Plain text passwords leave subscribers vulnerable

20 February, 2014
Many online companies are still storing and sending plain text passwords leaving subscriber user credentials vulnerable to cyber-crime


In the wake of the exposure of 2000+ online user credentials from Tesco.com a short time ago, people have once more been advised not to use the same login credentials across different sites. Whilst users are being encouraged to take a more secure approach towards reducing their own vulnerability online, there continue to be gaping holes in the security of online service providers.



One glaring example of how companies are taking liberties with the privacy of subscribers is the storage and transmission of plain text passwords, a practice that has always been denounced as unsafe but one which demonstrates an almost unbelievably cavalier attitude towards data privacy in today's environment of increased cyber-criminal activity and advanced threats.



We're all faced with the need to provide user names and passwords to many internet sites that we interact with, whether it's ordering a pizza online, viewing the latest gas bill or becoming a member of an online community. Usually, this results in a confirmation e-mail on first registration containing a link back to the site. Requests for password changes contain a similar link where the password can be changed on a secure web-page.



However, sometimes an e-mail is sent to the subscriber containing all the login details including the user name and password in plain text as can be seen in the example below which was sent to us by a reader:



[Image: Comm100 plain text password security vulnerability]

So why is this a problem and how does it expose the recipient? We spoke to Stefano Ortolani, a security researcher at Kaspersky Lab, and he told us that there are a number of reasons why this is bad.



"Mailing passwords in clear-text is strongly inadvisable due to multiple reasons", Stefano explained. "Firstly, every single server that routes the email (these are known as Mail Transfer Agents - MTAs) could have potentially read the mail content and therefore, the password. Secondly, even if the content was encrypted, the server sending the email would still have the password stored somewhere in clear-text (most likely in its database). This can lead to immediate access to passwords if someone hacks such a server, using a flaw on the hosted web site for instance".



This implies that, in plain text, the user credentials are exposed at every stage: stored on the online service provider's server, in transit between mail servers, and sitting in the user's e-mail inbox. With auto-login to e-mail accounts and computers left switched on and logged in, having your passwords stored in your e-mail is extremely insecure.



Former ethical hacker and current VP of Cloud Solutions at SafeNet, Jason Hart, elaborated on this point and re-iterated that the password needs complete protection at all stages of storage and transit, and that the most reliable way of providing this protection is through encryption. He told us, "All online stores and websites should be encrypting all passwords both in storage and transit, as well as not simply relying on basic username and password for user authentication".
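As an added illustration (not code from the article, Comm100 or SafeNet), the weak subscriber record beside a hardened one: the usual way to implement "protection in storage" is a salted, iterated password hash rather than keeping the password at all, and the confirmation or reset e-mail then carries a one-time link token, never the password. The in-memory store, the example.invalid domain and the function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "subscriber table" (assumption: a dict keyed by username).
# Weak form: the record holds the password itself, so a server compromise, or an
# e-mail that copies the record to the subscriber, exposes it directly.
def register_plaintext(store, username, password):
    store[username] = {"password": password}
    return store[username]

# Hardened form: only a random salt and a PBKDF2-HMAC-SHA256 digest are kept;
# the password cannot be recovered from the record, so it cannot be mailed out.
def register_hashed(store, username, password, iterations=200_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    store[username] = {"salt": salt, "hash": digest, "iterations": iterations}
    return store[username]

def verify_hashed(store, username, password):
    rec = store.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(digest, rec["hash"])  # constant-time comparison

# The e-mail carries a one-time link token instead of the password; the server
# keeps only the token's hash, so mail servers and inboxes never hold a reusable secret.
def issue_reset_token(store, username):
    token = secrets.token_urlsafe(32)
    store[username]["reset_token_hash"] = hashlib.sha256(token.encode()).digest()
    return token

def redeem_reset_token(store, username, token, new_password):
    rec = store.get(username)
    expected = rec.get("reset_token_hash") if rec else None
    if expected is None:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), expected):
        return False
    # register_hashed replaces the record, which also discards the used token.
    register_hashed(store, username, new_password, rec["iterations"])
    return True

def reset_email_body(username, token):
    # Hypothetical domain; what goes out is a link, never the password.
    return f"Hello {username}, change your password here: https://example.invalid/reset?token={token}"
```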



This alludes to the fact that although encryption may be currently the most reliable protection, the future may see this change as multi-factor authentication technologies become more accessible and reduce the current reliance on the userid/password model of data access.



There is also the need for users to resist the temptation of using the same password across multiple sites; this was the root cause of the recent Tesco.com compromise. In the case of the Comm100 example in our illustration, if the user had deployed this password across multiple sites, then the storage and transmission of this password in plain text would have compromised the user's credentials for ALL the sites this password was used on.



Comm100's poor protection of its users' credentials would imply that the company has a poor security posture overall, thereby making it more vulnerable to attackers. Having gained easy access to so many user credentials, these attackers would then have the potential to make further inroads into the wider digital presence of those users.



SafeNet's Jason Hart went on to comment on the need for users not to share passwords between sites. He told us, "Customers should refrain from using the same passwords across multiple accounts – something which unfortunately many people often do. It’s clear that there is a need to improve awareness about the dangers of both re-using and sharing passwords amongst both consumers and service providers."



It's not as if the technology isn't there for the service providers to use. Jason explained, "With technology now available such as One-time Password Authentication products that can generate highly secure one-time passwords to authenticate users, there really is no excuse for passwords being sent in plain-text."



Comm100 declined to comment.



Jonathan Newell is a broadcast and technical journalist specialising in security systems and transport safety. He contributes to a range of titles in the technical press. He shares his time between the UK and Kazakhstan.


