Something better to do » Web security http://blog.kamens.us Musings of an indignant mind Mon, 06 Feb 2012 22:35:18 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Password security hall of shame http://blog.kamens.us/2009/09/29/password-security-hall-of-shame/ http://blog.kamens.us/2009/09/29/password-security-hall-of-shame/#comments Tue, 29 Sep 2009 20:38:30 +0000 jik http://blog.kamens.brookline.ma.us/~jik/wordpress/?p=931 As I wrote earlier today, I just changed my password on over 300 Web sites. In the process, I encountered a large number of sites which simply don’t know how to do password security properly. Some of these sites are operated by major corporations which are entrusted by their users with confidential and sensitive personal information — names, addresses, telephone numbers, birthdays, credit-card numbers, etc. It is truly frightening that these corporations fail to properly secure their users’ passwords, and therefore fail to properly secure their users’ personal information.

I am posting this article to highlight the weaknesses I discovered, to shame these sites, with the hope that doing so might perhaps push some of them just a little bit closer to doing the right thing. I am also posting this article to let people know of sites they should be careful about using.

If you know of other sites which don’t secure their users’ passwords properly, please post about them in comments here and I’ll add them to the article!

And so, without further ado, I give you…

The password security hall of shame

Site Data sensitivity level Crimes against password security
ssa.gov (Social Security Administration) Business Services Online high password must be exactly 8 character long; only numbers and letters; not case sensitive
fidelity.com high Converts both usernames and passwords into corresponding telephone keypad numbers so that they can be shared between telephone and Web access
vanguard.com high Passwords are case-insensitive and limited to 10 characters, spaces and special character are not allowed
americanexpress.com high Limits passwords to 8 characters, case-insensitive, no spaces or special characters
myspace.com high Stores passwords in plaintext, emails your password to you when you say you forgot it, and limits passwords to 10 characters
aaa.com high Stores passwords in plaintext and emails your password to you when you say you forgot it
hrsaccount.com (for HSBC credit cards) high Limits passwords to 10 characters
discovercard.com high Limits passwords to 10 characters, letters and numbers only; emails passwords
benefitaccess.com (MorganStanley SmithBarney) high Doesn’t allow passwords to contain spaces or non-alphanumeric characters
mycheckfree.com high Limits passwords to 8 characters
communityroom.net high Limits passwords to 8 characters
iemployee.com high Permits only alphanumeric characters; passwords are case-insensitive; limits passwords to 20 characters
wellsfargo.com high Maps alphanumeric passwords to telephone keypad numbers, thus greatly decreasing their complexity and security (update: this is disputed by Edward Reid)
detma.org high “Passwords must be exactly 8 characters in length and may not contain special characters (*, &, #, etc.) Passwords must contain at least one letter and one number and are case-sensitive.”
Kohl’s account management medium Max length 8 characters; no spaces or special characters
rcn.com medium Max length 10 characters; supports only some special characters; stores passwords in cleartext and makes them visible to service reps
factstuition.com medium Doesn’t support changing passwords
thesportsauthority.com medium Stores passwords in plaintext and emails your new password to you when you change it
snaptotes.com medium Stores passwords in plaintext and emails your new password to you when you change it
collegehelpers.com medium Stores passwords in plaintext and emails your password to you when say you forgot it; amusingly, this site says, “Your information is safe with us! We take your privacy seriously.”
elotusland.com medium Stores passwords in plaintext and emails your password to you when say you forgot it
care2.com medium Stores passwords in plaintext and emails your password to you when say you forgot it
mazon.org medium Stores passwords in plaintext and emails your password to you when say you forgot it
lycos.com medium Stores passwords in plaintext and emails your password to you when say you forgot it
peapod.com / stopandshop.com medium Stores passwords in plaintext and emails your password to you when say you forgot it
jetblue.com medium Stores passwords in plaintext and emails your password to you when say you forgot it
hertz.com medium Stores passwords in plaintext and emails your password to you when say you forgot it
myinterfase.com (hosts jobs sites for multiple colleges) medium Stores passwords in plaintext and displays them, unobscured, on user profile page
phoneshark.com medium Doesn’t allow passwords to contain non-alphanumeric characters
cliason.com (outsourced, offshore customer service provider) medium Stores passwords in plaintext, emails your password to you when you say you forgot it, and doesn’t support changing passwords
latimes.com medium Stores passwords in plaintext, emails your password to you when you say you forgot it, and password change functionality doesn’t work
landsend.com medium Limits passwords to 8 characters
createandbarrel.com medium Site claims that passwords are limited to 8 characters, but they actually aren’t
officedepot.com medium Password change functionality doesn’t work for accounts that haven’t been used to place orders in a while
amtrakguestrewards.com medium Limits passwords to 10 characters
followthatpage.com low Stores passwords in plaintext and emails your new password to you when you change it
swingstateproject.com low Stores passwords in plaintext and emails your password to you when you say you forgot it
politico.com low Stores passwords in plaintext and emails your password to you when say you forgot it
netgear.com low Stores passwords in plaintext and emails your password to you when say you forgot it
britannica.com low Stores passwords in plaintext and emails your password to you when say you forgot it
custhelp.com (provides product support for Motorola and other companies) low Stores passwords in plaintext, emails your password to you when say you forgot it, and doesn’t support changing passwords
cnn.com low Limits passwords to 10 characters

NOTES:

  1. When I write that a Web site stores passwords in plaintext, it is possible that in fact passwords are encrypted using symmetric encryption in the site’s database. However, I consider this little better than not encrypting them at all, because (a) such passwords are still vulnerable to being stolen easily by an employee or contractor with legitimate access to the database, and (b) if an attacker is able to steal the database, he will probably also be able to steal or crack the key used to encrypt the passwords. For these reasons, and because it is impossible to distinguish as a user of the site whether the passwords are stored with encryption or in plaintext, I make no such distinctions above.
  2. The problems described above for any particular site are not necessarily a complete list of that site’s problems; they represent only the problems I know about.
]]> http://blog.kamens.us/2009/09/29/password-security-hall-of-shame/feed/ 26