Never Store Your Passwords in Clear Text

Thick-Type-Brass-PadlockIn 2008, I blogged about how to work with passwords with any web app you may build. It’s been one of the more popular posts on this site, and the lessons learned in that have never been more relevant during the course of the last few days.

Let’s flash back and get a bit of a primer on passwords and password storage:

“…when storing passwords for your app, you have a many options. You could skip all security and store your users’ passwords in plain text in MySQL. Bad idea.”

This site is hosted at MediaTemple, and for the last few months since I migrated from Dreamhost to MT, I’ve had no problems or issues. Then, last Wednesday night they sent me an email saying I should change my account manager password as my account had seen some strange activity. Never an email you want to get. It said:

Dear Valued Customer,

This is an automated notice informing you that our system has reset your Server Administrator FTP/SSH password due to suspicious activity observed on your (gs) Grid-Service. Our systems have taken measures to protect your service from any possible future exploits.

Even though I was on my way to bed at the time, I logged back on and set off to figure it out.

My fist step was to FTP into my machine and check all the WordPress blogs I run from my (gs) service. It looked ok, and I eventually did find an injection in a static site (not WordPress.) Kind of odd, but not out of the ordinary.

Here’s where things get interesting.

I checked Twitter’s search and I quickly found I wasn’t the only one getting security notices from MediaTemple. Many people were and were understandably upset.

As the day wore on yesterday, news came out that MediaTemple was storing user passwords in plain, clear text in their databases. Seriously. Their database was compromised, which in turn compromised many, many customer accounts, including mine. MediaTemple had this to say:

“Clear Text” is a method of storing passwords in a database so that they are human readable. This preference was made to provide customers a convenient way of managing access to their services, e.g. connecting a PHP app to MySQL. The “clear text” method can be less-secure than methods involving “encryption”, where passwords are not human-readable. This is less convenient for customers, but adds a layer of security. Properly secured databases can store passwords using either method, with the information kept private. However, if a database gets compromised, the encryption method is the only way to keep the information secure. (mt) Media Temple has now changed to the encryption method for customers, which now breaks some AccountCenter functionality; however, it is more secure and ultimately what our customers now want.

The interesting phrase there is “what our customers now want.” Of course they want this after they’ve all been hacked. Securely storing passwords should have been happening from day number one. Always. No exceptions.

So, MT is doing damage control and to their credit have been on Twitter since this all started, but the damage is done and the customer relationships have been strained.

There are lessons here to be learned, not just by web developers but by anyone that uses a website that stores a username and password, which is pretty much all of them.

1. Don’t store passwords in clear text. Ever. There are a myriad of ways to encrypt and store passwords. Go and read this blog post for specific methods.

2. When a password needs reset, use email and a unique token to reset the password. Email the user and make them click on a link to verify its them.

3. If you are a user, and you are using a site that will show you your password in a “my account” area or in their administrative control panel means they are not storing your password securely. If you have credit card information stored there, good luck.

4. Use strong passwords. password is not a strong password. This is a strong password:

B;8(,4$n#

That was generated by this online strong password generator. I use it when creating any type of accounts, especially for my campus users. This could be antyhing ranging from MySQL to WordPress user accounts.

Want to get even crazier? Use an ultra secure password. Check out this one I randomly generated:

|[<;0Rw|t>Ir[Qh|?E|M]K#JPjz?`wIY_H1K=?fs}Cb@(5$PeP4h"F)%4P9I?3i

Passwords like that I prefer for servers and other very sensitive information. Want to generate one like that? Use this site. I now have a 63 character login for my MediaTemple account, just to be safe.

5. If you are a MediaTemple (gs) customer, and you haven’t yet checked out your sites, I’d highly recommend you do so now.

Additional Reading about the MediaTemple events:

2 thoughts on “Never Store Your Passwords in Clear Text”

  1. I agree with having extremely strong passwords for sensitive data, like databases, FTP connections, whatever.

    It’s funny. I work for a company in Saegertown and they recently decided to have me manage their website rather than having it outsourced. Our “IT” manager gave me the FTP password. It was the street address and the middle name of someone in the company! Pretty outrageous.

    I immediately changed it to something like you suggested above. Thanks for the article and the heads up about MT.

Comments are closed.