Online insecurity: 'Sloppy practice' with passwords

If you click "I forgot my password" and get emailed back your old password, you should be worried.

Hundreds of thousands of New Zealanders’ personal details could be at risk from companies not storing website passwords safely according to a security consultant.

While websites usually encrypt passwords, businesses such as Vodafone and Ticketek have been keeping users’ passwords in unencrypted plain text, leaving them vulnerable to anyone with access to the site, from developers to hackers.

“It is sloppy practice,” says Insomnia Security consultant Adam Boileau, “and it’s generally indicative of bad practice in other areas of security”.

He says the easiest way to tell if a company is keeping your password in plain text is by using the “I forgot my password” feature of a website. “If they email you your old password, you know they're doing it wrong.”

When a company can send you your original password, it’s likely they have it stored in their system and anyone who has access, or gets access, can also read it.

“The main thing we worry about is the fact that people often use the same password on other websites,” Boileau said.

“If someone gets access to one of your passwords, it could mean access to other places like Gmail or Facebook. It’s this process of taking one password and escalating it to access to lots of others.”

Vodafone, a company with 2.3 million customers in New Zealand, keeping plain text passwords is particularly concerning, Boileau said.  

“There's a lot more potential things you could do with a password database that large.

“Given the two million user passwords for a country of 4.6 million people, you can learn a lot about what are the common passwords, and use that to guess passwords in other New Zealand organisations.”

He also says Ticketek, a company that relies heavily on online ticket sales, “should know better”.

“They’re a pretty big e-commerce site and it’s surprising that they still do that. Generally what we see is that systems that are still using clear text storage are either really rubbish, or too-important-to-fix.”

The New Zealand Internet Task Force (NZITF), an organisation aiming to improve cyber security, agree that keeping passwords in plaintext leaves customers’ personal details vulnerable to leaks and attacks.

Vodafone is one of NZITF’s corporate members, but chairman Barry Bailey says he wasn’t aware the telecommunications giant was keeping passwords and admits “it’s not good practice at all”.

“If the database is compromised, and you have to assume the worst case scenario, then the follow-on damage is made worse because of all the passwords in plain text,” he says.

When contacted by The Wireless Vodafone says it takes security for its customers “very seriously” and is going to review password security across the company.

Ticketek refused to comment, saying discussing their security practices would put their customers’ security at risk.

Boileau said the correct way to store passwords is to not store the password itself, but rather a “hash” or representation of it. “Usually you create a one-way encryption. Think the mathematical equivalent of putting a pig in a sausage grinder; you can’t crank the handle backwards and get a pig.”

The most useful thing people can do to protect their online accounts, he said, is to have different passwords for different sites.

Apps like 1Password  and LastPass can help store passwords so customers don’t need to remember them all.

“Even if you just stick your password in a file on your computer, it’s still better than using the same password for everything.”

[Update: Vodafone says "almost all" of its customers’ passwords are one-way encrypted but "a subset of broadband customers, with older modems, have a different password reset process." The company says it's in the process of developing a new single identity management system for those customers' accounts.]