The case for storing passwords in unreadable form

Web-hosting administration software maker InterWorx has been breached and hackers have stolen client credentials. What is worse, they have used those credentials to get into their clients’ servers and modify them to distribute malware.

What led to this situation, apart from the fact that the hackers got in, was the fact that their support desk software stored their clients’ credentials (usernames and passwords) in clear text. Once the hackers were in, it was just a matter of poking around and helping themselves to those credentials.

To make a bad situation worse, the support desk software version we use was storing e-mail and password data in plain text. Anyone using the same password elsewhere should change it immediately.

Industry standards strongly encourage developers to store passwords in unreadable form, which means either encryption or hashing. Ideally a password should not be known to anyone except its owner, and encryption does not meet that requirement: whoever holds the decryption key (the site itself, or an attacker who steals the key along with the database) can recover every password. For most uses, a one-way hash, computed with a per-user random salt and a deliberately slow function such as bcrypt, scrypt or PBKDF2, is the most appropriate method.

When passwords are stored as hashes and hackers break in, all they get are the hash values rather than the actual passwords. Those hashes are of little use to them if each password was salted with a unique random value before hashing: the attacker cannot run one precomputed lookup table against every account and has to attack each hash separately, and a slow hash function makes each guess expensive. Weak, guessable passwords can still be cracked this way, so hashing limits the damage rather than eliminating it. You can refer to a post that I wrote a while ago on storing passwords securely.
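To make the difference concrete, here is an added example (my own illustration for this post, not code from InterWorx or any product mentioned above) using only Python’s standard library: a salted, slow PBKDF2-HMAC-SHA256 password store with a constant-time verifier, next to the weak unsalted scheme and the lookup attack that works against it. The iteration count, the record format, and the sample accounts and wordlist are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Work factor for PBKDF2-HMAC-SHA256. This value is an assumption for the
# example; tune it so one hash costs a noticeable fraction of a second on
# your own servers, and raise it as hardware gets faster.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$digest_hex.

    The salt is a fresh 16-byte random value per password, so two users with
    the same password get different records. The record carries its own
    parameters so they can be raised later without breaking old entries.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate.hex(), digest_hex)


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast, unsalted hash. Shown only to contrast with the above."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """What an attacker does with a dump of unsalted hashes: build one lookup
    table from a wordlist and recover every matching account with no further work."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


if __name__ == "__main__":
    # Constructed sample data for the demonstration (not real credentials).
    wordlist = ["123456", "password", "letmein", "qwerty"]
    weak_db = {"alice": unsalted_sha256("letmein"),
               "bob": unsalted_sha256("letmein"),
               "carol": unsalted_sha256("correct horse battery staple")}
    print("unsalted dump, identical hashes reveal shared passwords:",
          weak_db["alice"] == weak_db["bob"])
    print("recovered from the unsalted dump:", crack_unsalted(weak_db, wordlist))

    strong_db = {"alice": hash_password("letmein"), "bob": hash_password("letmein")}
    print("salted records for the same password differ:",
          strong_db["alice"] != strong_db["bob"])
    print("login check:", verify_password("letmein", strong_db["alice"]),
          verify_password("wrong", strong_db["alice"]))
```

Two things worth noticing when you run it: the unsalted dump gives away that alice and bob share a password before any cracking starts, and the whole wordlist is checked against every account at once. With the salted records, the same password produces two unrelated strings, each guess has to be recomputed per account, and the site never holds anything it could e-mail back to the user.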

When I do vulnerability assessments and PCI assessments, I see so many organizations storing passwords in clear text. As a consumer, I always think twice about creating accounts at websites, since I do not know whether they are storing my password in clear text. There is sort of a way to find out, but it is not accurate.

If you go through a website’s “Forgot Password” process and they e-mail you your original password, there are two possibilities: either they store the password in encrypted form (which can be decrypted) or they store it in clear text. They are not hashing passwords, since hashing is supposed to be irreversible.

If they do not send you the original password but instead send you a link to click on and then ask you to set a new password, they are probably hashing passwords. But that cannot be guaranteed, since the passwords could still be stored in clear text with a process that simply resets them.

The best way is to go to the website’s FAQ or privacy policy and see what they say about storing passwords. Even if they state that they store passwords in unreadable form, there is no guarantee that they actually do. In almost any organization, there is always a gap between policy and reality.