access to my stuff at that one particular site he or she admins, and not use my clear-text password to gain entry elsewhere.

Posted by: rkc at February 5, 2005 10:14 AM

What you believe is being prevented is most certainly not the case. The power you as a user have is to not share your access credentials across realms.

As an operator or developer, encrypting passwords in a database does not add anything; at the most it simply provides a tiny hurdle for even the most mediocre of attackers.

Personally, I will admit that I "feel safer" by knowing my password is encrypted. The reality, however, is that nothing has become more secure and if I forget my password I can't be reminded of it -- only permitted to change it.

Thanks,
David

Posted by: David at February 11, 2005 12:31 AM
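
The two storage schemes this thread argues over, side by side, as an added example. This is Python written for this page, not code from the post, from the commenters, or from the WebSTAC/SIS systems discussed. The user names and PINs are constructed; the PBKDF2 iteration count is a cost parameter kept modest so the example runs quickly; the reset-token flow is a hypothetical illustration of the "change, not remind" behaviour David's last comment describes. One thing worth noticing is that the hashed store accepts the long passphrase: the digest is fixed-size, so hashing imposes no length ceiling like the ten-character one Ed mentions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample accounts for this example (not real WebSTAC data).
SAMPLE_USERS = {"rkc": "4821", "ed": "a passphrase well over ten characters"}


class ClearTextStore:
    """What the thread describes: the PIN is kept exactly as typed."""

    def __init__(self):
        self.records = {}  # user -> pin

    def set_pin(self, user, pin):
        self.records[user] = pin

    def verify(self, user, pin):
        stored = self.records.get(user)
        return stored is not None and hmac.compare_digest(stored, pin)

    def remind(self, user):
        # The alumni site's "forgot password" behaviour: the secret itself comes back.
        return self.records[user]


class HashedStore:
    """Keeps only a per-user random salt and a PBKDF2-HMAC-SHA256 digest."""

    ITERATIONS = 100_000  # cost parameter; modest here so the demo is quick

    def __init__(self):
        self.records = {}       # user -> (salt, iterations, digest)
        self.reset_tokens = {}  # user -> sha256(token); the token itself is not kept

    @staticmethod
    def _digest(pin, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations)

    def set_pin(self, user, pin):
        salt = os.urandom(16)
        self.records[user] = (salt, self.ITERATIONS, self._digest(pin, salt, self.ITERATIONS))

    def verify(self, user, pin):
        rec = self.records.get(user)
        if rec is None:
            return False
        salt, iterations, digest = rec
        return hmac.compare_digest(digest, self._digest(pin, salt, iterations))

    def remind(self, user):
        # Nothing to send: the PIN was never stored, so a helpdesk can only reset it.
        raise LookupError("PIN not recoverable from a salted hash; use a reset")

    def issue_reset_token(self, user):
        # Hypothetical reset flow: the token goes to the user out of band (e-mail);
        # the store keeps only its hash, so a table dump does not leak usable tokens.
        token = secrets.token_urlsafe(32)
        self.reset_tokens[user] = hashlib.sha256(token.encode()).digest()
        return token

    def complete_reset(self, user, token, new_pin):
        expected = self.reset_tokens.get(user)
        if expected is None:
            return False
        if not hmac.compare_digest(expected, hashlib.sha256(token.encode()).digest()):
            return False
        del self.reset_tokens[user]  # single use
        self.set_pin(user, new_pin)
        return True


def operator_view(store, user):
    """What someone with read access to the table learns about the user's PIN."""
    rec = store.records[user]
    if isinstance(rec, str):
        return rec  # clear text: the PIN itself
    salt, iterations, digest = rec
    return (salt.hex(), iterations, digest.hex())  # hashed: salt and digest only


def compare_stores(users=SAMPLE_USERS):
    """Load both stores with the same PINs and report what each one gives away."""
    clear, hashed = ClearTextStore(), HashedStore()
    for user, pin in users.items():
        clear.set_pin(user, pin)
        hashed.set_pin(user, pin)
    report = {}
    for user, pin in users.items():
        try:
            hashed_reminder = hashed.remind(user)
        except LookupError:
            hashed_reminder = None
        salt, _, digest = hashed.records[user]
        report[user] = {
            "clear_login_ok": clear.verify(user, pin),
            "hashed_login_ok": hashed.verify(user, pin),
            "hashed_rejects_wrong": not hashed.verify(user, pin + "0"),
            "clear_reminder": clear.remind(user),
            "hashed_reminder": hashed_reminder,
            "pin_visible_in_hashed_record": pin.encode("utf-8") in salt + digest,
        }
    return report, hashed


if __name__ == "__main__":
    report, hashed = compare_stores()
    for user, r in report.items():
        print(user, r, operator_view(hashed, user))
    token = hashed.issue_reset_token("rkc")
    print("reset with wrong token:", hashed.complete_reset("rkc", "bogus", "9999"))
    print("reset with real token:", hashed.complete_reset("rkc", token, "9999"))
    print("login with new PIN:", hashed.verify("rkc", "9999"))
```

Run it and compare the two `operator_view` results: the clear-text row is the PIN, usable at any other site where it was reused; the hashed row is a salt and digest that an operator can only attack by guessing offline. That is the one thing hashing buys, and it is not a small thing for reused credentials, but it is also the caveat David's objection points at: a four-digit PIN has 10,000 possible values, so anyone holding the hashed table can recover such a PIN in seconds with the same PBKDF2 call. Hashing protects long, unique secrets; it cannot rescue a short PIN.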