Why Are Companies Still Storing Passwords In Plain Text?

  • July 31, 2019

A computer with a login screen and a password box filled in.
mangpor2004/Shutterstock

Several companies have recently admitted to storing passwords in plain-text format. That’s like storing a password in Notepad and saving it as a .txt file. Passwords should be salted and hashed for security, so why isn’t that happening in 2019?

Why Passwords Shouldn’t Be Stored in Plain Text

My Password123456 written on a post-it note and stuck to a computer.
designer491/Shutterstock

When a company stores passwords in plain text, anyone with the password database—or whatever other file the passwords are stored in—can read them. If a hacker gains access to the file, they can see all the passwords.

Storing passwords in plain text is a terrible practice. Companies should be salting and hashing passwords, which is another way of saying “adding extra random data to the password and then scrambling the result in a way that can’t be reversed.” The salt is a random value generated for each password and stored alongside the hash, so two users with the same password end up with different stored values and an attacker can’t attack a whole stolen table with one precomputed lookup. The hash should be a deliberately slow, purpose-built password hash (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) rather than a fast general-purpose hash like MD5 or SHA-1, because a fast hash lets an attacker try billions of guesses per second. Done this way, even if someone steals the hashes out of a database, they have to guess each password one at a time, and strong passwords stay out of reach. When you log in, the company re-runs the same computation with the stored salt and checks that the result matches the stored scrambled version; it can’t “work backward” from the database and determine your password.

So why do companies store passwords in plain text? Unfortunately, sometimes the companies don’t take security seriously. Or they choose to compromise security in the name of convenience. In other cases, the company does everything right when storing your password in its database. But it might add overzealous logging, such as recording whole login requests for debugging, and the password field ends up written to the logs in plain text before it is ever hashed.
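One way to guard against the logging failure mode just described, as an added example that is not code from the original article or from any of the companies it discusses: a `logging` filter that scrubs credential fields out of every message before a handler writes it. The list of sensitive field names, the log line formats handled (a JSON body or form-encoded `key=value` pairs) and the sample request lines are all assumptions constructed for the example.

```python
import json
import logging
import re

# Field names treated as secrets; an assumption for this example.
SENSITIVE_KEYS = {"password", "passwd", "new_password", "token"}
REDACTED = "[REDACTED]"

_KEY_ALTERNATION = "|".join(map(re.escape, sorted(SENSITIVE_KEYS)))
# form-encoded pairs such as  password=hunter2
_FORM_FIELD = re.compile(r"(?i)\b(" + _KEY_ALTERNATION + r")=([^&\s]*)")
# JSON-style pairs embedded in free text such as  "password": "hunter2"
_JSON_FIELD = re.compile(r'(?i)"(' + _KEY_ALTERNATION + r')"\s*:\s*"[^"]*"')


def redact(obj):
    """Recursively replace sensitive values in a parsed JSON body."""
    if isinstance(obj, dict):
        return {
            k: (REDACTED if k.lower() in SENSITIVE_KEYS else redact(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def redact_text(text: str) -> str:
    """Redact secrets in one log line, whatever its shape.

    If the whole line is a JSON document, parse it so nested fields are
    caught; otherwise fall back to pattern matching for form-encoded and
    JSON-style pairs embedded in free text.
    """
    try:
        return json.dumps(redact(json.loads(text)))
    except ValueError:
        text = _FORM_FIELD.sub(lambda m: f"{m.group(1)}={REDACTED}", text)
        return _JSON_FIELD.sub(lambda m: f'"{m.group(1)}": "{REDACTED}"', text)


class RedactSecretsFilter(logging.Filter):
    """Rewrite the record's message in place so no handler sees the secret."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()  # already interpolated above
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_with_redaction(messages):
    """Log each message through the filter and return the written lines."""
    logger = logging.getLogger("example.request_log")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.addFilter(RedactSecretsFilter())
    logger.addHandler(handler)
    for msg in messages:
        logger.info("%s", msg)
    return handler.lines


if __name__ == "__main__":
    # Constructed request log lines; the credentials are not real.
    for line in log_with_redaction([
        "POST /login body=user=alice&password=hunter2",
        '{"user": "alice", "password": "hunter2"}',
        'login payload {"user": "bob", "token": "abc123"}',
    ]):
        print(line)
```

Attaching the filter to the handler rather than to one logger means it also covers records propagated from libraries, which is where request-body dumps tend to come from.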

Several Companies Have Improperly Stored Passwords

You may already be affected by poor practices because Robinhood, Google, Facebook, GitHub, Twitter, and others stored passwords in plain text.

In the case of Google, the company was adequately hashing and salting passwords for most users. But G Suite Enterprise account passwords were stored in plain text. The company said this was a left-over practice from when it gave domain administrators tools to recover passwords. Had Google properly stored the passwords, that wouldn’t have been possible: a salted hash can be checked but not reversed, so only a password reset process works for recovery when passwords are correctly stored.

When Facebook also admitted to storing passwords in plain text, it didn’t give the exact cause of the problem. But you can infer the issue from a later update:

…we discovered additional logs of Instagram passwords being stored in a readable format.

