storing passwords in plain text

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

storing passwords in plain text

Post by s.dot »

Hey guys,

I am working on a project with another (really good) programmer who wants to store passwords in plain text with the argument that it is more convenient and what the buyers want, and that we must market to the buyers.

I of course, have argued this and tried to persuade him to switch, but I'm not good with words and can't bring up as many points as I need to without sounding all humble-jumbled and not knowing what I'm talking about.

Please, list the downsides and vulnerabilities of storing plain text passwords... without bad-mouthing the other programmer. He is a good guy. Also, please don't stray too far off topic, I'll be showing this to the other programmer.

Hopefully you guys can help me. :)

List
- Admin has access to raw passwords (could be bad admin)
- Many people use the same passwords for lots of other things (including sensitive data)
- If someone were to gain access to the server, they'd have no challenge getting the passwords and using them maliciously

Feel free to add on, or post your thoughts on how bad storing plain text passwords is.

EDIT| I should note that this application is not free, but the source code and database is available to buyers. Empty database every time.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Inkyskin
Forum Contributor
Posts: 282
Joined: Mon Nov 19, 2007 10:15 am
Location: UK

Re: storing passwords in plain text

Post by Inkyskin »

There's also the reason of why the admins, or anyone else for that fact, would want to see the passwords... The only time you would ever need to see a password is maybe sending it to someone when they have forgotten it, but even in that case it's better to reset it to something new (which the script should do), and then let the user log in and change it to something they can remember.

All it takes is for someone to crack the admin password, and they will have access to EVERY member's password on the site. When you take into account the fact that the majority of the general public use one password for everything, that would be a major breach of reliability, security and much much more. Think how many of those passwords are used for online banking too. Is it really worth the risk when at the end of the day the flak will fall on whoever programmed the app?
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Re: storing passwords in plain text

Post by JAB Creations »

I'm with you though I'm not part of the guru crowd here so all I can say is...

AOL

That one should hold some weight I hope! Good luck!
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: storing passwords in plain text

Post by alex.barylski »

I of course, have argued this and tried to persuade him to switch, but I'm not good with words and can't bring up as many points as I need to without sounding all humble-jumbled and not knowing what I'm talking about.
Storing sensitive data in the clear is *always* a bad idea.

It's your professional duty/obligation to inform customers/clients of the slight inconvenience required for greater security. Most clients (if not all) should favour security over convenience (I hate spelling that word).

If you're selling software which is downloadable and installed on shared servers, especially this is a concern. It's a relatively simple matter under most setups to poke into someone else's account and look at their files, etc.

It's doubly important to have hashed passwords when the files containing that data are accessible from the outside world -- via a browser. If you sell software for shared server environments, this is likely going to be required because they don't let you store files outside the docroot.

Heck I don't even use MD5 anymore except for temporary keys or random string generators -- now I use SHA256 -- I recall reading just a while ago about a student who cracked the MD5 with minimal computing power and I don't think it was a rainbow table just a clever algorithm -- basically I believe MD5 has an innate weakness which this student exploited.

The point is, security sucks, it's boring and it's not what makes you money -- features do. I've always seen security as something like the environment -- no one cares until it's too late. Sure your clients will love the plain text password and so will you when it comes to password recovery. Then the day will come where some goof ball will exploit that hole and make everything/everyone look bad.

Bad practice plain and simple. Like I said, security is boring, but without, nothing else matters. ;)

Cheers :)
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: storing passwords in plain text

Post by John Cartwright »

Inkyskin wrote: There's also the reason of why the admins, or anyone else for that fact, would want to see the passwords...
And Bingo was his name-o!

I think it's really the only question you have to ask. :wink:
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: storing passwords in plain text

Post by s.dot »

Jcart wrote:
Inkyskin wrote: There's also the reason of why the admins, or anyone else for that fact, would want to see the passwords...
And Bingo was his name-o!

I think it's really the only question you have to ask. :wink:
The argument is convenience of resetting and retrieving passwords, which I know personally can be easily worked around, but I want other people to say it for me.. to prove I'm not a one man show and this is my preference :P
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: storing passwords in plain text

Post by Chris Corbyn »

Even then there are better ways of storing passwords in a retrievable format. You can encrypt them with a secret key.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Re: storing passwords in plain text

Post by John Cartwright »

scottayy wrote:
Jcart wrote:
Inkyskin wrote: There's also the reason of why the admins, or anyone else for that fact, would want to see the passwords...
And Bingo was his name-o!

I think it's really the only question you have to ask. :wink:
The argument is convenience of resetting and retrieving passwords, which I know personally can be easily worked around, but I want other people to say it for me.. to prove I'm not a one man show and this is my preference :P
How do I eloquently put it :banghead:

What I was getting at is exactly that. If having retrievable passwords is the only counter-argument, then as Chris has already pointed out there are more secure alternatives to plaintext.

Next argument please :)
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: storing passwords in plain text

Post by onion2k »

I store them using MySQL's AES_ENCRYPT() function. It's pretty damn secure, and it's reversible for all that forgotten password malarkey, and it has the added advantage of letting me log in as a specific user if they complain things don't work for them without having to ask the user for their password or muck about swapping out their hashed password for a different one.

The security issue is a tricky one. AES is beyond any reasonable attack. It's more secure than MD5 or SHA256 in so far as it'll stand up better to a dictionary attack. It's less secure in so far as if the attacker gets the AES keyword he'll have access to all the records (if you're not using a different keyword for each record). If you're salting your passwords properly no one can reset someone else's password without access to the code (and consequently your secret salt words) regardless of whether you're hashing or encrypting, so both methods are equal in that respect. The biggest problem with encryption is that if someone manages to steal the database and the code at the same time they'll be able to get everyone's passwords while they won't be able to with hashing. That's a big win for hashing ... except if the attacker has compromised the server to that extent all bets are off anyway because they could do anything to the site from replacing all the passwords with their own to installing a compromised version of MySQL that will always return a positive match on any 32 character string if they compare it to "notrightbutletitmatchanywaykthnx" ... instant backdoor to any MD5 hashing.

Personally I choose to not worry about it and have the convenience of emailing the user their password. It's friendlier.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: storing passwords in plain text

Post by Chris Corbyn »

You also need not worry about character sets used in passwords if you store them as hashes since hashes are only ASCII. If you store plain text you'd have to enforce what character set that password has to be in.
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Re: storing passwords in plain text

Post by jmut »

If important site... I will be pretty smurf as a client if forgotten password feature returns me back my initial password... with or without AES_ENCRYPT() I think it's very bad idea.
You should not forget that customers are used to this (regenerating password)...most of them do understand the problem...and actually expect a brand new password and you having no clue of the password.
For sensitive applications you should even encourage (through the app) the client to change his password every month or so.
Wonder what mordred has to say in respect to AES_ENCRYPT
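
The reset-instead-of-retrieve flow that Inkyskin and jmut describe, as an added example that is not part of any post in this thread. It assumes PHP 7.0 or later; the function names and the in-memory arrays standing in for database tables are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-ins for the users and reset-token tables.
$users  = ['alice@example.test' => ['hash' => password_hash('old-password', PASSWORD_DEFAULT)]];
$resets = [];

// Step 1: the user asks for a reset. Only a hash of the token is stored, so
// a leaked table does not hand out working reset links.
function issueResetToken(array &$resets, string $email, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32));   // goes into the e-mailed link
    $resets[$email] = [
        'token_hash' => hash('sha256', $token),
        'expires'    => time() + $ttl,
    ];
    return $token;
}

// Step 2: the user follows the link and picks a new password.
function redeemResetToken(array &$users, array &$resets, string $email,
                          string $token, string $newPassword): bool
{
    $row = $resets[$email] ?? null;
    if ($row === null || !isset($users[$email])) {
        return false;
    }
    if (time() > $row['expires']) {
        unset($resets[$email]);           // expired tokens are discarded
        return false;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    unset($resets[$email]);               // single use
    // Only a salted, deliberately slow hash of the new password is kept.
    $users[$email]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

$token = issueResetToken($resets, 'alice@example.test');
var_dump(redeemResetToken($users, $resets, 'alice@example.test', 'forged', 'x'));
var_dump(redeemResetToken($users, $resets, 'alice@example.test', $token, 'new-password'));
var_dump(redeemResetToken($users, $resets, 'alice@example.test', $token, 'again'));
var_dump(password_verify('new-password', $users['alice@example.test']['hash']));
```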
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: storing passwords in plain text

Post by Chris Corbyn »

One complaint about AES_ENCRYPT or any other MySQL function is that when you call mysql_query(), if your database is down then PHP may error and dump the query it was trying to run (which of course contains a password). Really you'd have display_errors off in production but I still don't really like putting plain text passwords inside a MySQL query rather than hashing them in PHP first. Personal preference of course.
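
Chris Corbyn's preference for hashing in PHP so that no query ever carries the password, as an added example rather than code from the thread. It assumes PHP 7.0 or later with the pdo_sqlite extension; the table and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed in-memory database so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

function register(PDO $db, string $name, string $password): void
{
    // Hash before touching the database: the statement text is constant and
    // the bound value is a salted hash, so an error dump of the query shows
    // neither the password nor anything reversible.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
    $stmt->execute([$name, $hash]);
}

function login(PDO $db, string $name, string $password): bool
{
    // Only the user name is sent to the database; the comparison runs in PHP.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false;
    }
    // Upgrade the stored hash when the default algorithm or cost changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $up = $db->prepare('UPDATE users SET pw_hash = ? WHERE name = ?');
        $up->execute([password_hash($password, PASSWORD_DEFAULT), $name]);
    }
    return true;
}

// Non-ASCII input is fine: the stored hash string is plain ASCII.
register($db, 'alice', 'pässwörd ✓');
var_dump(login($db, 'alice', 'pässwörd ✓'));
var_dump(login($db, 'alice', 'guess'));
var_dump(login($db, 'nobody', 'guess'));
```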