views: 480
answers: 6

When registering at a site the other day, one of their password requirements was that it couldn't contain any special characters, such as ' " = : ; < > ( )

While this alone doesn't indicate they don't hash their passwords, is it a strong indicator? If the password is hashed, these special characters will be translated into something else, and any harmful SQL will be turned into random characters. By virtue of the fact that they don't allow those characters, does it mean the password will be put into the database without being hashed?

I also registered on another site that appeared to have tight security and had good customer reviews. However, once I completed registration and got their welcome email, it included my password in plain text, which was an unpleasant surprise.

No one advertises their poor security, but what are some warning signs that your password may not be encrypted? Typically, you don't know how poor a site's security is until there is a break-in or massive data theft, and the average person on the site can't tell what is going on with their data.

Someone should create a site where you can highlight sites with poor security to steer customers away or shame the sites into changing their policies. I understand you have to have some trust in third party sites, but what are some warning flags that should turn you off of a site?

+3  A: 

Two things come to mind.

A: Just because you received an email with a plain text password doesn't mean it's stored in plain text. We encrypt and email out in plain text; it's bad practice, but a step up from plain text.

B: Use a password manager if you're worried about this type of thing. You can't control other people's password bad practices, what you can control is your good practices and the damage done if one of your passwords is compromised.

I use KeePass myself. It has a password generator whose rules you can modify so that you can have super obscure passwords (such as: YhdyLa1PJSftp7) specific to the site's criteria.

Gavin Miller
You hackerthief! How did you guess my password was YhdyLa1PJSftp7?
Phil H
1337 skillz of course!
Gavin Miller
Thanks for the link to KeePass... I really needed a good Password Mgr!:-)
Cerebrus
+7  A: 

Generally you'll only find out when you get an account confirmation email or you ask to "send a new password" and you get the original in plain text instead of a random one or a password reset link.

I don't think any stupid rules on what can and can't be in a password are strong indicators. Your best bet is to use strong unique passwords for everything.

Rob Stevenson-Leggett
+1  A: 

Unfortunately, in general there's no way of knowing for sure whether a site stores your unhashed password.

While this alone doesn't indicate they don't hash their passwords, is it a strong indicator? If the password is hashed, these special characters will be translated into something else, and any harmful SQL will be turned into random characters. By virtue of the fact that they don't allow those characters, does it mean the password will be put into the database without being hashed?

No, it doesn't necessarily mean that. p -> q (i.e. allowing special chars -> password hashed (unless their security is laughably bad)) doesn't allow you to conclude ~p -> ~q (i.e. disallowing special chars -> password not hashed). In other words, it is possible that they disallow those characters but do still hash your password.

I also registered on another site that appeared to have tight security and had good customer reviews. However, once I completed registration and got their welcome email, it included my password in plain text, which was an unpleasant surprise.

It is possible that they generated the e-mail while the password was in memory, but only stored a hash. Though e-mailing a plaintext password is, as you say, not good security practice.

endtime
+1  A: 

The worst sign is if they CAN email you your password in plain text.

There's no guarantee that they're storing it in plain text, but if the encryption they are using is reversible then most of the developers of the site will know how the password is encrypted/decrypted and can probably read it.

Andy
The mail might have been sent while the password was still not encrypted.
Martin
Good point. I hadn't considered pre-encryption - I was thinking more from the "I've forgotten my password, please send it to my email address"
Andy
+1  A: 

If you get an email telling you that they're switching to a new system with a shorter password limit than the current system and that they will automatically truncate the password for you, that's a dead giveaway that they're storing passwords.

It happened to me with an online banking account recently. You would think that they would know better.

BTW, that doesn't tell you that they're stored in plaintext. They may well have been encrypted. But, from a security point of view, that's no better than storing them in plaintext. The actual passwords should never be stored in any form.

Ferruccio
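An added illustration (not code from any of the answers or from any site mentioned) of two points made above: with a salted, hash-only store, characters like ' " = : ; < > ( ) never reach the database as anything but hex, and a site with such a store cannot "truncate your password for you", because the full password is not there to truncate. The iteration count and field names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustrative PBKDF2-HMAC-SHA256 store
# (assumption: not any real site's settings).
ITERATIONS = 100_000


def make_record(password: str) -> dict:
    """Store only a random salt and the derived key, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Everything written to the database is hex: no quotes, semicolons or
    # angle brackets survive, whatever the user typed.
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive the key from the candidate and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def stored_fields_are_hex(record: dict) -> bool:
    """True if every stored string field is plain hex, i.e. no SQL or HTML
    metacharacters from the password ever reach storage."""
    hexdigits = set("0123456789abcdef")
    return all(set(record[k]) <= hexdigits for k in ("salt", "hash"))


def truncation_needs_plaintext(record: dict, password: str, new_max_len: int) -> bool:
    """A hash-only store cannot migrate to a shorter limit silently: the hash
    of the truncated password does not match the stored hash, so the user must
    re-enter it. A site that truncates for you therefore held the password
    (or a reversible form of it)."""
    return not verify(record, password[:new_max_len])


if __name__ == "__main__":
    pw = "pa'ss\"=:;<>()word"  # constructed password using the disallowed characters
    rec = make_record(pw)
    print("verify full password:", verify(rec, pw))              # True
    print("stored fields hex only:", stored_fields_are_hex(rec))  # True
    print("silent truncation possible:", not truncation_needs_plaintext(rec, pw, 8))  # False
```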
A: 

By virtue of the fact that they don't allow those characters, does it mean the password will be put into the database without being hashed?

No. It's generally a bad sign if some characters are disallowed (and incredibly irritating if you have a system for making up passwords with punctuation in), but it's not a red flag in itself. There are occasionally other technical reasons to disallow some characters (*), and very often stupid management policy reasons not to.

(*: in particular, HTTP Basic Authentication can't reliably include a ‘:’ character in a username, or any non-ASCII character in username or password.)

However, once I completed registration and got their welcome email, it included my password in plain text, which was an unpleasant surprise.

Yeah. Not good, but again it doesn't necessarily mean they're storing as plaintext; they could be sending the mail and then hashing it after that.

(Probably not though eh!)

what are some warning signs that your password may not be encrypted?

If a ‘recover password’ facility exists that can mail you the password after signup.

Someone should create a site where you can highlight sites with poor security to steer customers away

That would be nice, but then that someone would be constantly harassed by technically clueless but litigation-happy companies. And when most commercial sites are still also vulnerable to simple XSS or XSRF attacks, the list of “sites with poor security” would be much longer than “sites with good security”.

bobince