Storage of clear-text passwords: NOT!

Paw Prints: Writings of the maddog
I am the first person to admit that I am not an expert on security (o.k., there are probably several dozens of my friends who will gleefully “admit” that I am not an expert on security before I will), but I do know that storing passwords in clear-text is just not the way to go. Yet recent interactions with several web site management teams has shown me that apparently some people have not yet learned this simple principle.
With all the reported incidents of identity theft due to records and data stolen you would hope that companies would treat passwords with more respect, yet I have one “social network” site email me information on my account each month where they include my password in the email in clear-text. The very first time they did this I went onto the site, removed all my information, replaced the information with fictitious data and changed the password to “stupididiots”. Now every month I get the email from them that reminds me of how stupid they are. When I start receiving things based on the fictitious information in the mail, I will know from where and why it is arriving.
Nor is this limited to small sites created by amateurs. Recently I had reason to talk with a major site holding records for millions of people and realized that they and their staff had access to their customers clear-text passwords. “That is not a smart thing to do” I told them. They did not seem to grasp the implications, so in the next few days I will be writing a letter to their president.
You would think that with examples like Unix and Kerberos that have been around for such a long time people and sites would be a bit more careful with how they handle passwords. Simple protection techniques are not rocket science, and can make the stored passwords a lot safer.
For example, sites should convert the clear-text password received by the customer into an encrypted form immediately after receiving it, then throw away a small part (one bit would do) of that encrypted form and store the rest. This would prevent anyone receiving a database of stored passwords and (without any other knowlege) using a brute force technique to decrypt the passwords. When the customer accesses the site again, follow the same procedure, and compare the two encrypted strings. If they match, allow access.
If you are using a deterministic encryption algorithm, one that always creates the same encrypted string from the same set of clear-text, you don't have to know what the clear-text password is, only that the encrypted forms matched.
Granted, this technique also relies on the fact that people choose “good passwords”, but no choice of a “good password” will protect you from idiots who insist on storing your clear-text password in their database in clear-text.
If a customer contacts the site and tells the staff that the customer has forgotten their password, the site will need to authenticate them in some way and then generate a new password for them and allow them to change it to whatever they need. Many web sites have automated this process in a fairly robust way using one-time ULRs and one-time passwords but the methods could be improved. There should never be a clear-text password generated, shipped or stored anywhere.
I recognize that this blog is not a treatice on Internet security, and I apologize to the regular readers of this column who will say “o.k., what else is new”, but as long as we keep hearing of “stolen records” that could easily have been avoided, we need to keep beating the drum.
Comments
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
News
-
2024 Open Source Professionals Job Survey Now Open
Share your expectations regarding open source jobs.
-
Arch Linux 2023.12.01 Released with a Much-Improved Installer
If you've ever wanted to install Arch Linux, now is your time. With the latest release, the archinstall script vastly simplifies the process.
-
Zorin OS 17 Beta Available for Testing
The upcoming version of Zorin OS includes plenty of improvements to take your PC to a whole new level of user-friendliness.
-
Red Hat Migrates RHEL from Xorg to Wayland
If you've been wondering when Xorg will finally be a thing of the past, wonder no more, as Red Hat has made it clear.
-
PipeWire 1.0 Officially Released
PipeWire was created to take the place of the oft-troubled PulseAudio and has finally reached the 1.0 status as a major update with plenty of improvements and the usual bug fixes.
-
Rocky Linux 9.3 Available for Download
The latest version of the RHEL alternative is now available and brings back cloud and container images for ppc64le along with plenty of new features and fixes.
-
Ubuntu Budgie Shifts How to Tackle Wayland
Ubuntu Budgie has yet to make the switch to Wayland but with a change in approaches, they're finally on track to making it happen.
-
TUXEDO's New Ultraportable Linux Workstation Released
The TUXEDO Pulse 14 blends portability with power, thanks to the AMD Ryzen 7 7840HS CPU.
-
AlmaLinux Will No Longer Be "Just Another RHEL Clone"
With the release of AlmaLinux 9.3, the distribution will be built entirely from upstream sources.
-
elementary OS 8 Has a Big Surprise in Store
When elementary OS 8 finally arrives, it will not only be based on Ubuntu 24.04 but it will also default to Wayland for better performance and security.
Call staff access
A far better approach would always be to provide an audited, supervised mechanism for password renewal combined with advice to change the newly generated password immediately.