It never ceases to amaze me how many sites completely ignore generally accepted password safety practices.
A few weeks ago, I applied for the Google Computer Science Summer Institute. Google outsourced the online application to eResources, who claims to be “Your Trusted Technology Partner.”
Earlier in the year, I had created an account on this site and filled out some basic information. For some reason, the password wasn’t saved in my password manager of choice, and I couldn’t remember it. After a few guesses, I hit the “Forgot Password” link, typed in my E-Mail address, and was sent the message shown below.
Yes. That’s right. They sent me my password. In plaintext. In an E-Mail.
Mind you, I’m not particularly upset that they sent me my password in an E-Mail (although it isn’t particularly secure). I don’t really care how they sent it to me. They could have sent twelve angry weasels each bearing one of the twelve keys necessary to open a secret underground fortress that contained my plaintext password deep in one of its seventeen dungeons. I would still be pissed. The issue isn’t that they gave me my password, the issue is that they had my password to give to me.
Passwords should never be in plaintext on the server.
There’s a common misconception with this. Just because it’s encrypted on your server doesn’t mean that it isn’t in plaintext. If I could somehow extract my password based on the information stored on your server, then as far as I’m concerned, you’re storing my password in plaintext. And that is not okay.
Why is this important? Well, it’s very simple. Your server might be compromised. The contents of your database might be released. Many internet users use the same password on multiple websites, and if you accidentally leak their password in plaintext, all of their other accounts are in immediate jeopardy. Plenty of high-profile sites have been compromised. It can happen to you!
What’s the alternative? Hash the passwords, and with a unique salt for each user. When a user submits their password to you, concatenate the salt and hash the combination. You may then store this hash (and the salt, separately) in your database and perform the same hashing routine each time a user tries to log in. Their passwords are never written to the database, and their passwords can’t be extracted from the hashes. Better yet, even if two users have the same password, their hashes are completely different (thanks to the salt).
More information on safely hashing passwords is readily available, you just have to look. For example, ensure you are using a suitable hashing algorithm.
Shortly after I noticed this basic password security violation, I notified both Google and eResources of the issue. I carefully selected a subject line likely to grab attention: “Password Security Concern”. A representative from eResources sent me back the following email promptly:
Thanks for expressing your concern. I will pass it on to the administrators of this program.
While I recognize that this isn’t as secure as a reset password link, your password is stored in an encrypted format and then decrypted before it is emailed to you.
While, yes, encrypting the passwords is more secure, it’s roughly the equivalent of preventing intruders from entering your house by simply closing the door. If I’ve somehow gained access to your database, I likely have the ability to access your code as well, which means I can just decrypt everything. Passwords need to be non-reversibly hashed.
Don’t get me wrong. eResources is not alone in their blatant disregard for even the most basic levels of password security. There are, unfortunately, thousands of other incompetent or uninformed companies on the web making the same mistakes. This, however, does not make the offense excusable.
Google certainly knows better than this, and has a direct responsibility to ensure that their users’ data remains safe. They have yet to respond to my email.
eResources is not Google, but by using them, Google endorses their product. Google is putting their scholarship applicants’ passwords on the line, and this is simply not acceptable.