
I had to use my utility company's online account information application and forgot the password. Going through the steps of resetting the password, I was emailed the password in the open. I found this pretty insecure and contacted the company with my concern; they basically said that they don't feel that hashing passwords is necessary since nobody but me knows my account and user name. Trying to explain the implications of not hashing passwords didn't lead anywhere - I don't think they understand the problem.

Whom should I contact to force them to correctly store passwords?

This question was IT Security Question of the Week.
Read the Jan 27, 2012 blog entry for more details or submit your own Question of the Week.

positron
  • This is a matter of "does it matter". If you store your credit card information with this company, you should stop; you shouldn't store this information NO MATTER WHAT, as evidenced by all the security compromises in the last 14 months. You have to ask yourself what information exactly is stored on this website. In the case of the power utility, they have my billing address, my full name, and that's about it. – Ramhound Jan 20 '12 at 19:24
  • At this point it's sort of a useless endeavor to attempt to get them to change their security, since they obviously are not aware of the correct way to do something. If you don't store your personal information beyond your "billing address" and your "full name", both of which can be found in the phone book, you are safe. – Ramhound Jan 20 '12 at 19:26
  • Yes. The question does not state which other information is protected by this password. – wizzard0 Jan 20 '12 at 19:27
  • Hmmmmm my guess is they won't do anything about it until it's too late. Maybe you should make "too late" happen today. – k to the z Jan 20 '12 at 20:43
  • Contact your local government's utility commission. They may be able to get through to the company. As a public utility the company may actually be required to comply with certain regulatory oversights that might force them to implement a higher level of security. The public utility commission can tell you that. – Tim Kennedy Jan 20 '12 at 20:44
  • Or the variation of this when banks don't hash passwords, as evidenced by their ridiculous schemes requiring partial passwords and random (easy to guess) security questions. I even took issue with Which? (a UK consumer magazine) when they reviewed banks' online security and awarded extra points for using partial passwords! – pipTheGeek Jan 22 '12 at 19:29
  • Loosely related: http://security.stackexchange.com/questions/4997/is-it-a-bad-idea-for-an-information-holder-to-e-mail-a-user-their-password – Steve Melnikoff Mar 27 '12 at 12:01
  • Just wow. I would strongly recommend that you do not store any personal information there. If that is the way they store the passwords, what can you expect of the other data? I wonder if some government people may take your report seriously (you can still try though). The only way I see they would do something for sure is if someone actually hacks them (not suggesting you do so). – lepe Jul 17 '15 at 00:59

5 Answers


There are two sides to this problem:

  • Security implications for you

Basically, the only working mitigation is to use a different password on every account you own (and then use a password manager like KeePass, 1Password, etc. to store them).

  • For the utility company

Hashing passwords adds security. Unfortunately, it also adds cost - to implement it, to test it, etc. The password recovery procedure will change, etc., etc., etc.

Basically, you need to be a good salesman to explain their risks to them and show them that the potential losses (reputation, etc) are worse than the cost of hashing - if it really is.

So, to do that, you need to get in contact with both the CISO (or CIO, or CTO), and then, after convincing him :) - approach those who will shell out the money for this.

wizzard0
  • A class action suit? Are you serious? Unless his banking information is connected to his account and stored in a plain text format, what exactly would be his damages? – Ramhound Jan 20 '12 at 19:30
  • And then get sued because I am probably the only person that contacted them about this issue and they will need a scapegoat... – positron Jan 20 '12 at 19:31
  • @Ramhound Not my damage, but you know that most people use the same password for everything, so the password they have in utility company's database is probably the same for their bank account, etc., along with the same user name I am sure. – positron Jan 20 '12 at 19:33
  • @Ramhound well, that depends on the company. Unfortunately, I've seen too many databases with credit card data in the open. Hope this isn't the case. – wizzard0 Jan 20 '12 at 19:40
  • @camokatu - People using the same password for everything would be a problem EVEN IF they encrypted their database and stored your password the correct way. I still don't understand the point of a class action suit in a case like this; there would be no damages. I mean, if people were unable to even sue Sony for their actions (using insecure versions of server software with known exploits) then what chance do you have? – Ramhound Jan 20 '12 at 19:41
  • @camokatu yes, the scapegoat problem is serious. Honestly, there is no real way to push the (big) company, unless you exactly know that they violate some specific standard (like PCI DSS or whatever privacy protection laws you may have in your country) – wizzard0 Jan 20 '12 at 19:42
  • Well, I think I'll cut out the class action option from my answer :) – wizzard0 Jan 20 '12 at 19:47
  • @Ramhound I agree. And I am not looking to sue anybody, just thought they would do the right thing and fix it – positron Jan 20 '12 at 19:48
  • @wizzard0 I think I'll leave this up in the air right now, and possibly choose another utility provider or start changing my password every 3 months as the rep suggested. LOL. – positron Jan 20 '12 at 19:50


Submit it to plaintext offenders?

Switch to another utility company?

Lobby your local politicians to pass legislation that companies that do not use secure hashes (e.g., bcrypt or at very least salted hash) on their password data are liable for identity theft damages from any compromise of their systems?

The fact of the matter is that as an end user, you cannot assume sites handle your passwords correctly and aren't going to attempt to use it maliciously, so you should never reuse passwords on systems you don't personally manage. There's no way to know your data is being handled securely without either working there or doing some illegal hacking (not recommended unless they explicitly give you permission to attempt to compromise their systems), even when they aren't dumb enough to send you your password in plaintext.

dr jimbob

In the United States, any system that handles a certain volume of customer payment method details (credit/debit card numbers, bank account numbers, etc) must be PCI compliant to operate legally. If the system you describe has your credit/banking details and allows you to view them through that web interface, you may have valid cause to report them for non-compliance.

Alternately, if the website stores certain details or a combination of details regarding your personal identity, they may be required to follow other regulations pertaining to the storage of Personally Identifiable Information (PII). In some cases, even just your first and last name together can be considered PII. (Example: The name "John Smith" stored separately from any other personal details is not PII, but "Joachim Schlichenmeier"* would be.)

I'm not personally aware of the procedures for reporting such violations to any entity that is capable of acting upon them, so for that I would suggest you consult with an attorney. Of course, you'll have a much better case if you at some point are subject to identity theft and the root cause can be traced to your utility company's bad practices.

Beyond that though, I suggest you follow the recommendations others have posted here. Use long and complex passwords for all websites & applications, and do not re-use passwords across any websites & applications. Additionally, limit the information you give these websites & applications to only that which is absolutely necessary for them to serve their purpose.

If there really is no need for the site to permanently store your credit card details, leave that little "remember this" box un-checked. Especially follow this for places you know are un-trustworthy, like your utility company. If you can make payments over the phone or via postal mail, I would suggest pulling all of your payment info off of your profile on the website (if it's there at all) and switching to one of the old-school methods.

*Note: The name "Joachim Schlichenmeier" is intended to be fictional. Any relationship to an actual person, living or dead, is purely coincidental.

Iszi

Contact the marketing department. Tell them that you will leak the information on how seriously they take their duties.

Btw.: What's the name of the company? If they don't think it's a problem, we should talk about it in the open. :)

Most customers will not know the security issues, and use their password not just there, but at multiple other places too. They should not only hash it, but salt it too.

user unknown
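As an added example (not code from any answer in this thread) of the "bcrypt or at least a salted hash" that dr jimbob recommends and the "hash it, but salt it too" that user unknown asks for: a minimal user store that keeps only a salted PBKDF2-HMAC-SHA256 hash (the standard-library stand-in for bcrypt here), so the "forgot password" flow the asker went through can only issue a reset token, never email the password back. The store layout, the `users` dict and the reset-token scheme are my assumptions, not the utility company's system.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Added example, not code from the thread: only a salted, iterated hash is
# stored, so nothing in the database can be mailed back as "your password";
# recovery has to go through a one-time reset token instead.
ITERATIONS = 300_000  # PBKDF2 work factor; raise it as hardware gets faster

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$hash_hex'; a fresh random salt per user means
    two users with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def begin_reset(users: dict, username: str) -> Optional[str]:
    """Recovery path: mint a one-time token to send to the user. Only the token's
    hash is stored, so a copy of the database cannot be used to reset accounts."""
    user = users.get(username)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    user["reset"] = hashlib.sha256(token.encode()).hexdigest()
    return token

def complete_reset(users: dict, username: str, token: str, new_password: str) -> bool:
    """Consume the token and replace the stored hash; the old one is never revealed."""
    user = users.get(username)
    if user is None or not user.get("reset"):
        return False
    expected = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(user["reset"], expected):
        return False
    user["reset"] = None  # single use
    user["pw"] = hash_password(new_password)
    return True

# Constructed sample store: the asker's account with a placeholder password.
USERS = {"positron": {"pw": hash_password("placeholder-pw"), "reset": None}}
```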

I suggest Responsible Disclosure. Contact the company, offer to keep the vulnerability quiet for a limited amount of time, giving them an opportunity to fix it.

In the meantime, make sure you're not using the compromised password anywhere else, make sure you don't have any valuable information stored on their systems, and if you can afford to, cancel your account.

tdammers
  • Responsible disclosure? He's done that. The fact that they don't think it is important means he should just disclose it, so other customers can make responsible decisions. – Bradley Kreider Feb 02 '12 at 23:32