The big Sony breach is only the tip of the online insecurity iceberg, it turns out.
Call it Passwordgate: Owners of thousands of websites—including big brands like AT&T, The New York Times, and Macy’s—have been openly exposing their users’ passwords over the past few years by placing them undisguised smack dab in the middle of e-mails to those users, my latest investigation for StateoftheNet.Net found.
Security pros consider this a glaring security lapse. “When a company sends a password in plain-text it is essentially inviting a user’s account to be compromised,” says Rick Redman, Senior Security Consultant at KoreLogic Security. “It also means that the company not only KNOWS your password, but stores it in a method that anyone can see…it is an insult to the customer. In my mind, it is the same as saying, ‘we do not care about your security.’” (If a site stores passwords in plain text, it’s even worse than sending them in e-mails, experts say.)
Government officials agree. “Sending a user’s password in plain text increases the risk of unauthorized access,” Mark Eichorn, Assistant Director of the Federal Trade Commission’s (FTC) Division of Privacy and Identity Protection, told me.
It gets worse
When a website commits such a lapse, it puts more at risk than just the personal information stored in your account at that site. A survey that I reported on in 2012 for Consumer Reports found that nearly one in five consumers used the same password for more than five accounts. So by exposing the passwords their users had entrusted to them, the thousands of sites in question were also increasing the risk of a breach of their users’ accounts at other institutions, such as retail, banking, and social network sites.
And that risk could linger for months, or even years, according to Redman. “Most users don’t change their passwords,” he points out. “So an email with your password in it is sitting somewhere deep in your inbox, long forgotten by you, but it still has valid credentials in it.”
What does all this mean for you? Just this: Even if you follow to the letter my recent advice on how to avoid a big password mistake, whenever you divulge your password to a website that exposes it in plain text, you might just as well have used the word “password” as your password.
We know about this massive security breach thanks to two public-spirited techies, Omer van Kloeten, Chief Technology Officer at New York-based app developer AppMyDay, and Igal Tabachnik, Lead Developer at OzCode. Fed up with having his own passwords repeatedly e-mailed to him in plain text, since 2011 van Kloeten has been posting examples of similar experiences that users send him at the site Plain Text Offenders (PTO), which he and Tabachnik created and which he says is “dedicated to publicly shaming this horrible practice.” He typically receives and posts evidence for several offenders per day. For the year 2014 alone, the site’s archive contains more than 950 screen shots of offending e-mails. The full archive bulges with some 2,700 examples dating back to 2011.
Who are the culprits?
Besides the three brands I mentioned above, PTO’s archive also contains examples of culpable e-mails from such brands as FedEx, J. Crew, Laura Ashley, Office Depot, Rhapsody, SeaWorld, and Sprint, as well as examples from government sites, such as Indiana.gov and BoulderColorado.gov; local and regional businesses; and sites that appeal mainly to gamers or geeks.
I began this investigation in October by registering with roughly 20 of PTO’s reported sites to see if they were still exposing passwords. E-mails containing passwords are usually sent either when you first register with a site or when you tell the site you have forgotten your password. When I tried this with my small group of sites, quite a few did not include my password in their e-mail responses. But some did: One retailer of electronic lab equipment included both my user name and password in its account confirmation e-mail. And PetSmart, which stores customers’ credit card numbers on its site, sent me a temporary password in plain text when I told the site I had forgotten my old one.
Most troubling to me were the e-mails I received from Princess Cruises, whose exposure of passwords had first been reported by PTO in May, 2014. When I told the Princess site I had forgotten my password, the site—which may store such sensitive personal information as your address, birthdate, passport number, medical conditions, or sexual preference—e-mailed me my password in plain text. I checked back with the site again in mid-December and it sent me this e-mail:
PTO’s van Kloeten also maintains a list, Reformed Offenders, of the good guys that he knows have stopped sending passwords in plain text. As of mid-December, about 25 sites were listed. “I’m very hopeful. It’s still an incredibly low percentage (less than 1%), but it’s growing,” he told me. He acknowledges that he hasn’t had time to follow up regularly on every submission, so even he doesn’t know just how many of the rest of the reported offenders may have reformed.
Earlier this year, software maker Dashlane, which offers a free password manager for consumers, published evidence that confirmed the sorry state of password security on many websites. Studying 100 of the top e-commerce sites in the US, it found that eight had sent passwords in plain text via e-mail. Among Dashlane’s many other troubling findings were that 64 percent of the sites had questionable password practices and 55 percent still accepted some of the worst conceivable passwords, such as “123456.”
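The contrast the article draws, a site that knows and can e-mail your password versus one that cannot, shown in code. This is an added example, not code from the article or from any site it names; the in-memory user table, the 15-minute token lifetime and the example.invalid reset URL are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption).
USERS = {}         # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry timestamp)
TOKEN_LIFETIME = 900  # 15 minutes (assumption)

def register(username, password):
    """Persist only a salted PBKDF2 hash; the site never keeps the plaintext,
    so no welcome e-mail or support agent can ever reveal it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    USERS[username] = {"salt": salt, "hash": digest}
    return f"Welcome {username}. Your account is ready."  # no password here

def verify(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
    return hmac.compare_digest(digest, rec["hash"])  # constant-time compare

def forgot_password(username, now=None):
    """The 'forgot password' e-mail carries a single-use, expiring link,
    not the password or a temporary one. (Unknown-user handling omitted.)"""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token so a database leak does not expose live links.
    key = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[key] = (username, now + TOKEN_LIFETIME)
    return f"Reset your password: https://example.invalid/reset?token={token}"

def reset_password(token, new_password, now=None):
    """Consume the token (single use), reject it if expired, then re-hash."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None or now > entry[1]:
        return False
    register(entry[0], new_password)  # fresh salt with the new password
    return True
```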
What you can do
• If a website e-mails you your password in plain text, notify the owners of the offending site, if possible. Then report it to PTO using that site’s submission form. PTO’s van Kloeten welcomes submissions and offers a helpful FAQ that answers many of your questions. You may also want to report the incident to the FTC, which welcomes consumer complaints about such practices, according to Mark Eichorn. To file such a complaint with the FTC, use the FTC Complaint Assistant.
• Use a different password on each site plus a password manager, such as LastPass, KeePass, or Dashlane. “Password managers aren’t perfect,” says KoreLogic’s Rick Redman. “And there is an inherent risk with using them, but the risk is much less than using the same password on every site.”
• If a site you use (such as your bank, Google/Gmail, PayPal) offers two-factor authentication, a feature that provides extra security by requiring more than just a password for account access, take advantage of it.
• Look for telltale signs that a site isn’t properly securing your password. Says PTO’s van Kloeten, “You can be certain of it if the site shows you your password at any time. This can be in an email, on the site itself when viewing your account details, in a text message or even when conversing with a representative on the phone or via chat (“You forgot your password? Oh, it’s kitten123.”). If that’s not the case, you can still be suspicious if, for instance, the site has weird restrictions like not letting you choose a long and/or strong password.”
• To find out if sites you visit have ever been reported by PTO, install either the third-party Chrome Extension or the Firefox Add-on on PTO’s tools page. I can’t vouch for these tools’ accuracy or security, but when I tried them myself they appeared to work and I didn’t experience any noticeable problems. When they issue a warning, it doesn’t guarantee that the site still exposes passwords in plain text, but does mean that it has been reported to have done so at some time since 2011.
Toward more secure websites
“We try to educate, not just shame,” says van Kloeten. “Offenders who contact us are immediately pointed to our very detailed and lovingly crafted FAQs and I even take as much time as needed to help them understand why what they did was wrong and how to fix it. We also encourage our wonderful community to spread the word. Google has started working towards making the web more secure, like giving higher PageRank to sites that are all-SSL. I hope this trend continues.”
I’ll be reporting more soon on issues like this, which affect consumer online security and privacy, at StateoftheNet.Net.