Passwordgate: Thousands of websites have been openly exposing user passwords

The big Sony breach is only the tip of the online insecurity iceberg, it turns out.

Call it Passwordgate: Owners of thousands of websites—including big brands like AT&T, The New York Times, and Macy’s—have been openly exposing their users’ passwords over the past few years by placing them undisguised smack dab in the middle of e-mails to those users, my latest investigation for StateoftheNet.Net found.

Security pros consider this a glaring security lapse. “When a company sends a password in plain-text it is essentially inviting a user’s account to be compromised,” says Rick Redman, Senior Security Consultant at KoreLogic Security. “It also means that the company not only KNOWS your password, but stores it in a method that anyone can see…it is an insult to the customer. In my mind, it is the same as saying, ‘we do not care about your security.’” (If a site stores passwords in plain text, it’s even worse than sending them in e-mails, experts say.)

Government officials agree. “Sending a user’s password in plain text increases the risk of unauthorized access,” Mark Eichorn, Assistant Director of the Federal Trade Commission’s (FTC) Division of Privacy and Identity Protection, told me.

It gets worse

When a website commits such a lapse, it puts more at risk than just the personal information stored in your account at that site. A survey that I reported on in 2012 for Consumer Reports found that nearly one in five consumers used the same password for more than five accounts. So by exposing the passwords their users had entrusted to them, the thousands of sites in question were also increasing the risk of a breach of their users’ accounts at other institutions, such as retail, banking, and social network sites.

And that risk could linger for months, or even years, according to Redman. “Most users don’t change their passwords,” he points out. “So an email with your password in it is sitting somewhere deep in your inbox, long forgotten by you, but it still has valid credentials in it.”

What does all this mean for you? Just this: Even if you follow to the letter my recent advice on how to avoid a big password mistake, whenever you divulge your password to a website that exposes it in plain text, you might just as well have used the word “password” as your password.

We know about this massive security breach thanks to two public-spirited techies, Omer van Kloeten, Chief Technology Officer at the New York-based app developer AppMyDay, and Igal Tabachnik, Lead Developer at OzCode. Fed up with having his own passwords repeatedly e-mailed to him in plain text, van Kloeten has since 2011 been posting examples of similar experiences that users send him at the site Plain Text Offenders (PTO), which he and Tabachnik created and which he says is “dedicated to publicly shaming this horrible practice.” He typically receives and posts evidence for several offenders per day. For the year 2014 alone, the site’s archive contains more than 950 screen shots of offending e-mails. The full archive bulges with some 2,700 examples dating back to 2011.

Who are the culprits?

Besides the three brands I mentioned above, PTO’s archive also contains examples of culpable e-mails from such brands as FedEx, J. Crew, Laura Ashley, Office Depot, Rhapsody, SeaWorld, and Sprint, as well as examples from government sites, such as Indiana.gov and BoulderColorado.gov; local and regional businesses; and sites that appeal mainly to gamers or geeks.

I began this investigation in October by registering with roughly 20 of PTO’s reported sites to see if they were still exposing passwords. E-mails containing passwords are usually sent either when you first register with a site or when you tell the site you have forgotten your password. When I tried this with my small group of sites, quite a few did not include my password in their e-mail responses. But some did: One retailer of electronic lab equipment included both my user name and password in its account confirmation e-mail. And PetSmart, which stores customers’ credit card numbers on its site, sent me a temporary password in plain text when I told the site I had forgotten my old one.

Most troubling to me were the e-mails I received from Princess Cruises, whose exposure of passwords had first been reported by PTO in May, 2014. When I told the Princess site I had forgotten my password, the site—which may store such sensitive personal information as your address, birthdate, passport number, medical conditions, or sexual preference—e-mailed me my password in plain text. I checked back with the site again in mid-December and it sent me this e-mail:

[Screenshot of the Princess Cruises e-mail]

The site’s privacy policy says, “we take steps to protect your personal information and keep it secure.” But, as noted above, security experts and government officials don’t agree that e-mailing a password in plain text does keep personal information secure.

PTO’s van Kloeten also maintains a list, Reformed Offenders, of the good guys that he knows have stopped sending passwords in plain text. As of mid-December, about 25 sites were listed. “I’m very hopeful. It’s still an incredibly low percentage (less than 1%), but it’s growing,” he told me. He acknowledges that he hasn’t had time to follow up regularly on every submission, so even he doesn’t know just how many of the rest of the reported offenders may have reformed.

Earlier this year, software maker Dashlane, which offers a free password manager for consumers, published evidence that confirmed the sorry state of password security on many websites. Studying 100 of the top e-commerce sites in the US, it found that eight had sent passwords in plain text via e-mail. Among Dashlane’s many other troubling findings were that 64 percent of the sites had questionable password practices and 55 percent still accepted some of the worst conceivable passwords, such as “123456.”

What you can do

• If a website e-mails you your password in plain text, notify the owners of the offending site, if possible. Then report it to PTO using that site’s submission form. PTO’s van Kloeten welcomes submissions and offers a helpful FAQ that answers many of your questions. You may also want to report the incident to the FTC, which welcomes consumer complaints about such practices, according to Mark Eichorn. To file such a complaint with the FTC, use the FTC Complaint Assistant.

• Use a different password on each site plus a password manager, such as LastPass, KeePass, or Dashlane. “Password managers aren’t perfect,” says KoreLogic’s Rick Redman. “And there is an inherent risk with using them, but the risk is much less than using the same password on every site.”

• If a site you use (such as your bank, Google/Gmail, PayPal) offers two-factor authentication, a feature that provides extra security by requiring more than just a password for account access, take advantage of it.

• Look for telltale signs that a site isn’t properly securing your password. Says PTO’s van Kloeten, “You can be certain of it if the site shows you your password at any time. This can be in an email, on the site itself when viewing your account details, in a text message or even when conversing with a representative on the phone or via chat (‘You forgot your password? Oh, it’s kitten123.’). If that’s not the case, you can still be suspicious if, for instance, the site has weird restrictions like not letting you choose a long and/or strong password.”

• To find out if sites you visit have ever been reported by PTO, install either the third-party Chrome Extension or the Firefox Add-on on PTO’s tools page. I can’t vouch for these tools’ accuracy or security, but when I tried them myself they appeared to work and I didn’t experience any noticeable problems. When they issue a warning, it doesn’t guarantee that the site still exposes passwords in plain text, but does mean that it has been reported to have done so at some time since 2011.
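The two e-mails described earlier in this investigation (the registration confirmation and the forgotten-password reply) and van Kloeten’s telltale sign (a site that can show you your password) come down to one design question: does the site keep a copy of the password at all? The example below is added here for illustration and is not code from PTO, Dashlane, or any site named in this article. It puts the offending “store it and mail it back” pattern beside a store that keeps only a per-user salt and a PBKDF2 hash, so it cannot reveal the password, and handles recovery with a random, expiring, single-use token. The class names, the `example.invalid` domain, the sample address and the password `kitten123` are constructed for the example.

```python
# Added example (not code from the article or any site it names): the "store the
# password and mail it back" pattern beside a hardened registration/recovery flow.
# Class names, the example.invalid domain and the sample password are constructed.
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor


class PlainTextStore:
    """The offending design: the site can read the password back, so it ends up in
    e-mail. Anyone who can read the database, the mail queue or the user's inbox
    now holds a valid credential, possibly for years."""

    def __init__(self):
        self.users = {}

    def register(self, email, password):
        self.users[email] = password
        return f"Welcome! Your username is {email} and your password is {password}"

    def forgot_password(self, email):
        return f"You asked for your password. It is: {self.users[email]}"


class HashedStore:
    """Hardened design: only a per-user salt and a PBKDF2 hash are kept, so the
    site cannot show anyone the password. Recovery sends a random, expiring,
    single-use token, and only a hash of that token is stored server-side."""

    def __init__(self, token_ttl_seconds=900):
        self.users = {}          # email -> (salt, pbkdf2_hash)
        self.reset_tokens = {}   # sha256(token) -> (email, expiry_timestamp)
        self.token_ttl = token_ttl_seconds

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, email, password):
        salt = os.urandom(16)
        self.users[email] = (salt, self._hash(password, salt))
        return f"Welcome! Your username is {email}."    # the password never appears

    def verify(self, email, password):
        record = self.users.get(email)
        if record is None:
            return False
        salt, stored = record
        # constant-time comparison of the stored and recomputed hashes
        return hmac.compare_digest(stored, self._hash(password, salt))

    def forgot_password(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.reset_tokens[key] = (email, now + self.token_ttl)
        # constructed link; a real site would use its own reset endpoint
        return f"Reset your password here: https://example.invalid/reset?token={token}"

    def reset_with_token(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).digest()
        entry = self.reset_tokens.pop(key, None)   # pop: a token is good exactly once
        if entry is None:
            return False
        email, expires = entry
        if now > expires or email not in self.users:
            return False
        salt = os.urandom(16)   # fresh salt on every password change
        self.users[email] = (salt, self._hash(new_password, salt))
        return True


def mail_reveals_password(mail_body, password):
    """Van Kloeten's telltale sign as a check: does the e-mail body contain the
    password verbatim?"""
    return password in mail_body


def token_from_mail(mail_body):
    """Pull the token out of the constructed reset link produced above."""
    return mail_body.split("token=", 1)[1]
```

Run against the same sample account, `PlainTextStore` produces two e-mails that `mail_reveals_password` flags, while `HashedStore` produces none, still verifies the correct password, rejects a wrong one, and refuses a reset token that is bogus, expired or already used. The point of hashing the stored token as well as the password is that a read of the database alone yields nothing a reader can type into the login or reset form.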

Toward more secure websites

“We try to educate, not just shame,” says van Kloeten. “Offenders who contact us are immediately pointed to our very detailed and lovingly crafted FAQs and I even take as much time as needed to help them understand why what they did was wrong and how to fix it. We also encourage our wonderful community to spread the word. Google has started working towards making the web more secure, like giving higher PageRank to sites that are all-SSL. I hope this trend continues.”

I’ll be reporting more soon on issues like this, which affect consumer online security and privacy, at StateoftheNet.Net.
