Earlier today, I wrote about the many ways in which the DMA’s MPS Web site is broken and about the fact that the people who run the site don’t really seem to care all that much.
I forwarded a link to my article to the DMA’s consumer affairs email address. To their credit, they responded the same day. Unfortunately, their response did nothing to reassure me that they have a clue about how to run a proper Web site; exactly the opposite, in fact. Here’s why:
It turns out that you did not have to create new accounts for those names yesterday after all.
I did a little research on your behalf and found that you had already created two accounts last year for the same seven family members back on 08/14/2008 for Jonathan Kamens, [four other names elided] which does not expire until 09/14/2011. The old username for the 2008 account is: [elided] and the old password is: [elided].
The second account for the other two names [names elided] was created on 08/14/2009 and expires on 09/14/2011. The old username was: [elided] and password [elided].
Yes, that’s right, they emailed me my passwords.
Here’s how I responded:
It simply astounds me that you were able to email my password to me. In this day and age, when there are new stories in the media every day about major Web sites being hacked and user databases being stolen, it is incredibly irresponsible for the DMA or any other Web site to store passwords in plain-text. People tend to reuse the same password on many sites, so if anyone were to break into your site and steal your user database, they would be able to use the passwords you store there to impersonate your users on other sites on which they are registered. In other words, by storing passwords in plain-text, you are endangering not merely the security of your own site, but also the security of every other site your users use.
As documented at http://docforge.com/wiki/Web_application/Security#Encryption, http://www.owasp.org/images/1/14/OWASP_Top_10_090708.ppt (slide 37), http://www.fishnetsecurity.com/sites/com.fishnetsecurity/downloads/Forgot_Password_Best_Practices_v2.0.pdf, http://blog.codahale.com/2007/02/28/bcrypt-ruby-secure-password-hashing/, http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf, and by many other experts in many other places all over the Internet, passwords on Web sites should always be stored as the output of a one-way hash algorithm, so that even if someone steals the user database from the site, they won’t be able to get any plain-text passwords out of it.
Independent of the fact that you choose to store your passwords in an insecure manner, you should never, ever send passwords through email. How do you know there isn’t somebody eavesdropping on my email account? How do you know I’m the only one who uses it?
The fact that you store passwords in plain-text and you were willing to email me my password shows that the DMA has given no real thought at all to the security of your application and the private user data stored within it. That’s scary.
Aside from all that, you haven’t addressed the root cause of my complaint with your Web site. While it’s nice that you were able to fix my account to give me access to your site, that doesn’t change the fact that the site didn’t work properly for me, and apparently doesn’t work properly for other people too, and it doesn’t appear that anyone at the DMA actually cares a bit about this or intends to do anything about it.
In short, while I do appreciate the fact that you’ve made it possible for me to use the site, that doesn’t change the fact that the people who implemented and support it all appear to be a bunch of amateurs, and you don’t really care all that much whether it works properly and is secure.
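For readers who want to see what the reply above is asking for, here is an added example of the two practices it names: storing only a salted, one-way, slow hash of each password, and handling a "forgot my password" request with a short-lived, single-use token rather than by mailing the password. This is example code written for this page, not code from the DMA site or from the author. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (bcrypt is not in the standard library); the iteration count, the token lifetime, the `UserStore` class and the usernames are all hypothetical, and the user table is an in-memory dictionary constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

# Both values are assumptions for this example, not figures from the page.
PBKDF2_ITERATIONS = 600_000   # make each guess expensive for an attacker with the table
RESET_TOKEN_TTL = 15 * 60     # seconds a mailed reset token stays valid


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.

    A fresh random salt per user means two users with the same password get
    different records, so one precomputed table cannot crack the whole dump.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


class UserStore:
    """In-memory stand-in for a site's user table (constructed for this example)."""

    def __init__(self, iterations: int = PBKDF2_ITERATIONS) -> None:
        self._users: Dict[str, dict] = {}
        self._iterations = iterations

    def create(self, username: str, password: str) -> None:
        # Only the hash record is kept; the plain-text password is never written anywhere.
        self._users[username] = {
            "pw": hash_password(password, iterations=self._iterations),
            "reset": None,
        }

    def login(self, username: str, password: str) -> bool:
        user = self._users.get(username)
        return user is not None and verify_password(password, user["pw"])

    def stored_record(self, username: str) -> str:
        """What an attacker who steals the table actually gets for this user."""
        return self._users[username]["pw"]

    def start_reset(self, username: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a one-time reset token. The caller emails THIS, never a password.

        Only a hash of the token is stored, so a leaked table does not hand out
        live reset tokens either. Returns None for unknown users; the caller
        should still reply "check your email" so usernames cannot be enumerated.
        """
        user = self._users.get(username)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        user["reset"] = {
            "digest": hashlib.sha256(token.encode("ascii")).hexdigest(),
            "expires": (now if now is not None else time.time()) + RESET_TOKEN_TTL,
        }
        return token

    def finish_reset(self, username: str, token: str, new_password: str,
                     now: Optional[float] = None) -> bool:
        """Accept the token once, within its lifetime, and set a new password."""
        user = self._users.get(username)
        pending = user["reset"] if user else None
        if pending is None:
            return False
        current = now if now is not None else time.time()
        digest = hashlib.sha256(token.encode("ascii")).hexdigest()
        ok = hmac.compare_digest(digest, pending["digest"]) and current <= pending["expires"]
        user["reset"] = None  # single use: burn it whether or not it matched
        if ok:
            user["pw"] = hash_password(new_password, iterations=self._iterations)
        return ok


if __name__ == "__main__":
    store = UserStore()
    store.create("jik", "correct horse battery staple")   # hypothetical user
    print("table row:", store.stored_record("jik"))        # no password in here
    print("mail this, not the password:", store.start_reset("jik"))
```

The point of the record format is that a stolen table yields nothing a thief can replay on other sites: each entry is a per-user salt plus a derived key that costs hundreds of thousands of hash operations per guess. The reset path mails a random token with a lifetime of minutes, stores only its hash, and discards it after one attempt, so neither an eavesdropper on the mailbox nor a thief with the database learns a password that the user may also be using elsewhere.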