قالب وردپرس درنا توس
Home / Tips and Tricks / Why do companies still store passwords in plain text format?

Why do companies still store passwords in plain text format?



  A computer with a login screen and a completed password field.
mangpor2004 / Shutterstock

Several companies have recently approved the storage of passwords in plain text format. This is equivalent to saving a password in Notepad and saving as a .txt file. Passwords should be salted and hashed for security. Why does not that happen in 201

9?

Why should passwords not be saved in plain text?

  My password123456 was written on a sticky note and stuck to a computer.
designer491 / Shutterstock

When a company stores passwords in plain text format, anyone can read them with the password database or any other file where the passwords are stored. If a hacker gets access to the file, he can see all the passwords.

Saving passwords in plain language is a terrible practice. Businesses should salt and haggle passwords. This is another way of saying, "Add additional data to the password and then encrypt it in a way that can not be undone." Typically, this means that someone stealing the passwords from a database is useless. When you log in, the company can verify that your password matches the stored encrypted version. However, you can not work in the database "backwards" and determine your password.

Why do companies store passwords in plain text? Unfortunately, companies sometimes do not take security seriously. Or they choose to compromise safety in the name of convenience. In other cases, the company does it all right when it saves your password. However, they may add overzealous logging capabilities that record passwords in plain text format.

Several companies have incorrectly stored passwords.

You may already be affected by bad practices as Robinhood, Google, Facebook, GitHub, Twitter and other passwords have been stored in plain text.

In the case of Google, the company has adequately hashed and salted passwords for most users. However, the passwords for the G Suite Enterprise account were saved in plain text. The company said it was still commonplace when it provided domain administrators with password-recovery tools. If Google had saved the passwords properly, this would not have been possible. Restoring the password works only if the passwords have been saved correctly.

When Facebook also admitted storing passwords in plain text, the exact cause of the problem was not specified. However, you can derive the problem from a later update:

… we've noticed that additional logs of Instagram passwords are stored in a readable format.

Sometimes a company will do everything right the first time you save your password. Then add new features that cause problems. In addition to Facebook, Robinhood, Github and Twitter have accidentally logged plaintext passwords.

Logging is useful for finding problems in apps, hardware, and even system code. However, if a company does not thoroughly test this logging feature, it can lead to other issues that it resolves.

On Facebook and Robinhood, the logging feature could be viewed and recorded when users entered their username and password for logging in the usernames and passwords as they were typed. These logs were then stored elsewhere. Anyone who had access to these logs had everything he needed to take an account.

In rare cases, a company like T-Mobile Australia may ignore the importance of security, sometimes in the name of convenience. In an already deleted Twitter exchange, a T-Mobile representative told a user that the company was saving passwords in plain text. By storing passwords this way, customer service representatives were able to see the first four letters of a password for approval. When other Twitter users adequately pointed out how bad it would be for someone to hack the corporate servers, the staff responded:

What happens if this does not happen because our security is surprisingly good?

The company has deleted these tweets and later announced that all passwords would soon be salted and hashed. But it was not long before the company breached its systems. According to T-Mobile, the stolen passwords were encrypted, but that's not as good as storing passwords.

This is how companies should store passwords.

  Photo of a fuzzy IT technician turning on the data server.
Gorodenkoff / Shutterstock

Businesses should never store plaintext passwords. Instead, passwords should be salted and then hashed. It is important to know what salting is and what to distinguish between encryption and hashing.

Salting adds extra text to your password.

Salting passwords are a simple concept. The process will essentially add additional text to the password you specify.

Imagine adding numbers and letters to the end of your regular password. Instead of using "password" for your password, you can enter "password123" (do not use any of these passwords). Salting is a similar concept: before the system snatches your password, it adds extra text.

Even if a hacker invades a database and steals user data, it's even more difficult to determine the actual password. The hacker does not know which part is salt and which part is password.

Businesses should not reuse salted data from password to password. Otherwise it can be stolen or broken and thus become unusable. A suitable variation of the salted data also prevents collisions (more on that later).

Encryption is not the appropriate option for passwords.

The next step in properly saving your password is hashing. Hashing should not be confused with encryption.

When you encrypt data, you can easily transform it based on a key. If someone knows the key, they can change the data back. If you've ever played with a decoder ring that says "A = C," you've encrypted data. If you know "A = C," you'll find that this message is just an Ovaltine ad.

If a hacker breaks into a system with encrypted data and manages to steal the encryption key as well, your passwords may be as follows Well, is plain text.

Hashing converts your password into Gibberish.

Password hashing basically turns your password into a string of incomprehensible text. Anyone who looks at a hash would see gibberish. If you have used "Password123", the data may be hashed to "873kldk # 49lkdfld # 1". A business should hash your password before it is stored somewhere. This will never record your current password.

This type of hashing makes it a better way to store your password than encryption. While you can decrypt encrypted data, you can not "decrypt" data. When a hacker enters a database, he can not find a key to unlock the hashed data.

Instead, they must do what a company does when they send their password. Guess a password (if the hacker knows which salt to use), hack it and compare it to the hash stored in the file for a match. If you send your password to Google or your bank, follow the same procedure. Some companies, like Facebook, may even consider additional "guesses" to account for a typo.

Hackers may break the path through hashed data, but it's usually a game of testing every possible password and hoping for a match. The process will take some time, so you have time to protect yourself.

Data breach protection measures

 Last pass logon screen with user name and password filled in.

What You Can Do Do not prevent companies from improperly handling their passwords. And unfortunately it is more common than it should be. Even if companies save their password properly, hackers can violate the company's systems and steal the hacked data.

Given this reality, you should never reuse passwords. Instead, you should specify a different, complicated password for each service you use. Even if an attacker finds your password on a website, he can not use it to sign in to your accounts on other websites. Complex passwords are incredibly important because the easier your password is to guess, the sooner a hacker can break the hashing process. If you make the password more complicated, you will gain time to minimize the damage.

Using unique passwords also minimizes this damage. The hacker gets at most access to an account, and you can change a single password more easily than dozens. Complex passwords are hard to remember, so we recommend a password manager. Password managers generate and store passwords for you and you can customize them to match the password rules of virtually any site.

Some, like LastPass and 1Password, even offer services to check if your current passwords are compromised.

A good option is to enable two-tier authentication. In this way, you may be able to prevent unauthorized access to your accounts even if a hacker compromises your password.

While you can not prevent a company from misusing your passwords, you can minimize downtime by properly backing up your passwords and accounts.

RELATED: Why You Should Use a Password Manager and How to Start


Source link