TypeKey stores your passwords in plaintext

Feb 07 2008

TypeKey is a free, open system providing users a central identity for posting comments on weblogs and logging into other websites. It is run by Six Apart, the providers of TypePad and MovableType. It is a service used by thousands of users worldwide.

[Image: TypeKey_SixApart]

And guess what? They store your passwords in plaintext.

I forgot my password for TypeKey and clicked on the ‘forgot password’ link and provided my email ID. They sent me my username and password.

[Screenshot: Typekey_password]

Great usability; poor security.

Alarming to see that even big names get security wrong.

13 responses so far

  • Binny V A says:

    This approach has advantages and disadvantage. As long you don’t use the same password in every site, you should be fine.

  • Binny – I don’t see how the rewards outweigh the risks in this case. If you forgot your password, then TypeKey should just generate a new one and send you that.

    Is there some benefit to this strategy that I’m missing?

  • Niyaz PK says:

    Binny,
    Can you explain the advantages of using this scheme?
    I think implementing a hashing algorithm is very easy. Why couldn’t they make use of it?

  • Nirmal says:

    This is not recommended stuff, but still there are a lot of important sites which store in plain text.

  • Niyaz PK says:

    Nirmal,
    I agree. There are many.

  • Jonny says:

    How do you know the passwords are stored in plain text? You can speculate that they are, but you don’t know for certain – indeed, they could be using 2-way encryption such as Blowfish or Rijndael, all readily available through the mcrypt library.

  • Niyaz PK says:

    Jonny,
    Encryption is a bad idea too.
    Only (hashing + salting) works for storing passwords securely.

  • xxx says:

    @Jonny:

    if they “encrypt” the passwords, they have to — by necessity! — a) use their key to encrypt it (so it’s as bad as plaintext against the rogue employee attack) and b) the key has to be stored on the server, so that it can work with the passwords. In other words, encrypting passwords is a totally useless, incredibly stupid thing to do and amounts to nothing more than some obfuscation of the data.

  • Niyaz PK says:

    xxx,
    Yes. Encryption just adds more processing overhead, and gives no real security in return. Thanks for that comment.
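The thread above makes two points: passwords should be stored as salted, one-way hashes rather than plaintext or server-key-encrypted values, and a “forgot password” feature should never be able to mail the original password back. The following is an added example (not TypeKey’s or Six Apart’s code) that shows both together in Python: salted PBKDF2 storage with constant-time verification, and a reset flow that issues a random, short-lived, single-use token instead of the password (it goes slightly beyond the “generate a new password and send it” suggestion by sending a token rather than a new password, so nothing secret travels over SMTP). The in-memory dictionaries, the iteration count and the token lifetime are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory "database" so the example runs offline; a real site would use
# a persistent store. Note that neither table ever holds a plaintext password.
USERS: dict = {}         # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS: dict = {}  # username -> {"token_hash": bytes, "expires": float}

PBKDF2_ITERATIONS = 200_000      # assumption: raise to the largest count your login latency allows
TOKEN_LIFETIME_SECONDS = 15 * 60  # assumption: reset links expire after 15 minutes


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted, one-way derivation; the plaintext cannot be recovered from the output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> dict:
    """Store only a random per-user salt and the derived hash; the password itself is discarded."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _derive(password, salt)}
    return USERS[username]


def verify(username: str, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time.

    Unknown users still pay the derivation cost, so response time does not reveal
    which usernames exist.
    """
    record = USERS.get(username)
    salt = record["salt"] if record else b"\x00" * 16
    expected = record["hash"] if record else b"\x00" * 32
    matches = hmac.compare_digest(_derive(password, salt), expected)
    return matches and record is not None


def start_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Begin a 'forgot password' flow.

    The site never knows the password, so it cannot mail it back. Instead it issues a
    random token to be placed in an e-mailed link. Only the token's hash is stored, so a
    copy of the database does not hand an attacker usable reset links.
    """
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    current = time.time() if now is None else now
    RESET_TOKENS[username] = {
        "token_hash": hashlib.sha256(token.encode("ascii")).digest(),
        "expires": current + TOKEN_LIFETIME_SECONDS,
    }
    return token  # this value goes into the e-mail, never the password


def finish_reset(username: str, token: str, new_password: str,
                 now: Optional[float] = None) -> bool:
    """Consume the token (single use, time-limited) and store a fresh salt + hash."""
    pending = RESET_TOKENS.get(username)
    if pending is None:
        return False
    presented = hashlib.sha256(token.encode("ascii")).digest()
    if not hmac.compare_digest(presented, pending["token_hash"]):
        return False
    current = time.time() if now is None else now
    del RESET_TOKENS[username]  # a token is consumed whether it succeeds or has expired
    if current > pending["expires"]:
        return False
    register(username, new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify("alice", "correct horse battery staple"))  # True
    print(verify("alice", "wrong guess"))                   # False
    link_token = start_reset("alice")
    print(finish_reset("alice", link_token, "new passphrase"))  # True
    print(verify("alice", "new passphrase"))                    # True
```

The contrast with the scheme the thread criticises is in what a database leak yields: with this layout an attacker gets salts, slow hashes and hashed reset tokens, none of which can be sent back to the user or replayed at the login form, whereas a plaintext or server-key-encrypted column gives up every password at once.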

  • Or they could encrypt it using a key derived from the account details. This way, possible leaks require knowledge of how to derive the key.

    No, not as secure as salted hashes, but better than plain-text.

    One would argue that if an attacker can access the database, there are bigger issues to take care of. Even with hashes, a cracked system could leak a lot of plain-text passwords.

    In the end, this isn’t so bad as you’d think it is. Certainly, salted hashes are better, but not enough to whine about.

    Though, what *I* find discomforting is that they send my password to me in plain-text. What if somebody could get to my mailbox, and I use one password for many sites? It’s not uncommon, and I’ve had passwords of mine leaked that way.

    Besides, SMTP is an insecure protocol without SSL or anything like it applied. (Though I’m not very worried about man-in-the-middle attacks, really.)

  • Niyaz PK says:

    Ludvig,
    Many of us are not worried about man-in-the-middle attacks. I don’t know why… :)

  • Storing passwords with encryption is required for certain single sign-on / delegated authentication scenarios. Encrypted passwords are more secure than plain-text – an administrator or hacker accessing the user record cannot use an encrypted password. Salted passwords are much more secure, but you can’t use them in all scenarios. In this case, I can’t think of a reason why they aren’t using salted passwords.

  • [...] all know that it is generally not a good idea to store user passwords in your database in the form of plain text. But in certain cases, you may [...]
