List of Websites with Bad Password Management
Whenever I visit a new website and they ask me to create a new login, I always wonder how that data is stored, especially the password. Some clues to poor password management:
- plain text
- hashed without a salt
- reversible
- support knows it
- the system can email your password back to you
- the system displays your password on a web page.
There's a website that tracks sites with poor password management called PlainTextOffenders.com. That site estimates that 30% of all websites aren't handling passwords appropriately. If you know of an offending website, let the plain-text-offenders know and publicize it. Sometimes that spotlight is enough to get the company to change.
It is not always clear when websites aren’t doing password management correctly, but if they send you your password via email, that’s a clear sign for some of the worst offenders.
Best Password Management Techniques
My readers are smart, so you probably already know these, but a few folks could use a reminder about passwords:
- Never use the same password on multiple websites – every login needs to be different
- Use a password manager like KeePassX to store and automatically create long, random passwords. There are lots of good choices, including KeePass, LastPass and 1Password.
- Use more special characters and long (30+ character) passwords. Think of 3 long words tied together with special characters and numbers as an easy-to-use method to get a long, typeable password, but what you really want is completely random passwords created by the password manager.
Best Password Techniques for Servers
If you are a software developer, you have a responsibility to handle user password storage and management so that your website isn’t an offender. Don’t think passwords, think passphrases instead.
- Use SSL encryption for all password-related web pages, definitely the login and reset pages.
- Allow passphrases with any characters. Sanitize and properly quote the input.
- Enforce strong passphrase rules:
  - Must include letters, numbers, special characters, and both upper AND lower case characters
  - Cannot begin or end with a number
  - Must be at least 14 characters. Anything less is a joke according to my professional password cracking friends
- Allow passphrases to be any length. 4K is reasonable, IMHO.
- Use an accepted hashing technique with a randomly generated salt for each user
- Do not store the user's passphrase, just the salted hash
- Do not email the user their passphrase. If you can, you’ve failed to properly secure their credentials.
- Set up a passphrase reset page
- Lock accounts for at least 1 hour after 3 failed attempts. Block the offending source IP for a day.
- Require the old passphrase to set a new passphrase
- Force users to change their passphrases every fixed period, perhaps every 6 months for a public website. This will also help to flush old accounts.
- Design the website to support multiple hashing methods, so when a newer hash becomes required, the site can be easily updated.
- Never trust user inputs. Validate everything on the server side, not just on the client in JavaScript.
- Consider encrypting all other parts of user data in the DB too.
- Limit the number of attempts to different accounts from each source IP. Fail2ban rocks.
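The storage rules above (random salt per user, store only the hash, support more than one hashing method so the site can be upgraded later) as an added example, not code from the original post. It uses Python's standard-library PBKDF2; the method names, iteration counts and the `method$iterations$salt$hash` record format are this example's own choices.

```python
import base64
import hashlib
import hmac
import os

# Hashing methods this site can verify. New records use CURRENT; older
# entries stay in the table so existing users can still log in and then
# get upgraded. Names and iteration counts are this example's assumptions.
METHODS = {
    "pbkdf2_sha256": ("sha256", 600_000),  # current method
    "pbkdf2_sha1": ("sha1", 10_000),       # legacy method, verify-only
}
CURRENT = "pbkdf2_sha256"

def hash_passphrase(passphrase: str, method: str = CURRENT) -> str:
    """Return a self-describing record: method$iterations$salt$hash."""
    digest, iterations = METHODS[method]
    salt = os.urandom(16)  # fresh random salt per user, never reused
    dk = hashlib.pbkdf2_hmac(digest, passphrase.encode("utf-8"), salt, iterations)
    return "$".join([method, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])

def verify_passphrase(passphrase: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record itself."""
    method, iterations, salt_b64, dk_b64 = record.split("$")
    digest, _ = METHODS[method]
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac(digest, passphrase.encode("utf-8"), salt, int(iterations))
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(dk, expected)

def needs_rehash(record: str) -> bool:
    """True when the record uses an older method or fewer iterations than current."""
    method, iterations, _, _ = record.split("$")
    return method != CURRENT or int(iterations) < METHODS[CURRENT][1]

def login(passphrase: str, record: str):
    """Verify and return (ok, record_to_store). Login is the only moment the
    plaintext passphrase is available, so that is when a legacy record gets
    rehashed with the current method."""
    if not verify_passphrase(passphrase, record):
        return False, record
    if needs_rehash(record):
        return True, hash_passphrase(passphrase)
    return True, record
```

The database column only ever holds the record string; the passphrase itself is used during hashing and verification and never written anywhere.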
A few other articles here on password management:
I use KeePass v1.x on Windows and KeePassX on all other platforms to retain DB compatibility. I'm completely addicted to the autotype functions and simply do not know or type any of my passwords. OK, I know 2 of my passwords. Which ones?
- Login to my main laptop/desktop.
- Passphrase to KeePassX DB.
That's all. No others. I don't even know the passphrase to my work or home email accounts. Yes, they are different (I assume they are, since they are both automatically generated and 50+ characters in length).