Full Flavour Behaviour!

Security FAIL
posted Monday August 4th @ 7:39pm

Security FAIL

One of the great decisions when making a database is whether to encrypt the user account passwords. If you decide to do so, you can still test whether a submitted password is correct (by encrypting that also and seeing if it matches) but you can't tell what the password is. If anyone forgets their password you won't be able to remind them but it's simple enough to re-set it to something new, tell them what the new one is and ask them to choose a more memorable one. Alternatively, if you decide to store the passwords as plain text, you are a moron.

Why? Because your data will one day get hacked and when it does, the fallout of having every single user password easily read by the nefarious perpetrator of the hacking doesn't bear contemplating. So you can imagine my shock to discover that Safepay - a payment provider - are not encrypting passwords.

I signed up today with Safepay because Guru.com require it for accepting payments. Which would have been fine, except for the ridiculous terms of service in the tiny scrollable box. It included, incidentally, the charming policy that if you cause just one chargeback you are blacklisted and cannot use their services ever again. Never mind that it might be because (in the case of a customer) of an idiot vendor not providing what was paid for or (in the case of a vendor) because of the customer being an idiot with their password.

Interesting that I mention losing your password because, as it turns out, Safepay can do that for you. At the end of the signup process I was astonished to be presented with a confirmation page with the password I entered in plain text right there on screen for any idiot to read over my shoulder. My suspicions aroused, I logged out and said I'd lost my password. You can see above what happened.

Yes, folks; Safepay are storing my password as plain text. Not only that, they are emailing it out - if you can hack into my email account and spell my Safepay username then you can have my Safepay password, which might well be similar to my other banking passwords - you never know - and good Lord I don't want to think where that is going. They have very cleverly obfuscated the word, "PASSWORD" by using slashes but that seems like locking the car doors when the window is down.

Immediately I reset my password to something else (yeah, I changed it again for this screenshot so don't get too excited) and discovered that in order to do so I had to confirm my old password - in a plain text input box - and enter a PIN number that had been emailed to me and answer my security question. So in actual fact, changing my password to remain secure is more hassle than hacking in, assuming you have access to the email account.

It's sad that people are still not learning about the value of encryption but it blows my mind to learn that a payment provider - a company that provides direct debit and repeat billing solutions - isn't doing this.

Suffice to say, I probably won't be using SafePay.

Comment on this entry

Don't miss..

Other Carl sites

Photo galleries