Why Storing Plain Text Passwords Is Bad
No matter what bad news we hear about passwords – leaks, security breaches, compromised security – in the right circumstances, they can actually provide very strong protection. The real weak link here is the user. If users could remember long and random passwords, the “problem of passwords” would not exist.
Passwords stored in plain text create another weak link exploitable not only by hackers but also insiders.
If we could remember passwords like v(tb_FbxzX63Le^Ud*qh or _xzeg7rACv!4W#KfB9Pa then hackers would stand no chance, and password security would actually be much better than what, for example, biometric methods can provide. When I say no chance, what I actually mean is with a probability so small that we really don’t have to worry about it (you can see a brief introduction to big and small numbers on this page).
We can use tools to achieve this and certainly here at sCrib we’re trying hard to finally introduce such products, but that isn’t the end of the story for password security.
The problem is that nothing we users can do can protect us from the weak implementation of password security on a server. Even if I choose a very secure, unbreakable password, nothing can protect me from someone just reading it from the server that checks it, if it is stored in plain text.
Proper design, good implementation, and thorough testing (including penetration testing) significantly reduce the risk of a server being hacked but these measures can never be entirely sufficient against a professional targeted attack. The security of the server must be based on multiple layers of security – “defence in depth” is the term we use. When implemented correctly, security incidents can be contained and the server restored fairly quickly.
Plaintext passwords make containment much more difficult because the attacker instantly compromises the security of all of a server’s users. You could argue that a server being directly attacked is an extremely unlikely event, but recent and repeated incidents on a very large scale (affecting millions of users) say otherwise.
Case for Plain Text Passwords
There are situations when passwords (or PINs) have to be stored in plain text. These cases however seem to be quite rare, and extreme security measures have to be implemented in order to protect the integrity of the system.