Hash those Passwords

November 16, 2007

Spry recently had an embarrassing security breach, in which several email addresses and passwords were stolen.

To start with it appears that the breach was made through some malware/spyware installed on an employee's office computer. His username and password for the billing system were stored in a document unencrypted on his computer. This information was used to access parts of our billing system that, in retrospect, should have been protected better. There are many tools that we can use to limit the access to sensitive information, unfortunately the measures we had already implemented fell short of stopping this specific type of breach.

We are certain that credit card numbers were not exposed, however we do know that a limited number of email addresses and plain text passwords were exposed. We highly recommend that if your PayPal password was the same as your Spry password that you immediately change it.


There are at least two things that would have helped Spry here:

  • Hash those passwords - when you store a password, you shouldn't store the plain text password it should be hashed. If for some reason you need to be able to recover the password then you should encrypt it.
  • Apply the Principle of Least Privilege - My guess is that the Employee who stores his password in a word doc on his computer shouldn't have needed access to customer's passwords.

This also shows that large web hosting environments are not as secure as you might think they would be.

Related Entries

7 people found this page useful, what do you think?


And make sure your hash is salted: http://en.wikipedia.org/wiki/Rainbow_table AJ
try to show how it will be used wit the help of clear Example.
As early as 7 Popular dom Wimpffen had convened one additional government of combat,comprising above twenty generals.
MBT WALKING SHOES http://buy-alot.com/

Recent Entries