Passwords, Password Storage And Password Management

There’s no shortage of news about companies being hacked and having usernames and passwords stolen these days. The latest is Tuts+ Premium. Now I’m not one for blaming companies that get hacked. That happens. We do our best, and it still happens. You can’t do anything but do your best.

Plain Text Passwords

Hackers happen. Do your best and it still happens. You can’t be blamed for hackers. But I will squarely blame you and any company that is dumb enough to store passwords in plain text.

I’ll take that three steps further, actually, and flat out say:

If you store passwords in plain text or advocate storing them in plain text for any reason, you should be fired, fined HEAVILY, have legal action taken against you by your users, and be given a court order that bans you from building applications and web sites that require authentication. You fail “security 101” so hard that it cannot in any way ever be forgiven.

There is no excuse for this. Period. End of story, no discussion. I don’t care if it was a third party plugin. It’s still your fault for not properly evaluating the third party plugin, and not understanding that it stored passwords in plain text. The third party should also have the above actions taken against them, but that doesn’t let you off the hook.
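To make the storage point concrete, here is an added example (my own code, not from the post and not from Tuts+ or the plugin it describes). It keeps the same constructed sample accounts three ways, side by side: the plain-text storage the post condemns, an unsalted fast hash (which hides the password but still lets anyone who reads the table see which users share one), and a per-user random salt with PBKDF2-HMAC-SHA256, the form a site should have been using from day one. The user names, passwords and the iteration count are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample accounts for the demonstration (not real users).
# alice and bob deliberately share a password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
}

# Assumed work factor; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def store_plaintext(password: str) -> str:
    """What the post condemns: the record IS the password.
    Anyone who reads the table can log in as that user, here and on
    every other site where the password was reused."""
    return password


def store_unsalted_sha1(password: str) -> str:
    """A fast, unsalted hash. The password is no longer visible, but
    equal passwords map to equal records, so a single cracked record
    (or a precomputed table) unlocks every account that shares it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow derivation. Each record carries its own
    random salt, so equal passwords still produce different records and
    every record has to be attacked on its own.
    Record format: pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>"""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the digest from the salt and iteration count stored in
    the record and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_table(store: Callable[[str], str]) -> Dict[str, str]:
    """Store every sample user with the given scheme."""
    return {user: store(pw) for user, pw in SAMPLE_USERS.items()}


def reveals_shared_passwords(table: Dict[str, str]) -> bool:
    """True if two users' stored records are identical, i.e. a reader of
    the leaked table can tell they use the same password."""
    records = list(table.values())
    return len(records) != len(set(records))


if __name__ == "__main__":
    for name, scheme in [("plaintext", store_plaintext),
                         ("unsalted sha1", store_unsalted_sha1),
                         ("salted pbkdf2", store_pbkdf2)]:
        table = build_table(scheme)
        print(f"{name:14s} reveals shared passwords: {reveals_shared_passwords(table)}")
    rec = store_pbkdf2("hunter2")
    print("verify right password:", verify_pbkdf2("hunter2", rec))
    print("verify wrong password:", verify_pbkdf2("hunter3", rec))
```

The salt and iteration count travel inside each record on purpose: a site can raise the work factor later and re-hash users as they log in, without a flag day, and a leaked table gives an attacker nothing to reuse on other sites.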

Tuts+ Almost Responded Correctly

After the breach at Tuts+ was discovered, they responded fairly well.

“The breach was discovered earlier today, the exploits have been tracked down and removed, and the whole service shut down to ensure the compromise is isolated.”

But the problem with this is that they didn’t respond this way until after the breach happened. They knew, by their own admission, that the plugin was storing plain text passwords before this breach happened.

The correct response to that knowledge is not “a plan currently in progress to upgrade away from the current plugin.” The correct response, on finding out that your site is storing passwords in plain text, is to immediately shut down the site. Take all servers offline and fix the plain text password problem. 

The embarrassment and revenue loss of doing this proactively will save you the lost customers, public outrage, and 1000x embarrassment from ending up in the same situation as Tuts+. Your users may even thank you for being proactive and not ending up in this situation, if you correctly word the apology letter and press release that you send to your users, for the self-imposed downtime.

Tuts+ Is Just A Poster-Child

I’m picking on Tuts+ because they are the example today. It has nothing to do with their specific scenario, or them as a company. I like them as people, as a company, and for what they do on the web with education and tutorials in the technology world. It’s horribly unfortunate that they didn’t take more proactive action, and ended up in this situation. It could have and should have been prevented.

But Tuts+ isn’t the first (anyone remember Sony and LinkedIn?) and won’t be the last that we hear of, with problems like this. And because of that, it falls on us as people who use websites and services that require authentication, to protect ourselves.

Password Management For Users

The corollary to the harsh statements about being fired, fined, etc. above is that as people who sign up for various services on the internet, we have a responsibility to guard against the companies that don’t value our security. But we also need to guard against the eventual hack on companies that do value our security – the companies that do store our passwords encrypted, but are still hacked.

I’ll make an equally strong statement to the one I made above, regarding passwords:

You should not know your password for any website or application that you log in to, with the one and only exception of the password management app or service that you use.

No excuses. 

(Note that I am excluding hardware / operating systems. You can’t use a password management app to get your Windows password, when you have to log in to Windows to get to your password management app.)

With the number of sites and databases that are being compromised on a regular basis, we hold the key to our own security in our own hands … or… minds… or written on sheets of paper: passwords. If we don’t protect ourselves against the hackers of the world and against the stupidity of companies that store passwords in a way that makes them easy for hackers to get, then we’re just as guilty as the companies being hacked.

The problem is that most people use the same password (or maybe 2 or 3 passwords) for every site, service and app. When a hacker gets your password, then, they can log in to any system that you have signed up with because they know the one password that you are using. By using a different password for every website and service, you don’t have to worry about this. If (WHEN!) a hacker gets your password for a specific site, they will not be able to do anything other than screw up that one site for you. They won’t be able to log in to any other service because they won’t know your password for the other service.

But it’s not possible to remember every password for every site, unless you have a photographic memory. Instead, you should be using a password management system, app or service. These apps and services will securely store your usernames and passwords (and often times other info and items that need digital security) in a way that lets you have a different password for every site, without having to remember the password for each site. You only need to remember the one password for the app / service, and then use that app / service to log in to your other sites.

There are dozens of password management systems around. The three that I’ve used and would recommend looking at are:

There are dozens of others. Just do a Google search for password managers. Also, please list your favorite in the comments here on this post.

Education Is Cheaper Than Fraud / Identity Theft Cleanup

The current billion dollar industry in the insurance and banking world is fraud and identity theft cleanup. You see services advertised all the time for this, and for good reason. Identity theft and fraud are rampant, and the digital age makes them easier. You owe it to yourself to protect yourself at least a small amount. Invest the time and $50 (if that) to create at least one level of protection against hackers, fraud and identity theft by using a password management system.

While you’re at it, share this information with your friends and family that are slightly less tech-savvy. Educate them. Get them to use a password management system that you are comfortable with so that you can support them in their needs. And yes, I am telling you to volunteer your time to do this, because putting up with the pain-in-the-* tech questions from your parents for a few hours every few weeks is cheaper, easier and more pleasant than hiring lawyers, insurance companies, and other fraud / identity theft cleaners.

About Derick Bailey

Derick Bailey is an entrepreneur, problem solver (and creator? :P ), software developer, screencaster, writer, blogger, speaker and technology leader in central Texas (north of Austin). He runs - the amazingly awesome podcast audio hosting service that everyone should be using, and where he throws down the JavaScript gauntlets to get you up to speed. He has been a professional software developer since the late 90's, and has been writing code since the late 80's. Find me on Twitter: @derickbailey, @mutedsolutions, @backbonejsclass Find me on the web: SignalLeaf, WatchMeCode, Kendo UI blog, MarionetteJS, My Github profile, On Google+.
This entry was posted in Security, Tools and Vendors.
  • Anonymous

    As a tuts+ member, I was EXTREMELY dismayed to find out they store plain text passwords. For all the work they do trying to teach people how to make web sites, they go and break security 101 after so many high profile cases with the same issue. There is no excuse anymore.

    Well, thanks to 1Password, I don’t have to worry about it so much, but it was still enough to make me a ‘former’ member of tuts+.

  • John

    I use passwordmaker, one password -> hashed with the url -> strong password.

  • Avi Block

    Problem with LinkedIn wasn’t plaintext passwords, but unsalted passwords…they failed Security 201.
    Also, what do you do if you’re on a different computer, or your hard drive goes, or you just get a new computer. How is 1password, etc. going to help you?

    • 1Password, specifically, has apps available for all platforms and can synchronize through Dropbox. I set up sync this way and have the free password reader app on my Android phone. I’m never without my passwords. :)

  • Anonymous

    I’ve been a big fan of the open source PasswordSafe for years. I sync via Dropbox between Windows (free), Linux (free), OSX ($3.99), and iOS ($1.99). Much cheaper than some of the alternatives.

  • Troy

    One indicator how secure a service is: as soon as you sign up, look for a self-service “Delete my account” link. If it doesn’t exist, assume that every other shortcut was also taken. Email the operator asking how to cancel. Get ready for their reply to crush any remaining confidence.

  • Anonymous

    Using a password management system does seem a bit like putting all your eggs in one basket. If it’s wrong for me to use the same password to access email, banking, amazon because once that password is known all sites are compromised then how is having just 1 password to protect all my other passwords any safer?

    If I put 1Password on my PC and create a password per site and store those passwords in my 1Password ‘database’ and I lose my database, the file gets corrupted or stolen, then how do I recover from that? If I store a copy of the password database in the cloud then someone just needs to hack my dropbox/foldershare/whatever to find a nice juicy database of passwords and sites they can then attack at will.

    • James Banner

      Well if you keep all your eggs in one basket then you should watch that basket very closely! That’s what I can say :)

  • James Banner

    I love open-source keepass. I don’t think anyone should use a “closed” source system for passwords management. It’s like trusting someone whom you don’t know with all the passwords. If you are that paranoid, you should give up on some “ease of use”.

  • Andras Holik

    +1 for keepass, combined with truecrypt. I store all my sensitive/personal data on a truecrypt hidden volume, and store it on all my computers/pendrives.

  • Pattern-chaser

    Password Safe for me! :-)

  • Tara Johnson

    I use KeePass and really like it, but one of the main issues that I run into is that I can’t install anything like that on my work computer so I have no access to any of my passwords during the work day. That becomes a pain in the butt since I also can’t have my phone at my desk.

  • I use a Passwords.txt file in my Dropbox folder with a hotkey to open it. Surprising how easy that is to use, and insecure. :)

  • jh

    I signed up for a web site and they sent me a temporary password that happens to MATCH EXACTLY an obscure password I use regularly. Is this just the twilight zone or is something fishy going on?