Millions of Utility Customers' Passwords Stored In Plain Text (arstechnica.com)
schwit1 shares a report from Ars Technica: In September of 2018, an anonymous independent security researcher (who we'll call X) noticed that their power company's website was offering to email -- not reset! -- lost account passwords to forgetful users. Startled, X fed the online form the utility account number and the last four phone number digits it was asking for. Sure enough, a few minutes later the account password, in plain text, was sitting in X's inbox. This was frustrating and insecure, and it shouldn't have happened at all in 2018. But this turned out to be a flaw common to websites designed by the Atlanta firm SEDC. After finding SEDC's copyright notices in the footer of the local utility company's website, X began looking for more customer-facing sites designed by SEDC. X found and confirmed SEDC's footer -- and the same offer to email plain-text passwords -- in more than 80 utility company websites. Those companies service 15 million or so clients (estimated from GIS data and in some cases from PR brags on the utility sites themselves). But the real number of affected Americans could easily be several times that large: SEDC itself claims that more than 250 utility companies use its software.
Yes bad things will happen...like a criminal will pay my electric bill. Thanks, bad guy!
Many people use the same password for everything. So if you know the password they use to pay their electric bill, you also know the password to their bank account.
We need to have some basic security education. People should know that password reuse is bad, but they should also know that a website should not be offering to email them their plaintext password.
The login doesn't ask for the complete password. Instead, it asks for 4 selected characters from the password plus 3 selected characters from my PIN.
I don't see how they can validate a few characters from a password unless they have it stored in plain text.
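The two points raised in the comments above, that a site should offer a reset rather than email the password, and that a "type characters 4, 7 and 9 of your password" check is only possible if the password is stored in recoverable form, both come down to how the credential is stored. The following is an added illustration, not code from the article, from SEDC or from any utility site: a minimal account store that keeps only a salted PBKDF2 hash (so neither a plaintext email nor a partial-character check can be built on top of it) and implements password recovery as a single-use, expiring reset token. The iteration count, the in-memory dictionaries and the 15-minute token lifetime are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory "tables"; a real deployment persists these columns.
USERS = {}          # account_number -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"account": str, "expires": float}

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way, salted derivation. The plaintext cannot be recovered from the output,
    which is exactly why a 'we will email you your password' feature cannot exist here."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def set_password(account: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[account] = {"salt": salt, "hash": digest}


def verify_password(account: str, password: str) -> bool:
    """Full-password check only. A 'characters 4, 7 and 9' check is impossible with this
    storage, because the hash commits to the whole string and nothing else."""
    record = USERS.get(account)
    if record is None:
        # Burn the same amount of work for unknown accounts so response time does
        # not reveal whether the account number exists.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    _, digest = hash_password(password, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def recover_password(account: str) -> str:
    """The feature the utility sites offered. With one-way storage there is nothing
    to send, so the only correct implementation is to refuse."""
    raise NotImplementedError("plaintext is never stored; use begin_reset() instead")


def _token_key(token: str) -> str:
    # Store only a hash of the token so a leaked RESET_TOKENS table is not itself
    # a set of valid reset links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def begin_reset(account: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a single-use token to be delivered out of band (for example by email).
    Returns None for unknown accounts; the caller should show the same generic
    'if that account exists we have sent a link' message in both cases."""
    if account not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_token_key(token)] = {
        "account": account,
        "expires": (now if now is not None else time.time()) + TOKEN_TTL_SECONDS,
    }
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (it is removed whether or not it is valid) and set the new
    password. Expired, unknown or already-used tokens all fail the same way."""
    entry = RESET_TOKENS.pop(_token_key(token), None)
    current = now if now is not None else time.time()
    if entry is None or current > entry["expires"]:
        return False
    set_password(entry["account"], new_password)
    return True


if __name__ == "__main__":
    set_password("ACCT-0001", "correct horse battery staple")
    link_token = begin_reset("ACCT-0001")
    print("reset token would be emailed, not the password:", link_token)
    print("reset accepted:", complete_reset(link_token, "new passphrase"))
    print("old password still works:", verify_password("ACCT-0001", "correct horse battery staple"))
```

The design choice worth noting is that the reset path never touches the old credential at all: the server only proves that whoever holds the emailed token also controls the mailbox, then overwrites the hash. Anything the site can email you about your existing password is, by construction, something an attacker who reads that mailbox or that database also gets.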
Actually, this applies to two banks. Both UK based.
The real "Libtards" are the Libertarians!
How do you know your passwords are stored securely on any given website anyway? Most websites won't (and probably shouldn't) tell you how they store passwords/hashes. Even if they do tell you, should you trust them to tell the truth? The only defense is to never assume your password is stored securely and take measures (don't reuse, 2-factor, change often, etc.) accordingly.
I warned my ISP at the time, Rainier Connect, of this very issue back in 2012... is 7 years plenty of time to consider it reasonable disclosure to talk about it publicly? Damn right it is. NAME AND SHAME this horrible and dated practice!! https://www.rainierconnect.com...
http://plaintextoffenders.com
I would need to have an 'online relationship' with my utility companies for this to become a problem. I practice security-through-postage-stamps.
An example of why America needs more regulation. This doesn't happen in other western nations.
Sweden - https://www.bbc.com/news/techn...
Germany - https://www.theguardian.com/wo...
France - https://techcrunch.com/2018/12...
Spain - https://www.theinquirer.net/in...