Friday, November 5, 2010

Please don't email me my password

This will be a bit of a technical blog - sorry about that, but since it's something I have tried to teach my Senior Info. Tech. students, it is probably worth knowing about. And unfortunately it appears that lots of people in IT haven't learnt it yet.

We want to keep our passwords secure, and IT people are constantly reminding people of what makes a good password (length, capital letters, numbers, symbols etc. in a random mixture where possible). And IT people are also the same people who push out regular password changes.

So why, then, do these same IT people so frequently choose to store my password in plain text in a database?

Just to explain what I mean by plain text - inside a database of users, there would be these two fields: "username" and "password".

eg. Username: Freddy95, Password: mysecretpassword

It might seem natural to store the username and password directly in these fields, but storing the password itself in the database is extremely bad practice.

But how, you may ask, do you check someone's username / password if you don't have their password stored?

The answer is a one-way function, known as 'hashing' (often loosely called one-way encryption). Think of it like a valve that lets water through in one direction but never lets it come back.

MD5 is a very common method, and for even better protection, include a "salt" (a random value stored alongside the hash and mixed into the password before hashing), which makes it exponentially harder to compromise by 'brute force attacks'.

eg. Username: Freddy95, Password: 4cab2a2db6a3c31b01d804def28276e6

(The computer has a way of getting from "mysecretpassword" to the hash shown above, but it cannot go the other way. You can check it using an MD5 generator, but you won't find any working 'reverse MD5 generators' - please don't sign up to any of the pages you find via that search!)
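As an added worked example (not the post's own code), here is how the record from the post's example is handled in Python: the password is never written to the row, only a random salt and the hash, and logging in means re-hashing whatever the user typed and comparing it to what is stored. It implements the salted-MD5 scheme the post describes and, beside it, PBKDF2-HMAC-SHA256, a deliberately slow hash that current practice uses for passwords in place of MD5, which is fast enough to be guessed against at very high speed. The username, password and record layout are the post's example values; the function names and the "scheme" field are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed sample record, in the style of the post's example: the
# username/password pair that must never be stored as-is.
SAMPLE_USERNAME = "Freddy95"
SAMPLE_PASSWORD = "mysecretpassword"


def md5_hex(text: str) -> str:
    """Plain MD5 of a string, the unsalted scheme shown in the post.

    It is deterministic: every user who picks the same password gets the
    same 32-character digest, which is exactly why a salt is added below.
    """
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def new_salt(nbytes: int = 16) -> str:
    """Random per-user salt from the OS CSPRNG, stored beside the hash."""
    return os.urandom(nbytes).hex()


def salted_md5(password: str, salt: str) -> str:
    """MD5 over salt + password: the 'salt' improvement the post describes."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


def pbkdf2_hex(password: str, salt: str, iterations: int = 100_000) -> str:
    """Slow, purpose-built password hash (PBKDF2-HMAC-SHA256).

    Same one-way idea as MD5, but deliberately expensive so that guessing
    passwords offline against a stolen table is far slower per attempt.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt), iterations
    ).hex()


def create_user(username: str, password: str, scheme: str = "pbkdf2") -> dict:
    """Build the database row. The password itself is never written to it.

    'scheme' is an assumed field of this example so a row records which
    hash produced it; a real table would hold the same three values.
    """
    salt = new_salt()
    if scheme == "md5":
        digest = salted_md5(password, salt)
    elif scheme == "pbkdf2":
        digest = pbkdf2_hex(password, salt)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {"username": username, "scheme": scheme, "salt": salt, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Check a login attempt by re-hashing the candidate with the stored salt.

    Nothing is 'decrypted': a match means the same input was hashed the
    same way. compare_digest keeps the comparison constant-time.
    """
    if record["scheme"] == "md5":
        digest = salted_md5(candidate, record["salt"])
    else:
        digest = pbkdf2_hex(candidate, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    row = create_user(SAMPLE_USERNAME, SAMPLE_PASSWORD)
    print("stored row:", row)
    print("correct password accepted:", verify_password(row, SAMPLE_PASSWORD))
    print("wrong password rejected:", not verify_password(row, "guess123"))
```

Run it and note two things about the printed row: the word "mysecretpassword" appears nowhere in it, and creating the same user twice gives two different hashes because each gets a fresh salt, so two users who choose the same password no longer share a stored value.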

Read an article here that outlines an example of where this happened. http://blog.moertel.com/articles/2006/12/15/never-store-passwords-in-a-database

The reason IT people don't follow this practice is not lack of knowledge or laziness, but simply so that they can email your password back to you if you've forgotten it.

If you've ever received an email from a company that includes your password in it, they are following this bad practice!!! (It's just a pity you can't know what they will do with your password while you are typing it into an online form; otherwise I wouldn't sign up with any of these companies!)

The risks associated with having your password stored in plain text are many:
  • If the database is 'stolen' (or sold) or compromised in some way, your username / password is there
  • Despite the IT people suggesting a different password for every account, it's likely that someone who got your username / password could try it on various other accounts (Ebay / Facebook / Paypal / Hotmail etc.) and likely find a match somewhere (is your username / password the same in each account??)
  • Even if the database is not 'lost' or 'compromised', an email they've sent with the password in it could be intercepted (or read on a local network via packet capturing etc.), or even simpler, be read over your shoulder in your email client!
  • Plus, I simply do not trust every single company online. It only requires one 'unethical' employee at one of those companies you've signed up with.

Is it any wonder that at the moment there are so many cases of people having their Facebook accounts hacked?? How many different places can you stick in your credentials with the many different Facebook applications and interfaces? (There's more to this which I might discuss in a different blog - Facebook applications are not stored on facebook.com but rather on individuals' / companies' servers - playing Farmville means you are allowing the Farmville server access to your Facebook information.)

So please don't email me my password; there are other ways of resetting it if I forget the 246th different password I've used on the net.

2 comments:

  1. It's worth remembering that even if the password is encrypted in the database, it's still sent in plain text over the internet (if not using https)... those little dots or asterisks in the password field don't do anything but hide it from people looking over your shoulder. See http://traviswilhelm.blogspot.com.au/2011/09/https-forgotten-security-measure.html for more information about https.

  2. A great video explaining these concepts and how not to store passwords, by Tom Scott, is here: https://www.youtube.com/watch?v=8ZtInClXe1Q