Ask HN: I see a popular website not hashing passwords | HN Mirror

Y	Hacker News new \| ask \| show \| jobs

	Ask HN: I see a popular website not hashing passwords
	15 points by 42_huh 4950 days ago
	I see a popular website not hashing passwords. I have notified them of it but they seem slow on the uptake. Isn't it compulsory to hash user passwords, as otherwise it would be a severe user data compromise? What should be done in this case?

7 comments

irahul 4950 days ago

> I see a popular website not hashing passwords.

Some sites do it deliberately. If your customer base is mainly non-technical, directly emailing them the password increases the chance they will log in back than sending them a password reset link. I think I read it in context of PlentyOfFish.

> Isn't it compulsory to hash user passwords, as otherwise it would be a severe user data compromise?

If an employee or a cracker has access to the user database, doesn't he already have the user data? The main reason passwords should be hashed is if a rogue employee or a cracker has access to user data(what user data you have is already compromised here), he might be able to gain access to the user's mail, bank or other accounts as most people tend to reuse password.

Toshio 4950 days ago

> "If an employee or a cracker has access to the user database, doesn't he already have the user data?"

You sound like you may not be aware of how attacks happen in real life.

Most of the e-mail addresses that people sign up with are either yahoo or gmail. Most people are lazy and choose for this third-party site the same password from their yahoo or gmail accounts.

If the passwords are in plain text ... well ... then people's yahoo and gmail accounts are at risk.

Recently, yahoo notified me that someone has been trying to brute force my yahoo mail password. Luckily I use a different password on third party sites, but the thought of someone taking over my e-mail account was rather scary.

irahul 4950 days ago

You do realise I said the same thing?

bernatfp 4947 days ago

Do you realise the OP said the same thing?

irahul 4947 days ago

"Hashing password is mandatory because user data can be compromised" is not the same as "Hashing passwords(preferably salted) come into picture only when user data is already compromised"

UnoriginalGuy 4949 days ago

> Isn't it compulsory to hash user passwords, as otherwise it would be a severe user data compromise? What should be done in this case?

No. It is not. There is no legal compulsion to hash passwords. I believe Visa and Mastercard do require their vendors to do so however or risk losing their ability to process credit card payments. I also think that there is some US healthcare law that somewhat requires it.

But in general there is no legal requirement to hash passwords. The lack of hashed passwords doesn't mean that there is a "user data compromise" within its own right.

The reason companies hash passwords is so that if they ever get broken into that it means the bad guy has to spend several days or weeks breaking the password database which gives the company time to notify the users and the users time to change their passwords.

Note: A lot of compromises go unnoticed and in those situations hashing offers little additional security (since the bad guy has infinity to crack the passwords).

Note #2: Hashing also makes implementation easier since the length of passwords becomes uniform and you essentially eliminate things like SQL injection (since the raw password is never stored in the database).

rst 4949 days ago

Even the Massachusetts data privacy laws (which are more comprehensive than most that apply in the U.S.'s crazy quilt of overlapping jurisdictions) fall short of requiring password encryption. The closest I can find in the summary of requirements (on page 4) is that anyone who stores information about a resident of the Commonwealth is required to use "a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices"; there's no specific method of hashing or encryption, and no guide about what's "reasonable".

There's also a requirement to encrypt data in transit over insecure networks, or when stored on portable devices, including laptops, but that doesn't seem to apply to main servers wired into racks.

(As to whether these apply to you, well... IANAL; the law claims to apply to anyone who's storing data about Massachusetts residents, but I don't know how well that actually sticks to people who are physically located elsewhere.)

Official summary of the requirements:

http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf

dherken 4950 days ago

Maybe add this popular website here? http://plaintextoffenders.com/

paulbjensen 4950 days ago

Do they provide any other forms of contact? If not, see if you can find people who work there on the internet, and message them.

You're absolutely right, it's a major security risk, and anyone else who discovers it may not be so discreet, and make the company a major target for anyone interested interested in stealing databases with unencrypted databases.

We had the same thing happen 2 weeks ago, worse thing is that the company in our case does things with money. Yep.

Udo 4950 days ago

A more interesting question in this case: how did you find out? Are they leaking the un-hashed password somewhere or did you break in?

yen223 4950 days ago

Maybe he did a password reset, and they sent him his actual password.

sangupta 4950 days ago

Contact the site and give them a time-frame by when they should comply. Politely ask them to comply telling them otherwise you would disclose the site's identity. Also, try and contact security research organizations to notify them of the vulnerability. This would add a little extra pressure on the site's owner to fix the security hole.

My 2 cents.

nnash 4950 days ago

I don't think an ultimatum would help facilitate the issue being addressed more quickly; I do agree with the latter approach though.

tagada 4950 days ago

No, you're right ...

Not an ultimatum. Just do it.

Notify it to all important media in tech world. They will take care of that.

dsl 4950 days ago

I'm still trying to get anyone to care that vmware.com and a few other sites are doing it.

epaga 4950 days ago

It can get way worse than that: at a big chess site I used to play at, a password reset email gives you a url of the form ".../passwordreset.php?user=yourname&password=yourfreakingpasswordincleartext" I let them know about it years ago. Nothing changed.

larrybolt 4949 days ago

Even more scary if the link isn't over ssl, but even than third party services could make it risky. http://stackoverflow.com/questions/893959/if-you-use-https-w...