
In the last couple of weeks I've come across two fairly large companies who seem to not have stringent password security:

  1. Tesco - they store passwords in an "encrypted" format, yet they can decrypt the password and then email it to you when you click "I've forgotten my password"
  2. Plusnet - they store passwords again in some form of plain text/encrypted format but decrypt it and show it to you when you click "I've forgotten my password". Not as bad as Tesco, they don't send you the password by email, however they send a "recover password" link and on clicking that a browser window opens which shows your password in plain text (admittedly over an https connection).

My question is, what is the reason behind this? Both Tesco and Plusnet are storing customers' credit card details so surely security should be at the forefront of their mindset.

I want to know if I am wrong for believing that they are storing passwords insecurely. Will they have processes, policies and technologies in place which make this situation secure enough that the way they store their passwords is trivial?

Will they have special two-way encryption that cannot be cracked by hackers? e.g. the same way that https, or APIs work with a private key?

Will they have adequate security on their databases such that this will never be an issue, hackers will never get access to the data? (Judging by LinkedIn, Sony and Yahoo this is always going to be an issue!).

Or am I right in believing that it is wrong, and if so why? Are companies ignorant? i.e. they don't understand/know that what they're doing is wrong? Are they arrogant? i.e. they think that no-one will ever hack them? Or is it something else?

Thank you.

Thomas Clayson
    This question, as it stands, seems too much like a call for opinions that will likely be unsubstantiated, as such it doesn't really fit in with the Q/A style that StackExchange aims to be. – Scott Pack Aug 20 '12 at 15:38
  • Agreed. It reads like a rant, rather than a question. I totally agree with you (I've been heavily involved with the problems with Tesco) but it's just not a good fit for StackExchange. – Polynomial Aug 20 '12 at 15:41
  • I disagree. I am looking for objective answers that help me to understand the situation. Am I wrong for thinking that large companies are doing it insecurely? At the end of the day Tesco and Plusnet are two huge companies who will have resource which far outweighs my knowledge of the systems and security in place. I'm looking for answers like "they'll probably use x,y,z so you are wrong in your assumption" or (as we have) "it is bad that they do this for a,b,c reasons". – Thomas Clayson Aug 20 '12 at 15:42
  • @ThomasClayson Sadly the answer isn't that. It's "we don't know why they do it." There's a whole host of possible reasons: conflicting business priorities, financial issues, management resistant to change, new projects, incompetent dev team, plain old ignorance, etc. We can provide you with conjecture galore, but StackExchange is the place for facts, not guesses. – Polynomial Aug 20 '12 at 15:45
  • @Polynomial I guess you've just answered my question then. :p I was hoping/suspecting that someone would say "they know what they're doing... here's why it's secure". But I guess the answer is "no-one knows but them why they do it like that". Thanks! :) – Thomas Clayson Aug 20 '12 at 15:50
  • @ThomasClayson: What is most important is that there be no mechanism by which anyone can examine passwords without creating an audit log that indelibly identifies who retrieved the password. The only way to achieve this *with conventional hardware* is to store passwords using a one-way hash, but systems which use custom hardware can meet that requirement other ways. – supercat Aug 04 '14 at 19:16

1 Answer


There are a lot of issues here.

First, a lot of companies just don't really see this as a vulnerability. They think encryption is enough and they think that they're not really a target anyway. They won't realize that they're wrong until after someone breaks into their database and steals all of the passwords they stored.

Next, there's some knowledge issues. How do you securely store passwords? Salting and hashing with MD5/SHA like you mentioned is actually not secure. You should use adaptive hashing algorithms like bcrypt. Many developers just don't know the correct way to do things like this, especially since the most-secure method changes fairly often.

There's also the issue of usability. If you hash the password, you cannot offer your users the ability to retrieve their password. Most users don't realize that this is a vulnerability and want this as a feature. The companies probably value usability over security. This goes back to the companies thinking that they're not a target, so they don't need to bother with adding all these security features. Also designing a proper password reset is non-trivial to get right.

Oleksi
  • Good answer. I used salt+md5/sha as an example. I have heard that the latest versions of SHA512 are pretty secure, and although md5 has been cracked etc, it's still a reasonable first step in my opinion. Your standard SQL-injection script kiddie isn't going to be able to crack it. I was implying that the first thing I do is to AT LEAST salt and one-way encrypt it, I would never think about storing it in plain text or a two way encryption (e.g. base64 style). – Thomas Clayson Aug 20 '12 at 15:37
  • You say that password reset is "non-trivial" but I would have thought that companies like Tesco are large enough and have enough resource and money to implement something like that. That said there are also plenty of open source implementations of password reset forms, and it's something that I use in my own applications frequently. If I can do it, and if the open source community can do it then Tesco and other similar companies can do it surely? – Thomas Clayson Aug 20 '12 at 15:39
  • @ThomasClayson Yes, they probably can do it if they wanted to. I think they also don't want to implement this for the reasons I mentioned in my answer. Also, take a look at [this question](http://security.stackexchange.com/questions/1918/can-anyone-provide-references-for-implementing-web-application-self-password-res) about the intricacies of a secure password reset. – Oleksi Aug 20 '12 at 15:43
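The answer above recommends an adaptive (tunable-cost, salted) password hash instead of salted MD5/SHA, and notes that a proper password reset is non-trivial. The following is an added example, not code from the thread or from either company discussed, showing what both look like in practice. It uses PBKDF2-HMAC-SHA256 from Python's standard library as the adaptive hash (the answer names bcrypt; PBKDF2 is swapped in here so the example runs without third-party packages), stores a self-describing record so the work factor can be raised later, and issues single-use, expiring reset tokens of which only a hash is kept server-side. The sample passwords, iteration counts and token lifetime are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Current storage policy. Raising ITERATIONS later is what makes the scheme
# adaptive: needs_rehash() flags old records so they are upgraded at next login.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000          # illustrative cost; tune to ~100ms on your servers
SALT_BYTES = 16
DKLEN = 32
TOKEN_TTL_SECONDS = 15 * 60   # constructed lifetime for a reset link


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def weak_hash(password: str) -> str:
    """The scheme the answer warns against: one fast, unsalted digest.
    Two users with the same password get the same value, and an attacker can
    test billions of guesses per second against a stolen table."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    Nothing in the record lets the server recover the original password, which
    is why a hashed store cannot offer the 'email me my password' feature."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and cost; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False               # malformed record is never a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    _unb64(salt_b64), int(iterations), dklen=DKLEN)
    return hmac.compare_digest(candidate, _unb64(digest_b64))


def needs_rehash(record: str) -> bool:
    """True when the stored record is below current policy (old algorithm or
    lower cost); call after a successful login and re-store hash_password()."""
    try:
        algorithm, iterations, _, _ = record.split("$")
    except ValueError:
        return True
    return algorithm != ALGORITHM or int(iterations) < ITERATIONS


def issue_reset_token(now: float):
    """Return (token for the emailed link, record to store server-side).
    Only the token's hash is stored, so reading the database does not yield a
    usable reset link; expiry and single use bound the window of misuse."""
    token = secrets.token_urlsafe(32)
    record = {
        "token_hash": hashlib.sha256(token.encode("ascii")).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token, record


def consume_reset_token(token: str, record: dict, now: float) -> bool:
    """Accept a token once, before expiry, using a constant-time comparison."""
    if record["used"] or now > record["expires"]:
        return False
    presented = hashlib.sha256(token.encode("ascii")).hexdigest()
    if not hmac.compare_digest(presented, record["token_hash"]):
        return False
    record["used"] = True          # burn it so the link cannot be replayed
    return True


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    print("weak hashes collide:", weak_hash("correct horse") == weak_hash("correct horse"))
    print("salted records differ:", hash_password("correct horse") != hash_password("correct horse"))
    legacy = hash_password("correct horse", iterations=10_000)
    print("legacy record verifies:", verify_password("correct horse", legacy))
    print("legacy record needs upgrade:", needs_rehash(legacy))
```

Contrast this with what the question describes: a system that can email or display the password must hold it in a reversible form, so anyone with read access to that store (or its key) can recover every account's password, whereas the records above give a database reader only salted, slow-to-test digests and one-time token hashes.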