Half a Century of Practice: Who Is Still Storing Plaintext Passwords?

  • Erick Bauman
  • Yafeng Lu
  • Zhiqiang Lin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9065)


Text-based passwords are probably the most common way to authenticate a user on the Internet today. To implement a password system, it is critical to ensure the confidentiality of the stored password: if an attacker obtains a password, they get full access to that account. However, in the past several years, we have witnessed several major password leakages in which all the passwords were stored in plaintext. Considering the severity of these security breaches, we believe that website owners should have upgraded their systems to store password hashes. Unfortunately, there are still many websites that store plaintext passwords. Given the persistence of such bad practice, it is crucial to raise public awareness about this issue, find these websites, and shed light on best practices. As such, in this paper, we systematically analyze websites in both industry and academia and check whether they are still storing plaintext passwords (or used to do so). In industry, we find 11 such websites in Alexa’s top 500 websites list. Our analysis of almost 3,000 sites also shows that this is a universal problem, regardless of the profile of the website. Interestingly, we also find that even though end users have reported websites that are storing plaintext passwords, a significant number of website owners ignore these reports. On the academic side, our analysis of 135 conference submission sites shows that the majority of them are also still storing plaintext passwords despite the existence of patches that fix this problem.


Keywords: Dictionary Attack; Cryptographic Hash Function; Attack Vector; User Password; Password Management



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. Department of Computer Science, The University of Texas at Dallas, Richardson, USA
