2

I just registered for a race and the confirmation page gave me the creeps. See below for a screenshot with fake data.

I know nothing about internet security. Other than the obvious fact that if I were signing up in a public place, anyone could look over my shoulder and see my password, what is wrong with displaying a user password in plain text on a confirmation page?

EDIT: Yes, it is an https site.

EDIT: Also, they included the password in a confirmation email. I'm frustrated because the password I used isn't completely unique. I use it on a few other sites as well.

Confirmation Page

sgryzko
  • 121
  • 4
  • 2
    Caches (in the browser or proxies) could be a problem. – CodesInChaos Mar 05 '14 at 14:39
  • 2
    Showing the password online and including it in an e-mail, as part of the registration process, doesn't necessarily say anything about the long-term storage mechanism - though it *definitely* indicates some bad practices. What's the password reset/recovery procedure like? i.e.: If you forgot your password, will they e-mail/show it to you? – Iszi Mar 05 '14 at 15:29
  • @Iszi Agreed. The problems of transmitting a password, in any form, in plain text has the obvious shoulder-surfing/interception issues that may or may not be an issue in the moment, but it indicates the potential for other problems with the development security model. – schroeder Mar 05 '14 at 16:12
  • Hopefully that you won't be another victim like this site: http://arstechnica.com/security/2013/11/hack-of-cupid-media-dating-website-exposes-42-million-plaintext-passwords/ – wcypierre Mar 05 '14 at 16:57
  • Thanks for this question, I now know a great site to hack. A list of passwords and full personal details on a site that has little concept of security. My guess is well over 1% of those passwords will also work for the persons email, giving me direct or indirect (with all the personal info) access to their bank accounts........ – mattnz Mar 06 '14 at 03:08
  • ^Please do, and make an example out of them (of course, leave the users alone). It's the 21st century -- storing passwords in plain text should be a capital offense. Unfortunately, companies big or small STILL do it, which is something I absolutely do not understand. – theGreenCabbage Mar 11 '14 at 19:36
  • Here's where specifically to make an example of them: https://plaintextoffenders.com/. Also, as advice to you/other readers as website users, password reuse is a bad idea for many reasons, this being one, and [this HNQ](https://security.stackexchange.com/q/214784/79319) illustrating another. – WBT Aug 09 '19 at 15:40

3 Answers3

5

The problem here could be as simple as being someone behind you that could read you password directly from the screen but consider also, that if that page is served via "HTTP" and not "HTTPs" your password will be traveling in plain text through internet and anybody could just grab the packet and clearly read it.

But the problem can be even bigger if they just store your password in plain text in their databases since once they get hacked they will probably have a lot of passwords for a lot of people that probably use that very same password with the account provided.

It is clearly a security negligence.

kiBytes
  • 3,450
  • 15
  • 26
  • Sigh. The incompetence and laziness of some web developers can be staggering. We're a small firm of 2-3 developers, and we try our best to secure the data of our users despite not having to store passwords or bank information. I don't understand how some developers can sleep at night with this security risk. – theGreenCabbage Mar 11 '14 at 19:35
  • @theGreenCabbage They usually know little to none about security and they are not willing to pay for a security consultant. – kiBytes Mar 11 '14 at 19:44
2

Given the details added in your edit, I would say chances are that your password is not being stored securely.

Your data over the network is safe, given that it is using https. However, it appears that your password is being stored either as plaintext or encrypted (not much better). We could say that maybe they just do this in the short term, but we can use Occam's Razor here. What is more likely? That a developer took the time to use a temporary storage mechanism just to email you your password in plaintext, and then hash it securely? Or is it just stored as plaintext (or some kind of encryption).

Since you mention using the same password for other sites (your mistake), I'd go ahead and change your password for other sites. It probably would be "ok" but you have posted this to a security-centric site, so someone here might get curious about what else is weak. (They would be jerks - this is for charity, but hey, it happens.)

To sum it up:

What is wrong with a confirmation page displaying my password?

Nothing, inherently, except that onlookers can see your password displayed. It indicates a certain level of thoughtlessness when it comes to security. The fact that you also get it emailed to you in plaintext further indicates that your password is being mis-managed. In cases like this, you give up only information you don't mind being compromised, and choose a unique "throwaway" password.

Gray
  • 728
  • 4
  • 15
  • 2
    The most recent edit to the question indicates the password is also being e-mailed. So, regardless of how it is stored on the EventsOnline servers, it's most definitely being stored/transmitted insecurely at some point in the e-mail process. – Iszi Mar 05 '14 at 15:27
  • @Iszi Thanks for letting me know, that sort of changes things. I have updated my answer accordingly. – Gray Mar 05 '14 at 16:40
1

The password itself should never be stored on the server, only the one-way hash derived by feeding the password through a non-reversible hash function, as soon as it's entered into the sign-up form. In essence, they shouldn't have your password to display it to you. Gray is absolutely correct, this doesn't speak well for how they are handling the rest of your data, and you should most certainly change this password on any other accounts where you used it.

Basically the whole system of authentication with passwords is broken, and we all know it, but no one has come up with a viable alternative. Going forward, you might want to consider using a password manager like LastPass, which allows you to set one robust master password, and will generate unbreakably long and complex passwords for any sites you do business with and store them in a properly encrypted manner. Hey, we all do this, no one can remember unique complex passwords for all the sites we access. A manager is a good start toward sanity... Good Luck, and change those passwords!

Steven Stafford
  • 11
  • 2