Servers Storing Passwords in Plain Text

by Miguel de Icaza

Turns out that one of my favorite sites (Reddit) stored plain text passwords in a database. The reddit database was recently stolen, and now whoever stole it has all the passwords to reddit. The rationale for this was:

Personally, I prefer the convenience of having my passwords emailed to me when I forget, which happens from time to time since I use different passwords everywhere.

Not hashing was a design decision we made in the beginning, and it didn't stem from irresponsibility-- it stemmed from a decision to provide functionality that I liked.

It bit us in the ass this time, and we are truly sorry for it. The irresponsibility (and there is some) was allowing our data to get nabbed.

So the convenience of emailing a password when you forget it is what caused the developers to keep the passwords in the open.

Now, I do not particularly care if my reddit password is stolen. I have a policy of using a different password for every site that wants me to create an account with them. I use wildly different passwords for each site that I register with, so I manage to limit my exposure by limiting the damage to that particular site.

But many of my friends use combinations of "the same password everywhere" (especially the non-technical), "the password with the site name" (slightly more technical), "three tiers of passwords: weak, normal and high-security".

Everyone in those groups is vulnerable to having their password cracked open on other sites. Not good.

But the second realization that I had is that this practice is incredibly common. In the last month I have probably requested to "recover my password" from six or seven sites, and at least two of them sent me back my original password. I remember thinking "Oh, that is handy, I am glad I did not have to go through a reset password process". Only now do I realize that these sites are basically exposing my password to the world. This is not a phenomenon limited to reddit; it is incredibly common.

Here is a tutorial on how to implement this correctly on your web site: Don't let password recovery keep you from protecting your users. If you are using ASP.NET, the Membership infrastructure will take care of this for you.
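A sketch of that approach, added here as an example and not taken from the original post or the linked tutorial: the server keeps only a salted, slow hash of each password, and a forgotten password is handled with a single-use, expiring reset token instead of mailing the password back. The function names, the in-memory `USERS` and `RESETS` stores, the scrypt parameters and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

USERS = {}   # username -> (salt, password_hash); plaintext is never stored
RESETS = {}  # sha256(token) -> (username, expiry); raw token is never stored
RESET_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


def _kdf(password, salt):
    # scrypt is deliberately slow and memory-hard; the per-user salt means a
    # precomputed (rainbow) table built for one hash is useless for another.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def set_password(username, password):
    salt = secrets.token_bytes(16)  # fresh random salt on every change
    USERS[username] = (salt, _kdf(password, salt))


def check_password(username, password):
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return hmac.compare_digest(stored, _kdf(password, salt))


def start_reset(username, now=None):
    """Return the token to e-mail to the user, or None for unknown users."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).digest()
    expiry = (time.time() if now is None else now) + RESET_TTL
    RESETS[digest] = (username, expiry)
    return token


def finish_reset(token, new_password, now=None):
    digest = hashlib.sha256(token.encode()).digest()
    entry = RESETS.pop(digest, None)  # pop: each token works at most once
    if entry is None:
        return False
    username, expiry = entry
    if (time.time() if now is None else now) > expiry:
        return False
    set_password(username, new_password)
    return True
```

With this layout a stolen copy of the database yields salts, hashes and token digests, none of which can be mailed back or replayed as a password. The page that calls `start_reset` should show the same response whether or not the account exists.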

Server folks also need to use stronger encryption mechanisms. As Jeff points out on his Rainbow Hash Cracking

You should use a different password for each site that you visit. Even if you knew that the site you visit does not store the password in plain text (and there is no way of finding out), these days tools to crack passwords take advantage of available memory and disk space to crack stuff rapidly. See Jeff Atwood's Rainbow Hash Cracking post, where he installs Ophcrack (open source software, available for most platforms) and cracks most "strong" passwords in a matter of minutes.

For dealing with one-password-per-site I keep a GPG encrypted file and use a script that Gonzalo wrote. Maybe it's too simple, but it works (source is here).

Windows has a couple of tools that can keep your passwords encrypted. It would be nice if someone wrote a nice UI for this for Unix. The gnome-keyring is a step in the right direction, but the UI (gnome-keyring-manager) is not really designed for end users to use. It is more of a front-end to the password backend for the desktop.

We need to make this kind of tool pervasive on all of the desktop systems (and Mozilla remembering passwords is not enough to be practical).

Update: Jensen Somers in the comments points us to Revelation, a tool for the Gnome desktop that does this.

Posted on 09 Sep 2007