As I wrote earlier today, I just changed my password on over 300 Web sites. In the process, I encountered a large number of sites which simply don’t know how to do password security properly. Some of these sites are operated by major corporations which are entrusted by their users with confidential and sensitive personal information — names, addresses, telephone numbers, birthdays, credit-card numbers, etc. It is truly frightening that these corporations fail to properly secure their users’ passwords, and therefore fail to properly secure their users’ personal information.
I am posting this article to highlight the weaknesses I discovered, to shame these sites, with the hope that doing so might perhaps push some of them just a little bit closer to doing the right thing. I am also posting this article to let people know of sites they should be careful about using.
If you know of other sites which don’t secure their users’ passwords properly, please post about them in comments here and I’ll add them to the article!
And so, without further ado, I give you…
The password security hall of shame
Site | Data sensitivity level | Crimes against password security |
---|---|---|
ssa.gov (Social Security Administration) Business Services Online | high | password must be exactly 8 characters long; only numbers and letters; not case sensitive |
fidelity.com | high | Converts both usernames and passwords into corresponding telephone keypad numbers so that they can be shared between telephone and Web access |
vanguard.com | high | Passwords are case-insensitive and limited to 10 characters; spaces and special characters are not allowed |
americanexpress.com | high | Limits passwords to 8 characters, case-insensitive, no spaces or special characters |
myspace.com | high | Stores passwords in plaintext, emails your password to you when you say you forgot it, and limits passwords to 10 characters |
aaa.com | high | Stores passwords in plaintext and emails your password to you when you say you forgot it |
hrsaccount.com (for HSBC credit cards) | high | Limits passwords to 10 characters |
discovercard.com | high | Limits passwords to 10 characters, letters and numbers only; emails passwords |
benefitaccess.com (MorganStanley SmithBarney) | high | Doesn’t allow passwords to contain spaces or non-alphanumeric characters |
mycheckfree.com | high | Limits passwords to 8 characters |
communityroom.net | high | Limits passwords to 8 characters |
iemployee.com | high | Permits only alphanumeric characters; passwords are case-insensitive; limits passwords to 20 characters |
wellsfargo.com | high | Maps alphanumeric passwords to telephone keypad numbers, thus greatly decreasing their complexity and security (update: this is disputed by Edward Reid) |
detma.org | high | “Passwords must be exactly 8 characters in length and may not contain special characters (*, &, #, etc.) Passwords must contain at least one letter and one number and are case-sensitive.” |
Kohl’s account management | medium | Max length 8 characters; no spaces or special characters |
rcn.com | medium | Max length 10 characters; supports only some special characters; stores passwords in cleartext and makes them visible to service reps |
factstuition.com | medium | Doesn’t support changing passwords |
thesportsauthority.com | medium | Stores passwords in plaintext and emails your new password to you when you change it |
snaptotes.com | medium | Stores passwords in plaintext and emails your new password to you when you change it |
collegehelpers.com | medium | Stores passwords in plaintext and emails your password to you when you say you forgot it; amusingly, this site says, “Your information is safe with us! We take your privacy seriously.” |
elotusland.com | medium | Stores passwords in plaintext and emails your password to you when you say you forgot it |
care2.com | medium | Stores passwords in plaintext and emails your password to you when you say you forgot it |
mazon.org | medium | Stores passwords in plaintext and emails your password to you when you say you forgot it |
lycos.com | medium | Stores passwords in plaintext and emails your password to you when you say you forgot it |
peapod.com / stopandshop.com | medium | Stores passwords in plaintext and emails your password to you when you say you forgot it |
jetblue.com | medium | Stores passwords in plaintext and emails your password to you when you say you forgot it |
hertz.com | medium | Stores passwords in plaintext and emails your password to you when you say you forgot it |
myinterfase.com (hosts jobs sites for multiple colleges) | medium | Stores passwords in plaintext and displays them, unobscured, on user profile page |
phoneshark.com | medium | Doesn’t allow passwords to contain non-alphanumeric characters |
cliason.com (outsourced, offshore customer service provider) | medium | Stores passwords in plaintext, emails your password to you when you say you forgot it, and doesn’t support changing passwords |
latimes.com | medium | Stores passwords in plaintext, emails your password to you when you say you forgot it, and password change functionality doesn’t work |
landsend.com | medium | Limits passwords to 8 characters |
createandbarrel.com | medium | Site claims that passwords are limited to 8 characters, but they actually aren’t |
officedepot.com | medium | Password change functionality doesn’t work for accounts that haven’t been used to place orders in a while |
amtrakguestrewards.com | medium | Limits passwords to 10 characters |
Virgin Atlantic | medium | Stores passwords in plaintext |
followthatpage.com | low | Stores passwords in plaintext and emails your new password to you when you change it |
swingstateproject.com | low | Stores passwords in plaintext and emails your password to you when you say you forgot it |
politico.com | low | Stores passwords in plaintext and emails your password to you when you say you forgot it |
netgear.com | low | Stores passwords in plaintext and emails your password to you when you say you forgot it |
britannica.com | low | Stores passwords in plaintext and emails your password to you when you say you forgot it |
custhelp.com (provides product support for Motorola and other companies) | low | Stores passwords in plaintext, emails your password to you when you say you forgot it, and doesn’t support changing passwords |
cnn.com | low | Limits passwords to 10 characters |
scholastic.com | low | emails passwords |
americangreetings.com | low | emails passwords |
NOTES:
- When I write that a Web site stores passwords in plaintext, it is possible that in fact passwords are encrypted using symmetric encryption in the site’s database. However, I consider this little better than not encrypting them at all, because (a) such passwords are still vulnerable to being stolen easily by an employee or contractor with legitimate access to the database, and (b) if an attacker is able to steal the database, he will probably also be able to steal or crack the key used to encrypt the passwords. For these reasons, and because it is impossible to distinguish as a user of the site whether the passwords are stored with encryption or in plaintext, I make no such distinctions above.
- The problems described above for any particular site are not necessarily a complete list of that site’s problems; they represent only the problems I know about.
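As an added example (not code from any site on the list), here is the distinction the first note draws, in working form: all three storage schemes let a site check a login, but only the first two let it hand the original password back, which is exactly what “emails your password to you” requires. The user records, the site key and the toy reversible transform are constructed for the example.

```python
"""Why a site that can e-mail you your password is storing it recoverably.

Constructed example: the same user records stored three ways. Only the third
scheme keeps the original password out of reach of anyone holding the database
plus the key kept next to it (the note's point (b)).
"""
import hashlib
import hmac
import os

# Constructed sample records; not real accounts or passwords.
SAMPLE_USERS = {"alice": "correct horse", "bob": "Tr0ub4dor&3"}
SITE_KEY = b"\x13" * 16  # constructed: the key a site would keep beside its DB


def _keystream_xor(data: bytes, key: bytes) -> bytes:
    # Toy reversible transform standing in for any symmetric cipher. The only
    # property that matters here is that the same key undoes it.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def store_plaintext(users):
    return {u: {"pw": p} for u, p in users.items()}


def store_reversible(users, key=SITE_KEY):
    return {u: {"ct": _keystream_xor(p.encode(), key)} for u, p in users.items()}


def store_hashed(users, iterations=200_000):
    # Salted, slow and one-way: PBKDF2-HMAC-SHA256 from the standard library.
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = {"salt": salt, "iters": iterations,
                  "hash": hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)}
    return out


def verify(record, password: str) -> bool:
    # The site can authenticate a login under all three schemes...
    if "pw" in record:
        return hmac.compare_digest(record["pw"], password)
    if "ct" in record:
        return hmac.compare_digest(_keystream_xor(record["ct"], SITE_KEY), password.encode())
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iters"])
    return hmac.compare_digest(digest, record["hash"])


def recover_password(record, key=SITE_KEY):
    # ...but only the first two can produce the original password, which is what
    # a "forgot password" e-mail, a support rep's screen, or a thief with the
    # database and key all rely on.
    if "pw" in record:
        return record["pw"]
    if "ct" in record:
        return _keystream_xor(record["ct"], key).decode()
    return None  # one-way: there is nothing to decrypt


def offline_guess(record, candidates):
    # Against the hashed store the holder of the database is reduced to guessing,
    # paying the full PBKDF2 cost per candidate per user because each salt differs.
    for guess in candidates:
        if verify(record, guess):
            return guess
    return None
```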
I’d like to nominate Florida’s prepaid toll program, Sunpass, to the list. Their password policy only allows 4-digit PINs to protect your address, vehicle tag numbers, and payment details, not to mention transponder IDs that could potentially lead to a targeted tracking attack.
Hello, may I nominate GitHub.com for requiring passwords to at least contain a number?
I think requiring particular character classes is iffy, but not nearly as bad as the other sites listed here, so I don’t really feel it belongs on the list with them.
I had my Discover number stolen, disputed the fraudulent charges, etc. They took care of it. Great. Mailed me a new card. Activated the new card. Re-activated my online account and DISCOVER E-MAILS ME MY PASSWORD IN PLAIN TEXT.
what the hell?
They won’t let you use “q” and “z” because they want you to be able to use the same password on the Web and on the phone, and some phones don’t have “q” or “z” on them. I hate to say it, but given that they want the password you pick to be useable on the phone, the restrictions they put on it are actually somewhat reasonable.
Then there are also those sites that enforce really ridiculous rules for passwords, presumably thinking they make them safer.
My case in point is https://www.virtuallythere.com/ the system run by Sabre to check and manage any reservation done via Sabre. The default access mechanism is just to enter your Sabre reservation code and passenger name. But you can also sign-up for a permanent login which I assume gives you access to more functions.
When you try to sign up, you are asked to invent a password, but make sure you follow the following rules:
“Should contain a minimum of 7 characters and maximum of 12 characters.
Should contain at least one numeric character.
The same character cannot appear more than twice in the password.
The same character should not repeat more than twice in a row.
There should be no spaces in the password.
The password cannot contain the characters Q,q,Z,z. ”
What’s wrong with letters Q and Z? Why would they not be allowed?
Albert
I think the point of the images is not to protect against sites that are doing a true man-in-the-middle attack, but rather against sites that are just putting up a look-alike dummy site and collecting usernames and passwords. The easiest technique is: prompt the user for his username and password; reject it so that the user thinks he typed his password wrong; and redirect the user to the legitimate site for his second login attempt, so s/he won’t realize anything is wrong. The username and password were captured on the dummy site during the first login attempt and can be used by the attacker to log in as the user on the legitimate site.
Having to reach out to the legitimate site to grab the security image and display it on the dummy site in the middle of the login process makes the problem quite a bit harder.
For those (in)security questions I generate an answer by prepending the key word in the question (“Where was the last place you went on vacation?” -> “vacation”) to a 10+ digit random number I’ve memorized.
Naive question — what good are the images at all? If the evil site is doing a MITM attack it will be able to show you the images, can’t it?
Your social security number is not, in fact, “public information.” Yes, you end up giving them out a lot, and yes, they get compromised a lot by identity thieves, and yes, they’re a bad security token, but the fact of the matter is that most people’s social security numbers have not been compromised, and therefore if the bank must choose a temporary password to use, the last four digits of the SSN are as good a choice as any.
In the spirit of full disclosure, I will mention that when Peoples Federal Savings Bank did exactly the same thing to me in 2001, I went ballistic. See the full story here, and the first message I sent them about it here. However, there was a big difference. At that time, Massachusetts was using social security numbers as driver’s license numbers by default, and as a result, most people’s SSNs were as close as their wallets. If a thief stole someone’s wallet, he’d be likely to get both their ATM card and their SSN, thus giving the thief full access to their account.
I disagree with your assertion that the answers to the security questions are “public knowledge.” I think the number of people who would be able to determine who your third grade teacher was is rather small, and how could anyone but you know your “favorite vacation spot”? Besides, if this kind of thing concerns you, then you can make up your own question, or you can just decide what answer you are going to give whenever you have to answer a security question at any site, even if the answer has nothing to do with the question.
I’m a bit conflicted about the security images. On the one hand, since I don’t fall for phishes or allow the computers I use to get infected with trojans or viruses that would redirect my attempts to contact my bank, those images are never going to provide me with any extra security. On the other hand, perhaps they do enhance security for people who are stupid enough to fall for phishing messages; of course, they would do that only if said people are smart enough to actually notice if the security image is missing or wrong, and I highly doubt that most people are. So I suppose you’re right that overall they’re useless. I wonder if any of the sites that use them have done any real-world research to find out whether they have any benefit.
The thing about reputable companies sending emails with links to third-party Web sites is a huge issue that is reported on over and over again in such forums as the RISK Digest. Some of those reports have been from me :-). So I’m totally with you on that. I simply can’t imagine why there are still companies that are stupid enough to send out emails with links that don’t point back at their domain.
The problem with their temporary passwords (and with most suggested security questions) is that the answers are public information. If it were just something to answer on the spur of the moment, it would be stronger. But they did it in a way that gave attackers potentially weeks to look up the answers. Of course we all feel most strongly about the cases which hit us personally … I didn’t suffer any harm, but I was “hit” by the fact that two of my accounts were for six weeks protected only by totally public information.
I haven’t seen any publications on how secure these types of measures are. Computer scientists tend to lean toward studying things which have theoretical answers (hey, I understand, I was a math major). Things like the practical ability to connect zip codes, SSNs, and family information are harder to study without actually practicing cracking.
And then there’s the “security image” thing which has become popular recently, which in its current versions (no ability to upload my own image, nor for all practical purpose to choose my image) is probably useful for people with only one online account but nearly useless for those of us with many. To me, those images have already become just more noise on the site. I realize that they have to use something non-textual because otherwise most users would confuse their password and the bank’s password. But for goodness sake, let me tell the bank what pass-image I want them to use.
It’s a slightly different issue, but I just got email from PGP Corp … with lots of links pointing to manticoretechnology.com, including some which claim to point to PGP.com. I don’t claim there’s anything dangerous about the actual links (Manticore is totally legitimate as far as I can tell), but the “fake link” bit is such a huge issue in phishing that I have to consider it just outright wrong for a company which claims to support security measures to send out fake links.
OK, I’m running off at the fingers and it’s your blog.
Edward
New nomination: Apple Bank (www.applebank.com). While their normal procedures are no worse than anyone else’s, they made serious errors in transition — see text below or go to their home page and click on “online login”. Yes, I changed my password before posting this … but my account sat with this “temporary password” for a month and a half.
============================================
Welcome to Apple Bank’s new, enhanced online banking system
If you have not logged in since September 30th, please pay careful attention to the following instructions before you do so:
User ID Requirements: Your User ID must be 8 to 20 characters in length and must include only letters and numbers. Do not use spaces or special characters. If your User ID already meets these requirements, there is no need to change it. If your User ID does not meet these requirements, please call CustomerLine at the number below to have it changed.
Temporary Password: For security reasons, you will need to use a NEW TEMPORARY PASSWORD to login. Your Temporary Password is the last four digits of your social security number followed by the five-digit zip code on your account. After you login, follow the instructions on choosing a permanent password.
=============================================
Their new password requirement is
You have entered a temporary password. For security purposes, please enter a new password that is between 8 and 32 characters. The password must contain at least one letter, one number and a special character from the following list:
~`@#$%^&*()_-+={[}]|\:l”‘.?/ and space.
===========================================
And then they want an open-ended “security” question — you make up the question as well as the answer, as if most users had any idea of what a secure question would be, and the examples are the standard fare of basically public information:
===========================================
Before you can access your account information, you must set up a Personal Authentication Question and Answer. This question/answer helps validate your identity so you can immediately create a new password in the event you forget yours.
The question should be easily answered by you but difficult for others to guess. The answer must be 5 to 32 characters and can be a combination of letters, numbers and symbols. Examples of questions and answers:
Question: Who was your third grade teacher? / Answer: Mrs. Simmons
Question: What is my favorite vacation spot? / Answer: Montserrat
Your Personal Authentication Question and Answer should be treated like any other confidential information.
Actually, I’ve got to say that all that looks pretty reasonable to me. I suppose the temporary password thing is a bit weak, and it would have been better if they had mailed random, secure temporary passwords to all of their customers via the U.S. Mail, but it’s not awful. I think the password and security question policies they posted are actually pretty good as these things go.
Add vanguard.com (high). Passwords are case-insensitive and also overly restricted:
Enter a new password of 6 to 10 characters, including 2 letters and 2 numbers. Do not enter your user name, image name, answers to your security questions, spaces, or special characters, such as /’-.”.
With Fidelity already on the shame list, it seems that security is not a well-defined concern in investments.
My tests conflict with the claim that Wells Fargo maps alphanumeric to keypad. I tried changing one letter to another letter on the same key, changing one letter to the digit on the key, and changing all letters to the corresponding digits. I also tested changing the case of one letter. All tests resulted in login failure.
WF has a separate mobile interface, which I did not attempt to test, since I’m not interested in using it and in any case it does not apply to the standard web interface, since you have to explicitly enable it. Obviously it is possible that different password management might apply there.
On the + in e-mail addresses things, I gave up on that years ago too. I configured my mail server to accept +, ., and / as the same delimiter for sorting into IMAP delivery boxes.
Now there are a bunch of sites that did allow me to use + but I can’t change the address to use . since they somehow botch the URL-encoding of +. sigh.
Oh yeah — I forgot about that. fidelity.com “numberizes” both usernames and passwords (I imagine so that they can use the same authentication back end for both web logins and telephone trading/account inquiries).
[The /etc/aliases “fix” only works if you control your own server.]
I think I’ve mentioned it in comp.risks before, but my bank (Wells Fargo) clearly stores passwords as numbers in the backend. The bank by phone service has you enter passwords from the telephone keypad, checked against one entered via the website. I’ve tried making deliberate typos in the website password that map to the same telephone number and the site has let me in. Example: “justkidding” maps to 58785433464, so “kustjidding” which maps to the same number would be accepted.
I’ve been annoyed at discovercard.com for several years. My newegg.com account *requires* a stronger password than discover *allows* me use. Seriously, wtf?
Comment though: discover needs an additional note. They also do not allow anything besides letters and numbers. From their “Creating a good password” tip:
“Your Discover Card password must be 5–10 characters and can be any combination of letters and numbers. Passwords cannot contain any “special” characters and spaces.”
@Arthur: Thanks, I’ve updated my information about AmEx. As for SoCalGas, perhaps I’m reading it wrong, but I don’t think that article is talking about a Web site password. I think it’s talking about a password you have to give when calling in to make changes to your account over the phone.
I’ve spent 15 years trying to convince most of these same sites that a “+” is a legitimate character in an email address.
I gave up on that war long ago. Now I just add an alias to /etc/aliases on my server with “-” instead of “+”, for the sites that won’t let me use the latter. That sucks, but you can only bang your head against a brick wall for so long before realizing that it hurts you more than the wall.
I don’t have first-hand information for you, but consumerist.com has a number of posts that might give you some more entries. For instance, a user complains that AMEX, in addition to limiting you to 8 characters, also requires only numbers and case-insensitive letters. See:
http://consumerist.com/5366403/american-express-wants-you-to-use-lame-passwords
Another, worse, password story which is too complex for me to summarize is at:
http://consumerist.com/5365771/socalgas-password-policy-makes-passwords-pointless
Your statement “requires only numbers and case-insensitive” doesn’t make sense. How do you type a capital number?
I enjoyed this post, jik. But I feel that you have your blog comments backwards. 🙁
That site requires passwords to consist of only numbers and case-insensitive letters.
Hah. I’ve spent 15 years trying to convince most of these same sites that a “+” is a legitimate character in an email address. I have no expectation that they’ll do security any better until or unless an ENORMOUS HAMMER gets applied. Which I also don’t expect because this is a country by the corporations for the corporations.
Same as JetBlue. Select “Forgot my password”, type in your email address, and get your actual password emailed to you in cleartext. Which obviously implies that it’s being stored as cleartext or with symmetric crypto.
(One note about symmetric crypto — you express your concerns about password storage. But you haven’t said anything about credit card number storage. CC info obviously (to naive me, anyway) has to be stored using symmetric crypto since the info has to be decrypted so it can be sent to the credit card processing system.)
And add hertz.com
Yeesh.
And add hertz.com
Details?
Add jetblue.com to the list. When you forget your password they ask for your email address and if they find it, email your current password to you in the clear. Which obviously implies storing it in the clear or with symmetric crypto.
Most of the credit card sites I’ve logged into actually won’t allow anything other than numbers and letters in their passwords. How crazy is that? Way to force me to use a less secure password. The other thing I hate is bank sites that make me use my PIN number as my password. A 4-number password? So there’s what, 10,000 combinations? I could crack that on my watch in half an hour. The only reason it’s acceptable for ATMs is because you have to physically punch the numbers.
What is the world coming to? Isn’t it almost the second decade of the new millennium? Certainly banking sites should be on the forefront of security; it’s not like this is new, unexplored territory.