
We had an incident where some of our managers were given passwords for the people they supervise on a particular company website. Ostensibly it was done so the managers could check in on the users and see that they're doing what they've been directed to do with this third-party website.

When I found out that a list of the passwords was printed out and given to the managers, I immediately thought that the passwords on the commercial website weren't being stored in a secure fashion, and warned users that they should immediately change any passwords that nearly matched their "throwaway" accounts. I'm also afraid that, being typical humans, a number of people used the same password on that site that they use with our internal password system so they didn't need to remember more than one password. I was also shocked that the users weren't warned that their passwords would be distributed to other people/supervisors.

I went to the website in question and clicked on their privacy policy link; it returned a 404 error.

  1. Was I being paranoid?

  2. What are the chances that the commercial website is storing their passwords in the clear if a manager is able to retrieve a plaintext list of passwords?

  • I would be more concerned that the company thinks it is okay to give managers their employees' passwords! Even more concerned that they printed them out! The list could be lost, or a rogue manager could impersonate an employee. Or a disgruntled employee could get hold of the list, since it is printed out. No competent IT professional would do this. – Moby Disk Mar 06 '19 at 03:12

4 Answers


No, you're not paranoid. The chances are pretty high that the passwords are stored as plaintext in the database (it's the most obvious explanation). Some estimates say that 30% of websites store (or have stored) their users' passwords in plaintext. Examples include Reddit.com and RockYou.com. It's typically only after a serious breach occurs that the password storage procedures are put to the test.

Often sites that store passwords in plaintext will offer to resend you your old password once you have forgotten it. That pretty much proves this insecure practice.

There is a possibility that the passwords are stored encrypted and were decrypted for the report, but it's a rare practice. Even if the passwords are encrypted there will always be a problem of key storage as the application most likely would need access to the decryption key for authenticating its users.

Of course the proper thing to do for the application is to salt and hash the passwords.

Krzysztof Kotowicz
  • *"most likely would need access"*? How would it send the password if it didn't have access? – BlueRaja - Danny Pflughoeft Sep 28 '11 at 19:24
  • @BlueRaja-DannyPflughoeft For example, authentication (and the remember-password feature) could be delegated to yet another application without access to the database, so that a simple SQL injection vulnerability would only reveal encrypted data and an attacker would have to compromise other components to decrypt the passwords. But I agree - getting this done correctly is very unlikely. – Krzysztof Kotowicz Sep 28 '11 at 19:49
  • You don't necessarily need access to the decryption key for *authentication* purposes even if passwords are stored reversibly encrypted. (Think public key cryptography; you encrypt the given password and compare the result, same as with an HMAC, but keep the decryption key separate.) However, it's probably a pretty safe bet that reversible encryption of passwords at best is implemented using symmetric crypto, or what may as well be, so in the general case the reasoning likely holds. – user Sep 29 '11 at 08:45
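An added example, not part of the answer or its comments, contrasting the two ends of the answer's spectrum: a plaintext store (the only design under which "print every password for the managers" or "resend my old password" is possible) and a salted, iterated hash store, where the site can verify a password but cannot produce one. The class and function names (`PlaintextStore`, `HashedStore`, `export_for_manager`, `export_reveals_password`) and the PBKDF2 work factor are illustrative choices made for this example; a production system should use a dedicated password hash such as bcrypt, scrypt or Argon2.

```python
"""Plaintext vs salted-hash password storage (added example, not from the answer)."""
import hashlib
import hmac
import os

# Illustrative work factor for this example; tune so one check costs ~100 ms
# on your hardware. SALT_BYTES is the per-user random salt length.
ITERATIONS = 100_000
SALT_BYTES = 16


class PlaintextStore:
    """Anti-pattern: what a site must look like if it can hand out a password list."""

    def __init__(self):
        self._users = {}

    def register(self, username, password):
        self._users[username] = password

    def verify(self, username, password):
        return self._users.get(username) == password

    def export_for_manager(self):
        # This is what ended up on paper: every account, every password.
        return dict(self._users)


class HashedStore:
    """Salted, iterated hash: passwords are verifiable but not recoverable."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
        self._users[username] = (salt, self._derive(password, salt))

    def verify(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison so the check does not leak where digests differ.
        return hmac.compare_digest(self._derive(password, salt), stored)

    def export_for_manager(self):
        # The site can list who has an account; it cannot produce a password.
        # A "resend my old password" feature is unimplementable on top of this,
        # which is why that feature is a tell for plaintext or reversible storage.
        return {u: f"{salt.hex()}${digest.hex()}" for u, (salt, digest) in self._users.items()}


def export_reveals_password(store, password):
    """True if a manager-style export of `store` contains `password` verbatim."""
    return any(password == value for value in store.export_for_manager().values())


if __name__ == "__main__":
    # Constructed sample accounts; two users deliberately share a password.
    plain, hashed = PlaintextStore(), HashedStore()
    for store in (plain, hashed):
        store.register("alice", "correct horse")
        store.register("bob", "correct horse")
    print("plaintext export leaks password:", export_reveals_password(plain, "correct horse"))
    print("hashed export leaks password:   ", export_reveals_password(hashed, "correct horse"))
    exp = hashed.export_for_manager()
    print("same password, different records:", exp["alice"] != exp["bob"])
```

Both stores answer `verify("alice", "correct horse")` with True, which is all an authentication system needs; only the plaintext store can answer "what is alice's password?". The per-user salt is what makes alice's and bob's identical passwords produce different records, so an attacker holding the export has to attack each account separately.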

The problem isn't storing passwords in the clear, it's storing passwords in any easily recoverable format. Clear passwords are just the easiest example of that.

Any password that can be sent to a manager is, by definition, recoverable, and who knows who else they will helpfully send your password to?

Kevin
  1. No
  2. 100%

This sounds like one of those throwbacks to the worst design possible. Managers should have permission to view employees' work, but that requires the site to support a proper permissions model. Managers should be able to see a log of activity, but that requires the site to support useful levels of logging and have a decent presentation interface. Since those things require work, they've just handed out passwords instead. That's really bush league.

At least the web site is honest in one sense; their privacy policy is 'not found.'

gowenfawr
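An added example, not part of gowenfawr's answer, sketching the permissions model the answer says the site should have had instead of distributing passwords: a manager views a direct report's work and activity under the manager's own identity, cannot edit it or change the password, and every decision is logged against the actor. The names (`Directory`, `authorize`, `AUDIT_LOG`, the action strings) and the org chart are constructed for this example.

```python
"""Supervision via authorization rather than shared credentials (added example)."""


class Directory:
    """Constructed sample org chart: manager -> set of direct reports."""

    def __init__(self, reports=None):
        self.reports = reports if reports is not None else {
            "mgr_ann": {"bob", "cara"},
            "mgr_dan": {"eve"},
        }

    def manages(self, manager, user):
        return user in self.reports.get(manager, set())


# What a manager may do to a report's account. Deliberately no "act_as":
# supervision means viewing, and it happens under the manager's own login.
MANAGER_ACTIONS = {"view_work", "view_activity_log"}
# What the account owner may do to their own account.
OWNER_ACTIONS = MANAGER_ACTIONS | {"edit_work", "change_password"}

# Every decision, allowed or denied, attributed to the real actor. A shared
# password can never give you this: all actions would look like the employee's.
AUDIT_LOG = []


def authorize(directory, actor, action, owner):
    """Return whether `actor` may perform `action` on `owner`'s account, and log it."""
    if actor == owner:
        allowed = action in OWNER_ACTIONS
    elif directory.manages(actor, owner):
        allowed = action in MANAGER_ACTIONS
    else:
        allowed = False
    AUDIT_LOG.append((actor, action, owner, allowed))
    return allowed


if __name__ == "__main__":
    d = Directory()
    print(authorize(d, "mgr_ann", "view_work", "bob"))        # manager views report's work
    print(authorize(d, "mgr_ann", "change_password", "bob"))  # but cannot take over the account
    print(authorize(d, "mgr_dan", "view_work", "bob"))        # not bob's manager
    for entry in AUDIT_LOG:
        print(entry)
```

The point of the model is the separation that the password list destroyed: the manager can see what they need to see, nothing they do is indistinguishable from the employee's own actions, and the site never has to know or reveal anyone's password to make that work.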

It is possible that they use asymmetric encryption to store the passwords, kept the private key very secure (a USB drive in the manager's safe), and used the public key as part of the one-way "hash" to store it in the DB and verify it.

But really, who would think to do that? It's easier to just use a real hash or symmetric encryption (nearly as bad as plaintext) in that case.

ratchet freak
  • Yup. I'm trying to imagine a place where they know how to do asymmetric encryption in the password database, but don't know about how much easier and safer and cheaper hashing is. Nothing springs to mind. :-/ – Jason Jul 04 '17 at 03:23