Password security hall of shame

By | September 29, 2009

As I wrote earlier today, I just changed my password on over 300 Web sites. In the process, I encountered a large number of sites which simply don’t know how to do password security properly. Some of these sites are operated by major corporations which are entrusted by their users with confidential and sensitive personal information — names, addresses, telephone numbers, birthdays, credit-card numbers, etc. It is truly frightening that these corporations fail to properly secure their users’ passwords, and therefore fail to properly secure their users’ personal information.

I am posting this article to highlight the weaknesses I discovered, to shame these sites, with the hope that doing so might perhaps push some of them just a little bit closer to doing the right thing. I am also posting this article to let people know of sites they should be careful about using.

If you know of other sites which don’t secure their users’ passwords properly, please post about them in comments here and I’ll add them to the article!

And so, without further ado, I give you…

The password security hall of shame

Site Data sensitivity level Crimes against password security
ssa.gov (Social Security Administration) Business Services Online high password must be exactly 8 character long; only numbers and letters; not case sensitive
fidelity.com high Converts both usernames and passwords into corresponding telephone keypad numbers so that they can be shared between telephone and Web access
vanguard.com high Passwords are case-insensitive and limited to 10 characters, spaces and special character are not allowed
americanexpress.com high Limits passwords to 8 characters, case-insensitive, no spaces or special characters
myspace.com high Stores passwords in plaintext, emails your password to you when you say you forgot it, and limits passwords to 10 characters
aaa.com high Stores passwords in plaintext and emails your password to you when you say you forgot it
hrsaccount.com (for HSBC credit cards) high Limits passwords to 10 characters
discovercard.com high Limits passwords to 10 characters, letters and numbers only; emails passwords
benefitaccess.com (MorganStanley SmithBarney) high Doesn’t allow passwords to contain spaces or non-alphanumeric characters
mycheckfree.com high Limits passwords to 8 characters
communityroom.net high Limits passwords to 8 characters
iemployee.com high Permits only alphanumeric characters; passwords are case-insensitive; limits passwords to 20 characters
wellsfargo.com high Maps alphanumeric passwords to telephone keypad numbers, thus greatly decreasing their complexity and security (update: this is disputed by Edward Reid)
detma.org high “Passwords must be exactly 8 characters in length and may not contain special characters (*, &, #, etc.) Passwords must contain at least one letter and one number and are case-sensitive.”
Kohl’s account management medium Max length 8 characters; no spaces or special characters
rcn.com medium Max length 10 characters; supports only some special characters; stores passwords in cleartext and makes them visible to service reps
factstuition.com medium Doesn’t support changing passwords
thesportsauthority.com medium Stores passwords in plaintext and emails your new password to you when you change it
snaptotes.com medium Stores passwords in plaintext and emails your new password to you when you change it
collegehelpers.com medium Stores passwords in plaintext and emails your password to you when say you forgot it; amusingly, this site says, “Your information is safe with us! We take your privacy seriously.”
elotusland.com medium Stores passwords in plaintext and emails your password to you when say you forgot it
care2.com medium Stores passwords in plaintext and emails your password to you when say you forgot it
mazon.org medium Stores passwords in plaintext and emails your password to you when say you forgot it
lycos.com medium Stores passwords in plaintext and emails your password to you when say you forgot it
peapod.com / stopandshop.com medium Stores passwords in plaintext and emails your password to you when say you forgot it
jetblue.com medium Stores passwords in plaintext and emails your password to you when say you forgot it
hertz.com medium Stores passwords in plaintext and emails your password to you when say you forgot it
myinterfase.com (hosts jobs sites for multiple colleges) medium Stores passwords in plaintext and displays them, unobscured, on user profile page
phoneshark.com medium Doesn’t allow passwords to contain non-alphanumeric characters
cliason.com (outsourced, offshore customer service provider) medium Stores passwords in plaintext, emails your password to you when you say you forgot it, and doesn’t support changing passwords
latimes.com medium Stores passwords in plaintext, emails your password to you when you say you forgot it, and password change functionality doesn’t work
landsend.com medium Limits passwords to 8 characters
createandbarrel.com medium Site claims that passwords are limited to 8 characters, but they actually aren’t
officedepot.com medium Password change functionality doesn’t work for accounts that haven’t been used to place orders in a while
amtrakguestrewards.com medium Limits passwords to 10 characters
Virgin Atlantic medium Stores passwords in plaintext
followthatpage.com low Stores passwords in plaintext and emails your new password to you when you change it
swingstateproject.com low Stores passwords in plaintext and emails your password to you when you say you forgot it
politico.com low Stores passwords in plaintext and emails your password to you when say you forgot it
netgear.com low Stores passwords in plaintext and emails your password to you when say you forgot it
britannica.com low Stores passwords in plaintext and emails your password to you when say you forgot it
custhelp.com (provides product support for Motorola and other companies) low Stores passwords in plaintext, emails your password to you when say you forgot it, and doesn’t support changing passwords
cnn.com low Limits passwords to 10 characters
scholastic.com low emails passwords
americangreetings.com low emails passwords

