Shameless plug/seizing the moment: Ping Brigade (https://www.pingbrigade.com/) does everything over HTTPS, stores passwords using bcrypt and never emails them to you.
Edit: Wow, that was a quick downvote. Just wondering since when is building a better product than the giant of the industry and showing it off on HN compels people to click the downvote button?
Just to be clear: there is no significant difference between either of these and simply storing in plaintext.
"In a recoverable form" means that a) there's a single key with which to decrypt the passwords. If I can get the password list, the key isn't far away. And it might not be worth the effort to track it down, since it's practically equivalent to have the (two-way) encrypted passwords and to have the plaintext.
In most companies, the database is significantly more accessible than any encryption keys. For goodness sake, marketers typically have query access to the DB.
And the issue of emailing a password is different. The problem there is that if I gain access to your email account, I can quickly search "password" to discover your private passwords that a company, not you, chose to drop into your email account.
But to be clear, user-created passwords should be stored one-way hashed and never emailed.
> For goodness sake, marketers typically have query access to the DB.
That's a bit of a straw man, don't you think? Even if marketers have access to the database, they shouldn't have read access to the passwords table in a properly configured system. If they do, it's time to fire your DBA.
> The problem there is that if I gain access to your email account, I can quickly search "password" to discover your private passwords
Sometimes it's worse than that. I recently had to do a password recovery on a site, and they sent the password not only in plain text but also as the very beginning of the email. As such, gmail helpfully showed "example.com" as the sender, with "Password: P@ssword1" right in the body preview snippet. You could see it without even having to open the email.
It may not be a common exploit, but if I was checking my gmail at work, a coworker that knew I had an account on this website could just send a recovery request and glance over my shoulder at just the right time and grab my password without my knowledge. Not good.
I wish Google would implement some sort of algorithm that could determine password-looking text and a) not show it in the preview, and b) require user interaction to display it when viewing the actual email body.
This is something I admit I don't quite understand. How are encryption keys stored in a way that makes them significantly less accessible than the database? I'm interested in the nitty-gritty details of this.
Trying not to be pedantic, but this is something everyone should know.
If I can pull a list of two-way encrypted passwords, breaking that is way faster than extracting passwords from a properly crypted list. Essentially it's a huge list of short (almost known plaintext) messages. If you know a cryptosystem that will resist attack in that circumstance, please share.
Properly crypted, passwords admit to local brute forcing, which is bad for any particular account.
"Recoverable" passwords, the whole list admits to statistical attacks that break the whole list.
Playing devil's advocate, but this still prevents lots of web-based attacks. Provided you store the encryption key on the filesystem, or in memory and the encrypted passwords in the database usually you'll get access to only one part.
But it gets better! If you have access to the encrypted passwords, but not the key, then they're safer than hashes, since the attacker cannot try to bruteforce them (he could try bruteforcing a very very long encryption key of course...)
In the most likely implementation of reversably encrypted passwords, an attacker who gets read control of the database can trivially brute-force passwords. Encryption isn't magic.
But in the meantime, I'm curious about what web-based attacks relevant to password storage reversably encrypted passwords protect against. Were you thinking SQLI? Because I do not believe this to be the case.
Let's assume I store base64 encoded versions of encrypted passwords in my database. The key is 128 random bits in a file in the filesystem. How does sqli get you anything useful? Why do you not believe that's "safe"? (let's ignore other attacks or better solutions. Just sqli)
Update: from other posts, I'm guessing you're assuming that anyone with sqli has other problems too, and that's why you don't think it's safe from sqli?
I'm not going to answer this, because I don't want to deal with the 15 counterfactuals someone else is going to come up with for how they'd deal with the way I'd implement this attack (now that they've heard one way to do it). I think you should take my word for it.
I just want to underlay a point here that the previous poster may not have made explicit, i can give you 20 attacks, and you can most definitely think of 20 different ways to prevent whatever it is i'm talking about, the point is, you do not know what i'm going to do in advance as an attacker. Thats why hashed passwords are an important element of security, sure in a theoretically perfectly secure system, it does not matter at all, the problem is, you are not smart enough to get it perfectly right, nobody is, that's why you have the safest "failure modes" you can practically muster.
