Universal Music websites suffered a breach that exposed the usernames and passwords of fans of bands who had signed up for updates on their favourite musicians. Infamous hacktivist group Anonymous claimed responsibility for the hack as part of its AntiSec campaign, which aims to expose the weak spots in the internet security of …
I guess they must have missed all the headlines about other online services storing plain text passwords and therefore didn’t consider the embarrassment any attack could cause.
Otherwise they would have sorted their own security out, right?
Plain text? That's not the issue...
It's not the plain text aspect of storing the passwords that bothers me - that's not the real problem here. The real problem is storing the passwords AT ALL!!
C'mon guys - salted hash?
"The real problem is storing the passwords AT ALL!!"
How would you like users to be authenticated then?
Storing a salted hash IS storing the password - just in a very very difficult to reverse format.
The plain text aspect IS the problem (and should bother you) - if, as you said, the passwords were stored as salted hashes this wouldn't be half as bad.
Storing the password or storing the encrypted password would be storing the password. Anyone with access to the data (or data + key for encryption) knows your password.
Storing a hash (salted or otherwise) would be storing a string of crap that can't (reliably|easily) be converted back into a password. You could find a string of text that results in the given string, but you can't be certain that's the actual original password.
Nitpicking, maybe, but I agree with the original comment.
OK - Security 101...
A hash cannot be easily converted back to a string that would generate it. You might, if you're exceptionally lucky, get a "candidate" string, but you can't be sure it's the right one, and if you try and brute force it, you will get multiple false positives to contend with.
Now, not being able to get back to the original plain text is important, because many users have the annoying habit of re-using passwords. So, if you can get the password they used for their pop group fan site, you might just also have their Facebook, online banking, Twitter password etc... This bleed over from a compromised site is a common attack vector.
The reason I wouldn't store the password on a site I wrote, even in encrypted form, is simple - I don't need to take that risk. Using hashes will let me authenticate, but it scuppers a lot of things that might be done with my user database should some script kiddie ever get their mitts on it - which they won't - but that's another story...
Salting the hash gives a huge improvement in security, because I'm no longer using a standard algorithm to go from the user's supplied password to the hashed value - which means brute forcing is out of the window, so long as you don't know my algorithm. My algorithm would also include references to random bits of information that the user never knew were associated with their account as well - random data generated when they registered, for example...
So, where are we now? If you want to get at the passwords for my users, you are going to need enormous computing resource (ok, you might be the NSA...), knowledge as to the algorithm I have used to salt my hash (ok, I might have a rogue developer turn bad or something...) and access to my database - which is in turn protected by its own security system.
And here's the thing - I'm NOT a web developer by trade. So if I know how to implement half decent security, how come the fat consultants paid by the lads at Universal don't?
Ps. Of course I don't like the password stored as plain text - any numpty can see that is the case from my comment. The point is, I don't like the password stored AT ALL!
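The "Security 101" post above describes the mechanism the thread keeps circling: the site keeps a per-user random salt and a slow hash of the password, never the password itself, and authenticates by recomputing the hash. The following is an added example (not code from any commenter or from Universal's sites) showing that scheme with Python's standard library. It uses PBKDF2-HMAC-SHA256, a published algorithm rather than a secret one, because the protection comes from the random salt and the iteration count, not from hiding the recipe; the record format `pbkdf2_sha256$iterations$salt$digest` and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters: a high iteration count makes each guess expensive
# for anyone who steals the stored records; the salt is per user and random.
ITERATIONS = 200_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> tuple:
    """Return (salt, digest). A fresh random salt is drawn unless one is supplied."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DIGEST_BYTES)
    return salt, digest


def store_record(password: str) -> str:
    """What the database actually keeps for a user: algorithm, iteration
    count, salt and digest. The password is never written anywhere."""
    salt, digest = hash_password(password)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def check_record(password: str, record: str) -> bool:
    """Authenticate by recomputing the hash with the stored salt and
    comparing in constant time, so the comparison leaks no timing hint."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    _, candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users choosing the same password get different records because
    # their salts differ, which is what defeats precomputed lookup tables.
    first = store_record("correct horse battery staple")
    second = store_record("correct horse battery staple")
    print("records differ:", first != second)
    print("login ok:", check_record("correct horse battery staple", first))
    print("wrong password rejected:", not check_record("hunter2", first))
    print("plaintext absent from record:", "correct horse" not in first)
```

A leaked table of such records gives an attacker only the chance to guess passwords one expensive iteration loop at a time, per user, which is the difference the commenters are pointing at between a plain text dump and a properly hashed one.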
Methinks that not being a web developer by trade actually enhances one's chances of being able to implement decent security.
News International next please
How about News International as a possible next target?
Initially taking down the News of the World would be great, but further on from that, if the lulz can be repeatedly & comprehensively extracted from Murdoch's fat behind then that would be amazing - ty :D
Who the hell stores passwords as plain text these days?! It's enough to set off one of my, not necessarily appropriate, tirades about Java programmers and the uselessness that streams from universities these days. I'll try to keep a lid on it.
DB breaches where passwords are stored in the clear seem to almost be the norm these days - do we really need to continue stating
"I CAN'T BELIEVE THEY WERE STORING PASSWORDS AS PLAIN TEXT!!"
Are you really surprised any more?
Unfortunately, I think that systems where the passwords are stored properly are actually the minority by a long way. That's certainly been the case with my own experience (inheriting existing projects).
Remember that developers who inherit stuff rarely decide their own priorities and customers only care about the issues that are impacting them NOW so "nice to haves" like having a semblance of proper security practice never get done.
Change your password so that..
We <Universal> can store it in plain text again and the next time we get broken into the attackers will get your new password as well.
I'm one of the people who got hacked
I've hurriedly changed all my passwords and learnt my lesson about using the same one everywhere! Storing passwords in plain text is ridiculous, and I'm also really frustrated that they didn't manage to keep it secure. I only signed up to get email updates on when a band was going on tour, thinking back it seems absurd you can't just give them an email address and leave it at that!
Re: I'm one of the people who got hacked
"I've hurriedly changed all my passwords and learnt my lesson about using the same one everywhere!"
I haven't seen anything that I consider to be better. It has a password generator, can copy passwords to the clipboard, clears them when minimised or its security time out (which can be altered) cuts in, minimises to tray, requires password on resume after security cut out, sites can be grouped into categories named and chosen by user, entries can have a clickable URL in plaintext, unlimited data base size, uses 448 blowfish encoding, much, much more... ...and it is free. My passwords are very complex. It can generate passwords comprised of upper case, lower case, symbols, digits, user defined characters of up to 56 characters in length. If you use Gibson's password generator for your WPA2 key you can paste it into the field and save it.
I used to use Oubliette [ http://www.tranglos.com/ ] which has since apparently recovered its poise, but the mechanics of change bore me. Also some people use 'cloud' password systems, integrated into their browser. This is of no use when the system is not working and you need to open a file on your HD. In the same vein, I would never trust anyone with my passwords, just as I would never trust them with the data I keep on several TB of HDs. There are some uses for the cloud, but limiting it and keeping it in its place is the act of a wise user.
Those unbelievable fools
I can't believe how many of these big firms are storing passwords in plain text. The first thing I did with the first online project I got involved with back in the 90s was encrypt all the password fields that had been plain text. I was fresh out of high school at the time. Explain to me how it is that a programmer with basically zero experience knows better than to use plain text passwords but all these big corporations can't seem to figure it out.
Re: Those unbelievable fools
"I can't believe how many of these big firms are storing passwords in plain text. The first thing I did with the first online project I got involved with back in the 90s was encrypt all the password fields that had been plain text. I was fresh out of high school at the time. Explain to me how it is that a programmer with basically zero experience knows better than to use plain text passwords but all these big corporations can't seem to figure it out."
Meheh. Some people say the rot set in with OOP, which encourages programmers to be lazy with resources and slack with security. On its own perhaps not, but the original Windows share and enjoy philosophy seems to have interacted quite nicely with it.
"Yes! We have the lulz! We are the MAJOR 1337 success, we haxored another web-edge server and got some customer passwords! We SO good!"
<Yawn> Yeah, that really saved the whale or whatever.