PRWeb Stores Passwords In Clear Text

It is 2012 and with the growing web threats you would expect to see increased measures to protect user credentials. We hope that in the wake of events with LinkedIn and eHarmony others realize the importance of an increased security posture.

Consider the recent LinkedIn, e-Harmony or similar breaches in the past to see how important this topic has become.

Back to the topic at hand…

For some crazy reason I was looking at PRweb today and forgot to
save the password I had chosen. As we all do, I clicked on the forgot password link and
got this pretty email from them:

Dear XX,

Here is your login information for PRWeb.

UserName: my@email.com
Password: MYPASSWORD
Log In URL: https://app.prweb.com/Login.aspx?LanguageID=1033&SkinID=-1

Sincerely,

PRWeb, a Vocus, Inc. Company

Oh no…they didn’t… Yes, they do!!! Do you see the problem?

They are storing your password in clear text and sending it in the clear as well, via email. At no point did I have the requirement to change, I could go on about my day using the same credentials as if nothing.

Now, go back to the recent breaches. At least the password were hashed making it much harder to identify and break all the accounts (specially the ones with good passwords). On PRWeb, there would be no work for anyone to do, other than gaining access.

It also means that anyone with access to their database can easily see the password for all the users. This is an example of what you should not do if you’re storing credentials for your users.

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • Guest12554

    How do you know that they are storing it in clear text on their own servers?

    This is just an email you received with your password in it.

    • Benjamin Mueller

      Passwords that are stored correctly are encrypted and the website never knows what the actual password is. So by them sending an unencrypted password through email it shows they are storing the password in clear text which is a bad thing. Most websites send the user an email with a link to change the password to something new which is the correct way of doing things.

      • http://softkube.com/about/mario-awad Mario Awad

        Passwords that are stored correctly are “hashed” and not “encrypted”.

        When you hash (using the proper algorithms of course), the website never knows what the actual password is. When you encrypt, the website can get the password back.

        By them sending an unencrypted password it means they’re either in clear text or encrypted; but most probably in clear text since they didn’t care about sending the password via email (which is totally insecure).

        Sometimes you have to encrypt passwords because you need to fetch them back for something else (like storing SMTP credentials to send emails from the website). But for user passwords, you should always hash.

        • http://www.facebook.com/reschneller Eric Schneller

           AMEN ^^ and agreed.

    • http://www.facebook.com/reschneller Eric Schneller

       A hacker could easily hack mail logs and accounts, tail logs etc.

  • Dave Cundiff

    I would hope the password your using on PRweb is a disposable anyways.

    Many sites store passwords with 2 way encryption. This at least requires access to the database and access to the encryption key(which better not be in the database). For things like forums, or anything that the information is not critical I see no problem with this. Allows a much easier process for users to regain access to their account.
    How do you think your credit card numbers are stored on many sites that remember them? Using the same 2-way encryption that is storing the password most likely.

    Of course there’s the debate about e-mailing passwords in the clear as well…….

    • Benjamin Mueller

      I personally see no reason as to why a website would need to know my password or have an encryption key to access it at a later date. If I forget my password its just as easy to reset it to something new.

    • Soap Hope

      Credit card numbers are not stored at the site. The e-commerce site sends the encrypted CC information to the payment processor the first time you enter it, and the processor sends back a token. The token, and the last four digits of the card number, is stored by the e-commerce company. On future purchases the e-commerce company sends the token to charge the associated card. If there is a security breach, the tokens are deactivated and become useless to the attacker.

  • http://www.swordandthescript.com/ Frank Strong

    Interesting conversation here in the comments — I can see some don’t think it’s as important.  For what it’s worth, David, I shared your post with the Vocus/PRWeb product management team and they’ve decided to implement changes immediately. So well, done and thanks for the advice.  

    • http://www.facebook.com/reschneller Eric Schneller

       Rookies

  • http://www.vocus.com/ Mark Heys

    We store our passwords encrypted in the database so your headline is incorrect.  That being said,  I agree sending passwords in emails is not good practice and hashing is much more secure.   On Monday we changed PRWeb to send reset password links that can be used one time and expire in 24 hours.   Also, prior to this blog post, we were working on switching to hashing and salting the passwords.   This will be released in the next couple weeks.

    Mark Heys
    CTO, Vocus Inc.

    • http://www.facebook.com/reschneller Eric Schneller

       Yall’s face hurting from face palming yet?

  • http://www.facebook.com/reschneller Eric Schneller

    Seriously its called encryption MD5 or something the email should read XXXXXXXXX for password, are these folks novices or what?  I am available for hire.

  • http://sucuri.net Tony Perez

    This one is a bit hard to respond because its basics of securing passwords. If the credentials were being stored securely, using hashes and salts, they would not have a way to return it in the clear the way have.

    Thanks for your comment.

  • http://sucuri.net Tony Perez

    Dave,

    Without knowing more of their internals its definitely hard to speculate. That being said, the sad fact is that the average user is not using disposable credentials, most are using the same across multiple platforms – to include financial institutions and social networks. The problem with this comes in breeches such as the one we saw yesterday with LinkedIn and eHarmony. Its one thing to perform the breech and retrieve the data, its another one entirely to actually make use of the data once downloaded. Storing them internally in the clear is very bad secure practice, and you can make that assumption based on knowledge of how database and security hashes / salts work.

    And you’re right, there is the other challenge of passing the info in the clear via insecure emails..

    Thanks for stopping by.

  • http://sucuri.net Tony Perez

    You hit the nail on the head. This is just bad security practice.

  • http://sucuri.net Tony Perez

    Frank

    That’s great news!

    Tony

Share This