51

I've read this question and to quote from the accepted answer

Besides that, by submitting the site to plaintext offenders, you will provide a third-party point of view, which might help your case.

But, isn't submitting a website to plaintext offenders putting yourself at more risk?
Someone with malicious intent could see the website you submitted to plaintext offenders and then go try to exploit the vulnerability, putting yourself (and anyone else using that site) at more of a risk.

Or am I just missing something?

Ryan Weaver
  • 543
  • 4
  • 11
  • 6
    Assume that the bad guys already know - you need to get the site owners to understand they are being reckless – HorusKol Mar 20 '16 at 23:20

4 Answers

76

To quote their FAQ:

Aren’t you worried hackers will use your site to find targets?

Yes, but less worried than having this information remain secret and relying on Security Through Obscurity.

To be more verbose: There are two possible outcomes from submitting a site there:

  1. They fix it - This is more likely to happen when they get publicly shamed. The attack probability increases, too.

    Also, hiding security problems away (leaving it secure only as long as it is kept secret) rather than fixing them is generally considered a security antipattern, as the NIST "Guide to General Server Security" states:

    "System security should not depend on the secrecy of the implementation or its components."

  2. They do not fix it - Then it is at least documented publicly and externally.

    To be more specific, thanks to Chris Cirefice, who pointed out in the comments more explicitly what I had in mind:

    "documented publicly and externally" - with timestamps. So if a student loan company is hacked and the students' bank details are released due to lack of compliance with (U.S.) government policies, e.g. the Gramm-Leach-Bliley Act [1](https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act) [2](http://security.stackexchange.com/a/117659/46732), the students could sue the company, and the timestamps of public release of failure to comply would be great evidence in court for recompense.

Tobi Nary
  • 14,302
  • 8
  • 43
  • 58
  • 59
    "*documented publicly and externally*" - ***with timestamps***. So if a student loan company is hacked and the students' bank details are released due to lack of compliance with (U.S.) government policies, e.g. the *Gramm-Leach-Bliley Act* [1](https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act) [2](http://security.stackexchange.com/a/117659/46732), the students could sue the company, and the timestamps of public release of failure to comply would be great evidence in court for recompense. – Chris Cirefice Mar 18 '16 at 15:38
13

The question seems to make the assumption that plaintext offenders is the only site which maintains such a list, rather than just being the one with the highest white-hat public profile.

There are, however, plenty of other, less salubrious sites, which maintain such lists; any domain listed on Plaintext Offenders is likely to have been on these other sites for some time.

So you are most likely not telling the bad guys anything they don't know, but you may be telling the site owners something they don't know, and shining a light of publicity to encourage them to act upon it.

Dewi Morgan
  • 1,340
  • 7
  • 14
12

One thing that's important to understand is that there is a practical difference between "password exposure" and "more risk."

You can say with certainty that submitting a site to plaintext offenders results in additional password exposure. This fact is not in question.

Whether it results in additional risk, however, is more nuanced. If the site does nothing about it, and you and other users continue to use the site as if the flaw was not known, then the additional password exposure does indeed result in additional risk. If, however, it leads to changes in behavior, e.g., some users decide not to re-use passwords they would have otherwise re-used on this site (more likely), or the negative publicity leads the site to improve the security of the system (less likely, but possible, and a huge reduction in risk if achieved), then the equation changes to somewhere between not so clear and a definite and significant reduction in risk.

So it isn't as cut-and-dried as one option being right and the other wrong. Risk, by its very nature, includes a component of the unknown, which is the likelihood of eventual exploitation, so ultimately it comes down to a judgement call.

Xander
  • 35,525
  • 27
  • 113
  • 141
6

I will start with quoting their FAQ as well:

Aren’t you worried hackers will use your site to find targets?

Yes, but less worried than having this information remain secret and relying on Security Through Obscurity.

Which is an invalid statement for the very simple reason that those sites aren't relying in any way on security through obscurity. Their security isn't stronger as long as this secret stays secret. It's a popular fallacy to bring up Security through Obscurity in every second security debate, but the only thing that counts is doing a risk assessment. And yes, added obscurity will often help, as long as you're not relying on it.

But back on topic:

  • What advantages are there to submitting it to plaintext offenders?

    Websites are more likely to fix their setups and a negligible number of users might not reuse their password. Additionally, some have claimed that a timestamped record of their usage would be important in court, but a timestamped record need not be publicly readable (a mail on central - not privately managed - servers will do the trick as well).

  • What disadvantages are there to submitting it to plaintext offenders?

    Websites that store passwords in plaintext become more popular targets. Not only because they store passwords in plaintext, but even more importantly because it's an indication of old insecure systems.

So to answer your question: You are totally not missing anything and you're totally right that this is an important call to make. Personally I would advise anybody to NOT follow plaintextoffenders.com submission guidelines and at all times first contact the website in question yourself. Only if nothing changes or their replies are lackluster contact them again with the message that you have submitted their website to plaintext offenders.

David Mulder
  • 1,349
  • 1
  • 8
  • 16