You might be surprised to learn how many companies actually store your password in their database in a plain-text format.
What does that mean for you? A single break-in to the database, by one method or another, means that your password is now known.
The simplest and surprisingly effective method of protecting your customers' details is to store only a hash of their password. Hashing turns data of any length (your password) into a fixed-length output (a hash), and reversing that process is very difficult. When a user logs in, the password they type is hashed again; if the result matches the hash stored in the database, the login succeeds. In practice the hash should be salted and produced by a deliberately slow password-hashing function (bcrypt, scrypt or Argon2 rather than a bare MD5 or SHA-1), otherwise an attacker who obtains the database can still recover most passwords by guessing at high speed.
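Here is the storage and login flow described above, written out as an added example (not code from the original post). It uses only the Python standard library; the in-memory `users` dict standing in for the database, the function names and the scrypt cost parameters are assumptions chosen for illustration.

```python
"""Added example: plain-text storage beside salted, slow hashing.

Assumptions (not from the post): a dict stands in for the users table,
and scrypt parameters n=2**14, r=8, p=1 are illustrative values.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# scrypt cost parameters (assumed values; tune for your own hardware).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32
SALT_LEN = 16


def store_plaintext(users: dict, username: str, password: str) -> None:
    """The bad way: whoever reads the table reads the password."""
    users[username] = password


def unsalted_sha256(password: str) -> str:
    """Better than plain text, but still weak: no salt, so two users with the
    same password produce the same hash and one precomputed table cracks all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'.

    A fresh random salt per user means identical passwords get different
    records, and the cost parameters are stored so they can be raised later.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def store_hashed(users: dict, username: str, password: str) -> None:
    """The right way: only the salted hash record reaches the database."""
    users[username] = hash_password(password)


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive the hash using the salt and parameters stored in the record,
    then compare in constant time so the check leaks nothing through timing."""
    algo, n, r, p, salt_hex, hash_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record format")
    digest = hashlib.scrypt(
        candidate.encode("utf-8"), salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2,
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def login(users: dict, username: str, candidate: str) -> bool:
    """Hash the submitted password and compare it with the stored record."""
    record = users.get(username)
    if record is None:
        # Burn the same CPU time for unknown users so account names cannot
        # be enumerated by timing the response.
        hash_password(candidate)
        return False
    return verify_password(record, candidate)


if __name__ == "__main__":
    # Constructed sample data: what a breached table looks like in each scheme.
    bad, weak, good = {}, {}, {}
    for user, pw in [("alice", "hunter2"), ("bob", "hunter2")]:
        store_plaintext(bad, user, pw)
        weak[user] = unsalted_sha256(pw)
        store_hashed(good, user, pw)
    print("plain text:", bad)       # passwords readable directly
    print("unsalted:  ", weak)      # alice and bob share one hash
    print("salted:    ", good)      # different records, no password visible
    print("login ok:", login(good, "alice", "hunter2"))
    print("login bad:", login(good, "alice", "hunter3"))
```

Storing the parameters in the record is what lets you raise the cost later without re-hashing every user at once: old records keep verifying with their old parameters, and a successful login is the moment to re-hash with the new ones.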
Plain Text Offenders maintains a list of companies that store passwords in plain text. There are some interesting and depressing entries on that list; see 1and1.co.uk, telltalegames.com (and I really like them), guardian.co.uk and plenty more.
What to look out for?
There are plenty of other websites that store your password in plain text, so what should you look out for?
- First and foremost: your original password is sent back to you in an email when you request it. A site that holds only a hash cannot do this.
- Being asked for particular character positions of your password. (Debatable, but generally bad: a site can only check individual characters if it keeps the password in a recoverable form.)
Why aren’t they stored more securely?
This is something I can't work out; the only thing I can think of is that it's slightly easier not to hash passwords. (shrug) I don't know, slightly less work?
There is no real excuse for not doing so; perhaps it's like documentation for programmers: they all know that they should do it but never get around to it.