It's vulnerable to a known-plaintext attack. Eg, you have an account on the system, so you know your own password. You can encrypt your password with different keys until it matches the stored, encrypted version. Then you know the master key.
Edit: Of course you did say 128 bits, which is pretty good. But if you do manage to break it, you do have the master key, which can't happen with hashed passwords.
You couldn't. It's not possible. If you don't know, then it's not possible to pre-compute. Many people fail to understand that. Rainbow tables (while sounding magical, are not).
Edit: But they are great for standard unsalted hashes. md4, md5, sha1, sha512, etc.
> Playing devil's advocate, but this still prevents lots of web-based attacks. Provided you store the encryption key on the filesystem, or in memory and the encrypted passwords in the database usually you'll get access to only one part.
Why would you assume this? It's entirely possible that a compromise will allow file system access, which will give the DB and the key. As for memory storage, you've got to have the key somewhere so that the machine can restore itself after a reboot. An in-memory-only key isn't a very practical solution. It's also entirely possible that you memory-only key will find its way to the swap file, again vulnerable if FS access is gained.
> But it gets better! If you have access to the encrypted passwords, but not the key, then they're safer than hashes, since the attacker cannot try to bruteforce them (he could try bruteforcing a very very long encryption key of course...)
This isn't necessarily true. Hashes are not intrinsically easier to break than encryption. Some hashes (such as bcrypt) are based on an encryption anyway.
you've got to have the key somewhere so that the machine can restore itself after a reboot
In many very secure systems, this "somewhere" is in the brains/completely secondary data stores of a group of admins who enter that key when a reboot occus.
I think it's unlikely enough to ignore it here, though. Is someone who's willing to send an email in plaintext going to do this? Why bother when simply hashing would do the job more effectively?
I agree it's possible for high security situations where passwords need reversibility, though. e.g. I wouldn't be surprised if Intuit used a system like this when they store passwords for external services. (They should still be hashing users' primary passwords, though.)
I should have clarified that I was referring to accessing the swap as root. This also requires another privilege escalation, and is a separate issue I probably should have left out.
If an attacker gets access to the database, chances are very very good they can get access to the key as well. Very few services correctly separate privileges well enough that an attacker can not gain more access once they have database access.
However ... for the sake of argument, just pretend there's only a 50% chance the attacker can get access to the key. Would you rather there be a 50% chance that you leak EVERY password in the database (regardless of strength) or would you rather lose the people who pick passwords in the 5% because you've used bcrypt?
If you are storing something in database which needs to be decrypted (i.e., you are storing credentials to access some other system) it is common sense not to have that key in the database.
The key should be provided to your application on startup.
Or sometimes, the key can be in the wallet and that wallet can open only during startup of the application: application should prompt admin to enter password needed to open the wallet.
At least that how I design my systems... Maybe I'm wrong...
Hey... If you want to be secure that what you need to do. The keys must not be easily accessible.
Anyway application which need to be secure are not the one you also would like to be restarted automatically or unattended: automatically restart can in many cases just make situation worse (i.e., data corruption)
You can always pay big bucks and use Oracle Database with Transparent Data Encryption: in that case, you need to enter password to open the wallet only on startup of a database.
We're required to have our sensitive data on an encrypted volume by a client (a major financial firm). Sometimes, calling the 24/7 techs to enter a passphrase is a perfectly appropriate solution, especially if you have enough capacity to let a server or two wait until the morning.
I had to ask this as I am dealing with a DotNetNuke based system right now which stores authentication details in a table (aspnet_membership) with the passwords encrypted with a private key (in web.config in IIS) and a password salt.
How would one go about securing such a system where there is no option but storing encrypted passwords that are reversible?!
You can change it so that DotNetNuke (really aspnet_membership) uses hashed passwords. They are then not recoverable, but DotNetNuke will allow a user to request a new password which is then emailed (rather than a slightly safer "reset password" link)
I wish it was that easy. Working in higher ed means dealing with legacy and proprietary systems at low budgets. "Change the system" isn't always the option in the real world a lot many times.
Because the email server (or application server or whatever is creating the text for that email) can access it to decrypt it. If that server gets hacked, then you can decrypt all of the passwords.
