A modest proposal: Password storage disclosure for websites

Okay, so we have yet another security breach at a company: they got their entire database stolen, and once again it turned out that they stored their passwords in clear text. This time it's RockYou!, but it has happened multiple times in the past already, with Reddit being one of the famous offenders. I puke every time I sign up to some phpBB forum and get an e-mail with my password in clear text. Really, that doesn't only happen to some crappy one-man companies, it also happens to some reputable companies (Telltale Games still does it, while Telerik at least changed it after I complained).

I’m starting to get fed up with this. Storing Passwords in Clear Text is an absolute no-no policy, with no excuse whatsoever. If this policy were a car, it would be an Edsel. If this policy were a computer game, it would be Big Rigs or Rapelay. If this policy were a crime, it would be bioterrorism. It’s not some “small oversight” or a “configuration mistake”. It’s a sign of complete and utter incompetence to run a web site. In my opinion, someone who stores passwords in clear text should be prohibited from using the Internet.

As said, this happens to reputable companies as well, so it's not a small issue that will eventually go away on its own. Therefore, I would love to see the privacy laws of most countries changed to force websites to disclose how they store their passwords. We already have privacy laws in the EU and US that force companies to disclose how they use any information collected. Can't we expand them to force companies to disclose how they store this information as well?

It's bad enough that third-party websites ask for your login details for other services, but sadly this too is done by reputable websites. Okay, it can be questioned how reputable a website like LinkedIn is if it asks you for your e-mail account credentials, but the reality is that a) it happens and b) millions and millions of users use it. I don't think we can get that genie back in the bottle, and I don't think we'll get comprehensive coverage of technologies like OAuth to prevent abuse like that.

In an ideal world, I could go to a website, check its privacy policy and see something like

All passwords are salted and hashed with SHA-512. Passwords are not persisted in clear text.
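To make that one-line disclosure concrete, here is an added example (not code from the original post) of what "salted and hashed with SHA-512" looks like in practice: each record keeps only a random per-user salt and the digest, a login recomputes the digest and compares it in constant time, and a copy of the table cannot be searched for the clear-text password. The `UserStore` class and its method names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed illustration of the disclosed scheme: salt + SHA-512, no clear text persisted.
# Note: for new systems a deliberately slow, memory-hard KDF (scrypt/argon2/bcrypt) is the
# usual recommendation; plain salted SHA-512 is what the post's policy line states.

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte random salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)

class UserStore:
    """Hypothetical account table holding only (salt, digest) per user."""
    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            hash_password(password)  # equalise timing for unknown users
            return False
        return verify_password(password, *record)

    def leaks_clear_text(self, password: str) -> bool:
        """What a stolen table would reveal: is the password itself in the stored bytes?"""
        blob = b"".join(salt + digest for salt, digest in self._records.values())
        return password.encode("utf-8") in blob

    def same_digest(self, user_a: str, user_b: str) -> bool:
        """Two users with the same password get different digests thanks to the salt."""
        return self._records[user_a][1] == self._records[user_b][1]
```

Storing the salt next to the digest is fine; its job is to make identical passwords hash differently and to defeat precomputed tables, not to stay secret.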

I would even go so far as to ask for clear-text storage to be declared illegal and punished as a federal offense, unless a) it's required for the implementation and b) that implementation is clearly stated.

All Facebook Passwords are persisted in clear text, as we couldn’t figure out how to use the Facebook API and instead rely on HTML scraping.

I know that such a disclosure means nothing to the average John Doe, but it allows tech-savvy people to avoid such incompetent companies and whistleblowers to warn other people about these scams.

Remember: Reputation means nothing when it comes to data storage. Companies and Governments lose your private data every day and while you can’t really avoid it without missing out on a large part of what makes the Web so great, you should still think twice before giving any website the login details of any other website.
