Ask HN: I see a popular website not hashing passwords - 42_huh

I see a popular website not hashing passwords. I have notified them of it but they seem slow on the uptake.

Isn't it compulsory to hash user passwords, as otherwise it would be a severe user data compromise? What should be done in this case?
======
irahul
> I see a popular website not hashing passwords.

Some sites do it deliberately. If your customer base is mainly non-technical,
directly emailing them the password increases the chance they will log in back
than sending them a password reset link. I think I read it in context of
PlentyOfFish.

> Isn't it compulsory to hash user passwords, as otherwise it would be a
> severe user data compromise?

If an employee or a cracker has access to the user database, doesn't he
already have the user data? The main reason passwords should be hashed is if a
rogue employee or a cracker has access to user data (what user data you have is
already compromised here), he might be able to gain access to the user's mail,
bank or other accounts as most people tend to reuse passwords.

~~~
Toshio
> "If an employee or a cracker has access to the user database, doesn't he
> already have the user data?"

You sound like you may not be aware of how attacks happen in real life.

Most of the e-mail addresses that people sign up with are either yahoo or
gmail. Most people are lazy and choose for this third-party site the same
password from their yahoo or gmail accounts.

If the passwords are in plain text ... well ... then people's yahoo and gmail
accounts are at risk.

Recently, yahoo notified me that someone has been trying to brute force my
yahoo mail password. Luckily I use a different password on third party sites,
but the thought of someone taking over my e-mail account was rather scary.

~~~
irahul
You do realise I said the same thing?

~~~
bernatfp
Do you realise the OP said the same thing?

~~~
irahul
"Hashing passwords is mandatory because user data can be compromised" is not
the same as "Hashing passwords (preferably salted) comes into the picture only when
user data is already compromised"

------
UnoriginalGuy
> Isn't it compulsory to hash user passwords, as otherwise it would be a
> severe user data compromise? What should be done in this case?

No. It is not. There is no legal compulsion to hash passwords. I believe Visa
and Mastercard do require their vendors to do so however or risk losing their
ability to process credit card payments. I also think that there is some US
healthcare law that somewhat requires it.

But in general there is no legal requirement to hash passwords. The lack of
hashed passwords doesn't mean that there is a "user data compromise" within
its own right.

The reason companies hash passwords is so that if they ever get broken into
that it means the bad guy has to spend several days or weeks breaking the
password database which gives the company time to notify the users and the
users time to change their passwords.

Note: A lot of compromises go unnoticed and in those situations hashing offers
little additional security (since the bad guy has infinity to crack the
passwords).

Note #2: Hashing also makes implementation easier since the length of
passwords becomes uniform and you essentially eliminate things like SQL
injection (since the raw password is never stored in the database).
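
The "days or weeks" margin described above comes from two properties of a proper password store: a slow, iterated hash so each guess costs real CPU time, and a per-user random salt so one cracking run cannot be amortised across every user at once. Below is an added example (written for this thread, not code from any commenter or from the site being discussed) of storing and verifying passwords that way with PBKDF2-HMAC-SHA256 from the Python standard library. The `pbkdf2_sha256$iterations$salt$hash` record layout and the iteration count are assumptions for the example, not a site's actual scheme.

```python
import hashlib
import hmac
import os

# Assumed record format for this example (not any real site's scheme):
#   pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumed policy value: high enough that each guess costs real CPU time
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a storable record holding a fresh random salt and the derived key.

    The plaintext password is never stored; only the salt, the iteration count and
    the PBKDF2 output are. A fresh salt per user means two users with the same
    password get different records and a precomputed table is useless database-wide.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never accept, never raise
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was made under a weaker policy than the current one.

    Call this after a successful login and re-store the password with hash_password()
    so old records are upgraded transparently as users sign in.
    """
    try:
        algorithm, iterations_str, _salt, _digest = record.split("$")
        return algorithm != ALGORITHM or int(iterations_str) < minimum_iterations
    except ValueError:
        return True


def guessing_cost_seconds(guesses: int, seconds_per_guess: float) -> float:
    """Time an attacker needs to try `guesses` candidates against one record.

    This is the margin the comment above refers to: a slow hash makes each guess
    expensive, and the per-user salt means the cost is paid again for every user.
    """
    return guesses * seconds_per_guess


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("Tr0ub4dor&3", record))
    print(needs_rehash(record))
```

Two points the thread touches on show up directly: a dump of these records contains no plaintext to reuse against a user's mail or bank account, and a record with a low iteration count can be detected and upgraded at the user's next login rather than by asking everyone to reset.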

~~~
rst
Even the Massachusetts data privacy laws (which are more comprehensive than
most that apply in the U.S.'s crazy quilt of overlapping jurisdictions) fall
short of requiring password encryption. The closest I can find in the summary
of requirements (on page 4) is that anyone who stores information about a
resident of the Commonwealth is required to use "a reasonably secure method of
assigning and selecting passwords, or use of unique identifier technologies,
such as biometrics or token devices"; there's no specific method of hashing or
encryption, and no guide about what's "reasonable".

There's also a requirement to encrypt data in transit over insecure networks,
or when stored on portable devices, including laptops, but that doesn't seem
to apply to main servers wired into racks.

(As to whether these apply to you, well... IANAL; the law _claims_ to apply to
_anyone_ who's storing data about Massachusetts residents, but I don't know
how well that actually sticks to people who are physically located elsewhere.)

Official summary of the requirements:

<http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf>

------
dherken
Maybe add this popular website here? <http://plaintextoffenders.com/>

------
paulbjensen
Do they provide any other forms of contact? If not, see if you can find people
who work there on the internet, and message them.

You're absolutely right, it's a major security risk, and anyone else who
discovers it may not be so discreet, and make the company a major target for
anyone interested in stealing databases with unencrypted databases.

We had the same thing happen 2 weeks ago, worse thing is that the company in
our case does things with money. Yep.

------
Udo
A more interesting question in this case: how did you find out? Are they
leaking the un-hashed password somewhere or did you break in?

~~~
yen223
Maybe he did a password reset, and they sent him his actual password.

------
sangupta
Contact the site and give them a time-frame by when they should comply.
Politely ask them to comply telling them otherwise you would disclose the
site's identity. Also, try and contact security research organizations to
notify them of the vulnerability. This would add a little extra pressure on
the site's owner to fix the security hole.

My 2 cents.

~~~
nnash
I don't think an ultimatum would help facilitate the issue being addressed
more quickly; I do agree with the latter approach though.

~~~
tagada
No, you're right ...

Not an ultimatum. Just do it.

Notify it to all important media in tech world. They will take care of that.

~~~
dsl
I'm still trying to get anyone to care that vmware.com and a few other sites
are doing it.

------
epaga
It can get way worse than that: at a big chess site I used to play at, a
password reset email gives you a url of the form
".../passwordreset.php?user=yourname&password=yourfreakingpasswordincleartext"
I let them know about it years ago. Nothing changed.

~~~
larrybolt
Even more scary if the link isn't over ssl, but even then third party services
could make it risky. [http://stackoverflow.com/questions/893959/if-you-use-https-w...](http://stackoverflow.com/questions/893959/if-you-use-https-will-your-url-params-will-be-safe-from-sniffing)
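
The reset link epaga describes, and the URL-parameter leakage larrybolt links to, both go away once the link carries nothing but a single-use, expiring random token, with only a hash of that token kept server-side. Below is an added example of such a reset flow; it is written for this thread and is not code from any commenter, the chess site, or any other site mentioned. The `https://example.invalid/reset?token=...` link shape, the 15-minute lifetime and the in-memory store are assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy value for this example


@dataclass
class ResetRecord:
    user: str
    token_hash: str    # sha256 of the token; the token itself is never stored
    expires_at: float  # unix time after which the token is dead
    used: bool = False


class PasswordResetService:
    """Issues single-use, expiring reset tokens and redeems them.

    The link sent to the user carries only the random token, e.g.
    https://example.invalid/reset?token=<token>  (placeholder host),
    never the password and never the username. A database read exposes only
    token hashes, so it yields no usable reset links.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records: dict[str, ResetRecord] = {}  # keyed by token hash (in-memory stand-in for a DB)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str) -> str:
        """Create a token for `user` and return it for inclusion in the e-mailed link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; unguessable
        token_hash = self._hash(token)
        self._records[token_hash] = ResetRecord(
            user=user,
            token_hash=token_hash,
            expires_at=self._clock() + TOKEN_TTL_SECONDS,
        )
        return token

    def reset_link(self, token: str) -> str:
        """Build the link for the e-mail; only the token appears in the URL."""
        return f"https://example.invalid/reset?token={token}"  # placeholder host

    def redeem(self, token: str):
        """Return the user name if the token is known, unexpired and unused; else None."""
        rec = self._records.get(self._hash(token))
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return None
        rec.used = True  # single use: a leaked link in a log or referer is dead after first use
        return rec.user

    def stored_values(self) -> list[str]:
        """What a database dump would reveal: token hashes only."""
        return list(self._records.keys())


if __name__ == "__main__":
    svc = PasswordResetService()
    tok = svc.issue("alice")
    print(svc.reset_link(tok))
    print(svc.redeem(tok))  # alice
    print(svc.redeem(tok))  # None: already used
```

The expiry and single-use checks matter because, as the linked question notes, URL parameters end up in browser history, proxy logs and third-party referer headers even over HTTPS; a token that dies after one use or fifteen minutes limits what any of those copies are worth.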

