Plain Text Database Storage At Heart Of Online Dating Site Breach

Plenty of Fish just another website to get burned by storing unencrypted passwords within an insecure database
The data breach at dating website Plenty of Fish illustrates once again the dangers of storing unencrypted passwords within insecure databases. In fact, Plenty of Fish is just one of several online services in recent years to be embarrassed by data exposure caused by the disastrous combination of little to no encryption of passwords and poorly secured databases.

In recent memory, some notable security incidents caused by similar circumstances include the Gawker exposure in late 2010 and the RockYou exposure in late 2009.

"It's fairly common for websites to store plain-text passwords," says Luther Martin, chief security architect for Voltage Security. "The biggest reason that websites store plain-text passwords is that they don't know how to not do it. The easiest way to work around this requires understanding a bit of cryptography, which is an area which can be a bit inaccessible to many people."

The incident at Plenty of Fish hit the wires early this week after a bizarre set of circumstances led to the company's founder, Markus Frind, accusing a security researcher of extorting his firm for money and implicating security blogger Brian Krebs as being in on the scheme.

The researcher in question, Chris Russo of Argentina -- who had worked with Krebs earlier in 2010 to shed light on a breach at Pirate Bay -- reportedly found a SQL injection vulnerability in Plenty of Fish systems that made it possible to view username and password information for the dating service's accounts. He claims to have found the flaw after finding Plenty of Fish account information circulating in the underground hacker community.

Extortion accusations from Frind notwithstanding, the bottom line on the security front is that Plenty of Fish was, in fact, storing its passwords in plain text -- and, according to some blog commenters, sending password resets across e-mail in plain text.

"This happens quite a bit, particularly with companies the size of RockYou and Plenty of Fish -- smaller start-ups that are just getting their businesses going and are in high growth mode," says Gretchen Hellman, vice president of marketing and product management for Vormetric.

While Plenty of Fish did reset its passwords following the confusion with Russo and Krebs, the fact remains that even when exposures don't reveal credit card information or Social Security numbers, they have the potential to do damage because many people reuse username and password combinations across multiple accounts, including sensitive financial accounts.

"That begs the question: Do states need to expand the requirement for data breach disclosure laws to passwords and for other information that could be leveraged for identity theft?" Hellman says.

Regardless of whether they're forced into it by regulation, organizations need to do a better job of encrypting passwords to prevent situations such as the one facing Plenty of Fish. Voltage Security's Martin says the easiest way to improve password storage practices is to eliminate the storage of passwords altogether.

"It's easy to do this using what's called a hash function. By using hash functions, it's easy to eliminate plain-text passwords: Instead of storing a password, store a hash of a password. If you're storing a plain-text password, you'd ask for a user's password and compare it to what's stored in a database. If you store a hash of the password instead, you'd get a user's password, calculate the hash of the password, and compare that hash to the hash that's stored in a database," he says. "If you do that, you can check to see if a password's valid, but in a way that doesn't require actually storing a copy of the password. And doing this also doesn't require storing any cryptographic keys. If you were encrypting passwords you'd need to do that, and managing keys can get difficult and expensive to do well."
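The store-a-hash, recompute-and-compare flow Martin describes, as an added example that is not from the article or from Voltage Security. It goes beyond the quote by adding a per-user random salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256) and a constant-time comparison; the record format, function names and iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"   # label stored with each record (assumed format)
ITERATIONS = 600_000          # assumed work factor; tune to your hardware
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return the string to store in the database instead of the password."""
    # A fresh random salt per user means two users with the same password
    # get different records, and precomputed hash tables are useless.
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the login attempt and compare it to the record."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed record, e.g. a legacy plain-text row: never validates.
        return False
    if algorithm != ALGORITHM or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record uses a weaker work factor than the current policy."""
    parts = stored.split("$")
    return len(parts) != 4 or not parts[1].isdigit() or int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed sample account; the database only ever sees `record`.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("guess123", record))                      # False
```

A SQL injection that dumps this table yields only salts and derived hashes, and no cryptographic key has to be stored or managed.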

According to Hellman, it isn't just a matter of encryption, either. Organizations need to do a better job with defense in depth.

"I know that everybody was pointing to the fact that the passwords were stored in plain text, but the passwords were also exposed through a vulnerability in the database, so I think this points to the fact that defense in depth is required for databases," she says. "Data encryption is absolutely important, but at the same time you need a good patching model, and you need to implement a Web application firewall."
