Tuesday, 17 April 2012

FT.com and password protection?

I forgot my password for the FT.com site. Solution? Use a password recovery form, which I did, and received this email: 

Dear FT.com user,
Following your recent request, I am pleased to confirm that your FT.com password is:
Now that you have your password, we suggest that you change it for security purposes by going to your www.ft.com/your-account. Please note that your username/log in email address is case-sensitive, and may not be exactly in the case you entered it when requesting your password lookup. To log in to FT.com, simply enter your username/email address and password in the log in box in the top right-hand side of every screen. Use the link below to visit FT.com. http://www.ft.com If you have any questions, our Customer Service team will be happy to help. Visit us athttp://aboutus.ft.com/contact-us. Yours sincerely Customer Service The Financial Times Ltd, Number One, Southwark Bridge, London SE1 9HL, England. Registered Number 227590

Then I realised hat I actually had a record of my existing password, in the 1Password. I was rather surprised when I realised they actually sent me my current password. What this means to security? For starters, this indicates they do not store hash (such as SHA2) of my password but actual password, either in plain text or encrypted. This is poor development and security practice for 3 main reasons:
  1. The database field that stores password has limited length and such I am limited in the length of the password I can set 
  2. Administrators of the system can extract my password and impersonate me. 
  3. If the password is stored in clear, a SQL injection vulnerability in the application could allow hackers to retrieve my password. 
Furthermore, current best practice is to send password reset link in an email, not an actual password, whether current or new one. This ensures that when the email is intercepted and link is used by hacker, my click on the link will not work and I will most likely notice it.

Based on the concerns above I sent email to privacy office of FT.com and awaking the response. The email is below.

I am concerned of the password protection for my FT.com password. I requested a password reset and the system sent me my current password. That means that your system stores actual password, whether in clear or encrypted, and not a slated hash of my password. Also, as my password was sent to me via email, which does not offer any protection, I am concerned it could have been intercepted. 
The best practice is to send a link to a page where I can set my new password. My feeling is that security team was not able to put their input into the security design of your system properly. That begs the question what else is not up to best practice. 
I ask you to inform me what security controls you have to protect my data including password and why is it sent in clear in emails. Best regards 
Vladimir Jirasek

Updated on 10th May 2012:

I have received a response from FT today. I am actually quite pleased with the response as it shows FT does listen and acts on the feedback.

Dear Vladimir,

Further to my email dated 19 April I confirm that the FT password reset process was changed on 26 April 2012. Users who request a password reset are now emailed a link which prompts them to enter a new password, rather than providing their current one. I understand that you submitted your request on 17 April i.e. prior to these changes coming into effect.

We are in the process of rolling the new process out to requests submitted via mobile devices (such as an Ipad). I mention this in case you utilise the tool via a mobile platform in the near future and find that the new process has not yet been implemented.

I trust this answers your queries but if you have any further concerns please let me know.

Kind Regards,

The Financial Times Ltd
Number One Southwark Bridge
London SE1 9HL
Tel: +44 20 7873 3000



Post a Comment