eHattons security


adriank

I forgot my password when trying to log into my eHattons account and clicked the 'Forgotten password' button. Much to my surprise, I received an e-mail containing my password.

 

The inescapable conclusion is that my password was stored in an unencrypted form on their server. Fortunately, I had not added any credit card details to my account nor will I given such weak security.

 

Adrian



I would think it's most unlikely the password would be stored unencrypted on their servers.  A copy would simply have been decrypted and placed in the email.


> I would think it's most unlikely the password would be stored unencrypted on their servers. A copy would simply have been decrypted and placed in the email.

Yes it's probably encrypted, but that still means it's stored as the password and not a one-way hash.

And then they emailed it....

 

Needless to say no one should use the same email & password combination for any accounts they really care about. That goes double for any password used for Hattons.



Would this not be better in the Hattons forum? I'm guessing a lot more Hattons customers would read it in that forum and I believe this is something that is worth bringing to their attention.


Loads of companies use this password recovery method, and there is a small risk

The existing password is sent to the registered eMail address, it does not appear on screen

 

If you are concerned about the security, try accessing your account with a lost username / password

If the details appear on screen then there is an issue


I don't understand why they would go to the trouble of decrypting a password when a one-way system would suffice. The majority of sites send you a temporary password when you forget the original because they cannot provide an unencrypted password. In Unix, passwords are stored only in their encrypted version and this dates from about 1969. What is it in security logic that has changed?


There is no such thing as a 100% safe system. I prefer the way some sites will send you a temporary password, but if someone had got hold of your email accounts then that does not stop that person getting to your other accounts. Remembering so many passwords is also a problem, along with PIN codes, so it results in what is in effect insecure storage (i.e. written down somewhere).

In some ways, I am far more concerned with use of cookies, as this allows a very big back door into most systems, and I have seen card details stored this way. Having worked in IT for over 20 years, I have worked through the various systems, and understand a lot of what sits beneath the surface in program code. It has not been unusual for terminology to change, making something look new and therefore better, but is just a simple re-branding, hiding visible security problems.



Hatton's give you an option not to store your credit card information on your account. If you're worried about security then simply use that option.


Thanks very much RFS. As already stated, I have not stored my credit card information on the Hatton's site. The point is that they offer this facility with no statement about how secure the information is. The fact that they can tell me my password indicates to me that my password is not encrypted and therefore not secure. It follows that if I were to provide them with my credit card information that it could be accessed by anybody with access to their server. I am not looking for reassurances or platitudes about what I can or cannot do. I am merely raising a warning to others who may be tempted to use their account system. Is this clear enough for you?


> I forgot my password when trying to log into my eHattons account and clicked the 'Forgotten password' button. Much to my surprise, I received an e-mail containing my password.

What exactly are you surprised about?

It would seem to me a perfectly normal way of working.

I better not quote any specific examples but I have had similar experiences with rather bigger organizations than Hattons.

Funnily I have in the last hour had an email from a county council pointing out that if I forget my password they will email a new one.

Bernard


Ultimately, if you are not happy with their website, submit a request for your account to be closed

You could also make a Data Protection Act request, but the information held is probably limited and so would be pointless

 

If you think that is bad, there are still ecommerce websites out there that obtain personal information in insecure website format, and worse credit card information

I tried to point this out to a local restaurant, and they just didn't understand, "Customers pay money on the website and we deliver, what's wrong with that?"


 

Bernard, the point is that they will email you A NEW ONE. That is NOT YOUR EXISTING ONE. If they can email your existing one then they have stored an unencrypted version of it. Is it really that difficult?

Either way it doesn't matter! They are sending a password (or some sites send an open link to a change password form) BY EMAIL!.

 

The fact that a password is stored on a sites server (even in a secure database) also only matters if someone/anyone at that site has access to the decryption methods and code. Your password could be stored with very high encryption and very few people having access to it. The problem here is that we don't know, therefore cannot trust. It simply raises the doubt that the site may not be secure and that any credit card details might also be stored. But then there is the same problem every time we use a credit card in store, without a PIN.

 

There are very few ways to avoid the "forgotten password" conundrum: sending a link or temporary password by email risks email interception; even sending a re-activation PIN by regular post can be intercepted (think about it next time a bank renews your credit card).


Only the other day I saw an advert for a company offering a service where you only needed one password to their system which would then link to any of the websites you wanted to connect to and not have to remember so many passwords. Nice idea but security wise I would not recommend it. Ebay keep trying to get me to link their system to Paypal, with one password. Given the security problems Ebay have had the last thing I want is to allow it unprotected access to my Paypal account.

 

One method that is still popular is the telephone sale with card details being taken over the phone, and quite often written down. Cases of these written records being found where they shouldn't, and I have noticed some online selling has an off site card receipt sent with the goods, suggesting their system is not fully online. I quite often opt for Paypal if it is offered, as it is easier, and I feel safer.

 

I have heard that fax machines have become more popular because of worries with email security. Obviously what happens to the fax once it is received is important.


Today I received the following response from Hattons concerning the storage of my password:

 

Thank you for your email.

 

I am very sorry that you feel that our system is not secure. I can assure you that we are fully PCI compliant and all card details are fully encrypted on our server so that there is no way that anyone would be able to access them, including ourselves. You are able to change your password on your account should you wish to now that it has been sent to yourself to maintain your own security and I have let our IT Team know of your concerns.

 

I hope this helps but if you need any further assistance, please don't hesitate to get in touch.

 

Kind regards,

 

Katie Mylett

Retail Assistant

 

A welcome response but I'm still not happy about Hattons storing an unencrypted version of my password.

 

Adrian



> Either way it doesn't matter! They are sending a password (or some sites send an open link to a change password form) BY EMAIL!.

The sending of a temporary password or link by email isn't desirable but it's somewhat more understandable (what's a practical alternative, apart from backing it up with some alternative information that you've hopefully not forgotten when you log back in?) than something that suggests their data is permanently stored in an insecure fashion.


> A welcome response but I'm still not happy about Hattons storing an unencrypted version of my password.

I'm sorry but there is nothing to suggest that they do not store your password unencrypted and of course nothing to state that they do either.

 

What you do not like is the fact that they appear to be able to recover your password from their database - either by decrypting it (probably as part of the password recovery program) or in plain text.

 

Sending that decrypted password to you is no different (AND NO LESS SECURE) than sending you a temporary password to access your account. Sending anything by email is the weak link.

 

They need to store your password somewhere in some form (preferably encrypted) otherwise how are they to check you against the login form?


Interesting they claim to be PCI Compliant, as this requires the password is changed after 90 days

My account at Hattons has never applied this requirement

 

> A welcome response but I'm still not happy about Hattons storing an unencrypted version of my password

I've checked my own servers password recovery method

The passwords are encrypted

The eMail then sends out the stored password in plain text

I am now looking into this...


Interesting that Hattons state they encrypt your card details but no one can get them back.  So why store the card details if they can't be recovered for your next visit / purchase?  They also say nothing about storage of passwords.  On the plus side, they claim PCI compliance - but that is mandated by the card companies anyway.

 

Back to the original issue of sending you your password.  This could be stored in two way (i.e. reversible) encryption rather than one way (hash) encryption.  The primary issue is how well your details - password and card details - are protected.  If a hacker can get at the file with your details and obtain details of how the encryption is implemented then both two way encrypted and hashed passwords can be recovered.  Hashed passwords will take longer.  But as hashing involves either merging or removing information during the encryption process, you will find that more than one password will hash to the same result.  It's just that the alternative passwords will be completely different and unpredictable from the "true" password.

 

As noted elsewhere, it is much better practice for a site to create and email you a new "one time" password; one that you have to reset when you log back on.

 

Incidentally, I note that RMWeb, like a lot of other sites, offers to remember your password for you.  To translate, this means that your password together with your username will be stored unencrypted on your own PC.  As your home PC will be less well protected than any half decent commercial web site, then that information will be available to anyone who can get access to your PC - Internet hacker, burglar or visitor.

 

Come on RMWeb - show the rest how to do it.  Remove that dangerous option.  
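The one-way scheme the posts above argue for, written out as an added example (not code from the original thread, and not Hattons' or RMweb's own system): passwords are kept only as a salted PBKDF2 hash, so the site has nothing it could email back, and "forgotten password" is handled with a single-use, time-limited reset token instead. The in-memory dictionaries stand in for a database and are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for a user table and a reset-token table.
USERS = {}
RESET_TOKENS = {}
ITERATIONS = 200_000


def store_password(username, password):
    """Store only a per-user random salt and a one-way PBKDF2-HMAC-SHA256 hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username, password):
    """Re-derive the hash from the submitted password and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])


def stored_record_hex(username):
    """What a database leak would expose: salt and hash only, never the password."""
    rec = USERS[username]
    return rec["salt"].hex() + ":" + rec["hash"].hex()


def issue_reset_token(username, now=None, ttl=900):
    """Create a random reset token; only its hash is kept server-side, with an expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).digest()
    RESET_TOKENS[key] = (username, now + ttl)
    return token  # this is what goes in the e-mail link, not the password


def redeem_reset_token(token, new_password, now=None):
    """Accept the token once, reject it if expired, then set the new password."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).digest()
    entry = RESET_TOKENS.pop(key, None)  # pop makes the token single-use
    if entry is None:
        return False
    username, expires = entry
    if now > expires:
        return False
    store_password(username, new_password)
    return True
```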


> Incidentally, I note that RMWeb, like a lot of other sites, offers to remember your password for you. To translate, this means that your password together with your username will be stored unencrypted on your own PC. As your home PC will be less well protected than any half decent commercial web site, then that information will be available to anyone who can get access to your PC - Internet hacker, burglar or visitor.
>
> Come on RMWeb - show the rest how to do it. Remove that dangerous option.

That is not necessarily the case.

 

What is common is that these details are also stored encrypted in a cookie (within your browser)

 

In the case of RMWeb (and most websites) the user name is not stored and a userid (a pointer to the data table) is stored - this is the case with RMWeb see the cookie named "member_id". The password is stored in an encrypted format in a separate (rather negligently) cookie called "pass_hash". RMweb's chosen software is very poor in its use of cookies and they are sprayed around the place. All these could be better secured in a single encrypted cookie - but that is not RMWeb's fault.

 

The problem with cookies is that IF they contain plain text then that information is available very easily to anyone using the computer. If your physical computer doesn't fall into someone else's hands then there is no problem.

 

BTW don't suppose that the ******* that you see in a password field for a web form is not visible - with the right simple tools it can be made visible.


> Interesting that Hattons state they encrypt your card details but no one can get them back. So why store the card details if they can't be recovered for your next visit / purchase?

This suggests they are using either a third party gateway provider or merchant service

They would only receive a confirmation the payment has been processed and receive the funds later

 

Perhaps an enquiry to determine what level of PCI Compliance is in place, but I suspect it will only be level 4



> If they can email your existing one then they have stored an unencrypted version of it. Is it really that difficult?

Hi

 

Not necessarily if they have encrypted the password then they can decrypt it to send it. I do agree though that this isn't the best plan and it should be a one way encryption.

 

Cheers

 

Paul



> Incidentally, I note that RMWeb, like a lot of other sites, offers to remember your password for you. To translate, this means that your password together with your username will be stored unencrypted on your own PC. As your home PC will be less well protected than any half decent commercial web site, then that information will be available to anyone who can get access to your PC - Internet hacker, burglar or visitor.
>
> Come on RMWeb - show the rest how to do it. Remove that dangerous option.


It's easy to "Remove that dangerous option" - don't allow the site to store the information if you are worried.

Let's get serious, do you really think that a burglar is going to hack your PC? - they will probably sell it to a mate who will reformat it and sell it for a few quid.

If you allow visitors to use your login then I have no sympathy, you get what you get.

A hacker ? - perhaps but then they are probably after bank details rather than RMWeb user ids.


An interesting choice of name and first post.

> Incidentally, I note that RMWeb, like a lot of other sites, offers to remember your password for you. To translate, this means that your password together with your username will be stored unencrypted on your own PC. As your home PC will be less well protected than any half decent commercial web site, then that information will be available to anyone who can get access to your PC - Internet hacker, burglar or visitor.
>
> Come on RMWeb - show the rest how to do it. Remove that dangerous option.

> What is common is that these details are also stored encrypted in a cookie (within your browser)
>
> In the case of RMWeb (and most websites) the user name is not stored and a userid (a pointer to the data table) is stored - this is the case with RMWeb see the cookie named "member_id". The password is stored in an encrypted format in a separate (rather negligently) cookie called "pass_hash". RMweb's chosen software is very poor in its use of cookies and they are sprayed around the place. All these could be better secured in a single encrypted cookie - but that is not RMWeb's fault.

> It's easy to "Remove that dangerous option" - don't allow the site to store the information if you are worried.
>
> Let's get serious, do you really think that a burglar is going to hack your PC? - they will probably sell it to a mate who will reformat it and sell it for a few quid.
>
> If you allow visitors to use your login then I have no sympathy, you get what you get.
>
> A hacker? - perhaps but then they are probably after bank details rather than RMWeb user ids.


Kenton and Beast have ably responded with respect to the encryption of passwords within RMweb's cookies.

 

It is worth re-iterating previously given advice for other readers; do not use the same password for low-level security needs such as social media access as you may for high-level security needs such as banks or other financial transactions. Don't use the same password for ebay and Paypal etc etc.  All common sense so if there's any danger in passwords and RMweb it's down to the user's use of such rather than any site providers' systems.

