
Emailing passwords is no proof of storing passwords as plain text

There is a site named plaintextoffenders.com which lists sites that, according to them, store passwords in plain text, i.e. neither hashed nor encrypted. As proof, they let users email screenshots to them.

Many of the screenshots look like this:

Welcome XXX,

bla bla,

Username: XXXX
Password: XXXX

or, after a password change:

Dear YYY,

You have successfully changed your password to: XXXX

Nothing in those emails says that the password is stored in plain text in the database. When you register your account or change the password, you type it into an HTML form. Hence it is sent as plain text to the web server, which can use that submitted value to generate the welcome email and still store only a hash.

The only time you *might* have proof of someone storing your password in plain text is if you can request it back (for instance through a “forgot password” form that mails you the current password). Even then, the password might not have been hashed, but it can still have been encrypted. That is not as secure as hashing (if a potential attacker gets access to the encryption key, every password is exposed), but it is more secure than storing plain text.
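To make the argument concrete, here is an added example in Python (my own code, not part of the original post or of any site it discusses). A registration handler receives the password from the form, composes exactly the kind of welcome email shown above, and stores only a salted PBKDF2 hash. A second store that keeps the plain text is included for contrast. The class and function names (`HashedPasswordStore`, `PlaintextPasswordStore`, `register_and_welcome`, `password_is_recoverable`) are my own; from the outside, the only operation that tells the two stores apart is password recovery, which is exactly the point made above.

```python
import hashlib
import hmac
import os


class HashedPasswordStore:
    """Persists only a per-user random salt and a PBKDF2-HMAC-SHA256 digest.

    The plaintext password never reaches the storage layer, so it cannot be
    handed back later. (Iteration count kept modest so the example runs fast;
    production deployments should use a higher, current recommendation.)
    """

    ITERATIONS = 200_000

    def __init__(self):
        self._rows = {}  # username -> (salt, digest)

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)
        self._rows[username] = (salt, self._digest(password, salt))

    def verify(self, username, password):
        row = self._rows.get(username)
        if row is None:
            return False
        salt, digest = row
        # Constant-time comparison so a timing side channel cannot leak the digest.
        return hmac.compare_digest(self._digest(password, salt), digest)

    def record(self, username):
        """The raw bytes that actually sit in the database for this user."""
        salt, digest = self._rows[username]
        return salt + digest

    def recover(self, username):
        # A "mail me my current password" feature cannot be built on this store.
        raise LookupError("password is not recoverable from a hash")


class PlaintextPasswordStore:
    """The offending design: the password itself is what gets persisted."""

    def __init__(self):
        self._rows = {}  # username -> password

    def register(self, username, password):
        self._rows[username] = password

    def verify(self, username, password):
        stored = self._rows.get(username)
        return stored is not None and hmac.compare_digest(stored, password)

    def record(self, username):
        return self._rows[username].encode("utf-8")

    def recover(self, username):
        return self._rows[username]


def register_and_welcome(store, username, password):
    """Simulates the registration handler.

    `password` is the plaintext value that arrived in the form POST. The
    welcome mail is built from that in-memory value, so it can echo the
    password whatever the store does with it afterwards.
    """
    store.register(username, password)
    return f"Welcome {username},\n\nUsername: {username}\nPassword: {password}\n"


def password_is_recoverable(store, username):
    """The one observable that does prove plaintext (or reversible) storage."""
    try:
        store.recover(username)
    except LookupError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    hashed = HashedPasswordStore()
    print(register_and_welcome(hashed, "alice", "hunter2"))
    print("hashed store can return the password:", password_is_recoverable(hashed, "alice"))
    plain = PlaintextPasswordStore()
    print(register_and_welcome(plain, "bob", "correct horse"))
    print("plaintext store can return the password:", password_is_recoverable(plain, "bob"))
```

Both stores produce an identical welcome email containing the password, yet only the plaintext store can ever answer a “send me my password” request, and only the plaintext store's persisted record contains the password bytes. A screenshot of the welcome mail therefore distinguishes nothing; a screenshot of a recovery mail does.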

Update

I’ve misinterpreted what their goal was. This page explains it.

Email over plain port 25 is not secure. But most email providers today use SSL when sending and retrieving emails, which means man-in-the-middle attacks on those hops are not possible. You are only vulnerable to the “email attacks” if the attacker has done the following:

1. Gained access to the router that you or the web site is on (or hacked your computer)
2. Your email provider does not use secure transfer of emails (most do today).

The chance is, imho, quite slim, which makes this security issue trivial compared to others.

What I’m saying is that it’s always important to shed light on security problems, but don’t scare users by making them sound bigger than they are.

  • http://www.facebook.com/michel.renaud Michel Renaud

    Unless I’m mistaken, SSL is only between your computer and the mail server. E-mails are still stored as plain text on mail servers, and may even reside on more than one mail server “while the e-mail made its way between two servers”. At least that used to be true. So e-mailing passwords is a bad idea, just like e-mailing credit card information. One ISP in the province of Quebec was sending signup confirmation e-mails to new customers, with all their information including full credit card info (number, expiration date and security code). Somehow the company didn’t see anything wrong with that…!

    • http://www.gauffin.org jgauffin

      Saying that emails are stored in plain text on the servers is generalizing. Most email servers are probably using databases to store the emails. The folder in which the DB is stored is probably protected by the file system. To gain access to the emails will be tricky. Especially on larger providers. imho hackers would probably not target email servers as their first choice.

      That said, emailing credit card information is plain stupid since it’s a direct way to a bank account. Gaining access to my facebook account by finding my password isn’t really a problem. But let’s take your reasoning a step further. All sites have a “reset password” link. Someone wanting to get your password could just use that function and then hack the email server.

    • JonasGauffin

      Well. So you say that it’s a security risk because someone can hack your ISP, Mail Server or computer?
      If someone succeeds with any of the above you have more serious problems than a password in an email.

      • Rh

        Okay.

        Sending a password in plaintext in an email is very bad… there are no ‘buts’.

        1) Say you leave your webmail logged in. I search “password” and have ALL of your passwords instantly.

        2) You cannot guarantee the security of the email message, maybe you recover it securely from your mail server, but your mail server had to receive it too, and store it.

        3) email is often stored in plaintext on your computer by your e-mail client.

        E-mail was never meant to be a secure medium…

        You say it’s a slim chance… Yes. for ONE user. If a website serves millions of users, the chances that this kind of poor security practice is exploited at least once gets to be unacceptably high.

        • http://blog.gauffin.org/ jgauffin

          1. If you leave your computer logged in you would have loads of problems.
          2. SSL is what I would like to call secure (NSA excluded)
          3. Read number #1.

          If someone actually manages to hack your email provider they could just analyze all emails, create a script which requests new passwords for the sites discovered in the emails and they would gain access to all sites either way.