Hash those Passwords

web

Spry recently had an embarrassing security breach, in which several email addresses and passwords were stolen.

To start with it appears that the breach was made through some malware/spyware installed on an employee's office computer. His username and password for the billing system were stored in a document unencrypted on his computer. This information was used to access parts of our billing system that, in retrospect, should have been protected better. There are many tools that we can use to limit the access to sensitive information, unfortunately the measures we had already implemented fell short of stopping this specific type of breach.

We are certain that credit card numbers were not exposed, however we do know that a limited number of email addresses and plain text passwords were exposed. We highly recommend that if your PayPal password was the same as your Spry password that you immediately change it.

http://blog.spry.com/2007/11/14/security-breach/

There are at least two things that would have helped Spry here:

  • Hash those passwords - when you store a password, you shouldn't store the plain text password it should be hashed. If for some reason you need to be able to recover the password then you should encrypt it.
  • Apply the Principle of Least Privilege - My guess is that the Employee who stores his password in a word doc on his computer shouldn't have needed access to customer's passwords.

This also shows that large web hosting environments are not as secure as you might think they would be.



Related Entries

7 people found this page useful, what do you think?

Trackbacks

Trackback Address: 660/AF7424305B34392134F15EB0C5DBE926

Comments

On 11/16/2007 at 1:57:31 PM EST Aaron Johnson wrote:
1
And make sure your hash is salted:

http://en.wikipedia.org/wiki/Rainbow_table

AJ

On 12/10/2007 at 8:43:46 AM EST Raja wrote:
2
try to show how it will be used wit the help of clear Example.

On 10/29/2012 at 5:07:27 AM EDT MBT WALKING SHOES wrote:
3
As early as 7 Popular dom Wimpffen had convened one additional government of combat,comprising above twenty generals. MBT WALKING SHOES http://buy-alot.com/

Post a Comment




  



Spell Checker by Foundeo

Recent Entries



foundeo


did you hack my cf?