BYOD & Plaintext Password Storage

Posted by on May 23, 2013

Most businesses have already made the switch to the cloud to capitalize on the efficiency and convenience cloud computing provides. But with news of rampant hacking successfully targeting everyone from major sectors of private industry to governmental agencies, online data storage and file sharing has brought up a whole new world of security concerns. Companies that have Bring Your Own Device (BYOD) policies in place for the sake of convenience and workflow must navigate around the dangers of password hacking and threats from third party attacks via mobile devices. Such devices, like phones and tablets, utilize apps that can scan and seize data like addresses. And users that connect to company email servers with mobile devices could even jeopardize the entire network if infected with malware, halting production and stalling profits.

The U.S. Army Corps of Engineers’ National Inventory of Dams was breached

Photo courtesy of the Department of Interior.

As more and more businesses realize the vulnerabilities of BYOD policies, many have turned to “secure” cloud storage and sharing services to enjoy the benefits of the cloud while minimizing the risk of attack. But the standard password protections of yesteryear no longer stand up to today’s sophisticated attacker. Recently, the hosting service Linode was hacked. In the breach, attackers accessed user credit card information and passwords held in the company’s database. The company issued a statement attempting to reassure users that their information was safe because sensitive data was secured with both public and private key encryption. But for company services like Linode Shell and Lish, some passwords were stored in the database in plaintext. These services allowed users unrestricted access to server consoles even during a network outage, which raises the question of why passwords guarding such privileged server access were ever stored in plaintext.

A Systemic Problem

It wasn’t too long ago that the hacker group LulzSec became a household name through the very public breach of SonyPictures.com. With just one simple SQL injection attack, the group was able to access the private information of over a million individual users. Everything from passwords to email addresses and birthdates was compromised as SonyPictures.com took no measures to properly secure such sensitive data, practically leaving private user information up for grabs by storing it all in plaintext.

Users were outraged, and from the consumer blowback it seemed that data storage services around the world would finally take data security and user privacy seriously. Unfortunately, such breaches are now so commonplace that they hardly make the news anymore. From the continued and common practice of storing sensitive information in plaintext to weak password protection schemes that give only the illusion of safety, many popular companies continue to be the worst offenders.

In 2012, Yahoo quietly suffered an attack on one of its sub-domains. By simply exploiting an insecure URL, hackers were able to seize over 400,000 user passwords from Yahoo’s Contributor Network. Most revealing of all, the sensitive files weren’t even encrypted. Instead, this industry leader chose to dangerously store user information in plaintext.


Image courtesy of ABCNews.com

But even when storage services take precautions to secure their users’ data, these attempts can often be halfhearted, still leaving information that should be completely private wide open to attack. The professional networking service LinkedIn was another recent victim of a password breach, with over six million hashed passwords leaked. Hashing helps secure passwords by running each one through a one-way function, so the database stores a fixed-length digest instead of the password itself, and the original password cannot be read back from the digest. While taking this first step, LinkedIn failed to take the second common measure of salting the hashed passwords. A salt is an extra random string, unique to each user, that is combined with the password before hashing; because two users with the same password then end up with different hashes, an attacker cannot run one precomputed table against the whole leaked set and has to work on each hash separately, making salted and hashed passwords much harder to crack.
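The difference between the unsalted scheme LinkedIn used and a salted, iterated one, as an added example (not code from the original post or from any of the companies it discusses). The user names and passwords are constructed sample data, and the salted scheme shown is PBKDF2-HMAC-SHA256 from Python's standard library, chosen here as one common salted option rather than anything the post prescribes:

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional

# Constructed sample data: two of the three users happened to pick the same password.
SAMPLE_USERS = {"alice": "Summer2013!", "bob": "Summer2013!", "carol": "correct horse battery"}


def unsalted_sha1(password: str) -> str:
    """The weak scheme behind the LinkedIn leak: a bare SHA-1 of the password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Salted, iterated hash: PBKDF2-HMAC-SHA256 with a fresh 16-byte random salt per call.
    The salt is not secret, so it is stored next to the digest in a '$'-separated record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_store(users: Dict[str, str], salted: bool) -> Dict[str, str]:
    """Simulate a credential table stored with either scheme."""
    return {u: (hash_password(p) if salted else unsalted_sha1(p)) for u, p in users.items()}


def accounts_with_shared_value(stored: Dict[str, str]) -> int:
    """Count accounts whose stored value is identical to another account's.
    In an unsalted dump this reveals password reuse before a single hash is cracked,
    and one cracked hash unlocks every account in the group; salts make the count zero."""
    counts = Counter(stored.values())
    return sum(n for n in counts.values() if n > 1)
```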

Salting and hashing

Image courtesy of QuickHeal.com

Though salting and hashing are by no means a complete defense, the failure of many big companies to undertake even these basic precautions just goes to show how widespread this problem has become. As PayPal chief information security officer Michael Barrett put it, “Password hacking is now the work for script kiddies.” Even the U.S. Army has had trouble securing its databases from attack, as shown by a recent breach of the U.S. Army Corps of Engineers’ National Inventory of Dams.

Secure Solutions

In the wake of the cloud computing revolution, a new group of cloud storage services has emerged, marketing themselves as secure solutions to third-party threats. But popular services like Dropbox have lately come under fire for the fact that employees have access to private, unencrypted user data. And even when data is encrypted, the encryption keys could still be obtained through savvy hacking or even through legislation like CISPA.

For users and businesses looking for a truly private storage solution, a zero-knowledge service provider like SpiderOak offers the convenience of the cloud while ensuring complete user privacy and anonymity. True zero-knowledge storage means that the company and its employees never have access to your password and plaintext encryption keys. Instead, the data encryption key is stored exclusively on the user’s computer, so that sensitive consumer information stays completely private.