NOTES:

  1. When I write that a Web site stores passwords in plaintext, it is possible that in fact passwords are encrypted using symmetric encryption in the site’s database. However, I consider this little better than not encrypting them at all, because (a) such passwords are still vulnerable to being stolen easily by an employee or contractor with legitimate access to the database, and (b) if an attacker is able to steal the database, he will probably also be able to steal or crack the key used to encrypt the passwords. For these reasons, and because it is impossible to distinguish as a user of the site whether the passwords are stored with encryption or in plaintext, I make no such distinctions above.
  2. The problems described above for any particular site are not necessarily a complete list of that site’s problems; they represent only the problems I know about.

Print Friendly, PDF & Email
Share

29 thoughts on “Password security hall of shame

  1. Bob

    I’d like to nominate Florida’s prepaid toll program, Sunpass, to the list. Their password policy only allows 4-digit PINs to protect your address, vehicle tag numbers, and payment details, not to mention transponder IDs that could potentially lead to a targeted tracking attack.

    Reply
  2. Jason

    Hello, may I nominate GitHub.com for requiring passwords to at least contain a number?

    Reply
    1. jik Post author

      I think requiring particular character classes is iffy, but not nearly as bad as the other sites listed here, so I don’t really feel it belongs on the list with them.

      Reply
  3. Garrett

    I had my Discover number stolen, disputed the fraudulent charges, etc. They took care of it. Great. Mailed me a new card. Activated the new card. Re-activated my online account and DISCOVER E-MAILS ME MY PASSWORD IN PLAIN TEXT.

    what the hell?

    Reply
  4. jik Post author

    They won’t let you use “q” and “z” because they want you to be able to use the same password on the Web and on the phone, and some phones don’t have “q” or “z” on them. I hate to say it, but given that they want the password you pick to be useable on the phone, the restrictions they put on it are actually somewhat reasonable.

    Reply
  5. agodfrin

    Then there are also those sites that enforce really ridiculous rules for passwords, presumably thinking they make them safer.

    My case in point is https://www.virtuallythere.com/ the system run by Sabre to check and manage any reservation done via Sabre. The default access mechanism is just to enter your Sabre reservation code and passenger name. But you can also sign-up for a permanent login which I assume gives you access to more functions.

    When you try to sign up, you are asked to invent a password, but make sure you follow the following rules:

    “Should contain a minimum of 7 characters and maximum of 12 characters.
    Should contain at least one numeric character.
    The same character cannot appear more than twice in the password.
    The same character should not repeat more than twice in a row.
    There should be no spaces in the password.
    The password cannot contain the characters Q,q,Z,z. ”

    What’s wrong with letters Q and Z ? Why would they not be allowed ?

