At least one major domain company is NOT SECURE

Submitted by Kevin Ohashi on Thu, 04/21/2011 - 04:12

Posted in

This is a warning to at least one major domain company. I will be naming names Monday (April 25th) unless it gets fixed. This type of behavior puts customer information at risk and has been hacked before.

YOUR PASSWORDS AREN'T SECURELY STORED

They store passwords in plaintext or a system where they can get back to plaintext (which for all intents and purposes are the same).

What does that mean? It means instead of data being stored in the following format:

accountName | 5f4dcc3b5aa765d61d8327deb882cf99

It gets stored like this:

accountName | password

How do I know if my password is securely stored (as a customer)?

There is no way to tell for sure it isn't stored as plaintext. However, the most common giveaway is trying the password recovery system. If they email you your original password, they are storing it in plaintext. If they force you to generate a new password, they most likely are storing it in a hashed form and have to generate a new hash on your new password because neither of you knows your old password.

Why does this matter?

If they were ever broken into, your passwords are exposed and the attacker can simply read them. If they are encrypted, the attacker would have to decrypt them first, which takes an incredible amount of time (assuming they use Salt). Thus making it exceptionally difficult if not practically impossible to do anything with a hashed password.

Huh? what? I am lost...
Ok, here is a simple explanation of how logins work:

User visits website.

User types in account and password.

In a PLAINTEXT system, the computer matches user entered account:password combo with an account:password combo in a user database.

In an encrypted (secure) system, the computer hashes the password using an algorithm (such as MD5) to produce a hash ('password' after md5 encrypt becomes '5f4dcc3b5aa765d61d8327deb882cf99'). The computer then matches the hash to a stored hash in the database, if the hashes match, it is the correct password. Only your password will generate the same hash, but nobody with access to the database will ever know what your password is because it's stored as a hash.

UPDATE: I am not going to recommend MD5 after further reading, there are apparently stronger algorithms such as bcrypt and SHA-2 which will keep passwords more secure than MD5.

If you have any questions - as a company or as a customer - feel free to contact me and ask.

Let's Connect!

Hey there! My name is Kevin Ohashi. I am the founder of Review Signal which currently does web hosting reviews.

I like to blog about startups, business, economics, marketing, programming and domain names. My current passion is analyzing data and finding patterns and insights hidden in data that nobody else realizes is there!

I am also working on a Gift Discovery/Gift Inspiration website called Gift Lizard that let's you find gift suggestions by describing the person you're trying to buy for.

I also use my blog to keep track of my own life, so you can see my reading list and personal posts on occasion.