Two years ago I used Netflorist to buy some flowers, but first I needed to log in. I had forgotten my password, so I used the "Forgot Password" option.
In the email I got was my actual password - which shows a MASSIVE problem in the design of the system that Netflorist uses. The password is either:
Why am I talking about it now? Because after two years, Netflorist has not fixed it! They have had the time to fix it, so let’s talk about it, & if this info helps some horrible person hack them (& I am not suggesting people do that) then tough for them.
Plain text means the password is stored exactly as the customer typed it - just the text. Why is this a problem for passwords? Because if someone gets access to the database (physically, remotely, via a hack, by restoring a backup etc...) they can see ALL the passwords.
This has low risk for Netflorist since credit card details are not stored but this has a MASSIVE risk for Netflorist customers.
The sad truth is that most people are lazy & reuse the same password across multiple websites, which means the details on Netflorist can be used to commit fraud & theft elsewhere.
Netflorist, being a good company, keeps 5 years’ worth of backups off site. Someone at the offsite company accesses those files, restores the DB and gets all the email addresses & passwords for everyone. They then go to TakeALot and log in with those details. Since TakeALot's credit card provider stores credit card numbers, the criminal then purchases tons of stuff!
Just imagine the damage that could be done if someone uses the same password for their email & their bank's second factor authentication goes to email – all your money is stolen… thanks to Netflorist not doing it right. And if that happens, since the bank wasn’t at fault, you wouldn’t be able to get the money back from the bank!
So we’re going to get a little technical now. There are actually many types of encryption (2 way, public/private key) but the core here is that in all cases there is encrypted data & a salt (or key or password - they are all synonyms) is used to decrypt the data.
So if we store the password encrypted in the database, we also need to put the key somewhere so it can be decrypted when the mail is sent out. The issue here is that if someone can get access to the database, there is a high chance they can get access to the salt too. Once someone has the data & the salt - it is plain text.
Yes, this is tougher to do than plain text - but tougher is not the same as impossible.
This is not simple, because we are working with security & doing it correctly isn’t easy. Thankfully OWASP has created some guides to help with this:
In short they should do three things. Note this is the SUPER simplified version. If you are doing this, read the above documents for all the details.
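To make the contrast with reversible encryption concrete, here is an added example (my own illustration, not Netflorist's code and not copied from the OWASP cheat sheets) of a one-way, salted password store: the database holds only a hash, so a "Forgot Password" flow can verify a password but can never send it back. It assumes the Python standard library only, using PBKDF2-HMAC-SHA256 as a stand-in for whichever slow hash the guides recommend, and the storage format `pbkdf2-sha256$iterations$salt$hash` is my own choice.

```python
import hashlib
import hmac
import secrets

# Constructed example: one-way, salted password storage, as opposed to plain text
# or reversible encryption. PBKDF2-HMAC-SHA256 (standard library) stands in for the
# slow, salted hash OWASP recommends. Not Netflorist's code.
SCHEME = "pbkdf2-sha256"
ITERATIONS = 600_000  # deliberately slow so offline guessing is expensive; tune to your hardware


def hash_password(password: str) -> str:
    """Return 'pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>' with a fresh random salt.

    The salt is per user, so two customers with the same password get different
    rows, and an attacker who dumps the table cannot crack them all at once.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and iteration count; compare in constant time.

    Nothing here decrypts anything: there is no key on the server that turns the
    stored value back into the password, which is the whole point.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False  # unknown or malformed record; never treat it as a match
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def demo() -> dict:
    """Show the properties a reviewer would check: same password, different hashes;
    correct password verifies; wrong password (even differing by case) does not."""
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    return {
        "same_password_different_rows": alice != bob,
        "alice_verifies": verify_password("correct horse battery staple", alice),
        "wrong_case_rejected": not verify_password("Correct horse battery staple", alice),
    }


if __name__ == "__main__":
    print(demo())
```

With only the hash stored, the "Forgot Password" email has to carry a one-time reset link instead of the password, because the password is no longer recoverable by anyone, including the company itself.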
First, communicate with Netflorist (Twitter, email) about this risk and hopefully they fix it. Second, you can lower your personal risk by never sharing passwords across websites. This can easily be done with tools like LastPass (which manages the passwords for you & ensures strong & unique passwords are used), or find a trick that enables you to easily remember a unique password for each website. For example, use a pass phrase like:
It is easy to remember the unique password plus it is a pretty strong password. This is just an example, so come up with your own & be sneaky!