4

For a research paper about passwords, I am looking for a source that gives an actual estimate of how many websites save their users' passwords as plain text on their servers.

Is there any study that has dealt with the problem of how websites secure their users' passwords?

Paddre
  • 141
  • 3
  • Great question! Since there are sites that do store passwords in plain text (a horrible thing to do), it is important for us to vary our passwords by website. This way, if you have an account on such a site, a hacker or the web admin won't be able to use that same password to get into your other site accounts (bank account, for example!). I hope someone is able to point you to some good statistics; I would like to know this too! – Jonathan Feb 10 '15 at 13:22
  • 1
    @Jonathan - even if a site stores hashed passwords, there is nothing to stop a malicious admin capturing your password as you log in. It is important to vary passwords either way. – paj28 Feb 10 '15 at 15:16

1 Answer

6

I do not know about any studies on this, but there is a site called "Plain Text Offenders".
This site lists other sites which show signs of storing passwords in plain text (for example, they are able to send your password back if you ask for a new one).

rbialon
  • 277
  • 2
  • 9
  • Yeah I found this website too, but either I can't handle it or there is no way to find out whether a particular site is on the list or how many sites are currently operating in this manner. – Paddre Feb 10 '15 at 12:31
  • 2
    Have a look at its 3rd Party Tools list, there you can find a "databased" version of its list: https://8ack.de/plato/info/ There is an API with description which might be able to do what you want: https://8ack.de/plato/api/list/?method=app But I am sure that's only the tip of the iceberg. – rbialon Feb 10 '15 at 12:35
  • Yeah thanks. Don't know why I haven't considered checking the [3rd party section](http://plaintextoffenders.com/tools) before :O. There are also browser extensions which warn you if you are on a site that is listed there. However, I still hope that there is some research that has been done on this subject – Paddre Feb 10 '15 at 14:43
  • 2
    I'm a member of a used-to-be plaintext offender that I discovered when I reset my password. I alerted the PR department privately about why every site, no matter how insignificant the data-sensitivity, can play a role in compromising sensitive information about their users. Within a month, they were no longer offenders. :) – Andrew Hoffman Feb 10 '15 at 14:48