Plain Text Password Storage – Why it’s bad!

February 16, 2010 at 8:05 pm | General

As part of the latest Google Grope, plain text password storage was chosen as the keyphrase. I was surprised by this, but it is a subject I am passionate about from a development point of view. Having worked with SQL databases in the past, I know that password storage is high on the list of security requirements and that under no circumstances should passwords be stored in plain text.

The SQL standard for password storage (when I was coding) was MD5. This may have changed, as I am a little rusty with the ole PHP & SQL, but once again this was a security requirement to avoid compromised passwords and hacking attempts. This was, of course, only if the password was being stored in a database at all.

Using Plain Text Files For Storage

When coding with PHP, the easiest way to store data if you had no database available was to put everything in a text file. Whilst this was great for non-sensitive information, it was certainly a risk if someone managed to find the location of the text file and access it through a browser – particularly if it stored passwords and the user information required to log in. There were several ways to combat this when I was developing, such as CHMOD FTP settings, Apache file access rights and good ole PHP masking, but none of those options were 100% secure when it came to plain text password storage – you just need to ask RockYou.com.

RockYou.com’s Plain Text Data Hack

On December 14th 2009 a hacker gained access to over 32 million usernames & passwords through an SQL Injection attack. How 32 million? The data was stored in plain text format. Exposing your users to that kind of attack through incorrect data storage methods is, to be blunt, ignorant and dangerous. Whilst the attack was not malicious and was only to prove a point, plain text password storage nearly gave 32 million users an endless heartache – after all, how many of those users would have used the same password for RockYou that they used for their registered email address? It’s a personal identity thief’s wet dream. All because of irresponsible plain text password storage.
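To make the storage choices above concrete, here is an added example (not code from the original post) that builds the same credential table three ways: plain text, the unsalted MD5 the post mentions, and a salted, deliberately slow hash. It then counts how many accounts visibly share a password in the stored data. It is written in Python rather than the PHP the post refers to; the function names, the PBKDF2 iteration count and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to your own hardware.
ITERATIONS = 600_000

def store_plaintext(password):
    """Weak: the stored value is the password itself."""
    return password

def store_md5(password):
    """Weak: unsalted and fast, so equal passwords give equal digests."""
    return hashlib.md5(password.encode()).hexdigest()

def store_pbkdf2(password, iterations=ITERATIONS):
    """Salted, deliberately slow hash; the record carries its own parameters."""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"

def verify_pbkdf2(password, record):
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(key, bytes.fromhex(key_hex))
    except (ValueError, OverflowError):  # malformed record: fail closed
        return False

def accounts_sharing_a_value(table):
    """Count accounts whose stored value also appears on another account,
    i.e. password reuse that is visible in the stored data as it stands."""
    counts = Counter(table.values())
    return sum(n for n in counts.values() if n > 1)

# Constructed sample accounts, not real data.
SAMPLE = {"alice": "sunshine1", "bob": "sunshine1", "carol": "t4bby-cat"}

def build_table(store):
    """Return {user: stored value} for the sample accounts under one scheme."""
    return {user: store(pw) for user, pw in SAMPLE.items()}

if __name__ == "__main__":
    for store in (store_plaintext, store_md5, store_pbkdf2):
        print(store.__name__, accounts_sharing_a_value(build_table(store)))
```

With a per-user salt, the two accounts that share a password no longer share a stored value, and each stored record has to be verified individually at the cost of the configured iteration count.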

About the Author

Kev Strong

Kev Strong is an online marketing consultant at Newcastle Upon Tyne based digital marketing agency, Mediaworks. A lover of all things search and an ex-web developer, Kev Strong (a.k.a Goosh) is a specialist in advanced search engine optimisation.
