> Anybody sending you back your password in clear text is also storing it that way in their database
Incredibly ignorant statement. If it's encrypted in a reversible format then it's not cleartext. If it's being sent in a confirmation email, then it could even be stored as a one-way hash: password extracted from the form, inserted into email, hashed and stored (this is what WordPress, for example, does).
A case can be made against both of those procedures, but that is a separate issue from his statement being ignorant.
If the key is embedded in the app and you don't keep the source on the server, reversing the binary (if the attacker even thinks to steal it) is enough of a hassle to deter most people. And maybe the attack only allowed them to copy the database.
It's not foolproof, but for stupid free websites (that's what we're talking about right?), storing encrypted passwords isn't an automatic gimme for the attacker.
It's a pernicious myth that passwords on "free" websites don't matter, because no money is changing hands. Most people use the same password for random apps as they do for their email account.
I don't even want to get into the rat-trap of "what kinds" of attackers are stopped by reversibly encrypted passwords. There's no kind of attacker that can reverse a properly hashed password, and so that's what you should use.
Why, oh why, do any websites need to be able to reverse an encrypted password to the plaintext? 99.99% of the time, simply resetting the password to something different is a much better way to go (in the case the user forgets).
I'm sure there are exceptions to this rule, but we shouldn't encourage a design that has the potential to hurt users (if the database + password encryption key are compromised), when the solution (seeded hashing) takes just about the same amount of work (probably less).
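One way to implement the design the comment above argues for (salted one-way hashing plus reset-instead-of-retrieval), as an added example that is not part of the original thread. The parameters (PBKDF2-HMAC-SHA256, 600,000 iterations, 16-byte salt, 15-minute token lifetime) are assumptions, not anything the thread specifies.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256, per-user random salt.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage.
    Only this one-way digest is kept; the plaintext cannot be recovered from it."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def issue_reset_token(ttl_seconds: int = 900, now: Optional[float] = None) -> Tuple[str, str, float]:
    """Reset instead of retrieval: the user is emailed `token`; the server stores
    only sha256(token) and an expiry, so a leaked database yields no usable links."""
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode("ascii")).hexdigest()
    expires_at = (now if now is not None else time.time()) + ttl_seconds
    return token, token_hash, expires_at


def redeem_reset_token(token: str, token_hash: str, expires_at: float,
                       now: Optional[float] = None) -> bool:
    """Accept the token only if it is unexpired and matches the stored hash."""
    current = now if now is not None else time.time()
    if current > expires_at:
        return False
    candidate = hashlib.sha256(token.encode("ascii")).hexdigest()
    return hmac.compare_digest(candidate, token_hash)
```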
Incredibly educational comment. I stand corrected that it is not necessarily true that they would store it in clear text in the database, but if someone is sending me a password in clear text in email I would not give them a lot of benefit of the doubt to do the right thing.
Besides, what is the utility of sending such an email? If certain software is open source and I can be sure they are doing the right thing I will be much more comfortable.
Without education, people won't learn. I'm a fan of thoughtful UX but, frankly, this is an area where caving sucks. Sorry. I'd have spent the time improving my password recovery service.
The key is to just use a different password on every site by employing a special password structure.
For example, for HN, you can use:
orycPASSWORDy
[2 last letters][2 first letters][master password][1 first letter]
Good idea to mix and match numbers in the master password for added security. So for HN it can be: orycpassword1y
The good thing is that you only need to remember a single password for all your sites, yet they are all different. And if you ever forget a password, you can figure out what it was by simply looking at the url.
At this point there's no real reason not to use a random password generator for _every_ site. There are plenty of apps out there for auto login, and/or most browsers will do this for you. Yes, there's some pain syncing with mobile devices but this will go away at some point (modified OAuth to validate devices?).
Password schemes like this are still inherently breakable; as soon as someone gets your key password then the rest is trivial to figure out - so why bother with the complication?
Because if you really are that important your nemesis will go to a lot more trouble than that to crack your security. Camouflage is about using simple means to hide in plain sight.
Until your computer crashes and you find yourself locked out of every site on the internet. No thank you.
Plus, what do you do when you aren't using your own computer? Want to check your email at work? Nope, sorry, gotta provide the 25-digit randomly generated password.
Nothing is unbreakable; if someone wants your password they'll get it. For the password generator case they can just break into your house and steal your computer. Or organize a group of mercenaries to take hostages at AT&T to gain access to your packets... hey, we are talking about a nemesis, right?
And here is an added bonus: how do you know that random password generator app isn't sending all your passwords to a master file? Whoa, did I just blow your mind?
Different passwords is all you need for protection. That way if the company loses your username/passwords, the bots that will be using that information to check the passwords on other sites won't get a hit.
So, you made all kinds of awesome points that I went through before I switched to random passwords...
a. (on not having access to your passwords). iPhone with them helps. (Yes, I have to unlock that db with my hashing password.) But in reality, I prefer that I can't get access to my email/facebook/whatever without having my machine. If I'm at work, I should be working... but it's the same machine anyhow ;)
b. true about stealing my machine. But again, my passwords are locked by my one key control password (which i don't easily remember either... yay for muscle memory ;)). Yes, it's a SPoF.
c. I clarified with Little Snitch. I don't really care that much. Because you're right: if one company screws you over and unveils your passwords, then having a scenario where people could then log into your email or bank means end of identity and a life of credit hell.
I just think that having a predictable password scheme is about the same as having the same password. If it's easy to guess, then you may as well have the same. IMHO, the only way to guarantee against any problems if one of your passwords is exposed is to go random. :)
I don't think a boycott is the best way to proceed with this problem. For starters, I don't think you will get enough publicity to bring a boycott to critical mass. Secondly, I think it would be more useful and effective to send an email to the perpetrating website, inquiring or complaining about their password storage techniques. When customers/users complain, a good business will respond and attempt to resolve the problem.
I agree with you. I have written to such websites before but it is just one more thing to do and follow up on. I was thinking that if I start collecting all of them together I can do some kind of bulk action one day. This blog entry is just the starting point and is by no means the last action on this.
Boycott might be too strong of a word. I just want to bring attention to this point that the user community cares about security and this is not a good practice.
I think Google Apps does this when you are setting up a new user account for another user. Sending that is different, as they need the password to access their account for the first time.
Although there are better ways to set up an account, and maybe Google Apps should force the user to change their password on their first login, this is not the same as me setting up my own account and getting an email with my own password I just typed twice to register.