PRWeb Stores Passwords In Clear Text
It is 2012, and with web threats growing you would expect to see increased measures to protect user credentials. We hope that in the wake of events with LinkedIn and eHarmony others realize the importance of an increased security posture.
Consider the recent LinkedIn, eHarmony or similar breaches in the past to see how important this topic has become.
Back to the topic at hand…
For some crazy reason I was looking at PRWeb today and forgot to save the password I had chosen. As we all do, I clicked on the forgot password link and got this pretty email from them:
Here is your login information for PRWeb.
Log In URL: https://app.prweb.com/Login.aspx?LanguageID=1033&SkinID=-1
PRWeb, a Vocus, Inc. Company
Oh no…they didn’t… Yes, they do!!! Do you see the problem?
They are storing your password in clear text and sending it in the clear as well, via email. At no point was I required to change it; I could go on about my day using the same credentials as if nothing had happened.
Now, go back to the recent breaches. At least the passwords were hashed, making it much harder to identify and break all the accounts (especially the ones with good passwords). On PRWeb, there would be no work for anyone to do, other than gaining access.
It also means that anyone with access to their database can easily see the password for all the users. This is an example of what you should not do if you’re storing credentials for your users.
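For contrast with the behaviour described above, here is an added example (not PRWeb's code or anything from the original post) of storing only a salted scrypt hash and handling "forgot password" with a single-use, expiring token instead of emailing the password. The in-memory dictionaries, function names, cost parameters and 15-minute lifetime are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

# scrypt cost parameters (assumed values for illustration; tune for your hardware)
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)
RESET_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)

users = {}   # username -> {"salt", "hash"}; stands in for the user table
resets = {}  # sha256(token) -> (username, expiry); the raw token is never stored

def set_password(username, password):
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    users[username] = {"salt": salt, "hash": digest}

def check_password(username, password):
    rec = users.get(username)
    if rec is None:
        return False
    digest = hashlib.scrypt(password.encode(), salt=rec["salt"], **SCRYPT)
    return hmac.compare_digest(digest, rec["hash"])  # constant-time compare

def start_reset(username, now=None):
    """Return a one-time token to email; there is no stored password to send."""
    if username not in users:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    resets[key] = (username, now + RESET_TTL)
    return token

def finish_reset(token, new_password, now=None):
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = resets.pop(key, None)  # single use: consumed on first attempt
    if entry is None or now > entry[1]:
        return False
    set_password(entry[0], new_password)
    return True

if __name__ == "__main__":
    set_password("alice", "constructed-sample-pw")  # constructed sample data
    token = start_reset("alice")
    print("email contains only a reset token:", token)
    print("reset ok:", finish_reset(token, "new-sample-pw"))
    print("old password still works:", check_password("alice", "constructed-sample-pw"))
```

With this layout, someone who reads the database sees salts, hashes and token digests, none of which can be used directly to log in or be mailed back to the user as a password.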