Ask HN: I see a popular website not hashing passwords
I see a popular website not hashing passwords. I have notified them of it but they seem slow on the uptake.
Isn't it compulsory to hash user passwords, as otherwise it would be a severe user data compromise? What should be done in this case?
19 comments
[ 3.1 ms ] story [ 46.3 ms ] threadMy 2 cents.
Not an ultimatum. Just do it.
Notify it to all important media in tech world. They will take care of that.
Some sites do it deliberately. If your customer base is mainly non-technical, directly emailing them the password increases the chance they will log in back than sending them a password reset link. I think I read it in context of PlentyOfFish.
> Isn't it compulsory to hash user passwords, as otherwise it would be a severe user data compromise?
If an employee or a cracker has access to the user database, doesn't he already have the user data? The main reason passwords should be hashed is if a rogue employee or a cracker has access to user data(what user data you have is already compromised here), he might be able to gain access to the user's mail, bank or other accounts as most people tend to reuse password.
your comment doesn't really add anything, really ...
this guy is right, that's it.
You sound like you may not be aware of how attacks happen in real life.
Most of the e-mail addresses that people sign up with are either yahoo or gmail. Most people are lazy and choose for this third-party site the same password from their yahoo or gmail accounts.
If the passwords are in plain text ... well ... then people's yahoo and gmail accounts are at risk.
Recently, yahoo notified me that someone has been trying to brute force my yahoo mail password. Luckily I use a different password on third party sites, but the thought of someone taking over my e-mail account was rather scary.
You're absolutely right, it's a major security risk, and anyone else who discovers it may not be so discreet, and make the company a major target for anyone interested interested in stealing databases with unencrypted databases.
We had the same thing happen 2 weeks ago, worse thing is that the company in our case does things with money. Yep.
No. It is not. There is no legal compulsion to hash passwords. I believe Visa and Mastercard do require their vendors to do so however or risk losing their ability to process credit card payments. I also think that there is some US healthcare law that somewhat requires it.
But in general there is no legal requirement to hash passwords. The lack of hashed passwords doesn't mean that there is a "user data compromise" within its own right.
The reason companies hash passwords is so that if they ever get broken into that it means the bad guy has to spend several days or weeks breaking the password database which gives the company time to notify the users and the users time to change their passwords.
Note: A lot of compromises go unnoticed and in those situations hashing offers little additional security (since the bad guy has infinity to crack the passwords).
Note #2: Hashing also makes implementation easier since the length of passwords becomes uniform and you essentially eliminate things like SQL injection (since the raw password is never stored in the database).
There's also a requirement to encrypt data in transit over insecure networks, or when stored on portable devices, including laptops, but that doesn't seem to apply to main servers wired into racks.
(As to whether these apply to you, well... IANAL; the law claims to apply to anyone who's storing data about Massachusetts residents, but I don't know how well that actually sticks to people who are physically located elsewhere.)
Official summary of the requirements:
http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf