Don't email me my password!

06 September 2015 - Security

I'm sorry, but this post has been born purely out of frustration. Yesterday, as part of a support ticket with my domain provider about an old account, they sent me my login details...

Including my password.

In plain text.

You can see where this is going!

I'm not going to go into how companies should be storing your passwords - as there's PLENTY of information online already. However, pretty much all of this information follows one big theme... Do not store your passwords in a retrievable format! I don't care if they're encrypted or not - the point is that no-one should be able to decrypt them. Regardless of who they are. This includes support teams, development teams, even the owner of the company.

If an attacker gets access to your system, then they also have access to all your users' passwords. And many users share their passwords across many different sites - so it's not just their account on your site that you're risking.

I thought this was a very well known issue, so it really surprises me that a company like my domain provider (I'm not going to mention names here) is emailing plain text passwords around in support tickets.

Passwords should be hashed (and salted). When a user first creates the account, it's this hash that should be stored in the database. Hashes are one-way, meaning you can't reverse them and get the password back out again. Then when a user needs authenticating (e.g. when logging back in), the same hashing algorithm gets run against the password they enter, and it's the hashes that get compared, not the raw password itself.

Ideally, users should be using a completely different password for every site they use. Personally, I use LastPass, which helps a great deal with this, and I'd highly recommend it. However, most users do not do this, and do share the same password across multiple sites. This means that if you're being irresponsible in how you store your users' credentials, you're not only risking the security of their account on your site - but also on any other sites on which they're sharing the same password.

Below are a couple of recommended resources for web security. If you're dealing with users' personal details then I'd say they should be recommended reading.

There's no excuse for storing users' passwords in plain text. None whatsoever.
