Storage of clear-text passwords: NOT!

Paw Prints: Writings of the maddog

I am the first person to admit that I am not an expert on security (o.k., there are probably several dozens of my friends who will gleefully “admit” that I am not an expert on security before I will), but I do know that storing passwords in clear-text is just not the way to go. Yet recent interactions with several web site management teams has shown me that apparently some people have not yet learned this simple principle.

With all the reported incidents of identity theft due to records and data stolen you would hope that companies would treat passwords with more respect, yet I have one “social network” site email me information on my account each month where they include my password in the email in clear-text. The very first time they did this I went onto the site, removed all my information, replaced the information with fictitious data and changed the password to “stupididiots”. Now every month I get the email from them that reminds me of how stupid they are. When I start receiving things based on the fictitious information in the mail, I will know from where and why it is arriving.

Nor is this limited to small sites created by amateurs. Recently I had reason to talk with a major site holding records for millions of people and realized that they and their staff had access to their customers clear-text passwords. “That is not a smart thing to do” I told them. They did not seem to grasp the implications, so in the next few days I will be writing a letter to their president.

You would think that with examples like Unix and Kerberos that have been around for such a long time people and sites would be a bit more careful with how they handle passwords. Simple protection techniques are not rocket science, and can make the stored passwords a lot safer.

For example, sites should convert the clear-text password received by the customer into an encrypted form immediately after receiving it, then throw away a small part (one bit would do) of that encrypted form and store the rest. This would prevent anyone receiving a database of stored passwords and (without any other knowlege) using a brute force technique to decrypt the passwords. When the customer accesses the site again, follow the same procedure, and compare the two encrypted strings. If they match, allow access.

If you are using a deterministic encryption algorithm, one that always creates the same encrypted string from the same set of clear-text, you don't have to know what the clear-text password is, only that the encrypted forms matched.

Granted, this technique also relies on the fact that people choose “good passwords”, but no choice of a “good password” will protect you from idiots who insist on storing your clear-text password in their database in clear-text.

If a customer contacts the site and tells the staff that the customer has forgotten their password, the site will need to authenticate them in some way and then generate a new password for them and allow them to change it to whatever they need. Many web sites have automated this process in a fairly robust way using one-time ULRs and one-time passwords but the methods could be improved. There should never be a clear-text password generated, shipped or stored anywhere.

I recognize that this blog is not a treatice on Internet security, and I apologize to the regular readers of this column who will say “o.k., what else is new”, but as long as we keep hearing of “stolen records” that could easily have been avoided, we need to keep beating the drum.

Comments