Why Storing Passwords in Plain Text is A Horrible Idea

“Oh, dear. I have too many passwords and have no idea what to do with them.” This is a very normal reaction when you’re trying to diversify the passwords you’re using for various services. After all, you can’t use the same password for more than one service unless you want a single breach to hand attackers the keys to every other account you own. So, how do you manage all of these passwords? After discovering the Notepad program on your computer, you may have figured out the secret. You can just store all of your passwords in a notepad document on your local drive or in the cloud, right?

Actually, a plain-text password list on your computer (or anywhere else, for that matter) is an open invitation to a breach. You’ll have hackers piling up like hipsters at the Apple store during the release of a new iPhone. It doesn’t matter how strong your passwords are: if they sit in a readable file, any malware on the machine, anyone who borrows or steals it, and anyone who gets into the cloud account it syncs to can read every one of them at once. ZDnet reports that 48 percent of 22 million scanned computers had malware installed, and getting rid of it is often harder than pressing a button in your antivirus software.

Believe it or not, there’s an even worse problem!

Let’s say you don’t store passwords on your computer. You’re still not in the clear. Many websites have gone the lazy route and store passwords in plain text in their databases instead of hashing them. That’s the equivalent of putting up a billboard with “Hack Me!” written on it, then your URL right below it. There’s absolutely no excuse for it: in PHP, a properly salted, deliberately slow password hash is one call to password_hash(), and checking a login is one call to password_verify(). Note that hashing, not encryption, is what you want here. A site never needs to recover a user’s password; it only needs to check whether the one just submitted matches. And resist the temptation to reach for md5() or sha1(): they are fast, unsalted digests built for other purposes, so a leaked table of them can be attacked with precomputed lookup tables and GPU rigs at billions of guesses per second. Unsalted MD5 is marginally better than plain text, but it is not a defense. Use a purpose-built password hash such as bcrypt, scrypt, Argon2 or PBKDF2 with a random per-user salt; password_hash() takes care of the salt and uses bcrypt (or Argon2 if you ask for it).

There you go. If you are developing a website, we just gave away the “secret” to storing hashed passwords that many seem to be ignoring entirely.
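To make the difference concrete, here is an added example (not code from the original post) showing the unsalted md5() approach next to PHP’s password_hash()/password_verify() API, plus a toy precomputed-table lookup that shows why a leaked md5 table is trivial to reverse. The password and the word list are constructed sample values; the function names are ours.

```php
<?php
// Added example, not from the original post. Requires PHP 5.5+ for
// password_hash()/password_verify(); PHP 7.0+ for the return types below.
declare(strict_types=1);

// WEAK: what "just call md5()" gives you. No salt and one fast digest, so
// identical passwords produce identical hashes and a stolen table can be
// attacked with precomputed lists. sha1() has exactly the same problems.
function storeWeak(string $password): string
{
    return md5($password);
}

// STRONG: password_hash() picks a random salt, embeds the salt and the cost
// parameters in the returned string, and uses a deliberately slow algorithm
// (bcrypt for PASSWORD_DEFAULT; Argon2id via PASSWORD_ARGON2ID where the
// PHP build supports it).
function storeStrong(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login check. Never compare hashes with ==; password_verify() reads the
// salt and cost back out of the stored string and compares in constant time.
function checkLogin(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// When you raise the cost factor later, upgrade old hashes transparently at
// the next successful login. Returns the new hash, or null if none is needed.
function maybeUpgrade(string $password, string $storedHash): ?string
{
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        return password_hash($password, PASSWORD_DEFAULT);
    }
    return null;
}

// What an attacker does with a leaked md5 column: compute md5 once per
// candidate word, then look up every stolen hash in the table. Real tables
// hold billions of entries; this constructed list is just enough to show it.
// The same trick is useless against password_hash() output because every
// row has its own salt and every guess costs a full bcrypt run.
function crackWeak(array $wordlist, string $weakHash): ?string
{
    $table = [];
    foreach ($wordlist as $word) {
        $table[md5($word)] = $word;
    }
    return $table[$weakHash] ?? null;
}

// Constructed sample input.
$password = 'summer2014';
$wordlist = ['password', '123456', 'summer2014', 'letmein'];

$weak   = storeWeak($password);
$strong = storeStrong($password);

echo "md5 (same every run, no salt): $weak\n";
echo "password_hash (different every run): $strong\n";
echo "login with right password: "  . var_export(checkLogin($password, $strong), true) . "\n";
echo "login with wrong password: "  . var_export(checkLogin('wrong', $strong), true) . "\n";
echo "md5 recovered from wordlist: " . var_export(crackWeak($wordlist, $weak), true) . "\n";
echo "rehash needed now: "          . var_export(maybeUpgrade($password, $strong) !== null, true) . "\n";
```

Run it with `php hash_demo.php`. Running it twice shows the point of the salt: the md5 line is identical each time and falls straight out of the word list, while the password_hash line changes on every run and still verifies.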

Determining if a website stores your password in plain text is your responsibility.

The vast majority of people don’t even know how to tell if a website is storing their passwords in plain text. We’re going to tell you how:

  • Log out of the website you suspect might be storing your password in plain text.
  • Click “Forgot your password?” or something similar in the login prompt.
  • Wait for the email. Does the email contain your password, or does it give you a link to reset it?

If a website can tell you your password, it didn’t hash it. You can’t “un-hash” a password; a hash only lets the site check whether the password you type matches what it stored. A site could in principle decrypt a reversibly encrypted password, but a site that encrypts instead of hashing and then mails the result to you is no better off in practice: whoever steals the database and the key gets the same plain text. So when a site emails you your existing password, the only conclusion left is that it stores it in plain text or in a form it can trivially reverse, and an attacker who breaches it can do the same. (One caveat: a welcome email that echoes the password you just typed at signup proves nothing about storage, because the site still had the plain text in hand at that moment. The reset test above is the reliable one.)

What to do if a website stores your password in plain text.

If you see that a website is storing your password all willy nilly in plain text, delete your account there. You don’t want anything to do with such sites. Either that, or accept the fact that your account there will eventually be breached. Either way, change that password anywhere else you may have used it, and never reuse it for another service.

After you’ve deleted your account (you’re really in for a nasty surprise if you didn’t do that), email the webmaster or whoever administers the site with an explanation as to why you deleted it. Of course, you can include a link to this post.

What if you store your passwords on your computer or in the cloud?

Having tons of passwords means that you have to manage them somehow. What if you’re fatigued by the number of passwords you have to type into all sorts of different login prompts? Do you just commit them to memory? Are you really capable of remembering every single password you use?

Don’t fret! Just use PerfectCloud’s SmartSignin. Our software allows you to store as many passwords from various services as you’d like. The passwords are encrypted with a key that you create, and the encryption and decryption happen on your computer rather than on our servers, so the plain text never has to leave your machine. This ensures the most powerful identity security available today (and tomorrow, and perhaps until the sun swallows up the earth).

Make sure your passwords are never stored in plain text!

No matter what effort you put into securing your identity, there will always be holes in it if you have accounts on sites that store your passwords in plain text. Don’t procrastinate. Take some time today to verify that every site you use hashes your password. Don’t stop until the only accounts you have left send you a reset link, not your password, when you ask for it. Once you’re done, you will have at least secured your passwords enough for any other security you stack on top of them to be effective.