Tuts+ Premium Account Security Compromised

notes.envato.com

71 points by Lowgain 14 years ago · 69 comments

Dexec 14 years ago

http://net.tutsplus.com/tutorials/php/understanding-hash-fun...

pwny 14 years ago

Still storing clear text passwords in 2012, how the hell do these people have businesses? I mean, I learned about this stuff at age 12 while learning PHP on my own, how hard can it be?

Getting hacked happens, even to the best but come on, how many times will we have to read blog posts like this one before people wake up? How hard can it be to hash and salt your passwords?

Glad I wasn't one of their customers (and never will be) but it's frustrating how we can't trust anyone with anything these days.

  • pawelwentpawel 14 years ago

    "Our current Tuts+ Premium app makes use of a third party plugin that unfortunately stores passwords in cleartext (i.e. unencrypted)."

    "(...) with a plan currently in progress to upgrade away from the current plugin."

    Oh, it's the plugin fault. Not theirs. Blame it on the plugin.

  • stef25 14 years ago

    And it's a company that teaches web development ...

    • mnicole 14 years ago

      Serious question; all of these tutorial sites.. are any of them a reliable source for web dev or are they just another Smashing Magazine where people get paid to write about things they don't understand?

      • ineedtosleep 14 years ago

        IMO, Smashing is mostly typical blogspam with very occasional nuggets of good content. If you browse HN and some of the Reddit web/programming subreddits even somewhat frequently, both Smashing and tuts+ are pretty useless.

        • mnicole 14 years ago

          Yeah, I'm still trying to find the good dev subreddits. You get downvoted in /r/webdesign over some really pathetic crap but it seems to be the most active - any suggestions?

      • stef25 14 years ago

        Honestly I don't think their tutorials are half bad and I enjoy reading Smashing Magazine. Mainly for fluffy stuff. For security & scaling stuff go elsewhere.

        • mnicole 14 years ago

          I guess half-bad is subjective. I don't feel like a site that allows such a vast array of decent information vs. downright terrible/wrong is worth my time trying to decipher between the two.

          I know what I read on A List Apart is quality material from quality writers and people who have spent years and years in the field. Tommy the 17 year old graphic designer that only has mom-and-pop Wordpresses under his belt shouldn't be getting paid to tell thousands of people what's hot right now.

  • UnoriginalGuy 14 years ago

    In principle I agree: it is bad practice.

    But let's remember that either plain text or one-way hashed they will be broken eventually. The only thing hashing passwords buys you is a little bit of time before the "hacker" can use those passwords to access the compromised system.

    It doesn't, for example, protect you from password re-usage issues. You also have to reset the passwords either way.

    I think getting broken into is the biggest problem here; everyone has recently spent far too much time talking about hashes instead of asking questions about how the real break-in occurred at these businesses.

    • pwny 14 years ago

      False. Getting broken through will happen because there are so many holes to plug, while strong and slow hashing + salting (while being extremely easy to set up) will make it so it's not even worth it for the attacker to crack passwords when he/she inevitably gets in.

      Of course we need to plug holes in security and prevent people from getting in (SQL injection vulnerabilities are just as important an offence) but might as well protect the user's information when a breach happens. Especially since it's so much easier than the other way around.

      • UnoriginalGuy 14 years ago

        What is "false?"

        You deeply over-estimate how much effort it takes someone to break even correctly protected hashes. Most passwords are extremely poor and can be broken even without a rainbow table in less than a couple of hours.

        Hell I can spin up an EC2 instance right now for free (AWS Free) running Linux and then just leave it there for 12 months at zero cost; giving me a nice formatted list of e-mail addresses and passwords to be used on third party sites.

        At the end of the day most of these break-ins are news because the "hacker" got into a position to crack the user's passwords at all. What they do once they're in is not nearly as interesting from a learning perspective as how they got in originally.

        Why, for example, are user's passwords on web-facing servers at all? Why not use several commonly available login API infrastructures to off-load that task to a firewall-ed box that can only be managed via VPN?

        It isn't that crazy. It isn't that expensive either. A lot of software suites at minimum support a Kerberos protocol.

        • pwny 14 years ago

          While I completely agree with you that the attacker getting into the database is an issue in the first place, "what is false" is that this is an excuse to divert the problem from blatant lack of understanding of basic principles in security.

          My way of seeing this (and you might have a different opinion, which I respect as well. I want it to be clear my comment wasn't a personal attack) is that I use a strong password that would not be easily crackable by dumb bruteforce or rainbow tables. Therefore even if an attacker breaks in to a service that I use, steals database tables containing hashed and salted passwords and gets cracking, the likelihood that he/she breaks MY password is relatively low. Now the minimal effort from the company providing the service went to great length to complement MY effort of choosing a strong password.

          There are a lot of problems in security. Weak passwords and password reuse are the burden of the user. Correct storing of passwords and preventing intrusions are the burden of the developer. Neither of those are an excuse for skipping hashing and salting because "it can be broken easily". You mention 12 months yourself, I'm sure my bcrypt'd/salted 16 character non-dictionary word unique password would discourage any cracker (and take more than 12 months to crack) and all of that was a lot easier to set up than a dedicated password storage solution.

          Point is, do whatever you can to protect data. Better safe than sorry.

    • Smerity 14 years ago

      The issue is that if I were a hacker I'd have a program that: a) takes an email and password, b) checks if email is in ["gmail", "yahoo", "msn", "facebook", ...], c) attempts to access account using given password and then d) if successful, changes password / mines data.

      This is not difficult. There may even be programs that already exist for this. The only difficulty would be not getting blocked by those services after a large number of incorrect attempts, but leverage services like Tor/EC2/botnets and that becomes a null issue.

      With password hashing it would at least be _some_ amount of time between accessing the leaked data and havoc. Cleartext means disaster is instantaneous.

    • yashchandra 14 years ago

      "I think getting broken into is the biggest problem here"

      Perhaps. But that still does not undermine the importance of storing passwords securely with encryption. The idea is not to completely avoid an attack (crackers are pretty determined), the idea is to delay or make it harder for the bad guys. So yes, encryption matters a lot.

jgrahamc 14 years ago

We should start a new award for web sites with crap password security. Let's name it after Robert Morris (Senior) who essentially invented password hashing.

A Morris Award would be a bit like a Darwin Award for people who've failed to learn anything about password security and in doing so have been exposed.

Recent Morris Award winners: LinkedIn, last.fm, eHarmony, Tuts+, ...

  • nulluk 14 years ago

    I have talked about & mentioned something similar before, but bundling the whole thing into a browser extension.

    Every site you hit gets checked against a local list that's periodically updated. It throws up an information bar with bad security practices associated with the site you are browsing, everything from mailing plaintext passwords to the idiotic things like above.

    If it becomes trusted enough it might move some developers/organisations to actually take action, if not it will at least warn individuals of the obvious problems before they signup and not afterwards like at the moment.

    Edit: Last sentence didn't make sense.

    • yock 14 years ago

      Another criterion, perhaps...

      My wife loves to use Big Oven to find recipe ideas. I thought I'd also start using it so we could share those ideas more easily. When they rejected my password for having "invalid special characters" however...

  • creativityhurts 14 years ago

    More potential "winners" are here http://plaintextoffenders.com/

  • flyswatter 14 years ago

    I think for impact there should be one grand winner each year. Otherwise there will soon be too many to count I'm afraid.

    Maybe also an award for most silly password policy?

  • pwny 14 years ago

    I feel weekend project potential here!

matdes 14 years ago

I alerted them to the fact that their passwords were in plaintext a YEAR AGO. I got a response email on June 29, 2011 saying:

"Thanks for reporting the issue of plain text passwords to us. It's how passwords are handled with the membership software we use for Tuts+ Premium, which isn't extremely well coded and something we want to rebuild from scratch. In the mean-time our dev team will be hacking the software to bring password security up to the best practices we advocate on our Tuts+ sites, like Nettuts+."

Not only was this issue brought up to them, they stated very clearly that they were working to bring their password security up to best practices. In a YEAR, they couldn't hack on a password hash or rebuild their plugin from scratch?

If anyone knows if there is a lawsuit pending that could use my email as evidence, please let me know.

vitomd 14 years ago

"Our current Tuts+ Premium app makes use of a third party plugin that unfortunately stores passwords in cleartext (i.e. unencrypted)"

That makes me sad. If you use a plugin, you use it because it's a better and a proven solution, not because you are lazy. Sad day..

bluetidepro 14 years ago

This is ridiculous. In the email I received from Envato it says the following:

"-- What To Do

(1) Update passwords on ANY service you use that uses the same password as you had on Tuts+ Premium.

(2) In particular you should consider your own email account, PayPal, Moneybookers, and other payment services. These are the most sensitive targets, and if you had the same password, you should consider this an urgent priority. If you can’t remember what your Tuts+ Premium password was, we encourage you to change passwords on all services you use.

(3) If you use the same password on any other Envato service such as the Envato Marketplaces, you should change your password there too."

You have to be kidding me? Do I really need to start using unique passwords on every site that I use? This just blows me away that one site messes up and then I have to spend hours of my time figuring out which passwords to change, update, etc. This just frustrates me so much. I'm also very surprised they put this in the blog post:

"As a company that teaches and preaches best practices, it’s deeply disappointing to me to not only have been the victim of a security attack, but to be running software that doesn’t follow those same best practices. This is a situation we will be working to address."

...Based on what has happened to LinkedIn and others, aren't they easily setting themselves up for a lawsuit by blatantly saying they did not follow best practices?

Ugh. I'm just very sick of this crap happening. /rant

  • anons2011 14 years ago

    >You have to be kidding me? Do I really need to start using unique passwords on every site that I use?

    Errr, ...yes!

    • mun2mun 14 years ago

      For this reason Facebook connect/Twitter login are becoming popular. 1password, lastpass, keypass etc are not that popular among casual users.

    • bluetidepro 14 years ago

      I already do to an extent but come on, you can't tell me you use a completely unique password for EACH of the HUNDREDS of sites that use passwords? That just seems ridiculous, or maybe it's just me...

      • kristofferR 14 years ago

        Get LastPass (it's free and totally safe since it's client-side encrypted), but if you don't want that you can just use SuperGenPass.

        http://lastpass.com/ http://supergenpass.com/

      • Wilya 14 years ago

        There are quite a few ways to automate that. Lastpass, Keepass, KeepassX, 1Password, ...

      • lparry 14 years ago

        1Password (https://agilebits.com/onepassword) is your friend

      • dredmorbius 14 years ago

        I do just that.

        Between work and personal, roughly 130 password/account pairs.

        I may be missing a few. I also don't believe in gratuitously creating accounts simply to make use of some site (information has value, including and often particularly, identifying information). I'll make use of BugMeNot and/or create throwaway accounts using Mailinator for one-offs.

      • DannoHung 14 years ago

        Pay for Lastpass. They're fucking awesome.

        Wish they'd add a system for private/public key storage though.

      • pault 14 years ago

        Salt the password with characters from the url. Maybe your password is P4ssw0rd, so your HN password is Py4csosw0rd. I've been using this scheme for years, works great!

  • freditup 14 years ago

    In my opinion, using unique passwords on every site you use is perhaps the key to keeping yourself safe.

    Facts: 1) Most people have way too many accounts to keep track of passwords for. 2) A unique password is essential.

    So, get a password manager and store them there! It's almost the only secure solution.

  • sp332 14 years ago

    If you have Firefox, use the Password Reuse Visualizer. https://addons.mozilla.org/en-US/firefox/addon/password-reus... Then realize that if any of these sites get hacked, the attacker now has access to all the sites connected to it (using the same password).

  • StavrosK 14 years ago

    I use SuperGenPass (EnigmaPass for Chrome). I don't have to store passwords, I just have to remember the master one.

beezee 14 years ago

What is really absurd is they've gone offline and given people no way to confirm their password. Their suggestion:

"If you can’t remember what your Tuts+ Premium password was, we encourage you to change passwords on all services you use"

All I need is to try a handful of "important" passwords, make sure that none of them work for this compromised service, and I can go on with my day. But they figure, hey, if you can't remember our password, go change them all, not our problem.

Real brilliant way to handle it.

highpixels 14 years ago

As a regular author for Tuts+ I am absolutely FUMING with them.

blissofbeing 14 years ago

I'll never visit an envato site again, let alone pay for any of their services. I can understand everyone gets hacked, but cleartext! wtf.

  • charliesome 14 years ago

    From the article:

    Tuts+ Premium is the only Envato service that operates with cleartext passwords, and it was a known internal issue for us, with a plan currently in progress to upgrade away from the current plugin.

    • pwny 14 years ago

      Still, this not being priority number one for them (before even making this service public!) means I will never do business with them. It says a lot about how they value their customers.

    • whichdan 14 years ago

      The sad thing is, it's completely trivial and non-disruptive to switch from a cleartext database to a hashed+salted one.

      • Xylakant 14 years ago

        Not if you depend on software that requires plaintext passwords (as they obviously do). Whether it's a wise choice to use such software is open to discussion though.

        • 16s 14 years ago

          Sometimes business/marketing managers and IT security managers disagree. Looks as though the business guys trumped the security guys on this one. That happens a lot in the real world.

          • Xylakant 14 years ago

            Since there's no such thing as absolute security, all security effort is a balance between an assumed threat and the havoc it could create and costs. So it's always business vs. security. I'm a bit on the fence here and I guess I'd have taken another route but well, if the product was not viable without the plugin... Who knows.

            Given that: My remark was directed at the blank statement that it's always easy to switch. It obviously is not in that case, the change was on the agenda [1], so it's a bit tough that this happened in the meantime.

            [1] At least according to the official statement. I don't have any reason to believe otherwise.
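As an added illustration of the "hashed+salted" storage pwny and whichdan describe above (example code written for this page, not Envato's or aMember's software): a one-shot migration of a constructed cleartext user table to salted, slow hashes, plus a login routine that rehashes records with a stale work factor. PBKDF2-HMAC-SHA256 from Python's standard library stands in for the bcrypt mentioned in the thread; the user names, passwords and the `pbkdf2_sha256$iterations$salt$hash` record format are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample of a cleartext user table like the one the thread
# describes; the usernames and passwords are made up for this example.
CLEARTEXT_USERS = {
    "alice": "correct horse battery staple",
    "bob": "P4ssw0rd",
}

# PBKDF2-HMAC-SHA256 from the standard library stands in for the bcrypt
# mentioned in the thread; the work factor is what makes offline cracking slow.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with a fresh random salt; the record encodes algorithm, work factor and salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != ALGO:
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:  # malformed record (wrong field count, bad hex or number)
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


def migrate_table(cleartext_users: dict) -> dict:
    """One-shot migration: every cleartext password gets its own salt and hash."""
    return {user: hash_password(pw) for user, pw in cleartext_users.items()}


def login(users: dict, user: str, password: str) -> bool:
    """Verify a login and transparently upgrade records with a stale work factor."""
    stored = users.get(user)
    if stored is None or not verify_password(password, stored):
        return False
    if int(stored.split("$")[1]) < ITERATIONS:
        users[user] = hash_password(password)  # rehash on login, no user disruption
    return True


if __name__ == "__main__":
    hashed = migrate_table(CLEARTEXT_USERS)
    for user, record in hashed.items():
        print(user, record)
    print("bob login ok:", login(hashed, "bob", "P4ssw0rd"))
```

After migration the table holds no recoverable passwords, and raising `ITERATIONS` later needs no reset because each user's record is upgraded the next time they log in.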

    • tylermenezes 14 years ago

      It's not like it's hard for a site which offers programming tutorials to just change the password storage method.

    • bluetidepro 14 years ago

      "plan currently in progress" - A bit late, don't you think?

dutchbrit 14 years ago

Cleartext? Are you kidding me? I actually have an account there, sorry Envato but you just lost a customer.

stef25 14 years ago

According to some comments the plugin in question is "amember" but there are several (old) posts on their forums saying they don't use plaintext. I'd be surprised if it was, but then again ...

http://www.amember.com/forum/threads/db-password-encryption-... http://www.amember.com/forum/threads/password-on-resend-sign...

  • Xylakant 14 years ago

    Posts are from spring this year, so it's not "old". The first post also references an upgrade from version 3 to version 4, so I guess they still use version 3 and didn't get around to updating to v4 yet, and now they pay the price.

727374 14 years ago

What really irks me are the weak excuses in that blog entry. I don't care that it was a 3rd party plugin or that you wanted to encrypt the passwords. You screwed up and endangered your users.

statictype 14 years ago

I like how they blamed it on a "3rd party plugin".

mschalle 14 years ago

Plain text? Are you KIDDING me?!

krambs 14 years ago

Cleartext!

polysaturate 14 years ago

If you're going to store passwords in clear text...

You're gonna have a bad time.

yashchandra 14 years ago

It is high time a site's registration form/process has a confirmation box confirming that they do not store passwords unencrypted before the user clicks "sign me up". This is getting ridiculous. I unfortunately used another site recently that sent me my password back in clear text over email.

dutchbrit 14 years ago

My email to Envato:

I seriously can't understand how Envato found it responsible to even implement something that saves plaintext passwords. You must have known when implementing it. If this "3rd party" plugin was so important, then implement the plugin later on when it is secure - you don't fuck around with private details. If it was important for the initial release, you shouldn't have launched until this was sorted.

You have hereby lost a customer. I now have to reset my password on a ton of forums and probably also themeforest. I will give you some other feedback. Maybe I'm blind but to login on Nettuts, don't make users have to scroll and look for a dinky login text.

On ThemeForest, seriously remove the fucking Captcha from the login form. Sorry for my French but seriously, on a contact or registration form, I could understand why. If you are afraid of brute force, there are other great ways to do so.

Fail, Sam Granger

Ps. You should read your own tutorials on security, they aren't too bad.

  • tedivm 14 years ago

    Why would you have to change your password on "a ton of forums" if you yourself have been using password best practices? Envato was responsible in their disclosure- you think those "tons" of forums are all going to do the same? For all you know your password has been in the wild for years.

    You should use this as an opportunity to get a password manager (Lastpass, for instance) and use unique passwords for each site.

    • dutchbrit 14 years ago

      I agree that it's my fault not having a unique password for Envato. I do have unique passwords for most important things, but to have unique weird passwords for everything is too much for me, especially since I'm switching computers all the time; it'd be quite a hassle each time. Especially since I log into a lot of less important sites with this password. If it was salted and encrypted, I wouldn't bother changing them. But seriously, plaintext. It's the biggest cockup I can imagine. Some may argue, but you can also keep passwords on your phone or online, you're correct, but what if my pass phrase gets hacked to all my unique passwords? How do I know that these services are waterproof? It's not the most secure way of storing passwords either to be honest, but they don't have any other way. It has to be decryptable. In the end, nothing is waterproof.

      • tedivm 14 years ago

        Sure, nothing is waterproof. However, some solutions are better than others - and as a LastPass user I know I don't have to change my password on "a ton of forums".

  • sdiwakar 14 years ago

    I think it's wrong that you are espousing password security when you have not taken the required steps to secure your own accounts across "a ton of forums"?

    Security in the real world is hard. I worked as a penetration tester, so I have some authority to say so.

    For most startups getting users is a priority and everyone is prone to taking shortcuts (clearly including YOU - sharing passwords across forums); incidents like this are commonplace in the business world and the fact that Envato had the balls to own up is kudos to them.