As an example: The password list might consist of entries encrypted with a public key. The private key might only exist on an air gapped laptop with its communication ports filled with epoxy in a secured facility using trusted humans to enter the encrypted password and retrieve the decrypted plaintext.
I have no reason to believe the above is true, but there is also no reason to automatically believe there is a mechanism available to attackers of a compromised machine to decrypt all encoded materials on the machine.
That's not true. Some people say "We keep your password encrypted" instead of in plaintext, and make the dubious claim that they are then safe. It's good to help them understand the distinction that even if the passwords are encrypted, it's still a problem if they are recoverable.
There's absolutely a distinction. Reversibly encrypted passwords aren't ideal, but it does at least make a database dump less useful to someone who manages a SQL injection exploit.
No, it means that getting the actual raw passwords is now a fun little puzzle for anyone who gets SQLI.
News flash for the (hopefully small) collection of people who may be kidding themselves on this point: unless you've gone to significant lengths to mitigate this specific problem, if you give up the SQL for your website, you've probably given up the box, too.
How likely is it that you're THAT company, the one that hardened their database server and app architecture so that it can survive someone who compromises SQL, and that you actually have SQLI? And, if you're THAT company, how likely is it that you're storing reversably encrypted passwords? And if you're THAT company, how likely is it that you're simply mailing them back to customers on request? It's not likely.
One would hope that the encryption key wouldn't be in the database.
The point remains - there is a benefit to reversibly encrypted passwords versus plaintext ones. It's certainly not ideal, but it's better than nothing.
Respectfully, who gives a shit if it's in the database? If you lose the database, you lose the box. You're done. Whatever information you were storing reversably anywhere in your data center, you are going to lose.
Don't store reversably encrypted passwords: full stop.
Hardly. The SQL injection may have occurred with a limited-access SQL user. The encryption algorithm might be strong enough to give you years or decades of protection against brute forcing. etc. etc. etc.
> Don't store reversably encrypted passwords: full stop.
Absolutely. I'm just pointing out that "there's no difference between plaintext and reversibly encrypted passwords" is a blatant lie.
You already responded to the comment where I said it's possible to rig up a database so that your app server might survive SQLI, so let me just wrap this unproductive little thread up by saying: I don't believe you. If I see you mailing user passwords back to users, I will bet on SQLI losing all those passwords every time, at any odds.
Nerds like us are always going to come up with some twister counterfactual scenario where someone somewhere could do something unexpected. I don't care. None of this is relevant to the issue at hand. This company probably isn't even encrypting passwords, but whether they do or they don't: if they get owned up, they're losing all of them.
If your email provider supports CRAM-MD5 or DIGEST-MD5 authentication (on SMTP, POP3 or IMAP) — they're storing your password either in plaintext or reversibly encrypted.
If your ISP provides PPPoE, PPTP or IPsec-less L2TP connectivity and support CHAP, MS-CHAPv2 or PEAPv0/EAP-MSCHAPv2 authentication — they're probably storing your password in plaintext.
And while the email providers'd better start dropping this practice (as most mobile phones nowadays support SSL/TLS) and use TLS, ISPs are better stay with plaintext passwords. Wiretapping Ethernet, DSL line or open WiFi hotspot is orders of magnitude easier than hacking into the database. Obviously, that's only until the day majority of SOHO routers and other client hardware would support EAP-TLS.
CRAM-MD5 and DIGEST-MD5 are terrible for exactly this reason; a similar argument is part of the reason nobody uses HTTP digest auth. Mitigating this vulnerability is part of the motivation for SRP, which is computationally hard to brute force and non-reversable.
An active attacker having access to the DB, may use encryption to his heart contents.
If encryption's badly implemented (for example, using algorithm prone to chosen-plaintext attacks, or encrypting without salting so same plaintext are always encrypted to same ciphertext) no knowledge of key material is required to gain access to fairly significant number of accounts.
That attack isn't unique to a system with reversible encryption. If I can change the e-mail column, I can do this on any system with one-way password hashing too.
No you can't (or rather, it's not very useful). Sure, you can set someone's password to something you know that way - but since you've already got write access to the database, you might as well do it directly.
This is a flaw of any system that sends your password back to you in plain text, that is not shared by systems that don't.
