Earlier today, I wrote about the many ways in which the DMA’s MPS Web site is broken and about the fact that the people who run the site don’t really seem to care all that much.
I forwarded a link to my article to the DMA’s consumer affairs email address. To their credit, they responded the same day. Unfortunately, their response did nothing to reassure me that they have a clue about how to run a proper Web site; exactly the opposite, in fact. Here’s why:
It turns out that you did not have to create new accounts for those names yesterday after all.
I did a little research on your behalf and found that you had already created two accounts last year for the same seven family members back on 08/14/2008 for Jonathan Kamens, [four other names elided] which does not expire until 09/14/2011. The old username for the 2008 account is: [elided] and the old password is: [elided].
The second account for the other two names [names elided] was created on 08/14/2009 and expires on 09/14/2011. The old username was: [elided] and password [elided].
Yes, that’s right, they emailed me my passwords.
Here’s how I responded:
It simply astounds me that you were able to email my password to me. In this day and age, when there are new stories in the media every day about major Web sites being hacked and user databases being stolen, it is incredibly irresponsible for the DMA or any other Web site to store passwords in plain-text. People tend to reuse the same password on many sites, so if anyone were to break into your site and steal your user database, they would be able to use the passwords you store there to impersonate your users on other sites on which they are registered. In other words, by storing passwords in plain-text, you are endangering not merely the security of your own site, but also the security of every other site your users use.
As documented at http://docforge.com/wiki/Web_application/Security#Encryption, http://www.owasp.org/images/1/14/OWASP_Top_10_090708.ppt (slide 37), http://www.fishnetsecurity.com/sites/com.fishnetsecurity/downloads/Forgot_Password_Best_Practices_v2.0.pdf, http://blog.codahale.com/2007/02/28/bcrypt-ruby-secure-password-hashing/, http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf, and by many other experts in many other places all over the Internet, passwords on Web sites should always be stored as the output of a one-way hash algorithm, so that even if someone steals the user database from the site, they won’t be able to get any plain-text passwords out of it.
Independent of the fact that you choose to store your passwords in an insecure manner, you should never, ever send passwords through email. How do you know there isn’t somebody eavesdropping on my email account? How do you know I’m the only one who uses it?
The fact that you store passwords in plain-text and you were willing to email me my password shows that the DMA has given no real thought at all to the security of your application and the private user data stored within it. That’s scary.
Aside from all that, you haven’t addressed the root cause of my complaint with your Web site. While it’s nice that you were able to fix my account to give me access to your site, that doesn’t change the fact that the site didn’t work properly for me, and apparently doesn’t work properly for other people too, and it doesn’t appear that anyone at the DMA actually cares a bit about this or intends to do anything about it.
In short, while I do appreciate the fact that you’ve made it possible for me to use the site, that doesn’t change the fact that the people who implemented and support it all appear to be a bunch of amateurs, and you don’t really care all that much whether it works properly and is secure.
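The email above argues that a site should keep only the output of a one-way hash, so that a stolen user table yields no passwords. The following is an added illustration of that practice using only Python’s standard library (PBKDF2-HMAC-SHA256 with a random per-user salt); it is not code from the post, from the DMA site, or from any of the linked documents, and the iteration count, record format and sample user table are my own assumptions.

```python
# Added example (not from the post): salted, iterated one-way password hashing
# with Python's standard library, the approach the email above argues for.
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Chosen here as an assumption; tune it to the
# deployment's hardware and to whatever guidance is current when it is deployed.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32
RECORD_PREFIX = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed table cannot be reused across them.
    The iteration count is stored with the record so it can be raised later
    without invalidating old records.
    """
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DERIVED_KEY_BYTES
    )
    return f"{RECORD_PREFIX}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and parameters and compare.

    Any malformed record simply fails verification. hmac.compare_digest keeps the
    comparison time independent of how many leading bytes happen to match.
    """
    try:
        algorithm, iterations, salt_hex, derived_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(derived_hex)
        iteration_count = int(iterations)
    except ValueError:
        return False
    if algorithm != RECORD_PREFIX or iteration_count < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iteration_count, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def record_contains_password(password: str, record: str) -> bool:
    """True if the plaintext (or its hex encoding) appears anywhere in the record.

    For a hashed record this is false: a stolen user table yields no passwords,
    which is exactly the property a plain-text store lacks.
    """
    return password in record or password.encode("utf-8").hex() in record


# Constructed sample user table: the only password-related column is the record.
USERS = {
    "alice": hash_password("correct horse battery staple"),
}

# Verifying against a dummy record for unknown usernames keeps login timing the
# same whether or not the account exists, so the login form does not leak usernames.
DUMMY_RECORD = hash_password(os.urandom(16).hex())


def login(username: str, password: str) -> bool:
    """Authenticate against the sample table; unknown users fail the same way."""
    record = USERS.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, record)
```

Compare this with what the DMA must be doing: to put a password into an email, their system has to be able to recover it from storage, which means the stored value is either the password itself or something reversible with a key the site holds. With the record format above there is nothing to recover; the site can only check a candidate, never read the original.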
Pingback: WordPress inadvertent disclosure bug « Something better to do
Pingback: More on the DMAchoice.org debacle « Something better to do
To be fair, that they emailed you your passwords doesn’t necessarily imply they were stored in plaintext. They could be encrypted using symmetric crypto with a key held by the DMA.
Symmetric encryption of passwords in the database is only barely better than storing them in plain-text. If a hacker manages to break into the site and steal the database, they will probably be able to steal the decryption key as well. If not, they can do a brute-force attack on the database offline to find the decryption key, unless the people who wrote the site were smart about using variable encryption keys.
In the past, symmetric encryption with a decryption key barely hidden somewhere may have been good enough, because hackers were amateurish and wouldn’t bother to try to break the encryption — they’d just move on to a different site. Now, however, the hacking is well-organized and well-financed, and the hackers are very professional and very serious about their work. Symmetric encryption just doesn’t cut it anymore.
And all of this is aside from the fact that the threat of an insider stealing the passwords is just as onerous as the threat from hackers, if not more so.
I’ve had a few places email me my password like that. It always scares the crap out of me. Who knows how many websites out there still store plaintext passwords? Probably a lot. But certainly, you’d think that a place whose sole purpose is to store thousands of peoples’ personal information would at least have some clue about keeping that info safe.
I guess that’s what we get for letting the wolf guard the sheep.
To be fair, that they emailed you your passwords doesn’t necessarily imply they were stored in plaintext. They could be encrypted using symmetric crypto with a key held by the DMA. I’m not saying this is desirable.
Emailing them is inexcusable, though. It’s also sad to see how many businesses will (robo-)email you passwords when you go through the “forgot password” process rather than (much better) emailing you a one-time password or reset password URL. (Which is still vulnerable against a network sniffer of course, but at least doesn’t expose a password).
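The comment above recommends a one-time reset URL over mailing the password itself. As an added example (not code from the post, the commenter, or the DMA site), here is the server side of such a flow: the token is random, it is stored only as a SHA-256 digest, it expires, it works exactly once, and a newer request supersedes an older link. The mail queue and token table are in-memory stand-ins, the lifetime is an assumption, and `example.invalid` is a placeholder host.

```python
# Added example (not from the post): a "forgot password" flow that emails a
# single-use reset link instead of the password. Storage and mailing are
# in-memory stand-ins; the lifetime and URL are assumptions.
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

TOKEN_LIFETIME_SECONDS = 15 * 60  # assumption: a link is good for 15 minutes

# Only the SHA-256 of each outstanding token is kept, keyed by that digest, so a
# leaked copy of this table cannot be turned into a working reset link.
PENDING_RESETS: Dict[str, dict] = {}

# Constructed stand-in for the outbound mail queue: (recipient, message body).
SENT_MAIL: List[Tuple[str, str]] = []


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_reset(email: str, now: float) -> str:
    """Issue a fresh token for an address, invalidating any earlier one.

    Only the link carries the raw token; it is returned here so that the caller
    (or a test) can follow the link. A real handler should answer identically
    whether or not the address belongs to an account, to avoid confirming
    which addresses are registered.
    """
    stale = [d for d, entry in PENDING_RESETS.items() if entry["email"] == email]
    for digest in stale:
        del PENDING_RESETS[digest]
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    PENDING_RESETS[_digest(token)] = {
        "email": email,
        "expires": now + TOKEN_LIFETIME_SECONDS,
    }
    SENT_MAIL.append((email, f"https://example.invalid/reset?token={token}"))
    return token


def redeem_reset(token: str, now: float) -> Optional[str]:
    """Consume a token; return the address it authorises, or None if it is
    unknown, already used, or expired.

    Looking the digest up in the table (rather than comparing raw tokens)
    means the secret never needs to be stored, and pop() makes it single-use.
    """
    entry = PENDING_RESETS.pop(_digest(token), None)
    if entry is None:
        return None
    if now > entry["expires"]:
        return None
    return entry["email"]
```

Once `redeem_reset` returns an address, the application sets a new password for that account (hashing it as in the earlier example) and should also revoke any other live sessions for it. Note that the flow above never learns or reveals the old password at any point, which is what makes it safe to send by email even though the mail itself may be read in transit.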
It’s not quite that bad. I successfully registered one account at their site and provided them with enough PII in email to prove who I was. They still shouldn’t have emailed the usernames or passwords to me, for the reasons described above, but it was reasonable for them to be confident that they were sending them to the right email account.
Wait a minute — are you saying that because you posted a blog article claiming to be Jonathan Kamens and sent them a link, they looked up Jonathan Kamens’s account information and emailed it to you?
And all you’re worried about is that they store the passwords en clair and email them at all?