I was just booking tickets to see a show in a few months' time at the Southbank Centre and realized that I'd forgotten my login details. Entering my email address into the password reset page prompted an all too familiar sight:

—cut—
Dear Patron,

Your login credentials are below.

Username: XXXXX

Password: Password1

Thank You.
—cut—

This is the type of forgotten password response that I see all too often. What's the problem with this? Isn't it helpful and less hassle from both a development and a user perspective, as opposed to clicking links and entering a new password? From a security perspective, there are at least two distinct issues. Firstly, no password complexity is enforced: it seems I can enter anything as a password, which only encourages weak choices and sets the bar very low for brute-force and password-guessing attacks.

The second issue is that my password is recoverable from the database, i.e. it is stored as plain text, 'as-is' (or, at best, encrypted with a key the application itself holds, which for a compromised server amounts to much the same thing). There is no hashing and salting in use; if there were, they wouldn't be able to retrieve my password to send it to me, and I would need to enter a fresh one. This means that any employee of the site with administrative or database access can freely read my password, and should the site be compromised, an attacker has the same access. Emailing it also leaves a copy in the mail server logs and my inbox. Whilst I fortunately don't use the password 'Password1' for any account that I care about, a proportion of other users certainly reuse the same password across other services such as their email or ISP account, so a breach here becomes a breach there.
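To make the two points above concrete, here is an added example (mine, not code from the original post or from the Southbank Centre site) of how a forgotten-password flow looks when passwords are stored hashed with a per-user salt. The minimum length, the PBKDF2 iteration count and the record format are assumptions chosen for illustration. Note that once the record is stored, nothing in it lets the site email the password back; the only thing it can send is a fresh reset token.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example;
# raise it as hardware allows so guessing stays expensive.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
# Assumed policy: length matters more than character classes.
# 'Password1' satisfies typical class rules yet is trivially guessable.
MIN_PASSWORD_LENGTH = 12


def password_meets_policy(password: str) -> bool:
    """Reject short passwords; this is the check the site above lacks."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex).

    A fresh random salt per user means two users with 'Password1' get
    different records, so a leaked table cannot be attacked with one
    precomputed list for all accounts.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def issue_reset_token() -> str:
    """What the 'forgotten password' email should carry instead of a password:
    a random, single-use token. Only its hash is kept server-side."""
    return secrets.token_urlsafe(32)


def reset_token_record(token: str) -> str:
    """Stored form of a reset token; a database leak does not expose live links."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def reset_token_matches(token: str, record: str) -> bool:
    return hmac.compare_digest(reset_token_record(token), record)


if __name__ == "__main__":
    # Constructed sample: the password from the email above, stored properly.
    record = hash_password("Password1")
    print("policy ok:", password_meets_policy("Password1"))   # False
    print("stored record:", record)
    print("login with right password:", verify_password("Password1", record))
    print("login with wrong password:", verify_password("password1", record))
    token = issue_reset_token()
    print("reset link token (emailed):", token)
    print("stored token hash:", reset_token_record(token))
```

The verifier recomputes the hash from the stored salt rather than decrypting anything, which is exactly why a site built this way has to offer a reset link: the password the user typed is not in the database to be sent back.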

Lastly, once logged in, the site displays the name and address details entered for previous orders. This is pretty regular and by no means an issue in itself, but holding any kind of personal data about a user does oblige the site to put some effort into protecting the account it is stored under, and a weak, recoverable password undermines that.

Here's a good post highlighting the issue, so please ask your developers to store passwords in salted, hashed form, and if they don't know what this is or why it's important, hire new ones.