Storage of clear-text passwords: NOT!

Paw Prints: Writings of the maddog
I am the first person to admit that I am not an expert on security (o.k., there are probably several dozens of my friends who will gleefully “admit” that I am not an expert on security before I will), but I do know that storing passwords in clear-text is just not the way to go. Yet recent interactions with several web site management teams has shown me that apparently some people have not yet learned this simple principle.
With all the reported incidents of identity theft due to records and data stolen you would hope that companies would treat passwords with more respect, yet I have one “social network” site email me information on my account each month where they include my password in the email in clear-text. The very first time they did this I went onto the site, removed all my information, replaced the information with fictitious data and changed the password to “stupididiots”. Now every month I get the email from them that reminds me of how stupid they are. When I start receiving things based on the fictitious information in the mail, I will know from where and why it is arriving.
Nor is this limited to small sites created by amateurs. Recently I had reason to talk with a major site holding records for millions of people and realized that they and their staff had access to their customers clear-text passwords. “That is not a smart thing to do” I told them. They did not seem to grasp the implications, so in the next few days I will be writing a letter to their president.
You would think that with examples like Unix and Kerberos that have been around for such a long time people and sites would be a bit more careful with how they handle passwords. Simple protection techniques are not rocket science, and can make the stored passwords a lot safer.
For example, sites should convert the clear-text password received by the customer into an encrypted form immediately after receiving it, then throw away a small part (one bit would do) of that encrypted form and store the rest. This would prevent anyone receiving a database of stored passwords and (without any other knowlege) using a brute force technique to decrypt the passwords. When the customer accesses the site again, follow the same procedure, and compare the two encrypted strings. If they match, allow access.
If you are using a deterministic encryption algorithm, one that always creates the same encrypted string from the same set of clear-text, you don't have to know what the clear-text password is, only that the encrypted forms matched.
Granted, this technique also relies on the fact that people choose “good passwords”, but no choice of a “good password” will protect you from idiots who insist on storing your clear-text password in their database in clear-text.
If a customer contacts the site and tells the staff that the customer has forgotten their password, the site will need to authenticate them in some way and then generate a new password for them and allow them to change it to whatever they need. Many web sites have automated this process in a fairly robust way using one-time ULRs and one-time passwords but the methods could be improved. There should never be a clear-text password generated, shipped or stored anywhere.
I recognize that this blog is not a treatice on Internet security, and I apologize to the regular readers of this column who will say “o.k., what else is new”, but as long as we keep hearing of “stolen records” that could easily have been avoided, we need to keep beating the drum.
Comments
comments powered by DisqusIssue 270/2023
Buy this issue as a PDF
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
OpenMandriva Lx 23.03 Rolling Release is Now Available
OpenMandriva "ROME" is the latest point update for the rolling release Linux distribution and offers the latest updates for a number of important applications and tools.
-
CarbonOS: A New Linux Distro with a Focus on User Experience
CarbonOS is a brand new, built-from-scratch Linux distribution that uses the Gnome desktop and has a special feature that makes it appealing to all types of users.
-
Kubuntu Focus Announces XE Gen 2 Linux Laptop
Another Kubuntu-based laptop has arrived to be your next ultra-portable powerhouse with a Linux heart.
-
MNT Seeks Financial Backing for New Seven-Inch Linux Laptop
MNT Pocket Reform is a tiny laptop that is modular, upgradable, recyclable, reusable, and ships with Debian Linux.
-
Ubuntu Flatpak Remix Adds Flatpak Support Preinstalled
If you're looking for a version of Ubuntu that includes Flatpak support out of the box, there's one clear option.
-
Gnome 44 Release Candidate Now Available
The Gnome 44 release candidate has officially arrived and adds a few changes into the mix.
-
Flathub Vying to Become the Standard Linux App Store
If the Flathub team has any say in the matter, their product will become the default tool for installing Linux apps in 2023.
-
Debian 12 to Ship with KDE Plasma 5.27
The Debian development team has shifted to the latest version of KDE for their testing branch.
-
Planet Computers Launches ARM-based Linux Desktop PCs
The firm that originally released a line of mobile keyboards has taken a different direction and has developed a new line of out-of-the-box mini Linux desktop computers.
-
Ubuntu No Longer Shipping with Flatpak
In a move that probably won’t come as a shock to many, Ubuntu and all of its official spins will no longer ship with Flatpak installed.
Call staff access
A far better approach would always be to provide an audited, supervised mechanism for password renewal combined with advice to change the newly generated password immediately.