Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security The Internet Privacy Technology

Millions of Utility Customers' Passwords Stored In Plain Text (arstechnica.com) 81

schwit1 shares a report from Ars Technica: In September of 2018, an anonymous independent security researcher (who we'll call X) noticed that their power company's website was offering to email -- not reset! -- lost account passwords to forgetful users. Startled, X fed the online form the utility account number and the last four phone number digits it was asking for. Sure enough, a few minutes later the account password, in plain text, was sitting in X's inbox. This was frustrating and insecure, and it shouldn't have happened at all in 2018. But this turned out to be a flaw common to websites designed by the Atlanta firm SEDC. After finding SEDC's copyright notices in the footer of the local utility company's website, X began looking for more customer-facing sites designed by SEDC. X found and confirmed SEDC's footer -- and the same offer to email plain-text passwords -- in more than 80 utility company websites. Those companies service 15 million or so clients (estimated from GIS data and in some cases from PR brags on the utility sites themselves). But the real number of affected Americans could easily be several times that large: SEDC itself claims that more than 250 utility companies use its software.
This discussion has been archived. No new comments can be posted.

Millions of Utility Customers' Passwords Stored In Plain Text

Comments Filter:
  • by Anonymous Coward

    I had a couple of stores hosted on Volusion's hosting service, and a couple of years ago their password recovery system sent me my current password, rather than giving me a link to change my password. So clearly they store (or at least used to store) their user passwords in clear text or some recoverable form.

    I tried to explain the clear security issue with this to one of their support techs, but he assured me that they felt this policy was most helpful to their users. Yeah, until everyone's password gets

  • by whoever57 ( 658626 ) on Monday February 25, 2019 @09:40PM (#58180146) Journal

    The login doesn't ask for the complete password. Instead, it asks for 4 selected characters from the password plus 3 selected characters from my PIN.

    I don't see how they can validate a few characters from a password unless they have it stored in plain text.

    Actually, this applies to two banks. Both UK based.

    • Time to get a new bank.

    • by Anonymous Coward on Monday February 25, 2019 @10:17PM (#58180270)

      JP Morgan Chase, until about 26 months ago, only stored the first 8 characters of your password. Let that sink in for a second. A company that is creating a cryptocoin for internal transaction processing was only storing 8 characters of your online banking password.

      Unfortunately these schmucks are still in business.

    • Or it stores the hashes of all combinations (or the subset it'll ever ask)? Only 8*7*6*5/4! = 70 combinations for an 8 char password... there might be other more efficient algos, though.

      Mine does the same (HSBC).

      • Or it stores the hashes of all combinations (or the subset it'll ever ask)? Only 8*7*6*5/4! = 70 combinations for an 8 char password... there might be other more efficient algos, though.

        But it's worth noting that doing this is also very insecure...

    • I think my bank stores passwords unhashed.

      FTFY. They might store them unencrypted, or they might have an elaborate keyserver setup with a reasonable level of security, you can't know that. Hashing would have been better, but that doesn't mean everything else is garbage.

      • by Bert64 ( 520050 )

        The problem is that you don't know, so you can't make an informed decision as to which companies you do or don't want to do business with.

    • by AmiMoJo ( 196126 )

      With banks the secret phrase they want 3 random characters from is to supplement the full password. In fact it's mostly there to try to defeat key loggers, which is why they make you enter it using drop-down menus on a heavily Javascript laden page that pegs your CPU at 100%.

  • So? (Score:2, Informative)

    by Anonymous Coward

    How do you know your passwords are stored securely on any given website anyway? Most websites won't (and probably shouldn't) tell you how they store passwords/hashes. Even if they do tell you, should you trust them to tell the truth? The only defense is to never assume your password is stored securely and take measures (don't reuse, 2-factor, change often, etc.) accordingly.

  • I have a great idea! Let's make sure we purchase software from the lowest cost bid. Those places keep costs low by hiring low-cost developers. Not bothering with tests and QA. They're also likely to be last on the list of companies to upgrade their process, guidelines, etc. High school students could probably write this in just a few weeks. What could possibly go wrong?

  • by darkain ( 749283 ) on Monday February 25, 2019 @10:31PM (#58180308) Homepage

    I warned my ISP at the time, Rainier Connect, of this very issue back in 2012.... is 7 years plenty of time to consider it reasonable discloser to talk about it publicly? Damn right it is. NAME AND SHAME this horrible and dated practice!! https://www.rainierconnect.com... [rainierconnect.com]

  • by Anonymous Coward

    http://plaintextoffenders.com

  • "To all SEDC Customers: SEDC is aware of all the facts and timelines regarding the subject of this story. We have taken steps to address the situation. In terms of SEDC’s approach in dealing with this issue, SEDC refrained from speaking in detail about confidential elements of SEDC’s database and software with an unknown 3rd party as doing so could have potentially compromised our customers’ systems. There are No Violations The plain text password in question is not a violation of PCI-DSS
  • Doing a Google search for "you may choose to have your password e-mailed to you" (including quotes) gives 160 results, most of which appear to be utility companies.
  • Some interesting research, and while I agree with the premise that if a site can email you your password, it has substandard security, it does not mean those passwords are stored in plaintext. It's very possible that the passwords are stored in some encrypted form and the process for emailing the password has the resources to decrypt the password. Still, that is only marginally better than storing the password in plaintext. The issue is not how the password is stored (encrypted or not); it is the fact that
  • https://www.sedata.com/our-sol... [sedata.com]

    It includes:
    Cyber Awareness Education
    And....
    SEDC MSS (Managed Security Services)

    Just like a certain D (huge (only a minor bearch) consultancy), mebbe they don't need to do the stuff they tell you to do.

Technology is dominated by those who manage what they do not understand.

Working...