    Albert

    Reply
  6. jik Post author

    I think the point of the images is not to protect against sites that are doing a true man-in-the-middle attack, but rather against sites that are just putting up a look-alike dummy site and collecting usernames and passwords. The easiest technique is: prompt the user for his username and password; reject it so that the user thinks he typed his password wrong; and redirect the user to the legitimate site for his second login attempt, so s/he won’t realize anything is wrong. The username and password were captured on the dummy site during the first login attempt and can be used by the attacker to log in as the user on the legitimate site.

    Having to reach out to the legitimate site to grab the security image and display it on the dummy site in the middle of the login process makes the problem quite a bit harder.

    Reply
  7. RichC

    For those (in)security questions I generate an answer by prepending the key word in the question (“Where was the last place you went on vacation?” -> “vacation”) to a 10+ digit random number I’ve memorized.

    Naive question — what good are the images at all? If the evil site is doing a MITM attack it will be able to show you the images, can’t it?

    Reply
  8. jik Post author

    Your social security number is not, in fact, “public information.” Yes, you end up giving them out a lot, and yes, they get compromised a lot by identity thieves, and yes, they’re a bad security token, but the fact of the matter is that most people’s social security numbers have not been compromised, and therefore if the bank must choose a temporary password to use, the last four digits of the SSN are as good a choice as any.

    In the spirit of full disclosure, I will mention that when Peoples Federal Savings Bank did exactly the same thing to me in 2001, I went ballistic. See the full story here, and the first message I sent them about it here. However, there was a big difference. At that time, Massachusetts was using social security numbers as driver’s license numbers by default, and as a result, most people’s SSNs were as close as their wallets. If a thief stole someone’s wallet, he’d be likely to get both their ATM card and their SSN, thus giving the thief full access to their account.

    I disagree with your assertion that the answers to the security questions are “public knowledge.” I think the number of people who would be able to determine who your third grade teacher was is rather small, and how could anyone but you know your “favorite vacation spot”? Besides, if this kind of thing concerns you, then you can make up your own question, or you can just decide what answer you are going to give whenever you have to answer a security question at any site, even if the answer has nothing to do with the question.

    I’m a bit conflicted about the security images. On the one hand, since I don’t fall for phishes or allow the computers I use to get infected with trojans or viruses that would redirect my attempts to contact my bank, those images are never going to provide me with any extra security. On the other hand, perhaps they do enhance security for people who are stupid enough to fall for phishing messages; of course, they would do that only if said people are smart enough to actually notice if the security image is missing or wrong, and I highly doubt that most people are. So I suppose you’re right that overall they’re useless. I wonder if any of the sites that use them have done any real-world research to find out whether they have any benefit.

    The thing about reputable companies sending emails with links to third-party Web sites is a huge issue that is reported on over and over again in such forums as the RISK Digest. Some of those reports have been from me :-). So I’m totally with you on that. I simply can’t imagine why there are still companies that are stupid enough to send out emails with links that don’t point back at their domain.

    Reply
  9. Edward Reid

    The problem with their temporary passwords (and with most suggested security questions) is that the answers are public information. If it were just something to answer on the spur of the moment, it would be stronger. But they did it in a way that gave attackers potentially weeks to look up the answers. Of course we all feel most strongly about the cases which hit us personally … I didn’t suffer any harm, but I was “hit” by the fact that two of my accounts were for six weeks protected only by totally public information.

    I haven’t seen any publications on how secure these types of measures are. Computer scientists tend to lean toward studying things which have theoretical answers (hey, I understand, I was a math major). Things like the practical ability to connect zip codes, SSNs, and family information are harder to study without actually practicing cracking.

    And then there’s the “security image” thing which has become popular recently, which in its current versions (no ability to upload my own image, nor for all practical purpose to choose my image) is probably useful for people with only one online account but nearly useless for those of us with many. To me, those images have already become just more noise on the site. I realize that they have to use something non-textual because otherwise most users would confuse their password and the bank’s password. But for goodness sake, let me tell the bank what pass-image I want them to use.

