Retailer Office either stored customer passwords in plain text, or stored them in a form that was easily decryptable.
Developer Sherwin Rice revealed on Twitter that a password reset email from Office showed him his one-time password in clear text. In conversation with IT Security Guru, Rice said that he had only received the help page from Office, which states that passwords were reset and that when a user next visits the website, “they will need to create a new password”.
Rice told IT Security Guru that upon visiting the website he got a change prompt; but this could be bypassed as “you get redirected to this page upon login, but [it] is possible to skip it” he said. “You can then logout and log back in with same password, so no one-time being enforced,” he said.
Office recommended users change their passwords on other websites if the same password is used for other logins. “Until a customer requests a password reset through the ‘forgot your password’ link on our website, no password reset link will be sent,” it said.
Office did not respond to a comment request from IT Security Guru. Asked why companies are still storing passwords in plain text in 2014, and whether it is laziness, lack of knowledge or just plain bad security, security analyst Troy Hunt told IT Security Guru that it can be all of those things.
He said: “Actually I think you’ve nailed it with those three points and I’ll add ‘lack of perceived value’ as well. Even in the wake of all these breaches, every day I see discussions that consciously compromise on security as they perceive the risk as being less likely than what it ultimately is.”
Asked if it is a problem that websites hold these details and only place a value on financial data, Hunt said: “Of course it’s all a question of degrees, but I would argue that many security measures that offer a good return on investment on effort versus benefit are not applied to all sorts of data classes, including financial.”
Ian Pratt, co-founder of Bromium, doubted that this was true, but said that if Office was storing passwords in plain text, it was “just plain reckless and indicates that no thought has been given to security when building the website”.
He said: “Storing passwords in plain text rather than hashed means that even users that picked strong passwords will have had them compromised by the breach. There’s no possible justification for storing passwords in plain text. It’s such a basic mistake that you’d be very concerned about the security of the whole site — SQL injection vulnerabilities etc.
Toyin Adelakun, VP at Sestus, said that it is a well and long-established best-practice to not store passwords in plaintext, and indeed most operating systems make it the default to not store passwords in plaintext.
“If the email was indeed genuine, it would reflect poor practice by Office. The approach to take when asking customers to reset passwords is not to present within the email a link on which to click, but instead to clearly invite them to visit the website directly. As it happens, the latter approach is the one taken by eBay,” he said.
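To make Pratt's and Adelakun's point concrete, and to show what Rice's bypassable reset prompt should have looked like server-side, here is an added example written for this page; it is not Office's code and is not described by any of the people quoted. It stores passwords as salted PBKDF2-HMAC-SHA256 digests from Python's standard library (so the stored record contains nothing an attacker can log in with), stores reset tokens only as hashes so a leaked table does not leak them either, and treats the forced reset as part of the authentication decision rather than a redirect that can be skipped. The iteration count, field names, token lifetime and the in-memory store are all assumptions made for the example.

```python
"""Password storage and forced-reset enforcement (added example, not Office's code)."""
import hashlib
import hmac
import os
import secrets
import time


class CredentialStore:
    """In-memory stand-in for a user table. Passwords are kept only as
    PBKDF2-HMAC-SHA256 digests with a per-user random salt, never in the clear."""

    def __init__(self, iterations=600_000):
        # Iteration count is an assumption (OWASP's 2023 figure for PBKDF2-SHA256);
        # lower it in tests if you must, never in production.
        self.iterations = iterations
        self._users = {}  # username -> record dict (hypothetical schema)

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.iterations)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "must_reset": False,        # set after a breach; blocks every login until reset
            "reset_token_hash": None,   # SHA-256 of the one-time token, not the token itself
            "reset_expires": 0.0,
        }

    def record(self, username):
        """What a dump of the user table would reveal: salt and digest, no password."""
        return dict(self._users[username])

    def login(self, username, password):
        """Returns 'ok', 'denied' or 'reset_required'. A session is created only on 'ok',
        so a must_reset account cannot skip the reset by ignoring a redirect."""
        rec = self._users.get(username)
        if rec is None:
            # Burn comparable time for unknown users so timing does not reveal usernames.
            self._derive(password, b"\x00" * 16)
            return "denied"
        if not hmac.compare_digest(self._derive(password, rec["salt"]), rec["hash"]):
            return "denied"
        if rec["must_reset"]:
            return "reset_required"
        return "ok"

    def force_reset(self, username):
        self._users[username]["must_reset"] = True

    def issue_reset_token(self, username, ttl_seconds=900):
        """Generate the one-time token sent to the user; only its hash is stored."""
        token = secrets.token_urlsafe(32)
        rec = self._users[username]
        rec["reset_token_hash"] = hashlib.sha256(token.encode("utf-8")).digest()
        rec["reset_expires"] = time.time() + ttl_seconds
        return token

    def complete_reset(self, username, token, new_password):
        rec = self._users.get(username)
        if rec is None or rec["reset_token_hash"] is None:
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if time.time() > rec["reset_expires"] or not hmac.compare_digest(presented, rec["reset_token_hash"]):
            return False
        rec["salt"] = os.urandom(16)            # fresh salt with the new password
        rec["hash"] = self._derive(new_password, rec["salt"])
        rec["must_reset"] = False
        rec["reset_token_hash"] = None          # single use: the token cannot be replayed
        return True


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))   # ok
    store.force_reset("alice")
    print(store.login("alice", "correct horse battery staple"))   # reset_required, no session
    tok = store.issue_reset_token("alice")
    print(store.complete_reset("alice", tok, "new password"))      # True
    print(store.login("alice", "new password"))                    # ok
```

The two things worth noticing are that `record()` never contains the password, which is exactly what a plaintext table gives away, and that `login()` refuses to return `ok` while `must_reset` is set, which is the check Rice found missing when he could log out and back in with the old password.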
Nicki Wallace, marketing director at Alert Logic, said: “With all of the high profile security breaches, it is concerning that companies are still getting caught out with basic security flaws such as storing passwords in plain text, however it doesn’t necessarily equate to companies not caring about their customer data.
“IT, networking and security teams are being pulled in so many different directions and cannot be experts at the evolving security threat landscape across their entire infrastructure – on premise through to their public cloud investments or compliance. They are often in reactive mode rather than proactive about security.”
Lamar Bailey, director of security research and development at Tripwire, said that there is no excuse for this and it cannot be tolerated. “I expect many of these accounts will have credit cards tied to them so anyone with a login and password could place orders,” he said.
“This highlights why customers should never allow sites to save credit card numbers and, if that is not an option, use single-use card numbers (most credit card companies will generate these for you). Always use unique passwords on sites to ensure that when one is leaked from one site it will not affect your others.”
Asked why businesses are still doing bad security like this, TK Keanini, CTO of Lancope, said it is often because the consequences are unknown at the time the decision is made, and in some cases the consequences do not tie back to the decision maker.
“Programmers are paid and rewarded when things work or they don’t work; there is little to no consideration when software is being built about it being able to survive the threat landscape, and this is the problem we face over and over again,” he said.
“Until we accept the fact that adversaries are just as smart as we are and that they are trying to subvert our business systems we will not make it a business priority to do threat modelling early in the design and development lifecycle.”
Asked if it was a case of convenience over security, Keanini said: “While I think this is a constant struggle – convenience over inconvenience – I honestly think this comes down to inexperience or the wrong designer/developers on this particular project. You don’t even need to be an expert in security to know that sensitive data needs protection and for it to be at rest anywhere in the clear is unacceptable.”