If I can change your e-mail in the database and have it send me your password reset e-mail, I'm in. Write access to the database is a huge issue in that case whether or not passwords are hashed, encrypted, or plain text.
Not always. For example, in case of website with open registration, an active attacker may exploit SQL injection and register new accounts (with arbitrarily chosen passwords), observing new records in DB.
Which, with proper encryption, likely won't get you anywhere. If the encrypted password is hashed with the username (or something else unique/random to the record) as an add-on salt, you won't even be able to find out which users are using one of the 500 most common passwords this way.
You can see why it's not particularly useful arguing about encryption with you; for instance, the way you'd encrypt passwords, you'd need an "add-on salt" to keep password ciphertexts from being directly comparable.
The likelihood of me personally explaining why that's broken is low, because my sense is that you would immediately adopt some variant (but not exactly that) as part of "what you meant by proper encryption", and then mint another counterfactual from that.
64 comment-thread go-rounds later, you have indeed come up with a reasonably strong password storage system. Of course, you did it by cadging free consulting from the thread, missing the point that virtually nobody who builds these systems would even know that they needed that consulting in the first place.
We could play a similarly fun game by arguing about how an attacker would coerce a shell out of an SQLI flaw. Or: better yet, we can not do that, and just assume you're mostly wrong.
The worst part of this attitude --- and it's not unique to you, it's a nerd trait, and I certainly have it in spades myself --- is that it strongly suggests my best incentives are to be as un- informative as possible, so as not to have to waste time refuting further counterfactuals that you invent post-facto.
> 64 comment-thread go-rounds later, you have indeed come up with a reasonably strong password storage system.
The reasonably strong password storage system is a one-way hashing with bcrypt. That'd be the way I store them, grumpy asides like "the way you'd encrypt passwords" not withstanding. No need for "free consulting", thanks, especially when delivered in such a manner.
My point is not "you should use reversible encryption". My point is "reversible encryption is not the same as plaintext storage", a point borne out by people using HTTPS, PGP, etc.
I don't like getting a plaintext password sent to me via e-mail any more than you do. That's completely besides the point.
Even if the password were irreversibly encrypted, if I can read your e-mail, I can still access your account in most systems. I can reset your password, and either follow the link they e-mail you, or see the random password they generated for you.
I think #2 is more on you for accessing your e-mail securely, and less on Pingdom. Pingdom is only saving a hacker a little bit of time.
Email is traditionally transferred using unencrypted connections. Once in your mailbox, email is often saved and/or indexed for easy search, which is often unencrypted and/or outright unprotected. And worse, your email provider can discover your password by simply signing in as you.
Lets say you want to give the user a 1 step process to get back into their account.
You can 1) Email the password or 2) Email a unique link which lets them reset the password for their account.
If you do #1 the person likely used that password on other accounts. Now you've not only compromised access to your service, but any other that has the same password.
IF you do #2 the user sets a new password and gets into his account. No record of the new password is left anywhere. An attacker with access to the email account can still compromise your service, but now he has no idea what the old password was.
I once opened a password reset e-mail from my (former) bank while at work and wasn't hugely pleased to see my password pop up in plain view for a coworker to see.
Your use of the word "implemented" gives me pause.
I hope you mean "We've plugged the standard bcrypt library into our web app." and not "We found a pdf describing bcrypt on the internet and one of our 'rockstar ninja warlock' devs stayed up for a week writing an implementation that no one else is using and no one has reviewed."
As we see from this thread, people really need to stop assuming that a site will store their password securely. Find a system that allows you to use a unique, random password for each site and use that instead. Do not trust any site to store your password in a secure fashion as relatively few actually do. If someone can get into the password database on a site, it probably doesn't matter if they have your password or not, because they can usually still access everything directly anyway by looking up your user id and performing the relevant queries.
The danger in plaintext storage is that your password to other valuable sites may be exposed by a leaked database dump or similar. This is not a concern if you use a randomly-generated unique password for each site you visit.
Everything is just much safer this way. With some companies making kind of legitimate arguments for plaintext password storage, just assume that your password is NEVER secret to the admins of a site or anyone who may break in and steal their information. Things would be much nicer for everyone involved if we did this.
