Passwords should not be stored in plain text

Let me repeat… Passwords should not be stored in plain text… ever!

So Practical Pentest Labs have had a fun week on Twitter.  If you’re not sure what I mean, check out this Tweet.  They made this bold statement…

We don’t allow users to pick passwords so that we don’t store any of your sensitive information. Instead, passwords are randomly generated by the system and they need to be stores in plaintext so that we can send you the reminder in case you forgot it.

This is clearly a system that was built for their convenience, and not with user experience in mind at all.

There are very broadly speaking, two types of users (with 99% of people somewhere on a scale between the two)…

  1. Technophiles – people who love tech – these people are more likely to have a password manager, understand that password re-use is bad, and therefore want to generate their own strong password, not have one given to them
  2. Technophobes – people who are scared of tech – these people, if they’re given a complex password that they can’t remember, are going to write it down (and lose it) or forget it, most likely the later

Being generous of spirit, I will assume that the reason Practical Pentest Labs went with this solution is to stop credential stuffing attacks, as the password generated cannot have been used anywhere else.  However, once a technophobe has written down this excellent password, what are the chances of them re-using it again?  Just because the password was only used once when it was generated, doesn’t mean it will never be used again.

Even if it made sense to generate a new password for them (which it doesn’t, just to be clear), why does that mean that it needs to be stored in plain text?  You could still store the password properly (ideally with a strong one-way hashing algorithm, like Bcrypt or Argon2) and then when they forget their password, generate a new one.

Better yet, don’t ever send out a password to someone by email, email isn’t secure and it causes all kinds of user experience problems (and customer support issues) with delivery delays, spam filters, etc..  Use a password reset link, where they come to a screen and enter their own password.  Or you generate one for them, if you have to, but show it to them on your secured website where they have the reassurance of authenticity and you can control the delivery, don’t push it out via email and hope for the best.

WordPress is largely pretty good at this – it does suggest a strong generated password, but allows the user to set something else if they’d like.  It works well with password managers, as it doesn’t try to block pasting into the fields, or any of that insanity.   My only complaint is that the password storage hashing is a bit weak, which is why I wrote my Better Passwords plugin.  This also lets you control the minimum length, which is the only complexity rule you actually need.