Hey Lifehacker, In a time where our online data needs to be more secure than ever, how do companies still get away with storing our passwords in plain text? More specifically, how do we lobby for a standard and secure way for Australian companies to store our passwords? I believe the UK Data Protection Act covers such things over there.
Recently I forgot my Telstra password, and when requesting the password it was sent in plain text to my phone, which makes me assume that it is stored in those systems in plain text. Can anything be done about this? Thanks, That’s Just Plain Dumb
Dear TJPD,
Firstly: receiving a password in a text message does tell you something about how the company handles it, but be careful about what. If the message contained a freshly generated temporary password that you were then required to change, it says nothing about how your original password was stored. If it contained the password you had chosen yourself, then the system must hold it in a recoverable form (plain text or reversibly encrypted), because a properly salted and hashed password cannot be turned back into the original to send to you; accepted practice is to reset a forgotten password, not retrieve it. Text messages themselves aren't particularly secure: you can add encryption on some devices, but that only protects messages when the sender uses the same system. Because people generally keep a close hold on their phones (and the sensible ones use passcodes as well), sending texts for password resets and two-factor codes is widely accepted. Either way, how messages are transmitted is a distinct issue from how passwords are stored.
To your broader point: while it might be desirable for minimum standards for data security to be introduced across all industries, to be blunt I wouldn’t hold your breath — the current federal government seems much keener on cutting out existing regulations than on adding new ones. That doesn’t mean you can’t write to your local member expressing your concern, but it seems unlikely that much is going to happen. You arguably have more leverage with individual companies — a data breach resulting from a lack of secure storage is a major PR blunder, and highlighting that fact might scare some providers into improving their approach.
Incidentally, the UK Data Protection Act doesn't mandate any specific technical requirements for how information is protected, partly because it's intentionally broad (it covers data held in non-electronic form as well) and partly so it isn't tied to a particular technology. The Information Commissioner's Office (which oversees the law) does, however, advise against storing passwords in plain text.
Cheers
Lifehacker
Comments
5 responses to “Ask LH: How Can We Force Companies To Store Our Passwords Securely?”
If Telstra can retrieve your password, it's possible for someone else to. The only safe assumption is, if Telstra can do this, your password is not securely stored. I'd be recommending that you have a specific password for any Telstra accounts, and if possible completely different contact details as well (which probably isn't possible due to the excessive government requirements for personal details).
Yup. Having the ability to retrieve your password is kind of like the (incomplete) definition of insecure password storage. This was the terrible mistake that Adobe made, and that led to them being widely criticised (discussed in this Ars article).
Secure password storage involves at least a cryptographically secure random salt, a well-chosen one-way hash function, and many iterations of that hash. In terms of the hash function: md5 or sha1 = bad. SHA256, bcrypt, scrypt = good in varying ways.
Good document on the topic is the OWASP password storage cheat sheet.
Basically, if they can send you your password they’re doing it wrong.
What the above said. The second you can ‘retrieve’ something instead of resetting it, you’ve got an insecure system. Fact.
Proper security should make it so the company can't view your password without significant effort. Some places retrieve passwords and provide them in plain text via text or email, claiming that they were encrypted while stored. Well, if they could decrypt it to send it to me there isn't much effort in securing it, in my mind. Currently passwords should be stored as a salted hash; this makes rainbow tables ineffective and forces a brute force attack to get the password (a lot of effort). I like to argue that under the Australian Privacy Act personal data must be stored securely at a reasonable cost. Given that setting up a website to use a standard hash only requires a couple of lines of code, a salted hash shouldn't be too much more, and setting up encryption and decryption probably needs more code. A key issue with systems that claim to use encryption is that the key is often on the same server as the passwords. I, on the other hand, don't like putting my front door key under the mat. There is no spare key. I have tried to ask places to update their security for passwords before, but unfortunately still no luck.
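The storage patterns discussed in the column's answer and in the two comments above, as an added example that is not part of the original page and not any provider's code: a plaintext store that is what makes "we'll text you your password" possible, beside a salted, iterated PBKDF2-HMAC-SHA256 store (Python standard library only) that can verify a password but never hand it back, and a reset flow that issues a short-lived, single-use token instead of retrieving anything. The iteration count, token lifetime, record format and sample users are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters for illustration (PBKDF2 count is in the range OWASP
# suggests for PBKDF2-HMAC-SHA256; tune to your own hardware budget).
PBKDF2_ITERATIONS = 600_000
RESET_TTL_SECONDS = 15 * 60


# --- Pattern 1: the one that lets a company text you your password -------
def plaintext_add_user(store, username, password):
    store[username] = {"password": password}


def plaintext_retrieve(store, username):
    # Works only because the secret is recoverable. Any attacker, insider or
    # backup with the same read access to this record gets the same answer.
    return store[username]["password"]


# --- Pattern 2: salted, iterated one-way hash ----------------------------
def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt per password defeats rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Re-derive with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def new_store():
    return {}


def add_user(store, username, password):
    store[username] = {"password": hash_password(password), "reset": None}


def login(store, username, password):
    user = store.get(username)
    return user is not None and verify_password(user["password"], password)


# --- "Forgot password": reset, don't retrieve -----------------------------
def issue_reset_token(store, username, now):
    """Create a single-use token; only its hash is stored, with an expiry."""
    token = secrets.token_urlsafe(32)
    store[username]["reset"] = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).hexdigest(),
        "expires": now + RESET_TTL_SECONDS,
    }
    return token  # the only moment the token exists in the clear: send it, don't keep it


def redeem_reset_token(store, username, token, new_password, now):
    """Accept the token once, within its lifetime, then set a new hash."""
    pending = store.get(username, {}).get("reset")
    if pending is None:
        return False
    if now >= pending["expires"]:
        store[username]["reset"] = None  # expired tokens are discarded, not retried
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    store[username]["reset"] = None  # single use
    store[username]["password"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    bad = {}
    plaintext_add_user(bad, "alice", "hunter2")
    print("plaintext store can answer 'what is my password?':", plaintext_retrieve(bad, "alice"))

    good = new_store()
    add_user(good, "alice", "hunter2")
    print("hashed record (no way back to the password):", good["alice"]["password"])
    token = issue_reset_token(good, "alice", now=0)
    print("reset token to text the user:", token)
    print("reset succeeded:", redeem_reset_token(good, "alice", token, "correct horse", now=60))
    print("old password still works:", login(good, "alice", "hunter2"))
```

PBKDF2 is used here because it ships in the standard library; bcrypt, scrypt or Argon2 are the stronger choices where their libraries are available. Note that `verify_password` reads the salt and iteration count out of the record, so the cost parameter can be raised later without invalidating existing accounts.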
And ffs, store my personal details encrypted, not just my password.
All I needed was my email and birthday to get my password sent to me.
SMS isn’t secure, my birthday is not private information and my email is the very thing that a hacker probably wants access to.
So now a hacker trying to get my data just has to get access to my SMS and they have everything.