There are systems in place that make this pretty easy. Personally I use a home-grown method: pwgen -c xx, copy and paste the coolest-looking password displayed, email to myself encrypted, and decrypt with my secret key and copy and paste any time I want to use a site. There are also things like LastPass, KeePass, websites that generate hashes of passwords salted with another phrase or target site URL (copy and paste final output), websites that output a simple character lookup table based on a user phrase, etc. I believe that an interested party could make one of these things work well enough for use among the general people (especially with automated sync platforms from Google and Mozilla). We need to stop relying on anonymous third parties for our personal safety.
I encourage people to use SHA1_Pass. I wrote it and provide full source code under the GPL license. It's free as in freedom and beer. I use it because (as you stated) sites don't do the right thing and have other priorities.
As conscientious users and devs, we have to take matters into our own hands.
You are right. But again, speaking about Pingdom...they are monitoring company...if they treat our password in that way, how do they treat our other private data...We are putting there our http passwords, right? This is a good way to find out if you should really use some service, or not.
It would be nice if there existed a browser extension that would warn the user anytime they are about to register on a site with password storage issues like this. Of course, there would need to be some sort of community maintained repository for tracking which sites are doing this.
Either the user is using the same password on multiple sites. Then this would be a real security issue, independent of the fact if some of the sites store the password in plaintext.
Or the user is using different passwords for different sites. Then you don't really need to care how a single site handles your password.
One reason is that if they are storing the password in a recoverable format, it tells you something about how much you can trust the security of that site in other ways. Even if you're using a different password, you may be much more hesitant about what other information you are willing to put into a site that doesn't take security seriously.
Either the user is using the same password on multiple sites. Then this would be a real security issue, independent of the fact if some of the sites store the password in plaintext.
Nevertheless, the vast majority of users do - and that's unlikely to change in the near future. It's just too easy.
Many users (the majority? I've seen no statistics for this, but everybody I know falls into this group) do, however, keep several passwords, and assign them to sites based on a combination of 1) how likely the site is to compromise the password (sites that email out plaintext score very poorly) and 2) how much the user cares about the security of that particular account. Which suggests the following use case for fourk's hypothetical plugin: user wants to know what password to use, sees that fooneti.cs is one of those sites that stores easily recoverable passwords, and chooses to use one of the disposable ones.
> Then you don't really need to care how a single site handles your password.
Sure, but if I'm choosing between two sites that offer a similar service, knowing that one is insecure is going to strongly influence me to use the other. It's information that's worth having.
Although, this brings up a point - if the list is crowdsourced, companies may have incentives to report their competitors are insecure. There would have to be some way of erasing "insecure!" votes - but then you end up relying on a (hopefully benevolent) dictator.
What's a good solution? pg can't be everywhere at once!
Because it's poor security, and the user might care. I don't want to use a site that is so lax about security that they store passwords in plaintext. I don't want them to have any of my information, because they're clearly not competent enough to keep it secure. Whether I'm reusing passwords is irrelevant here.
Also, it's a fact that a lot of users reuse passwords. Pretending that it's not the case or claiming that it's the wrong thing to do is pointless. Good security should address the real world, not some silly idealized one.
If the site has control over my money or my public persona, then I very much need to care how they handle my password.
It is not uncommon for databases to be stolen via lost laptops, human error, or sloppy security. When this happens, I would prefer that the database not contain my plaintext password.
If someone obtains my password through such a leak, it won't help me that I've used a distinct password for that website.
It's bad news when a bank leaks their customer list. It's catastrophic news when a bank leaks their customer passwords.
If you don't store the passwords in the first place, they can't be leaked.
If every user used different passwords on every single site, this submission would be hardly newsworthy and barely discussion worthy. In a perfect world, sure, every user would have a unique 14+ character password for every site they register on. In a perfect world, every site would implement basic password encryption. Unfortunately, reality != perfect world.
The detection process is somewhat wrong. In many sites, they store passwords in plaintext or reversible plaintext--but they send mere link to reset. So, you don't really know, how they're storing. IMHO, most of new startups store passwords for the sake of learning. Definitely, there needs to be some disclosure on how they'll store passwords.
