01/06/2015 10:35 am ET Updated Dec 06, 2017

Security Shock: Why Did 2700 Websites Expose Our Passwords?


Why did they do it?

With all the data breaches and website hacking that have been going on, how on earth could big brands like AT&T, The New York Times, and Macy's needlessly expose their users' passwords?

Here's what I'm talking about and why you should be worried: my latest investigation for StateoftheNet.Net found that, over the past few years, more than 2,700 websites left their users' passwords in plain sight by placing them undisguised smack dab in the middle of e-mails to those users.

A Glaring Security Lapse

Security pros consider this a terrible security practice. Here's why:

"When a company sends a password in plain-text it is essentially inviting a user's account to be compromised," says Rick Redman, Senior Security Consultant at KoreLogic Security. "It also means that the company not only KNOWS your password, but stores it in a method that anyone can see...it is an insult to the customer. In my mind, it is the same as saying, 'we do not care about your security.'" (If a site stores passwords in plain text, it's even worse than sending them in e-mails, experts say.)

Government officials agree. "Sending a user's password in plain text increases the risk of unauthorized access," Mark Eichorn, Assistant Director of the Federal Trade Commission's (FTC) Division of Privacy and Identity Protection, told me.

It Gets Worse

When a website commits such a lapse, it puts more at risk than just the personal information stored in your account at that site. A survey that I reported on in 2012 for Consumer Reports found that nearly one in five consumers used the same password for more than five accounts. So by exposing the passwords their users had entrusted to them, the thousands of sites in question were also increasing the risk of a breach of their users' accounts at other institutions, such as retail, banking, and social network sites.

And that kind of risk could linger for months, or even years, according to Redman. "Most users don't change their passwords," he points out. "So an email with your password in it is sitting somewhere deep in your inbox, long forgotten by you, but it still has valid credentials in it."

What does all this mean for you? Two things: Sloppy online security is more widespread than you probably thought; it's hardly limited to the few websites that have been in the news. And even if you follow to the letter my recent advice on how to avoid a big password mistake, whenever you divulge your password to a website that sends or stores it in plain text, you might just as well have used the word "password" as your password.

We know about this massive security failure thanks to two public-spirited techies, Omer van Kloeten, Chief Technology Officer at New York-based app developer, AppMyDay and Igal Tabachnik, Lead Developer at OzCode. Fed up with having his own passwords repeatedly e-mailed to him in plain text, since 2011 van Kloeten has been posting examples of similar experiences that users send him at the site Plain Text Offenders (PTO), which he and Tabachnik created and he says is "dedicated to publicly shaming this horrible practice." He typically receives and posts evidence for several offenders per day. For the year 2014 alone, the site's archive contains more than 980 screen shots of offending e-mails. The full archive bulges with more than 2,700 examples dating back to 2011.

Who Are the Culprits?

Besides the three major brands I mentioned above, PTO's archive also contains examples of culpable e-mails from such brands as Fedex, J. Crew, Laura Ashley, Office Depot, Rhapsody, Seaworld, and Sprint, as well as examples from government sites, such as Indiana.gov and BoulderColorado.gov; local and regional businesses; and sites that appeal mainly to gamers or geeks.

I began this investigation in October by registering with roughly 20 of PTO's reported sites to see if they were still exposing passwords. E-mails containing passwords are usually sent either when you first register with a site or when you tell the site you have forgotten your password. When I tried this with my small group of sites, quite a few did not include my password in their e-mail responses. But some did: One retailer of electronic lab equipment included both my user name and password in its account confirmation e-mail. And PetSmart, which stores customers' credit card numbers on its site, sent me a temporary password in plain text when I told the site I had forgotten my old one.
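The two flows just described (registration and "forgot password") are where the offending e-mails come from, and Redman's point above is that a site can only e-mail your password if it kept it in readable form. The following added example, written for this article and not code from any site named here or from Plain Text Offenders, shows the offending design beside a safe one: the safe version stores only a salted PBKDF2 hash and answers a reset request with a random, single-use, expiring token. The 15-minute token lifetime, the `example.invalid` link and the usernames are assumptions.

```python
import hashlib, hmac, os, secrets, time

# --- Offending design: the site keeps the password itself, so it CAN e-mail it ---
plain_store = {}                      # username -> password exactly as typed

def offending_register(user, password):
    plain_store[user] = password

def offending_forgot_password(user):
    # The "reset" e-mail body is simply the stored password (what PTO documents).
    return f"Hi {user}, your password is {plain_store[user]}"

# --- Safe design: only a salted, slow hash is kept; a reset sends a one-time token ---
hash_store = {}                       # username -> (salt, pbkdf2 digest)
reset_tokens = {}                     # token -> (username, expiry timestamp)
TOKEN_TTL = 15 * 60                   # assumed policy: reset links expire after 15 minutes

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def safe_register(user, password):
    salt = os.urandom(16)             # fresh salt per user, per password change
    hash_store[user] = (salt, _digest(password, salt))

def safe_verify(user, password):
    salt, stored = hash_store[user]
    return hmac.compare_digest(stored, _digest(password, salt))   # constant-time compare

def safe_forgot_password(user, now=None):
    # The site cannot reveal the password (it never kept it); the e-mail carries
    # only a random token that is useless once used or expired.
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    reset_tokens[token] = (user, now + TOKEN_TTL)
    return f"Hi {user}, reset your password here: https://example.invalid/reset?t={token}"

def safe_reset(token, new_password, now=None):
    now = time.time() if now is None else now
    entry = reset_tokens.pop(token, None)        # single use: consumed even if expired
    if entry is None or now > entry[1]:
        return False
    safe_register(entry[0], new_password)        # re-salt and re-hash the new password
    return True
```

The sample password "kitten123" in the test is the one van Kloeten uses as an illustration later in this article.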

Most troubling to me were the e-mails I received from Princess Cruises, whose exposure of passwords had first been reported by PTO in May 2014. When I told the Princess site I had forgotten my password, the site, which may store such sensitive personal information as your address, birthdate, passport number, medical conditions, or sexual preference, e-mailed me my password in plain text. When I checked back with the site again on New Year's Day, it sent me this e-mail with my password in it:

[Screenshot: the January 1 e-mail from Princess Cruises containing the password]

The site's privacy policy says, "we take steps to protect your personal information and keep it secure." But, as noted above, security experts and government officials don't agree that e-mailing a password in plain text does keep personal information secure.

PTO's van Kloeten also maintains a list, called Reformed Offenders, of the good guys that he knows have stopped sending passwords in plain text. As of early January, 26 sites were listed. "I'm very hopeful. It's still an incredibly low percentage (less than 1 percent), but it's growing," he told me. He acknowledges that he hasn't had time to follow up regularly on every submission, so even he doesn't know just how many of the rest of the reported offenders may have reformed.

Earlier this year, software maker Dashlane, which offers a free password manager for consumers, published evidence that confirmed the sorry state of password security on many websites. Studying 100 of the top e-commerce sites in the U.S., it found that eight had sent passwords in plain text via e-mail. Among Dashlane's many other troubling findings were that 64 percent of the sites had questionable password practices and 55 percent still accepted some of the worst conceivable passwords, such as "123456."

What You Can Do

• If a website e-mails you your password in plain text, notify the owners of the offending site, if possible. Then report it to PTO using that site's submission form. PTO's van Kloeten welcomes submissions and offers a helpful FAQ that answers many of your questions. You may also want to report the incident to the FTC, which welcomes consumer complaints about such practices, according to Mark Eichorn. To file such a complaint with the FTC, use the FTC Complaint Assistant.

• Use a different password on each site plus a password manager, such as Lastpass, Keepass, or Dashlane. "Password Managers aren't perfect," says KoreLogic's Rick Redman. "And there is an inherent risk with using them, but the risk is much less than using the same password on every site."

• If a site you use (such as your bank, Google/Gmail, PayPal) offers two-factor authentication, a feature that provides extra security by requiring more than just a password for account access, take advantage of it.

• Look for telltale signs that a site isn't properly securing your password. Says PTO's van Kloeten, "You can be certain of it if the site shows you your password at any time. This can be in an email, on the site itself when viewing your account details, in a text message or even when conversing with a representative on the phone or via chat ("You forgot your password? Oh, it's kitten123."). If that's not the case, you can still be suspicious if, for instance, the site has weird restrictions like not letting you choose a long and/or strong password."

• To find out if sites you visit have ever been reported by PTO, install either the third-party Chrome Extension or the Firefox Add-on on PTO's tools page. I can't vouch for these tools' accuracy or security, but when I tried them myself they appeared to work and I didn't experience any noticeable problems. When they issue a warning, it doesn't guarantee that the site still exposes passwords in plain text, but does mean that it has been reported to have done so at some time since 2011.

How It Could Get Better

"We try to educate, not just shame," says van Kloeten. "Offenders who contact us are immediately pointed to our very detailed and lovingly crafted FAQs and I even take as much time as needed to help them understand why what they did was wrong and how to fix it. We also encourage our wonderful community to spread the word. Google has started working towards making the web more secure, like giving higher PageRank to sites that are all-SSL. I hope this trend continues."

I'll be reporting more soon at StateoftheNet.Net on issues that affect consumer online security and privacy.