    It’s a slightly different issue, but I just got email from PGP Corp … with lots of links pointing to manticoretechnology.com, including some which claim to point to PGP.com. I don’t claim there’s anything dangerous about the actual links (Manticore is totally legitimate as far as I can tell), but the “fake link” bit is such a huge issue in phishing that I have to consider it just outright wrong for a company which claims to support security measures to send out fake links.

    OK, I’m running off at the fingers and it’s your blog.

    Edward

    Reply
  10. Edward Reid

    New nomination: Apple Bank (www.applebank.com). While their normal procedures are no worse than anyone else’s, they made serious errors in transition — see text below or go to their home page and click on “online login”. Yes, I changed my password before posting this … but my account sat with this “temporary password” for a month and a half.

    ============================================

    Welcome to Apple Bank’s new, enhanced online banking system

    If you have not logged in since September 30th, please pay careful attention to the following instructions before you do so:

    User ID Requirements: Your User ID must be 8 to 20 characters in length and must include only letters and numbers. Do not use spaces or special characters. If your User ID already meets these requirements, there is no need to change it. If your User ID does not meet these requirements, please call CustomerLine at the number below to have it changed.

    Temporary Password: For security reasons, you will need to use a NEW TEMPORARY PASSWORD to login. Your Temporary Password is the last four digits of your social security number followed by the five-digit zip code on your account. After you login, follow the instructions on choosing a permanent password.

    =============================================

    Their new password requirement is

    You have entered a temporary password. For security purposes, please enter a new password that is between 8 and 32 characters. The password must contain at least one letter, one number and a special character from the following list:
    ~`@#$%^&*()_-+={[}]|\:l”‘.?/ and space.

    ===========================================

    And then they want an open-ended “security” question — you make up the question as well as the answer, as if most users had any idea of what a secure question would be, and the examples are the standard fare of basically public information:

    ===========================================

    Before you can access your account information, you must set up a Personal Authentication Question and Answer. This question/answer helps validate your identity so you can immediately create a new password in the event you forget yours.

    The question should be easily answered by you but difficult for others to guess. The answer must be 5 to 32 characters and can be a combination of letters, numbers and symbols. Examples of questions and answers:
    Question: Who was your third grade teacher? / Answer: Mrs. Simmons
    Question: What is my favorite vacation spot? / Answer: Montserrat

    Your Personal Authentication Question and Answer should be treated like any other confidential information.

    Reply
    1. jik Post author

      Actually, I’ve got to say that all that looks pretty reasonable to me. I suppose the temporary password thing is a bit weak, and it would have been better if they had mailed random, secure temporary passwords to all of their customers via the U.S. Mail, but it’s not awful. I think the password and security question policies they posted are actually pretty good as these things go.

      Reply
  11. Edward Reid

    Add vanguard.com (high). Passwords are case-insensitive and also overly restricted:

    Enter a new password of 6 to 10 characters, including 2 letters and 2 numbers. Do not enter your user name, image name, answers to your security questions, spaces, or special characters, such as /’-.”.

    With Fidelity already on the shame list, it seems that security is not a well-defined concern in investments.

    Reply
  12. Edward Reid

    My tests conflict with the claim that Wells Fargo maps alphanumeric to keypad. I tried changing one letter to another letter on the same key, changing one letter to the digit on the key, and changing all letters to the corresponding digits. I also tested changing the case of one letter. All tests resulted in login failure.

    WF has a separate mobile interface, which I did not attempt to test, since I’m not interested in using it and in any case it does not apply to the standard web interface, since you have to explicitly enable it. Obviously it is possible that different password management might apply there.

    Reply
  13. John K

    On the + in e-mail addresses things, I gave up on that years ago too. I configured my mail server to accept +, ., and / as the same delimiter for sorting into IMAP delivery boxes.

    Now there are a bunch of sites that did allow me to use + but I can’t change the address to use . since they somehow botch the URL-encoding of +. sigh.

    Reply
  14. RichC

    Oh yeah — I forgot about that. fidelity.com “numberizes” both usernames and passwords (I imagine so that they can use the same authentication back end for both web logins and telephone trading/account inquiries).

