If a "forgot your password?" page emails your old password, is that definitive proof that they have stored it in plain text?

8

When a site emails your old password, as opposed to requiring you to reset it on the site, I'm wondering what that implies about their security measures.

Does this mean that they store the password in plain text for their own convenience or could they still use encryption on the password?

S. Michaels

Posted 2009-09-25T16:16:18.400

Reputation: 185

I abandoned a site because they insisted on e-mailing me my username and password once a month, whether I asked for it or not. I e-mailed them several times to tell them that this was not good practice, then gave up. – TRiG – 2011-06-20T11:40:01.673

Encryption is a two-way process where you somehow can decrypt the information given the correct key. Passwords should normally use hashing instead, which in theory is a one-way coding where the password results in a specific hash value, which is hard or impossible to reverse. When you then log in, your entered password is coded in the same way and compared to the stored coded value, and lets you in if they match. In practice you can sometimes reverse the process through various brute-force processes like using rainbow tables... – Oskar Duveborn – 2009-09-25T17:35:20.833

Whether or not they had it encrypted, they sent it in a plain-text email! That website is not serious or clued-in about security in any way. Hopefully you didn't give them a password that you use anywhere else. Right? – DanO – 2009-10-30T22:24:34.877

Answers

25

They might be using encryption when the password is stored in the DB but they shouldn't be storing it in a retrievable format at all, encrypted or otherwise.

They should be taking a one-way hash of the password (plus a salt). This means they can check the password you enter now matches the one you gave before but they (or some cracker with access to their DB) cannot find out what it is. Encrypting the password means a cracker would have to find the DB and the encryption key, but since the key must be on the server serving the website this is hardly inconceivable.

So if they can send you your password, this means they are not following well-known security best practices.

Bad practice like this is a good reason for using a different password for every website you register at.

Dave Webb

Posted 2009-09-25T16:16:18.400

Reputation: 10 126

BTW, thanks for calling them crackers instead of hackers! – NVRAM – 2009-09-25T16:44:10.467

As an aside, two-way hashes are considered by major banks to be secure enough for storing credit card information. – runako – 2009-09-25T19:41:42.527

@runako: What's a two-way hash? A hash function usually yields a value of a certain size, which means that the original can't be found again unless the original is no larger than the hash value. – David Thornley – 2009-09-25T19:44:02.583

Sorry, mis-post. That should have been "two-way function". – runako – 2009-09-25T20:20:32.323
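The salted one-way hash Dave describes, and Oskar's point in the comments that the only way to "reverse" such a hash is to guess, as an added example that is not from the answer or the original page. The algorithm and parameters are assumptions chosen for the example (PBKDF2-HMAC-SHA256, a 16-byte random salt per record, 600,000 iterations); the attacker-side wordlist is constructed. Note that `verify_password` never decrypts anything: it re-derives the digest from the entered password and the stored salt, so a site storing records like these has nothing it could e-mail back.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, a 16-byte random
# salt per record and 600,000 iterations (a deliberately slow hash).
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return the record the site stores: algorithm, iteration count, salt
    and digest, all ASCII, with no way to get the password back."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the entered password and the record's own
    salt, then compare in constant time. Nothing is ever decrypted."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False                           # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guess_from_wordlist(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Attacker side: a stolen record cannot be reversed, only guessed.
    Each guess must be re-hashed with that record's salt, so a table
    precomputed for one salt (or no salt) is useless against another."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


def demo() -> dict:
    """Two users who chose the same password get different records, only the
    exact password verifies, and a weak password still falls to guessing."""
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    weak = hash_password("letmein")
    # Constructed, tiny wordlist standing in for an attacker's dictionary.
    wordlist = ["password", "123456", "letmein", "qwerty"]
    return {
        "records_differ": alice != bob,
        "alice_ok": verify_password("correct horse battery staple", alice),
        "bob_ok": verify_password("correct horse battery staple", bob),
        "case_change_rejected": verify_password("Correct horse battery staple", alice),
        "weak_guessed": guess_from_wordlist(weak, wordlist),
        "strong_not_guessed": guess_from_wordlist(alice, wordlist),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt does not make a weak password strong (`letmein` is found in four guesses); it only forces the attacker to redo that work per record instead of once for everyone, which is why the slow iteration count matters as much as the salt.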

19

Even if it is encrypted and secure, that e-mail was in no way secure.

One thing you do know: by using e-mail, your password is now almost certainly stored in plain text at many other locations:

  • On their mail server
  • On your e-mail provider's server
  • In your computer's browser or e-mail storage directories
  • On the hard drive/logs of anyone who might have been "listening in" along the way
  • ...and quite possibly at any Internet hop between you and that site.

Robert Cartaino

Posted 2009-09-25T16:16:18.400

Reputation: 6 444

1

As Dave said, they could be, and hopefully are, using encryption, but I have seen sites that store passwords in plain text. They could also generate a new temporary password when you hit the "I forgot my password" button, which you have to change the first time you log in with it. The bottom line is that you don't know how they store your password, and unless the site is hosted by the same company that you get support from, and they only have a few people, it is unlikely that you would be able to ask anyone who would know how it is stored; and even if they did know, it is unlikely they would tell you.

Beaner

Posted 2009-09-25T16:16:18.400

Reputation: 3 193
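The alternative Beaner mentions, a temporary credential that must be changed on first login, as an added example that is not from the answer or the original page. The temporary credential here is a random reset token; the 15-minute lifetime, the 32-byte token size and the `Account` fields are assumptions for the example, and the timestamps in `demo` are constructed. The site stores only the token's hash, so even this flow never puts a reusable secret in its database; the cleartext exists only in the one e-mail, and it dies after a single use or on expiry.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed lifetime of a reset token for this example: 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


@dataclass
class Account:
    """Just the fields a reset flow needs; the real password hash is out of scope."""
    username: str
    must_change_password: bool = False
    reset_token_hash: Optional[str] = None   # only the hash is stored
    reset_expires_at: float = 0.0


def _token_digest(token: str) -> str:
    # The token carries 256 bits of randomness, so plain SHA-256 is enough;
    # salting and stretching matter for low-entropy passwords, not for this.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_reset_token(account: Account, now: float) -> str:
    """Create the temporary credential the site e-mails. The cleartext exists
    only in that message; the database holds its hash and an expiry."""
    token = secrets.token_urlsafe(32)
    account.reset_token_hash = _token_digest(token)
    account.reset_expires_at = now + TOKEN_TTL_SECONDS
    return token


def redeem_reset_token(account: Account, presented: str, now: float) -> bool:
    """Accept the token once, within its lifetime, via constant-time compare,
    and flag the account so the next login forces a password change."""
    if account.reset_token_hash is None or now > account.reset_expires_at:
        return False
    if not hmac.compare_digest(account.reset_token_hash, _token_digest(presented)):
        return False
    account.reset_token_hash = None          # single use: burn it immediately
    account.reset_expires_at = 0.0
    account.must_change_password = True
    return True


def demo() -> dict:
    """Walk the flow with a fixed clock so the outcomes are deterministic."""
    now = 1_700_000_000.0                    # constructed timestamp
    acct = Account("alice")
    token = issue_reset_token(acct, now)
    results = {
        "db_holds_cleartext": acct.reset_token_hash == token,
        "wrong_token_rejected": redeem_reset_token(acct, "not-the-token", now),
        "right_token_accepted": redeem_reset_token(acct, token, now + 60),
        "must_change_after": acct.must_change_password,
        "replay_rejected": redeem_reset_token(acct, token, now + 61),
    }
    stale = Account("bob")
    old = issue_reset_token(stale, now)
    results["expired_rejected"] = redeem_reset_token(
        stale, old, now + TOKEN_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Compared with e-mailing the real password, the only thing that can leak from this e-mail is a credential that is already invalid a few minutes later and is useless against any other site the user shares a password with.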

0

The answer is NO - this isn't a proof of anything.

In any case, you have no way of knowing how the passwords are stored internally. Most likely they are using a database like MySQL, and it might be that they are not encrypted inside the database. However, it's still possible they are consciously storing the entire database on some encrypted medium such as TrueCrypt. All you can do is hope that they have taken enough measures to protect your privacy.

harrymc

Posted 2009-09-25T16:16:18.400

Reputation: 306 093

It is proof that they aren't stored encrypted with a one-way hash, and hence the plain text password can be retrieved. – NVRAM – 2009-09-25T16:45:02.167

Retrieved is not the same as plain text. Retrieved can also mean decrypted. Plain text means stored as simple text that one can display without much effort. – harrymc – 2009-09-25T16:58:34.043

If it can be decrypted then it's not secure. Take over the authenticating box and you have the keys to decrypt everyone's passwords. – Jeremy L – 2009-09-25T18:39:12.310

Yah, take over the site server and you can log passwords even before they are one-way hashed. Come on guys, you are being silly. – harrymc – 2009-09-26T07:24:35.297