Why Are Companies Still Storing Passwords In Plain Text?

A computer with a login screen and a password box filled in.mangpor2004 / Shutterstock

Several companies recently admitted to storing passwords in text format. It's like saving a password in Notepad and saving it as a .txt file. Passwords must be salted and chopped for security reasons, so why does not this happen in 2019?

Why passwords should not be stored in plain text

My password123456 is written on a post-it and pasted to a computer.
designer491 / Shutterstock

When a company stores passwords in plain text, anyone with the password database, or any other file in which the passwords are stored, can read them. If a hacker accesses the file, he can see all the passwords.

Storing passwords in plain text is a terrible practice. Companies should salt and chop passwords, which is another way of "adding additional data to the password and then scrambling it irreversibly". This usually means that even if someone steals passwords from one's base are unusable. When you log in, the company can verify that your password matches the encrypted version stored, but can not "go back" in the database and determine your password.

So, why do businesses store their passwords in plain text? Unfortunately, businesses sometimes do not take safety seriously. Or they choose to compromise security in the name of convenience. In other cases, the company makes every effort to store your password. But they could add overzealous logging features, which save passwords in plain text.

Many companies have poorly stored passwords

You can already be affected by bad practices because Robin Hood, Google, Facebook, GitHub, Twitter and others have stored their passwords in clear.

In the case of Google, the company hacked and salted passwords correctly for most users. But G Suite Enterprise Account Passwords were stored in plain text. The company said that this practice remained unchanged when it gave domain administrators tools to recover passwords. If Google had correctly stored the passwords, it would not have been possible. Only a password reset process works for recovery when passwords are properly stored.

When Facebook too allowed to store passwords in short, this does not indicate the exact cause of the problem. But you can deduce the problem from a later update:

… We found additional Instagram password logs stored in a readable format.

Sometimes a company will do everything right when you first store your password. And then add new features that cause problems. Besides Facebook, Robin Hood, Github, and Twitter accidentally written plain text passwords.

Logging is useful for finding problems in applications, hardware, and even system code. But if a company does not test this logging capability thoroughly, it can be more problematic than it solves.

In the case of Facebook and Robinhood, when users provided their user name and password to log in, the logging function could display and log user names and passwords such as that they were seized. He then stored these newspapers elsewhere. Everyone who had access to these newspapers had everything they needed to open an account.

In rare cases, a company like T-Mobile Australia may not consider the importance of safety, sometimes in the name of convenience. In one Twitter exchange deleted since, a T-Mobile representative explained to a user that the company was storing passwords in plain text. By storing passwords in this manner, customer service representatives could see the first four letters of a password for confirmation purposes. When other Twitter users appropriately indicated how bad it would be if someone hacked the company 's servers, the rep responded:

What if it does not happen because our security is incredibly good?

The company removed these tweets and announced later that all the passwords would soon be salted and chopped. But it was not that long before society someone had violated his systems. T-Mobile said the stolen passwords were encrypted, but that was not as good as hashing passwords.

How should companies store their passwords?

Photo of a blurry computer technician activating Data Server. Gorodenkoff / Shutterstock

Companies should never store passwords in plain text. Instead, passwords must be salted, then chopped. It's important to know what's salting and the difference between encryption and hashing.

Salting adds extra text to your password

Salting passwords is a simple concept. The process essentially adds additional text to the password that you provided.

Think of it as adding numbers and letters at the end of your usual password. Instead of using "Password" for your password, you can type "Password123" (please never use any of these passwords). Salting is a similar concept: before the system hashes your password, it adds extra text.

Thus, even if a hacker enters a database and steals user data, it will be much more difficult to determine the real password. The hacker will not know which part is salt and which part is password.

Businesses should not reuse password savory data in password. Otherwise, it can be stolen or broken and thus rendered useless. Proper variation of salty data also avoids collisions (we'll talk about this later).

Encryption is not the appropriate option for passwords

The next step to properly store your password is to chop it. The hash should not be confused with encryption.

When you encrypt data, you transform them slightly according to a key. If someone knows the key, he can edit the data. If you've ever played with a decoder ring that told you "A = C", then you have encrypted data. Knowing that "A = C", you can then discover that this message was only an Ovaltine advertisement.

If a hacker enters a system containing encrypted data and also manages to steal the encryption key, your passwords can also be plain text.

Hash turns your password into gibberish

The password hash basically turns your password into an unintelligible text string. Anyone looking at a hash would see gibberish. If you used "Password123", the hash can change the data to "873kldk # 49lkdfld # 1". A company must hash your password before storing it anywhere, so you never save your actual password.

This hash nature makes it a better method of storing your password than encryption. Although you can decrypt the encrypted data, you can not "decompress" the data. So, if a hacker enters a database, he will not find a key to unlock the hashed data.

Instead, they will have to do what a company does when you submit your password. Salt a password (if the hacker knows which salt to use), chop it, and compare it to the hash of the file for a match. When you send your password to Google or your bank, they follow the same steps. Some companies, like Facebook, can even take extra "guess" to report a typo.

The main disadvantage of hashing is that if two people have the same password, they will end up with the hash. This result is called a collision. This is another reason to add salt that changes password to password. A correctly salted and hashed password does not correspond to anything.

Hackers may end up making their way through hacked data, but it's mostly a test game of all the imaginable passwords and hope of finding a match. The process is still taking time, which gives you time to protect yourself.

What you can do to protect yourself from data breaches

Lastpass login screen with username and password filled in.

You can not prevent companies from incorrectly managing your passwords. And unfortunately, it is more common than it should be. Even when businesses store your password correctly, hackers can violate their systems and steal the hashed data.

Given this reality, you should never reuse passwords. Instead, you should provide a different complicated password to each service you use. Thus, even if an attacker finds your password on a site, he can not use it to connect to your accounts on other sites. The complicated passwords are extremely important because the easier your password is to guess, the sooner a hacker can interrupt the hash process. By making the password more complicated, you save time to minimize the damage.

The use of unique passwords also minimizes this damage. At most, the hacker will have access to an account and you can change a password more easily than dozens. Complicated passwords are hard to remember, so we recommend a password manager. Password managers generate and store passwords for you, and you can adjust them to follow the password rules of almost any site.

Some, like Last passage and 1Passwordeven offer services that check if your current passwords are compromised.

Another good option is to enable two-step authentication. This way, even if a hacker compromises your password, you can still prevent unauthorized access to your accounts.

Even if you can not prevent a company from incorrectly managing your passwords, you can minimize the impact by securely securing your passwords and accounts.

RELATED: Why use a password manager and how to do it

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.