Picture this scenario: tickets for your favourite music festival are just minutes away from going on sale. You’ve woken up early on your day off so you can be at your computer, logged in to your Ticketek account, and ready to hit that ‘Confirm’ button.
Alas, you’ve forgotten your password and can’t sign in. No worries though, you simply enter some personal details in the ‘Forgot password’ form and you instantly have your old password sitting in your email inbox, right there in plain black and white. Awesome, right?
Actually, it’s a giant red flag. As Fairfax notes, if a website you’re signed up to emails your password to you, it’s a sign that website has subpar security protocols and your password is out in the open to an unscrupulous developer or hacker.
Whilst we assume our passwords are hidden behind layers of Matrix-like encryption, a surprising number of major web outlets keep passwords in unencrypted plain text, making them vulnerable to anyone with access to the site.
“It is sloppy practice,” Insomnia Security consultant Adam Boileau told New Zealand’s The Wireless early last year, “and it’s generally indicative of bad practice in other areas of security”.
“The main thing we worry about is the fact that people often use the same password on other websites. If someone gets access to one of your passwords, it could mean access to other places like Gmail or Facebook.”
Boileau highlighted Ticketek, one of Australia and New Zealand’s biggest and most trusted ticketing providers, which relies heavily on online ticket sales and stores countless users’ credit card data, as a company that “should know better”.
“They’re a pretty big e-commerce site and it’s surprising that they still do that,” he said. “Generally what we see is that systems that are still using clear text storage are either really rubbish, or too-important-to-fix.”
According to Boileau, the right way to store a password is to not store the password itself, but rather a “hash” or representation of it. “Usually you create a one-way encryption,” he said. “Think the mathematical equivalent of putting a pig in a sausage grinder; you can’t crank the handle backwards and get a pig.”
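To make Boileau’s “sausage grinder” concrete, here is an added example (not code from the article, Ticketek, or any site it names) of the approach he describes: the site stores a salted, slow one-way hash and never the password itself. It uses PBKDF2-SHA256 from Python’s standard library; the iteration count and record format are assumptions for the illustration. Note that a site built this way cannot email you your old password because it does not have it; a “forgot password” flow can only issue a reset.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters chosen for this illustration (assumed, not from the article).
# Deployments should benchmark the iteration count on their own hardware.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'alg$iterations$salt$hash'.

    Only this record is written to the database. The password itself is not
    retained anywhere, which is what makes the process one-way.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES
    )
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    Verification never 'decrypts' anything: it grinds the candidate through
    the same grinder and checks whether the same sausage comes out.
    """
    try:
        alg, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record
    if alg != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, int(iterations), dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)


class UserStore:
    """Minimal in-memory account store standing in for a site's user table."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        return record is not None and verify_password(record, password)

    def stored_record(self, username: str) -> Optional[str]:
        """What a developer or intruder with database access would actually see."""
        return self._records.get(username)


if __name__ == "__main__":
    store = UserStore()
    store.register("festival_fan", "correct horse battery staple")  # constructed sample
    print("record in database:", store.stored_record("festival_fan"))
    print("login with right password:", store.login("festival_fan", "correct horse battery staple"))
    print("login with wrong password:", store.login("festival_fan", "hunter2"))
```

Because every user gets a different random salt, two accounts with the same password produce different records, and an attacker who copies the table has to guess each password separately, at 600,000 hash iterations per guess. Compare that with a plain-text table, where the copy itself is the breach.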
We certainly don’t mean to single out Ticketek, either. According to the website Plain Text Offenders, which has named and shamed some 3,100 websites, other Aussie organisations that should know better include Australia Post, Pizza Hut, The Good Guys, and even the ATO.
“So far we’ve got 46 sites that we know have reformed their ways,” Plain Text Offenders co-founder Omer van Kloeten told Fairfax last year. A conversion rate of 1.25 percent isn’t high, he admitted, but it’s better than nothing.
However, Ticketek isn’t among that 46. When alerted to the issue by a concerned Facebook user in 2012, the company simply replied, “Hey Adam, thanks for your feedback, we’ve passed this on.” Four years later, nothing has changed.
Another Ticketek customer complained about the company’s “sloppy” web security practices as recently as yesterday, with Reddit user luckblade writing, “Needless to say I wasn’t going to let them ‘securely’ store my credit card details.”
So what can you do to protect yourself? Don’t store your credit card details with a site you know to be a ‘plain text offender’ and make sure you have different passwords for different sites. Apps like 1Password and LastPass can help store passwords so you don’t need to remember them all.