PRWeb Stores Passwords In Clear Text

It is 2012, and with web threats growing you would expect to see stronger measures to protect user credentials. We hope that in the wake of the LinkedIn and eHarmony incidents others realize the importance of an improved security posture.

Consider the recent LinkedIn and eHarmony breaches, or similar ones in the past, to see how important this topic has become.

Back to the topic at hand…

For some crazy reason I was looking at PRWeb today and forgot to save the password I had chosen. As we all do, I clicked on the forgot password link and got this pretty email from them:

Dear XX,

Here is your login information for PRWeb.

UserName: my@email.com
Password: MYPASSWORD
Log In URL: https://app.prweb.com/Login.aspx?LanguageID=1033&SkinID=-1

Sincerely,

PRWeb, a Vocus, Inc. Company

Oh no…they didn’t… Yes, they do!!! Do you see the problem?

They are storing your password in clear text (or, at best, in a reversibly encrypted form; the fact that they can send back the exact password you chose proves it is not hashed) and sending it in the clear as well, via email. At no point was I required to change it; I could go on about my day using the same credentials as if nothing had happened.

Now, go back to the recent breaches. At least there the passwords were hashed (even if, in LinkedIn's case, without a salt), which makes recovering all of the accounts far more work, especially the ones with strong passwords. On PRWeb, there would be no work for anyone to do beyond gaining access to the database.

It also means that anyone with access to their database, whether an intruder or an insider, can read the password of every user, and that your password now sits in your mailbox and on every mail server it passed through. This is an example of what you should not do when storing credentials for your users.
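As an added illustration, not code from this post or from PRWeb, here is a small Python model of the two designs side by side: a store that keeps the password exactly as typed, and can therefore e-mail it back, next to a salted-hash store that can only verify a password and so must answer a forgotten-password request with a one-time, expiring reset token. The e-mail address, password and reset URL are constructed for the example; the PBKDF2 iteration count is an assumption to be tuned for your own hardware, and a memory-hard function such as Argon2 or scrypt is preferable where available.

```python
"""
Constructed example: a plain-text password store (the anti-pattern the
e-mail above implies) beside a salted-hash store with a reset-token flow.
Neither class is PRWeb's code; the inputs in the docstrings are made up.
"""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 200_000   # assumption: tune so one derivation takes ~100 ms on your servers
RESET_TOKEN_TTL = 15 * 60     # seconds a reset link stays valid


class PlaintextStore:
    """What 'Password: MYPASSWORD' in a forgot-password e-mail implies."""

    def __init__(self):
        self.users = {}   # email -> password as typed

    def register(self, email, password):
        self.users[email] = password

    def login(self, email, password):
        return self.users.get(email) == password

    def forgot_password_email(self, email):
        # The password can be echoed back only because it is stored recoverably.
        return f"UserName: {email}\nPassword: {self.users[email]}\n"

    def dump_for_attacker(self):
        # A database leak hands over every credential with zero work.
        return dict(self.users)


class HashedStore:
    """Salted PBKDF2-HMAC-SHA256; the server can verify but never recover a password."""

    def __init__(self):
        self.users = {}          # email -> {"salt": bytes, "hash": bytes}
        self.reset_tokens = {}   # sha256(raw token) -> (email, expiry); raw token is never stored

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, email, password):
        salt = secrets.token_bytes(16)            # fresh per-user salt
        self.users[email] = {"salt": salt, "hash": self._derive(password, salt)}

    def login(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            self._derive(password, b"\x00" * 16)  # same cost for unknown users (no timing oracle)
            return False
        return hmac.compare_digest(rec["hash"], self._derive(password, rec["salt"]))

    def forgot_password_email(self, email, now=None):
        """Return (email_body, raw_token). The body never contains the password."""
        now = time.time() if now is None else now
        if email not in self.users:
            # Same reply for unknown addresses, so the form cannot enumerate users.
            return "If that address is registered, a reset link has been sent.", None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()  # store only a hash of the token
        self.reset_tokens[key] = (email, now + RESET_TOKEN_TTL)
        body = (f"Someone asked to reset the password for {email}.\n"
                f"Reset URL: https://example.invalid/reset?token={token}\n"  # hypothetical host
                f"This link expires in {RESET_TOKEN_TTL // 60} minutes.\n")
        return body, token

    def reset_password(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).digest()
        entry = self.reset_tokens.pop(key, None)  # single use: consumed even if it turns out expired
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self.register(email, new_password)         # re-salt on every change
        return True

    def dump_for_attacker(self):
        # A leak yields salts and hashes only; each password must still be guessed.
        return {e: (r["salt"].hex(), r["hash"].hex()) for e, r in self.users.items()}
```

The difference that matters is structural: `HashedStore.forgot_password_email` cannot return the password because nothing in the store can produce it, so the flow has to be a reset rather than a reminder, and the reset token is itself stored only as a hash so that a database leak does not hand out live reset links either.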

About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.

  • http://sucuri.net Tony Perez

    This one is a bit hard to respond to because it's the basics of securing passwords. If the credentials were being stored securely, using hashes and salts, they would not have a way to return it in the clear the way they have.

    Thanks for your comment.

  • http://sucuri.net Tony Perez

    Dave,

    Without knowing more of their internals it's definitely hard to speculate. That being said, the sad fact is that the average user is not using disposable credentials; most are using the same across multiple platforms, including financial institutions and social networks. The problem with this comes in breaches such as the one we saw yesterday with LinkedIn and eHarmony. It's one thing to perform the breach and retrieve the data, it's another one entirely to actually make use of the data once downloaded. Storing them internally in the clear is very bad security practice, and you can make that assumption based on knowledge of how databases and security hashes / salts work.

    And you're right, there is the other challenge of passing the info in the clear via insecure emails.

    Thanks for stopping by.

  • http://sucuri.net Tony Perez

    You hit the nail on the head. This is just bad security practice.

  • http://sucuri.net Tony Perez

    Frank

    That’s great news!

    Tony