Search
Blogging from Sydney | Australia
Some past thoughts
« Adding G+ to a SquareSpace Site | Main | Teething issues? »
Thursday
Jul142011

Final take on hover.com storing passwords as plaintext - and why I don't plan to switch

TLDR: The community demanded a fix, and hover.com have fixed the issue, and without to the best of our knowledge disclosing any personal information or customer passwords to any third parties*.

* Yes your email provider will know, and possibly some routers your traffic passed through (such as your ISPs). Change your password now and it's minor problem solved.

--

Security is an easy thing to make a mistake on, and a notoriously difficult thing to get right even when everyone is trying really hard.

A security mistake can and does happen to the best in the technology industry. When I boot into Ubuntu Linux and Mac OS X, I've seen both needing patches every other week. Skype (pre-Microsoft acquisition) allowed users to be rootkitted on the Mac. I see Microsoft shipping updates to fix bugs in their operating system every month like clockwork. Even Google got hacked by China. RSA had their SecurID tokens compromised.

Tucows has been around since 1994, and is the parent of hover.com, created in 2008 through the merger of their 3 domain registrars - NetIdentity, It's Your Domain (IYD), and Domain Direct. That's a lot of legacy, things like as they said, needing telephone support. Even the best developer needs some time to test their code, and changing an authentication system which could adversely affect millions of users needs thorough testing.

Today it is very hard to defend the practice of storing a customer password, and I don't and won't. Neither does Ross Rader, Hover's GM. Strong cryptographic hashing is a requirement for any modern website, and hover.com is clearly working hard on that transition.

Ultimately, it needs to be placed in perspective. The threat to me is similar to that of all Django sites using SHA-1 by default, which is considered "weak" as the best known attack has a theoretical complexity of 2^51 hash function calls. It is a possible and unnecessary risk, and in general to be avoided, but far from a proven breach of security.

I first alerted Hover to this issue when I first used them - on July 2, 2011 (Sydney, Australia), as part of my first real attempt at having a presence I control online (shout out to Leo Laporte - go TWiT). I was catching up on Security Now! Episode 306, when I heard something a monkey could likely be trained to do (and thus also likely a malicious crawler/script roaming the net):

"Marc Beaupre in Montreal, Quebec said one way to know whether the site stores your password in cleartext is whether they send the password itself when you perform account recovery".

Trying and finding hover.com vulnerable, I gave them 2 months which I deemed a reasonable time to communicate and have them understand the threat and update their systems (though I'd be interested in what is a reasonable time, especially from people who have implemented an update like this).

Dear Hover staff,

Please forward this ASAP to your security and/or web site administrators.

Hover.com's password recovery service (see anonymized forwarded email below) is sending me back my password in plain text. This strongly suggests that Hover is storing my password as plaintext. If Hover's password file/database ever fell into the wrong hands (e.g. ex-employee, hacker), these passwords would then be known to the attacker.

The password recovery at https://www.hover.com/send_password (+1 for HTTPS) should, upon verifying a user owns the registered email address, allow the user to change their password to something of their choosing. It would be recommended by Security Now netcast listeners that BCrypt, SHA256 or SHA512 be used many times with one or more random salts; to store the password hashes (and thus never the plaintext passwords) more securely.

NOTE: In the interests of security, I will only be sending this on to Steve Gibson of GRC through the form available at http://www.grc.com/feedback.htm 

I will not be publicly disclosing this unless it has not been fixed 2 (two) months from the send date of this email. I'm sure Steve will also behave responsibly and I and the other 100,000 or so Security Now listeners would be interested in the outcome of this.

Thanks to Marc Beaupre for the core idea.
From Security Now! Ep. 306, transcript http://www.grc.com/sn/sn-306.htm
"Marc Beaupre in Montreal, Quebec said one way to know whether the site stores your password in cleartext is whether they send the password itself when you perform account recovery".

Best regards,

Peter Schmidt
****

---------- Forwarded message ----------
From: Hover System <passwordrecover@hover.com>
Date: Sat, Jul 2, 2011 at 10:19 PM
Subject: Your Hover.com Password
To: ****

Hello,

Your Hover.com username is **** and your password is ****
https://www.hover.com/login

Please note: This e-mail message was sent from a notification-only address that
cannot accept incoming e-mail. Please do not reply to this message.
Thank you for using Hover.

Sincerely,

Team Hover

 

(Personal details omitted)

I honestly didn't know of the HackerNews post on July 5 until today (and have been quite sick and more interested in my honours thesis the past couple of weeks), and I think others likely have pointed out the issue as well. Since they claim to have been working on it since last Spring and implemented their final fix in 48 hours, it is good that the community effectively jolted them into action sooner.

Since I use a password manager, I don't really care that a >20 character monster once-used random password may have possibly gotten loose, and again the issue has been fixed. For those who have been using Hover for a little longer or may have reused their Hover password elsewhere, it's always a good idea to change your password once in a while.

Hover, to their credit and to the best of our knowledge abide by their privacy policy. Unlike other domain registrars who shall remain nameless, they claim and so far have proven they won't upsell for necessary features like WHOIS "privacy protection", or sell my personal information to third parties so they can target ads at me.

Hover, with Tucows legacy is also a very-well established provider with clear policies and procedures, which is important. I'd frankly like my domain registrar to be predictable rather than capricious or sexy - it's infrastructure which should be boring and dependable.

For the above reasons, I'm not planning on switching unless someone suggests an alternative that is clearly better, and so far I haven't seen one. That doesn't mean I'm not open to the idea, and to the community at large - please feel free to suggest better alternatives if they exist and provide evidence of their past track record with regard to security, privacy and usability.

 

Remember, we're all still human, and there are always slower fish, "mom & pop" sites, and so forth out there - for example http://itestate.com.au/ doesn't even use HTTPS for customer logins (which is why I've only ever paid on pickup if I needed some cheap PC stuff from there). Not everyone should need to be a security expert just to have a site on the net, but sadly that's the trend if you don't outsource the hassle to someone else like SquareSpace.

Like most things in security, it's far too easy to let little things be blown way out of proportion. While I've cut my share of Java, Python and C# code, I haven't personally implemented Django BCrypt or something similar so I don't know how hard it really is and what the pitfalls could be, let alone migrated millions of user accounts, or had to consider issues like malicious users with motives attempting account fraud. Full credit to Ross Rader for handling the issue amicably.

And if you've read all that, my sincere thanks because this is really just a post for selfish old me - so I can be clear in my head what really went down.

Cheers,

Peter

References (21)

References allow you to track sources for this article, as well as articles that were written in response to this article.
  • Response
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Response: Free Cams
    I read this article completely about the difference of newest and previous technologies, it's awesome article.
  • Response
    Response: BpZCgZPK
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Response: agree with this
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Response: miami beach hotel
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Response: SW15 remove mice
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Response: youtube.com
    Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch
  • Response
    Response: write my thesis
    I liked reading the article. At the final period on hover.com you have done really a great job of storing the passwords as a plain text. I was worried about the information I have provided in hover.com and the password. But, you with your talent have done an effective job this ...
  • Response
    [...]Peter Schmidt - Blog - Final take on hover.com storing passwords as plaintext - and why I don't plan to switch[...]
  • Response
    вконтакте
  • Response
  • Response

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>