Ask HN: How to out a MAJOR online company storing passwords in plaintext?

6 pointsdwelch234410y ago14 comments

I recently became aware of a major online hotel broker that stores passwords as plaintext in their system. The management is aware of the technical risks and liabilities but has pushed off technical fixes for YEARS. Furthermore, the features of the website make it obvious that this could be q very valuable attack vector as the reset feature emails you your current plain text password.

So the question is: what is the ethical way to raise the issue and force their hand in a fix?

(Sorry for brevity and spelling; mobile on holiday)

14 comments

paulhauggis10y ago

How do you know it's actually plain text? There are plenty of 2-way encryption methods out there.

Do you work there? If so, are you willing to lose your job over it?

These sorts of leaks can have devastating effects on the company/customers. You should also think about the employees that work there as well. Are you willing to risk their jobs in the event that the company loses money?

dwelch2344OP10y ago

I've spoken to a number of employees who have confirmed they are stored plain text.

I have considered those factors and am definitely concerned. However, consider the other side of the equation: a systems breach that leaves thousands (maybe even millions, given their size and 15 years of operation) of customers data being leaked, potentially leading to fraud and identity theft.

Who deserves to be protected? The organization that will not respond to the threat, or their innocent customers?

dwelch2344OP10y ago

Also, there is no good reason to use 2 way encryption on passwords anyways. It goes against every security best practice.

sigden10y ago

What legitimate use case is there for implementing a 2-way encryption method over a hash function for passwords?

paulhauggis10y ago

I never said it was the best method to use over a hash function. However, it's much better than plain text and it would be unethical to say the company didn't have any security of the original poster doesn't know for sure.

ryanlol10y ago

Customer support. A human can then verify the user even if they can only remember a part of the password.

1 more reply

dublinben10y ago

Anonymously report to plaintextoffenders.com?

j / k navigate · click thread line to collapse

Ask HN: How to out a MAJOR online company storing passwords in plaintext?

6 pointsdwelch234410y ago14 comments

So the question is: what is the ethical way to raise the issue and force their hand in a fix?

(Sorry for brevity and spelling; mobile on holiday)

14 comments

paulhauggis10y ago

How do you know it's actually plain text? There are plenty of 2-way encryption methods out there.

Do you work there? If so, are you willing to lose your job over it?

dwelch2344OP10y ago

I've spoken to a number of employees who have confirmed they are stored plain text.

Who deserves to be protected? The organization that will not respond to the threat, or their innocent customers?

dwelch2344OP10y ago

Also, there is no good reason to use 2 way encryption on passwords anyways. It goes against every security best practice.

sigden10y ago

What legitimate use case is there for implementing a 2-way encryption method over a hash function for passwords?

paulhauggis10y ago

ryanlol10y ago

Customer support. A human can then verify the user even if they can only remember a part of the password.

1 more reply

dublinben10y ago

Anonymously report to plaintextoffenders.com?

j / k navigate · click thread line to collapse