Saturday, March 10, 2012

Encrypting Your Plaintext Passwords

Yishan Wong provides some advice for websites … Encrypting Your Plaintext Passwords. Although the post is old – end of 2009 – the advice is still relevant. I wonder how many sites still store plaintext passwords.

If you have been following technology news, you may have heard that the popular social application site RockYou was recently hacked, with all user passwords stored in plaintext stolen (over 32 million accounts). This is a terrible security lapse, not just because it compromises every RockYou account, but because many users use the same password across multiple sites, so a file containing emails and plaintext passwords means that the attacker can compromise a great many of these accounts for all those people across the web. Repeat: the popularity of RockYou means that anyone with a RockYou account is likely to have their other accounts on other sites compromised.

Like many people conscious of web security, my initial reaction to the incident was to shake my head and tsk-tsk at RockYou's foolishness at storing their passwords in plaintext, and then I realized that the real problem wasn't that plenty of sites do this, but rather that, yes, plenty of sites out there have done this, but even with this report, they likely have no idea how to fix that problem. Think about it: if you weren't sophisticated enough to encrypt your passwords in the first place, you likely aren't up to the task of migrating your plaintext passwords into an encrypted format, which is a tricky migration involving lots of moving parts and little details.

This blog post is therefore a step-by-step description of how to migrate your site from using plaintext passwords to encrypted passwords. If you run a small (or large) but growing website, you probably want to fix this immediately. If you do not understand all the steps, find a technical friend (or a reliable contractor) who does, and ask them to implement it for you. I am also available for consulting gigs at a very high hourly rate.
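The quoted post stops short of the migration itself, so here is an added worked example of the two moving parts it alludes to; it is my own illustration, not code from Yishan Wong's post or from this blog. What "encrypting" passwords means in practice is salted, slow hashing (PBKDF2-HMAC-SHA256 here, from Python's standard library), and a plaintext store can be migrated either in bulk (hash every row, then delete the plaintext column) or lazily (hash each account on its next successful login, for sites that must deploy the new code before touching the database). The in-memory user table, the usernames and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: PBKDF2 work factor; raise it as hardware allows.
PBKDF2_ITERATIONS = 100_000


def legacy_users() -> dict:
    """Constructed sample table in the pre-migration state: plaintext column filled, hash column empty."""
    return {
        "alice": {"plaintext": "hunter2", "hash": None},
        "bob": {"plaintext": "correct horse", "hash": None},
    }


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as a self-describing 'algo$iters$salt$hash' string
    so the parameters can be raised later without breaking old rows."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def migrate_all(users: dict) -> int:
    """Bulk migration: hash every remaining plaintext password and erase the plaintext.
    Returns the number of rows converted; safe to run repeatedly."""
    converted = 0
    for rec in users.values():
        if rec["hash"] is None and rec.get("plaintext") is not None:
            rec["hash"] = hash_password(rec["plaintext"])
            rec["plaintext"] = None
            converted += 1
    return converted


def login(users: dict, username: str, password: str) -> bool:
    """Login path that works during a lazy migration: rows still holding plaintext are
    checked against it, then converted to a hash on the first successful login."""
    rec = users.get(username)
    if rec is None:
        hash_password(password)  # spend the same work for unknown users (timing parity)
        return False
    if rec["hash"] is None:
        legacy = rec.get("plaintext")
        if legacy is not None and hmac.compare_digest(legacy.encode("utf-8"), password.encode("utf-8")):
            rec["hash"] = hash_password(password)  # upgrade this row now
            rec["plaintext"] = None
            return True
        return False
    return verify_password(password, rec["hash"])


if __name__ == "__main__":
    users = legacy_users()
    print("lazy login alice:", login(users, "alice", "hunter2"), users["alice"])
    print("bulk migrated rows:", migrate_all(users), users["bob"])
    print("bob correct:", login(users, "bob", "correct horse"), "bob wrong:", login(users, "bob", "nope"))
```

Once every row has a hash, the plaintext column is dropped for good; until then, both paths coexist so no user is locked out mid-migration. The format prefix is what lets you later raise the iteration count or switch algorithms by re-hashing on login, exactly the same trick as the lazy step.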

