Stop Storing Unencrypted Passwords!

Doctor Fox

I was called over today by a person doing application support to help troubleshoot a database connectivity issue. This isn't a big deal and something that's a regular job task for a database administrator. But then he did something that totally floored me.

He went into the registry, copied the password (in plain text), and used it to test the database connection. See, the application stores the username and password in the registry and encrypts neither. Yes, this is in the year 2012. What makes things worse is that this is a relatively new version of the software, released in the last couple of years. This software's target audience is enterprise-class organizations. And they've been operating on the Windows OS for years. So all of the standard excuses for why they might make this mistake don't hold in this case.

Look, vendors, if you store the username and password without encryption, whether in a text file or in the registry, then you've given every administrator those credentials and they don't even have to work for it. Depending on how you've secured the permissions on that file or key, the situation might be even worse. In any case, there is no excuse now for doing such things. Encryption algorithms are readily available. Computing power is not significantly impacted if you have to decrypt a single username/password. We've been doing it for years.

So if you're a vendor and you're doing it the wrong way, please, please, PLEASE, put it in your next enhancement build to fix this. It's not hard. It helps out overall security. It brings about non-repudiation. And it's a well-known, well-documented security best practice that should always be followed. PLEASE? Or do we have to start embarrassing you by posting names and software applications on-line like what was done with applications that couldn't play nicely under the UAC? This is beyond ridiculous.
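To show how little work the fix is, here is an added example (not code from the post or from the vendor in question) that puts the plaintext-in-the-registry mistake next to the DPAPI-protected form Windows has offered for years. The key path and value names are placeholders, and it assumes Windows PowerShell 5.1 or later running with rights to write under HKLM.

```powershell
# Added example: plaintext registry credential vs. the DPAPI-protected form.
# Key path and value names are hypothetical placeholders, not a real product's.
Add-Type -AssemblyName System.Security

$KeyPath = 'HKLM:\SOFTWARE\ExampleVendor\App'   # placeholder vendor key

# --- The mistake from the post: password stored in the clear as REG_SZ ---
function Save-PlaintextCredential {
    param([string]$User, [string]$Password)
    New-Item -Path $KeyPath -Force | Out-Null
    Set-ItemProperty -Path $KeyPath -Name 'DbUser' -Value $User
    # Anyone who can read the key can read this value with regedit.
    Set-ItemProperty -Path $KeyPath -Name 'DbPassword' -Value $Password
}

# --- Corrected: DPAPI (machine scope) with application-specific entropy ---
$Entropy = [Text.Encoding]::UTF8.GetBytes('ExampleVendor.App.DbCred.v1')

function Save-ProtectedCredential {
    param([string]$User, [string]$Password)
    $plain = [Text.Encoding]::UTF8.GetBytes($Password)
    $blob  = [Security.Cryptography.ProtectedData]::Protect(
                 $plain, $Entropy,
                 [Security.Cryptography.DataProtectionScope]::LocalMachine)
    [Array]::Clear($plain, 0, $plain.Length)       # don't leave the secret in memory
    New-Item -Path $KeyPath -Force | Out-Null
    Set-ItemProperty -Path $KeyPath -Name 'DbUser' -Value $User
    Set-ItemProperty -Path $KeyPath -Name 'DbPassword' -Value $blob -Type Binary
}

function Get-ProtectedCredential {
    $blob  = (Get-ItemProperty -Path $KeyPath).DbPassword
    $plain = [Security.Cryptography.ProtectedData]::Unprotect(
                 $blob, $Entropy,
                 [Security.Cryptography.DataProtectionScope]::LocalMachine)
    try     { return [Text.Encoding]::UTF8.GetString($plain) }
    finally { [Array]::Clear($plain, 0, $plain.Length) }
}

# Audit check: a REG_SZ password value is the smell; a REG_BINARY blob is what you want to see.
function Test-RegistryPasswordIsPlaintext {
    $kind = (Get-Item -Path $KeyPath).GetValueKind('DbPassword')
    return ($kind -eq [Microsoft.Win32.RegistryValueKind]::String)
}
```

LocalMachine scope ties the blob to that host (a copied blob is useless elsewhere), but anyone who can run code on the box with access to the key can still call Unprotect, so restrict the key's ACL to the application's service account, or use CurrentUser scope if the application runs under a dedicated account.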
