

Plain-Text Offenders Hits 1000 - omervk
http://plaintextoffenders.com/post/39913712222/1000-posts

======
EvanAnderson
The pedantry in some of the comments has me practically smashing my head into
my desk. The semantic arguments about whether the actual password storage
mechanism is encrypted, encoded, etc., are wholly irrelevant.

If a web site can send you an "I forgot my password" reminder email which
includes your plaintext password then the site operator is storing the
password in a plaintext-equivalent format. If the password is stored as a
plaintext-equivalent then attackers can steal your plaintext password when
they "own" the site.

To address the encryption pedantry: If a site is using encryption to store the
password but the key to decrypt the password is available in the site's
servers then, arguably, the encryption just amounts to an encoding. Symmetric
encryption requires that the key be kept secret. Keeping the key on the
servers means that it's not secret and means that it's not really encryption.

Edit:

I see that the discussion is heading this way so I'll head it off at the pass:
I would argue that there is no reason that any site operator ever needs the
plaintext of a user's password to be stored persistently for any reason. There
is no valid reason passwords should be stored in a reversible manner.

(Somebody is going to bring up storing credit card numbers with symmetric
encryption, too. That's a broken system and, arguably, needs to be replaced
with something based on asymmetric encryption instead of "secret numbers" that
we have to transmit between quasi-trusted parties.)

~~~
runako
Granted, a lot of this discussion is pedantic.

Devil's advocate: why is it pedantry to ask for security alarms to be precise?
We ask for e.g. the TSA to be precise about what it needs, should not computer
security professionals be held to the same bar? Making bogus claims about a
system's vulnerability (be it shoes at airports or passwords) damages the
credibility of the next security alarm.

Note: I'm not defending the practice of sending passwords in the clear. But I
don't think it's too much to ask for security professionals to make precise
claims, when doing so is a 5-second op.

~~~
EvanAnderson
The pedantry that's irritating me is this argument about there somehow being a
"safe" way to store the plaintext-equivalent version of a password (there
isn't) or even that there is somehow a need to do so (there isn't).

I agree that the Plain-Text Offenders site should state this plainly.

~~~
omervk
We are. <http://plaintextoffenders.com/about>

~~~
marshray
That's a nice little write-up, I think it would be great on the main page.

I didn't look for it under "About" because I'm used to that being for personal
details about the project's people rather than intro or summary info.

------
omervk
Omer here, one of the two guys behind this website. I'd like to thank the
Hacker News community, who are in part the reason for our site's popularity.
Thanks, everyone. Please keep spreading the word! :)

~~~
marshray
Since we have an interesting discussion going on, would you care to share a
bit about the methodology?

How do you determine by external observation that a site's password handling
is sufficiently bad to merit the Plain Text Offender title?

~~~
omervk
It depends on the evidence the submitters send us. If it's a Forgot Password
or Password Reminder (or sometimes being told what your password is by a CS
rep), that's evidence enough. We also allow for Here Are Your Details emails
after registration as evidence, though the probability is small that passwords
are stored in plaintext/reversible encryption (but we still believe it's an
offense since the password is both sent over an insecure medium and is stored
on the email server).

~~~
glomph
Isn't there also the chance that they only send plain text at the time of
storage? Would you still consider that a plain text offender?

~~~
omervk
Yes. We have talked about this in the past and all of the links are in the
about page: <http://plaintextoffenders.com/about>

------
laurent123456
I wonder how they can be sure that a website stores their password in plain
text? Just because a website sends an email confirmation with the password
doesn't mean they _store_ it in plain text. The developer could just send the
email before hashing the password.

Not saying it's a good practice to send the password by email but it seems the
website stretches the truth a bit.

~~~
conroy
The majority of the items on the website are password reminder emails. This is
after the initial sign up, which means they do indeed store it in plain text.

~~~
runako
Either that, or they store it in encrypted format. Encryption typically
implies that _de_cryption is possible. Encrypted text is not plain text.
These terms do have real meanings.

You mean to say "the sites do not store the text in non-reversible format."

~~~
marshray
Encrypted text is equivalent to plain text to anyone who has the ability to
decrypt it.

What passwords need is a secure password hashing method. It's a very special
purpose sort of thing, different from ordinary hashing, encrypting, and key
derivation. It's unfortunate that it doesn't have a proper name.

Neither "PBKDF2", B-"crypt", nor S-"crypt" are helping much with this
terminology.

~~~
runako
>> "Encrypted text is equivalent to plain text to anyone who has the ability
to decrypt it."

This is a vastly different claim than "these websites store passwords as
plaintext." There are a lot of differences in assumptions and attack vectors,
etc.

It usually pays for security alarms to be precise, and this site almost goes
out of its way to be imprecise (and likely inaccurate). In this case, your
verbiage would work great for the site in question. Why not say these are
sites that don't use "secure password hashing methods" instead of making bogus
unverifiable claims?

~~~
rictic
This is an objection without much substance. The main thing that you're
worried about with a plain text password is that it will be obtained by a
third party.

These are sites which are sending emails with passwords in the clear. They are
also storing your password near the decryption key (if any), so a single
security breach can compromise many passwords. That is to say: even if the
rest of their infrastructure is NSA-level paranoid, whichever server(s) are
sending out these password reminder emails are prime targets.

Please do not defend this behavior.

~~~
runako
Please read my comments: I'm not defending the sending of plaintext passwords.

But please do not defend sloppy claims of security vulnerabilities.

------
martin-adams
I like the idea of this site, but found it very frustrating trying to look at
the list of offending web sites.

~~~
icebraining
With a little help from Python and the Tumblr API, here's a (dirty) list of the
domains: <http://paste.debian.net/222440/>

~~~
omervk
Mind sharing the code? :)

~~~
icebraining
It's ugly because it was hacked on the (ipython) REPL, but here it is:

    import json
    import re

    import requests

    # The Tumblr API returns posts in pages of 20; each post's caption holds
    # the offending domain in its first <p> element, so strip the tags from
    # that element and keep the text.
    get_captions = lambda content: [post['caption'] for post in content['response']['posts'] if 'caption' in post]
    get_domains = lambda captions: [re.sub('<.*?>', '', caption.split('</p>')[0]) for caption in captions]

    def process(url):
        """Walk the blog page by page until the API stops returning posts."""
        offset = 0
        domains = []
        while True:
            resp = requests.get(url.format(offset))
            if resp.status_code == 404:  # past the last page
                return domains
            domains.extend(get_domains(get_captions(json.loads(resp.content))))
            offset += 20

    domains = process('http://api.tumblr.com/v2/blog/plaintextoffenders.com/posts?notes_info=true&api_key=<mykey>&offset={0}')
    with open('/tmp/domains', 'w') as dfile:
        dfile.write('\n'.join(domains))

------
shitlord
Apparently, George Mason University is still on the list... two years after I
sent them multiple emails and phone calls complaining about such a big
security issue. It's kind of sad that you can't even depend on educational
institutions to follow the security guidelines they probably teach to hundreds
of students (even if that part of their website was done by a contractor).

------
jayzalowitz
My site would fall under this and I use two layer sha-2 512 keys with unique
salts... just because I send you one email does not mean I know your password
(and for that matter somehow you have to be given an initial password in a lot
of systems)

~~~
marshray
Does that mean that if/when an attacker uses a SQL injection vulnerability to
obtain the contents of your database, he will then have a password equivalent
that allows him to log in as the users?

Will it enable him to mount brute-force attacks against the users' plaintext
passwords?

~~~
lazyjones
> Does that mean that if/when an attacker uses a SQL injection vulnerability
> to obtain the contents of your database,

More pedantry: if you have a decent RDBMS like Postgres and connect to the DB
always as some user A (using a Pg function with SECURITY DEFINER defined by a
superuser to compare passwords with a delay, hashed or not) and use column-
level permissions that disallow access to the password (or hash) column to
non-superusers, they can SQL inject all they want (any attempt to dump/select
the password column will fail, unless they also manage to reconnect to the
database as superuser).

~~~
EvanAnderson
I like RDBMS security (and I think it needs to be employed more frequently),
but there's still no valid reason to ever store a plaintext (or plaintext-
equivalent) password. Storing something toxic in a "safe" way doesn't make
what's being stored any less toxic. The effort to create and maintain a
"secure" one-off credential storage system seems like a waste given the
availability of well-tested, accepted methods of credential hashing and
storage.

~~~
lazyjones
> The effort to create and maintain a "secure" one-off credential storage
> system seems like a waste given the availability of well-tested, accepted
> methods of credential hashing and storage.

I disagree, because what seems safe today might be unsafe tomorrow or in 10
years. Does anyone still remember Unix versions without a shadow passwd file?
I do ... But why do we use that even today when modern Linux installations use
SHA variants by default?

~~~
marshray
Because 50% of typical users will choose one of the top 10,000 most-common
passwords and no practical amount of work factor will save them if the hashes
become known.

~~~
lazyjones
Consequently, DB column permissions are also worth it because they hide the
hashes, while such people are not protected at all by current hashing schemes.

The Postgres function written to compare passwords/hashes can also limit the
number of checks per time unit to prevent brute-forcing.
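The Postgres design lazyjones sketches above (column-level grants plus a SECURITY DEFINER comparison function that throttles attempts) as an added example; it is not code from anyone in the thread. It assumes the pgcrypto extension is available, that the functions are created by the table's owner, and the table and role names (app_user, webapp) are invented.

```sql
-- Requires pgcrypto for crypt()/gen_salt(); 'bf' is bcrypt, a real password hash.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE app_user (
    id            serial PRIMARY KEY,
    username      text UNIQUE NOT NULL,
    pw_hash       text NOT NULL,               -- bcrypt string, never plaintext
    failed_logins integer NOT NULL DEFAULT 0
);

-- Role the web application connects as: it may read usernames, not hashes.
CREATE ROLE webapp LOGIN PASSWORD 'PLACEHOLDER-change-me';
GRANT SELECT (id, username) ON app_user TO webapp;

-- Registration hashes inside the database; webapp never writes pw_hash itself.
CREATE FUNCTION register_user(p_user text, p_password text)
RETURNS void LANGUAGE sql SECURITY DEFINER SET search_path = public AS $$
    INSERT INTO app_user (username, pw_hash)
    VALUES (p_user, crypt(p_password, gen_salt('bf', 12)));
$$;

-- Verification runs with the owner's rights, delays in proportion to recent
-- failures, and returns only a boolean: a SQL injection through webapp can
-- call this, but cannot SELECT pw_hash.
CREATE FUNCTION check_password(p_user text, p_password text)
RETURNS boolean LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
DECLARE
    rec app_user%ROWTYPE;
BEGIN
    SELECT * INTO rec FROM app_user WHERE username = p_user;
    IF NOT FOUND THEN
        PERFORM pg_sleep(1);             -- same cost as a wrong password
        RETURN false;
    END IF;
    -- 1 s base, doubling per consecutive failure, capped at 32 s
    PERFORM pg_sleep(2 ^ LEAST(rec.failed_logins, 5));
    IF rec.pw_hash = crypt(p_password, rec.pw_hash) THEN
        UPDATE app_user SET failed_logins = 0 WHERE id = rec.id;
        RETURN true;
    END IF;
    UPDATE app_user SET failed_logins = failed_logins + 1 WHERE id = rec.id;
    RETURN false;
END;
$$;

-- Only webapp may execute the definer functions.
REVOKE ALL ON FUNCTION register_user(text, text), check_password(text, text) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION register_user(text, text), check_password(text, text) TO webapp;
```

pg_sleep ties up a backend for the duration, so the delay here is a per-account throttle for illustration; a deployment would pair it with lockout or rate limiting at a higher layer. Note that even with the column hidden, the hash is still bcrypt, which is EvanAnderson's point: hide the column and hash properly, not one or the other.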