    Reply
  15. Eli the Bearded

    [The /etc/aliases “fix” only works if you control your own server.]

    I think I’ve mentioned in in comp.risks before, but my bank (Wells Fargo) clearly stores passwords as numbers in the backend. The bank by phone service has you enter passwords from the telephone keypad, checked against one entered via the website. I’ve tried making deliberate typos in the website password that map to the same telephone number and the site has let me in. Example: “justkidding” maps to 58785433464, so “kustjidding” which maps to the same number would be accepted.

    Reply
  16. ToeBee

    I’ve been annoyed at discovercard.com for several years. My newegg.com account *requires* a stronger password than discover *allows* me use. Seriously, wtf?

    Comment though: discover needs an additional note. They also do not allow anything besides letters and numbers. From their “Creating a good password” tip:

    “Your Discover Card password must be 5–10 characters and can be any combination of letters and numbers. Passwords cannot contain any “special” characters and spaces.”

    Reply
  17. jik Post author

    @Arthur: Thanks, I’ve updated my information about AmEx. As for SoCalGas, perhaps I’m reading it wrong, but I don’t think that article is talking about a Web site password. I think it’s talking about a password you have to give when calling in to make changes to your account over the phone.

    Reply
  18. jik Post author

    I’ve spent 15 years trying to convince most of these same sites that a “+” is a legitimate character in an email address.

    I gave up on that war long ago. Now I just add an alias to /etc/aliases on my server with “-” instead of “+”, for the sites that won’t let me use the latter. That sucks, but you can only bang your head against a brick wall for so long before realizing that it hurts you more than the wall.

    Reply
  19. Arthur

    I don’t have first-hand information for you, but consumerist.com has a number of posts
    that might give you some more entries. For instance, a user complains that AMEX,
    in addition to limiting you to 8 characters, also requires only numbers and case-insensitive
    letters. See:
    http://consumerist.com/5366403/american-express-wants-you-to-use-lame-passwords

    Another, worse, password story which is too complex for me to summarize is at:
    http://consumerist.com/5365771/socalgas-password-policy-makes-passwords-pointless

    Reply
    1. A

      Your statement “requires only numbers and case-insensitive” doesn’t make sense. How do you type a capital number?

      I enjoyed this post, jik. But I feel that you have your blog comments backwards. 🙁

      Reply
      1. jik Post author

        That site requires passwords to consist of only numbers and case-insensitive letters.

        Reply
  20. Reto L.

    Hah. I’ve spent 15 years trying to convince most of these same sites that a “+” is a legitimate character in an email address. I have no expectation that they’ll do security any better until or unless an ENORMOUS HAMMER gets applied. Which I also don’t expect because this is a country by the corporations for the corporations.

    Reply
  21. RichC

    Same as JetBlue. Select “Forgot my password”, type in your email address, and get your actual password emailed to you in cleartext. Which obviously implies that that it’s being stored as cleartext or with symmetric crypto.

    (One note about symmetric crypto — you express your concerns about password storage. But you haven’t said anything about credit card number storage. CC info obviously (to naive me, anyway) has to be stored using symmetric crypto since the info has to be decrypted so it can be sent to the credit card processing system.)

    Reply
  22. RichC

    Add jetblue.com to the list. When you forget your password they ask for your email address and if they find it, email your current password to you in the clear. Which obviously implies storing it in the clear or with symmetric crypto.

    Reply
  23. Nate

    Most of the credit card sites I’ve logged into actually won’t allow anything other than numbers and letters in their passwords. How crazy is that? Way to force me to use a less secure password. The other thing I hate is bank sites that make me use my pin number as my password. a 4 number password? So there’s what, 10,000 combinations? I could crack that on my watch in half an hour. The only reason it’s acceptable for ATMs is because you have to physically punch the numbers.

    What is the world coming to? Isn’t it almost the second decade of the new millenium? Certainly banking sites should be on the forefront of security, it’s not like this is new, unexplored territory.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *