Jamie Thomson

Thoughts, words and deeds

JustGiving.com store passwords in clear text

with 6 comments

Yesterday I attempted to log in to www.justgiving.com and discovered that I had forgotten my password. They have a “Forgotten your password” link which I used and was startled to find that they emailed me my actual password rather than emailing a link with which I could reset the password. This is BAD – it means they are storing passwords in clear text and are wide open to the type of hack that hit Gawker recently. I emailed them with the following remarks:

Hello,
I have just discovered that JustGiving.com stores user passwords in plain text in your database. I have no wish to be registered with an organisation that is so lackadaisical with their users’ security and hence I wish for my membership to be ceased and all my details removed from your database.

Please could you let me know when this has been done.

Thanks in advance
Jamie Thomson

Today I received this reply:

Thank you for your message about our emails and how we can improve the way we communicate passwords to our users.

Please note that the way we store card details is completely secure. We comply with Payment Card Industry standards, which means that a JustGiving login (email address and password) is not enough to make a donation. Card details aren’t visible in full to our account holders and we don’t store card security codes.

We send out login details and password reminders in clear to account holders as do several other major websites. However, as you have rightly pointed out, this may be a cause for concern for users and we’re looking at how best to address it.

We’re always working to improve our communication to users and welcome any suggestions you may have for us.

I have deactivated your account as requested. Please get back in touch if you’d like it re-activated at any time.

(emphasis is mine)

I’m disturbed that they think storing payment card details in an encrypted format is sufficient for protecting their users’ personal details, and likewise I don’t like that their justification for putting their users at risk is “other websites do it”. On the plus side they have deactivated my account and said they are looking into a better way of storing passwords in the future. I replied with the following:

Hello Gillian,

Thank you for your reply.

You note that card details are stored in an encrypted format but clearly passwords are not. Here is a case study of another company that stored passwords in a similar way and was later hacked: http://www.computing.co.uk/ctg/news/1931991/gawker-passwords-hacked. I find it rather strange that you try to justify this by effectively saying “other people do it”.

Nevertheless I appreciate your response and action on my behalf. Please can you confirm that all my details have been removed from your database – simply deactivating the account is not sufficient.

I will update this post if I get a reply!

@Jamiet


Written by Jamiet

April 17, 2011 at 8:27 pm

Posted in Uncategorized

6 Responses


  1. ouch.. definitely not best practice at work there!

    mark mann

    April 17, 2011 at 8:48 pm

  2. How do we know that the password isn’t encrypted in their database?

    Surely they might be decrypting it before emailing it out? Isn’t the point of encryption that you can get back to the original! They admit to emailing passwords in clear text but not to storing them.

    Of course most peeps just store a password hash. Which has its own problems (Rainbow Tables, etc, etc)!

    I’d stick to donating a few quid into charity tins! Assuming they are genuine ones 😉

    jez

    April 17, 2011 at 9:13 pm

    • Hi Jez,
      “Isn’t the point of encryption that you can get back to the original”
      Not when it comes to passwords, no. Absolutely not. For passwords encryption should be one-way, i.e. a password can be encrypted but it should not be possible to go from the encrypted value back to the password.

      “How do we know that the password isn’t encrypted in their database?”
      It may well be, but if a computer can decrypt it then so can a human being.

      JT

      Jamiet

      April 17, 2011 at 10:11 pm

  3. This is crazy and I’m amazed like you guys that they are passing it off with “other people do it”.

    …off to ask for my details to be removed too.

    Nigel

    April 17, 2011 at 9:39 pm

  4. Even if they are encrypting I’d be curious to know why they or any other organisation need to know your real password when a hash will suffice!

    Atul Thakor

    April 18, 2011 at 1:36 am

  5. Good grief 😐

    No excuses for plain text passwords, or reversible encryption. They do not need to know your password. Hash functions.

    These days we should all also be encouraging the use of Javascript hashing in browsers which support it (following progressive enhancement), so that even under an SSL connection, ideally your plain text password never leaves your browser, and only the hash is ever transmitted.

    Ed Gillett

    April 18, 2011 at 9:25 am
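The post and the comments above make two points: a site should never be able to email a user their password back, and the fix is one-way (salted, slow) hashing plus a reset link instead of a reminder. The following is an added example, written for this page and not code from JustGiving or from the blog author, showing both halves in Python's standard library: PBKDF2 password storage where the stored record cannot be turned back into the password, and a single-use, time-limited reset token of which only a hash is kept server-side. The user store, iteration count, token lifetime and e-mail addresses are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example; in-memory stores stand in for database tables (assumption).
PBKDF2_ITERATIONS = 200_000  # assumed cost; raise it as hardware allows
RESET_TOKEN_TTL = 15 * 60    # assumed lifetime of a reset link, in seconds

USERS = {}         # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # sha256(token) -> {"email": str, "expires": float}


def _derive(password: str, salt: bytes) -> bytes:
    """One-way key derivation: password + salt -> 32 bytes. There is no inverse,
    so a 'password reminder' e-mail is impossible to build from what is stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(email: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; the password itself is discarded."""
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _derive(password, salt)}


def stored_record(email: str) -> dict:
    """What a database leak would expose for this user: salt and hash only."""
    return USERS[email]


def verify_password(email: str, password: str) -> bool:
    """Recompute the hash from the offered password and compare in constant time."""
    rec = USERS.get(email)
    if rec is None:
        # Spend the same work for an unknown account so timing does not reveal
        # which e-mail addresses are registered.
        _derive(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))


def begin_reset(email: str, now=None) -> "str | None":
    """Create the token to embed in a reset link. Only its SHA-256 is stored, so a
    leaked RESET_TOKENS table cannot be used to take over accounts. Returns None for
    an unknown address; the web layer should reply identically in both cases."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode("utf-8")).digest()
    RESET_TOKENS[key] = {"email": email, "expires": (now or time.time()) + RESET_TOKEN_TTL}
    return token


def complete_reset(token: str, new_password: str, now=None) -> bool:
    """Consume the token (single use), reject it if expired, and re-salt/re-hash."""
    key = hashlib.sha256(token.encode("utf-8")).digest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None or (now or time.time()) > entry["expires"]:
        return False
    register(entry["email"], new_password)
    return True


if __name__ == "__main__":
    # Constructed sample walk-through.
    register("alice@example.com", "correct horse")
    print("stored:", stored_record("alice@example.com"))           # salt + hash, no password
    print("login ok:", verify_password("alice@example.com", "correct horse"))
    tok = begin_reset("alice@example.com")
    print("reset link token (sent by e-mail, never stored in clear):", tok)
    print("reset done:", complete_reset(tok, "new pass"))
    print("old password still works:", verify_password("alice@example.com", "correct horse"))
```

Two design points worth noting. The reset token is the only thing that should ever reach the user's inbox, and because the server keeps just its hash, the e-mail itself is the single copy. And on the client-side hashing idea raised above: a hash computed in the browser simply becomes the credential the server sees, so the server must still salt and stretch it exactly as this code does; it changes what is transmitted, not what must be stored.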