Password security is a shared responsibility between the company storing the password and the user who chooses what password to store. As a user, you rarely know the full extent to how a company manages the storage of passwords so the responsibility truly rests on your shoulders to choose unique passwords for each service that you use.
This is simply not realistic. I've got hundreds of accounts online. I cannot remember a truly unique password for each. It's not possible (not for me at least). I can't even remember all the sites I've got accounts.
A lot of people implement their own hash ("I use a base password plus the second letter of the url and the number of letters in the domain: dumbe18"), but this is not unique per site, and these hashing schemes don't tend to be as unique or as hard to figure out as one might imagine.
There are utilities now that try to help, but I've not found one that's even remotely convenient when it comes to accessing sites on multiple computers, my phone, and my tablet. Not to mention I'm putting my trust in a 3rd party to handle all of my passwords when I do this.
I use the SuperGenPass Password Generator bookmarklet. It generates site-specific passwords by hashing the site's domain name with your master password. You can save bookmarklet offline or host in on your own web server so you can generate passwords when you are away from your home computer.
The only problem is when SuperGenPass's generated passwords are not compatible with some site's unusual password restrictions. They I have write down a one-off password. A cool idea: a password generator bookmarklet that knows the site-specific password formats. The formats could be extensible (by bookmarklet developer and end users), analyze HTML5 form validation rules, or websites could publish a machine-readable password description microformat.
Personally, I think it's more realistic to place your trust in one verifiable source (i.e. using the cross-platform KeePass with the encrypted database stored on Dropbox) than assume that "hundreds" of different organizations are all going to implement adequate authentication strategies.
What seems oddly unrealistic to me is that if one company exposes your password, you now have to not only remember all of the hundreds of sites you have accounts on, but log in to each one and change that one password that you always use.
I agree the current system is broken, but asking users to remember hundreds of passwords is no less broken. As for KeePass, the problem is that I can't get integration with a browser on my phone or tablet, so I'm left jumping back and forth between apps every time I need to log into something. Not to mention there's no official KeePass implementation for the Mac (unless I want to run on Mono). I also frankly think it's unnecessarily complex, but maybe I should give it a try again.
I really don't understand how you can take the stance that it doesn't matter if a site has proper password security. Why are you bothering to use KeyPass if you don't care about security in the first place?
On 99% of all websites I can use special characters in my passwords. The only exception are my online banking sites, where I'm forced to restrict myself to [\d\w] one one of the sites and to [\d] on the other site.
LiquidWeb also does this from my experience. Sign-up for a new account and have them call you for verification. Their verification question is "What is your password?".
crunchbase has a nice list of competitors: http://www.crunchbase.com/company/pingdom Watchmouse appears to have some pretty high end customers. (including twitter, AT&T and verisign )
The fact that they sent it in an email in response to a user request means that they are at least storing it in a reversible format. Given that they sent the password in plaintext via email, I see no reason to believe they are competent enough to set up a reversible system that is more secure than plaintext (e.g. rot13 isn't more secure but isn't technically plaintext; storing an encrypted password with the key isn't more secure). In all likelihood, they are storing in plaintext or an equivalent.
The story only details the sending of a password in plain text. You are right in that this provides no evidence of the password being stored in plain text.
It is equally plausible, without further evidence, that pingdom is merely changing the password (a likely case if the password is not retrievable) and emailing the new password.
I tested this with my pingdom account for which I know the password. The email I received contained my password and not a new password. This confirms that pingdom is storing passwords in a retrievable fashion, whether that be plain text or some form of non-one way encryption.
It's not inherently bad. It's a trade-off between security and convenience. Believe it or not, most of the time, business managers are far more concerned about the user experience and the convenience of use rather than information security.
It's not black and white. It's a decision with trade-offs either way.
Is there any guarantee that this actually entirely removes your data from their databases? How do you know they don't just toggle an `active` column for your row in the users table?
I'd be interested in seeing the correlation between return on investment and level of basic security-related competence at the point at which the company first attempted to raise VC money.
Moreover, because I really love HN, I'm going to run a 50% off discount at https://www.pingbrigade.com/signup/hn.
Edit: Wow, that was a quick downvote. Just wondering since when is building a better product than the giant of the industry and showing it off on HN compels people to click the downvote button?