
Storing Passwords in Plaintext: Websites’ Hall of Shame

Recently, in a security breach at LinkedIn, the hashed passwords of more than six million accounts were stolen and circulated on the web. The hashes were unsalted SHA-1 and the dump circulated without the matching email logins, which limited the immediate damage, but unsalted SHA-1 is fast to crack and a large share of those passwords were recovered within days. It was a serious lapse in security. The breach at Microsoft India's online store, early this year, produced a different story. When the site was hacked in February, the attackers found users' passwords stored in plain text. Several sites have been caught in the past storing passwords in a form that could be recovered. The Sony PlayStation site hack of last year was among the most notorious, and the kind that leaves a bad taste in the mouth.

Storing passwords in plaintext is inexcusable. Sadly, the practice is very common, particularly among small websites. According to the hacker who, some years ago, broke into a single site and stole 32 million passwords, 30% of websites store plain text passwords. The usual line of thinking is that the website is too small and obscure for anybody to bother hacking, or that its users are unimportant and low-value. This ignores the fact that users routinely reuse passwords. Even if a website's accounts hold nothing of value themselves, the login credentials are valuable, because the same email address and password very likely open accounts elsewhere. Attackers know this, which is precisely why they target small, obscure websites: their developers think exactly that, follow poor security practices, and when the password database is stolen the attacker walks away not just with logins for that site but with working credentials for Facebook, Gmail, PayPal and bank accounts.



While you can't control how a website stores your password, you can control which services you sign up for. Stay away from websites that store your password in plain text. Better still, use a different password for every website you sign up on, so that one leaked database compromises only that one account. Remembering so many passwords is hard, and this is where password managers like KeePass and LastPass come in.

A good way to find out whether a website stores your password in a recoverable form is to click the "forgot password" link. If the website emails you your existing password, it is storing the password itself (in plain text, or at best reversibly encrypted) rather than a one-way hash: a site that only holds hashes has no way to produce the password and can only send you a reset link. A signup confirmation email that repeats your password back to you is the same signal. Note that the test only works in one direction: a site that sends a reset link may still be storing plain text.
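As an added example (not code from the original post or from any of the sites it mentions), the Python below puts the three storage styles discussed above side by side: plain text, the unsalted fast hash LinkedIn used, and a salted slow hash. It shows why only the plain-text store can answer a "forgot password" request with the password itself, and how much cheaper an offline dictionary attack is against unsalted hashes than against salted ones. The user table, wordlist and iteration count are constructed for the example; PBKDF2-HMAC-SHA256 is one reasonable choice of salted slow hash (bcrypt, scrypt or Argon2 would serve equally), not something the post prescribes.

```python
import hashlib
import hmac
import os

# Constructed sample user table (not real data). Two users share a weak
# password, which makes the weakness of unsalted hashing visible below.
SAMPLE_USERS = [("alice", "summer2012"), ("bob", "summer2012"), ("carol", "Tr0ub4dor&3")]

# Constructed wordlist an attacker would run offline against a leaked dump.
WORDLIST = ["password", "123456", "summer2012", "letmein"]

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def store_plaintext(password: str) -> tuple[str, str]:
    """Hall-of-shame storage: the stored record *is* the password."""
    return ("plaintext", password)


def store_unsalted_sha1(password: str) -> tuple[str, str]:
    """Fast hash, no per-user salt: identical passwords give identical hashes."""
    return ("sha1", hashlib.sha1(password.encode()).hexdigest())


def store_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS) -> tuple[str, str]:
    """Salted, deliberately slow hash. Record format: iterations$salt_hex$dk_hex."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return ("pbkdf2_sha256", f"{iterations}${salt.hex()}${dk.hex()}")


def verify_pbkdf2(record: tuple[str, str], candidate: str) -> bool:
    scheme, value = record
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unexpected scheme {scheme!r}")
    iterations, salt_hex, dk_hex = value.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time compare so a login endpoint does not leak hash bytes via timing.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def password_reminder_mail(record: tuple[str, str]) -> str:
    """The 'forgot password' test from the article: only a store that keeps the
    password itself can put it in the mail; a hashed store can offer a reset only."""
    scheme, value = record
    if scheme == "plaintext":
        return f"Your password is: {value}"
    return "We cannot send your password. Use this link to set a new one: <reset link>"


def crack_unsalted(dump: dict[str, tuple[str, str]], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Unsalted: hash each word once, then look every user up in that table.
    Returns (recovered passwords, number of hash computations)."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {
        user: table[value]
        for user, (scheme, value) in dump.items()
        if scheme == "sha1" and value in table
    }
    return recovered, len(wordlist)  # cost does not grow with the number of users


def crack_salted(dump: dict[str, tuple[str, str]], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Salted: no shared table is possible, so every (user, word) pair costs a
    full PBKDF2 run. Returns (recovered passwords, number of PBKDF2 runs)."""
    recovered, work = {}, 0
    for user, record in dump.items():
        for word in wordlist:
            work += 1
            if verify_pbkdf2(record, word):
                recovered[user] = word
                break
    return recovered, work


if __name__ == "__main__":
    for store in (store_plaintext, store_unsalted_sha1, store_pbkdf2):
        print(store.__name__, "->", password_reminder_mail(store("hunter2")))
    sha1_dump = {u: store_unsalted_sha1(p) for u, p in SAMPLE_USERS}
    pbkdf2_dump = {u: store_pbkdf2(p) for u, p in SAMPLE_USERS}
    print("unsalted SHA-1:", crack_unsalted(sha1_dump, WORDLIST))
    print("salted PBKDF2: ", crack_salted(pbkdf2_dump, WORDLIST))
```

With the constructed data, the unsalted dump gives up both reused passwords after four SHA-1 computations in total, while the salted dump costs ten PBKDF2 runs of 200,000 iterations each for the same result, and every additional leaked user adds more work rather than falling out of the same table. That cost difference, not the hashing itself, is what buys users time to change a reused password after a breach.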

At Plain Text Offenders, you can browse hundreds upon hundreds of websites that exhibit a complete lack of regard for customer password security. Of course, the collection represents only a small fraction of the websites that follow sloppy password practices.

We’re tired of websites abusing our trust and storing our passwords in plain text, exposing us to danger. Here we put websites we believe to be practicing this to shame.

Regrettably, Plain Text Offenders is not easy to browse. The website has a search function, but it is broken. The site itself is a simple Tumblr blog that hosts user-submitted screenshots of password-reset emails received from a service, with the password in plain sight. A better implementation of the same idea exists on a second site, which even offers a Chrome extension that warns users when they visit a website known to store passwords in clear text. But its database is small.

If you happen to come across a service that emails you your password in clear text, take a screenshot, redact your personal information and submit it to the Plain Text Offenders Hall of Shame. I encourage you to contribute to the other project as well. And don't forget to notify the webmaster about their poor password security.

Photo credit: Big Stock Photo

[via Krebsonsecurity]

