We’ve covered HootSuite, the Web based Twitter application which just recently released a cool iPhone app, twice during the last four weeks.
While we really like its send-later feature, which allows users to schedule tweets, and the stats HootSuite provides for tracking clicks on your tweeted hyperlinks, today I stumbled across a big no-no:
HootSuite stores our passwords in plaintext!
Now, why is this a bad thing and how do others handle it?
It’s bad because potentially anybody at HootSuite who has access to the website’s database (very likely just a plain old MySQL one) can easily read every single password for every single HootSuite account, log in as you, or try your “secret” little password with another service.
Even worse: If due to a security issue anybody outside of HootSuite gets access to the data, thousands of HootSuite accounts will be exposed to fraud.
If you’re like me and use a password with more than a single service, chances are the combination of your HootSuite account email address and your plaintext password will work elsewhere. Yes, I know, we should create a unique password for every service we use, but hey, we are all human.
The standard way of storing account credentials is to create a hash for your given password.
A cryptographic hash function is a deterministic procedure that takes an arbitrary block of data (your plaintext password) and returns a fixed-size bit string (the hash), such that an accidental or intentional change to the data will change the hash value (Wikipedia). The key here is: a hash is a one-way function. So, whenever you log in, the hash of the password you provide is computed again and compared to the one stored in the site’s database.
However, there is no way for anybody to reverse engineer your password by just looking at the saved hash values.
That’s why the majority of websites do not provide any means to retrieve your current password via their “lost password” link, but ask you to create a new one. They don’t know it because they don’t store it.
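Here is what the “hash, don’t store” approach described above looks like in code. This is an added example and is not code from the original post or from HootSuite; it goes a step beyond the plain hash the text describes by adding a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python’s standard library), which is how credential storage is done in practice so that a stolen table cannot be attacked with precomputed tables. The user records and the iteration count are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters for this example: the iteration count should be
# tuned to your hardware, the salt is 16 random bytes per password.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iter>$<salt>$<hash>'.

    Only this record is stored; the plaintext password never reaches the
    database, so a database dump does not reveal it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Login check: recompute the hash from the stored salt and iteration
    count and compare it to the stored digest in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False  # malformed record, never accept it
    if algorithm != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def build_user_table() -> dict:
    """Constructed sample 'users' table: email -> stored hash record.

    Note that nothing in the table allows the original password to be read
    back, which is why a 'lost password' flow must issue a new password
    rather than mail the old one."""
    sample_signups = [
        ("alice@example.com", "correct horse battery staple"),
        ("bob@example.com", "hunter2"),
    ]
    return {email: hash_password(pw) for email, pw in sample_signups}


if __name__ == "__main__":
    users = build_user_table()
    print(users["bob@example.com"])
    print("login ok:", verify_password("hunter2", users["bob@example.com"]))
    print("wrong pw:", verify_password("hunter3", users["bob@example.com"]))
```

Because the salt is random, hashing the same password twice yields two different records; that is intended, and it is why the stored salt is fed back into the verification step rather than a fixed site-wide value.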
So, dear HootSuite, please give your loyal users a bit more security and change the way you handle our passwords.
While you are at it, why don’t you migrate to OAuth for our Twitter accounts – we’ve been calling for that since back in June, and now there’s even a deadline and benefits for doing so.
Storing a one-way hash won’t work for HootSuite. They need to provide the password to Twitter for authentication, and how will they do that if they have a one-way hash of your password which cannot be reversed?
The actual solution would be to use a bi-directional encryption algorithm with a secret key that only HootSuite uses. Therefore, if someone were to steal the database, they would not be able to obtain your passwords without also obtaining the secret key (which obviously should not be in the database). Then, HootSuite can decrypt the password when it needs to authenticate on your behalf.
But as you say, they really should be moving to OAuth now.
They can. And they should. It’s just a bit more work (though ready-baked solutions for it are available for all popular dynamic web languages).
Why can’t HootSuite use Twitter’s OAuth API?
More worrying is the number of services which *don’t* encrypt this information. I’ve had a few recently which will quite happily re-email me my account password rather than generate a new one.
One particular company asked me to confirm my password with them over the phone (and I’m not naming names at this point).
Hey Ralf–
Jeff from HootSuite here. Thanks for the valuable feedback!
Please note that we do *not* store user passwords in plaintext in our database — we do currently encrypt them. However, you’re right in that we should improve this.
We are planning on implementing a one-way hashing algorithm as you suggest. We also have an update forthcoming for the iPhone app that will improve encryption there as well.
As for Twitter passwords, we do plan on migrating to OAuth as soon as we can. There are some underlying structural changes we need to make to HootSuite accounts/permissions before we can undertake this, but expect it in the coming months.
Thanks again for the feedback.
–Jeff
Ralf, thanks for your attention to detail. It’s Grace, from HootSuite, here. As a follow-up to Jeff’s comment above, we have implemented some changes.
We treat user security and credentials as a top priority. Although all passwords are encrypted for storage, forgotten password requests were sent in plain text. We have made an update to send password reset emails via one-way hashed passwords, and passwords are now not sent in plain format.
We hope this resolves the issue. :)
So it’s been half a year later, still no OAuth. Glad to see Hootsuite is going to be FORCE-FED OAuth by Twitter’s June 30th, 2010 date for turning off basic authorization from the API. Look, I love Hootsuite, I really do, and I really want to use it, but we all know if you don’t take your medicine what can ultimately happen to you.
The one-way hash would do for their own accounts. You’ve got to sign up with HootSuite and *then* provide your Twitter account credentials.
My post is suggesting that they move to a one-way hash for the HootSuite accounts and consequently migrate Twitter authentication to OAuth!
Thanks, Jeff, for following up. I’m looking very much forward to the changes and will remain a loyal HootSuite user!
Hello Jeff,
My company is looking at getting an account with HootSuite but is very concerned about the security of our passwords. Can you give me an update on your status with making the security improvements to your site that you mentioned in this post?
Thanks,
-Michele-