Storage of clear-text passwords: NOT!

Paw Prints: Writings of the maddog
I am the first person to admit that I am not an expert on security (o.k., there are probably several dozens of my friends who will gleefully “admit” that I am not an expert on security before I will), but I do know that storing passwords in clear-text is just not the way to go. Yet recent interactions with several web site management teams has shown me that apparently some people have not yet learned this simple principle.
With all the reported incidents of identity theft due to records and data stolen you would hope that companies would treat passwords with more respect, yet I have one “social network” site email me information on my account each month where they include my password in the email in clear-text. The very first time they did this I went onto the site, removed all my information, replaced the information with fictitious data and changed the password to “stupididiots”. Now every month I get the email from them that reminds me of how stupid they are. When I start receiving things based on the fictitious information in the mail, I will know from where and why it is arriving.
Nor is this limited to small sites created by amateurs. Recently I had reason to talk with a major site holding records for millions of people and realized that they and their staff had access to their customers clear-text passwords. “That is not a smart thing to do” I told them. They did not seem to grasp the implications, so in the next few days I will be writing a letter to their president.
You would think that with examples like Unix and Kerberos that have been around for such a long time people and sites would be a bit more careful with how they handle passwords. Simple protection techniques are not rocket science, and can make the stored passwords a lot safer.
For example, sites should convert the clear-text password received by the customer into an encrypted form immediately after receiving it, then throw away a small part (one bit would do) of that encrypted form and store the rest. This would prevent anyone receiving a database of stored passwords and (without any other knowlege) using a brute force technique to decrypt the passwords. When the customer accesses the site again, follow the same procedure, and compare the two encrypted strings. If they match, allow access.
If you are using a deterministic encryption algorithm, one that always creates the same encrypted string from the same set of clear-text, you don't have to know what the clear-text password is, only that the encrypted forms matched.
Granted, this technique also relies on the fact that people choose “good passwords”, but no choice of a “good password” will protect you from idiots who insist on storing your clear-text password in their database in clear-text.
If a customer contacts the site and tells the staff that the customer has forgotten their password, the site will need to authenticate them in some way and then generate a new password for them and allow them to change it to whatever they need. Many web sites have automated this process in a fairly robust way using one-time ULRs and one-time passwords but the methods could be improved. There should never be a clear-text password generated, shipped or stored anywhere.
I recognize that this blog is not a treatice on Internet security, and I apologize to the regular readers of this column who will say “o.k., what else is new”, but as long as we keep hearing of “stolen records” that could easily have been avoided, we need to keep beating the drum.
Comments
comments powered by DisqusSubscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

News
-
Gnome’s Dash to Panel Extension Gets a Massive Update
If you're a fan of the Gnome Dash to Panel extension, you'll be thrilled to hear that a new version has been released with a dock mode.
-
Blender App Makes it to the Big Screen
The animated film "Flow" won the Oscar for Best Animated Feature at the 97th Academy Awards held on March 2, 2025 and Blender was a part of it.
-
Linux Mint Retools the Cinnamon App Launcher
The developers of Linux Mint are working on an improved Cinnamon App Launcher with a better, more accessible UI.
-
New Linux Tool for Security Issues
Seal Security is launching a new solution to automate fixing Linux vulnerabilities.
-
Ubuntu 25.04 Coming Soon
Ubuntu 25.04 (Plucky Puffin) has been given an April release date with many notable updates.
-
Gnome Developers Consider Dropping RPM Support
In a move that might shock a lot of users, the Gnome development team has proposed the idea of going straight up Flatpak.
-
openSUSE Tumbleweed Ditches AppArmor for SELinux
If you're an openSUSE Tumbleweed user, you can expect a major change to the distribution.
-
Plasma 6.3 Now Available
Plasma desktop v6.3 has a couple of pretty nifty tricks up its sleeve.
-
LibreOffice 25.2 Has Arrived
If you've been hoping for a release that offers more UI customizations, you're in for a treat.
-
TuxCare Has a Big AlmaLinux 9 Announcement in Store
TuxCare announced it has successfully completed a Security Technical Implementation Guide for AlmaLinux OS 9.
Call staff access
A far better approach would always be to provide an audited, supervised mechanism for password renewal combined with advice to change the newly generated password immediately.