I’m not quite sure why Dave Crooke is using an e-mail list like the Progressive Exchange to talk about the technical aspects of the Convio security breach. However, it beats not getting anything at all. Dave is discussing the way passwords were stored on the GetActive system:
Date: Mon, 05 Nov 2007 14:55:38 -0600
From: Dave Crooke <dave@convio.com>
[header deleted for brevity]Hi Chris
The passwords are encrypted when stored, however (for constituents) they
are not one-way hashes … the application has the ability to decrypt
them, so that it can implement a “please email me my password” feature
for constituents. This is a security vs. convenience tradeoff - if one
way hashes were used, that would become “email me a reset token”,
requiring someone to go to the site, choose a new password, etc. However
the data being protected is pretty low risk - one constituent’s name,
street address and email subscriptions. By contrast, you can find my
home address (and the value of my house) on the web at the Travis
County, TX land registry’s site, with no passwords at all.The GetActive application has a feature whereby these constituent
passwords can be downloaded by client staff from the administrator
interface, so that clients can sync them with other web properties that
they operate. The majority of other SaaS vendors serving non-profits
also have that feature. We don’t have it on the Convio platform (and
this occasionally engenders client complaints) and we will be
withdrawing it from GetActive.Cheers
Dave
Basically, in order to make sure that single sign-on was possible, GetActive gave users the ability to dump unencrypted passwords en masse from the system so that a nonprofit’s GetActive users could be synched with a “foreign” system. How ironic that this “feature” would not have been necessary if GetActive had an open API that allowed for programmatic access to user authentication methods! Downloading passwords like this is what we in programming land is called a kludge. Dave is essentially pointing out that this is common for other SaaS vendors so we should probably now ask vendors who have this kludge to remove it in their software as well. The idea that there are text files out there with my username and unencrypted password on them is really annoying. This practice has to end now for all vendors selling nonprofit solutions.
My fellow nerds, geeks, and accidental techies, please be sure to tell your not-so-technical co-workers that they can no longer expect to be e-mailed their old passwords just because it’s more convenient. It was always bad practice and in a case where sometimes we can pressure vendors to accoomodate us, it was a doubly bad idea.
Loading ...
The point of securing passwords is not so someone can find the value of your house, it’s because many people use the same passwords on many systems. Someone’s donation site passoword may be the same password they use to access their e-mail, or God forbid, their banking information!
Agreed. However, I don’t think it was necessarily the vendor’s fault. There’s a lot of demand for an “e-mail the forgotten password to the user” feature as well as for the “mass download of passwords for a single sign-on” feature. I would venture to say that those demands were generated from the marketing and fundraising departments of large nonprofits. Both features would certainly enhance ease of use for all users on a GetActive-powered site. That was probably why it was demanded of GetActive.
And frankly, it’s the techies that should have been the last check on those “features”. Clearly, the techies should have demanded a one-way hash for password storage. Also, techies have been demanding an open API for years and that would have obviated the need for a single signon kludge like the “mass download of passwords” feature. There needs to be a balance between the fundraisers and techies in the nonprofit sector. If anything, this shows the need to have all stakeholders equally represented and given equal say when selecting a vendor and asking for new features.
An OPEN API, or agreeing on what one-way encryption method to use would have been the way to go, and shouldn’t take significantly more time to implement.
Maybe we tell folks to ask for OpenID support for single-sign on?
OpenID for your average donor??? I can imagine a lot of pushback from the development people for that. However, this last episode might convince them it’s actually not a bad idea at all. For one thing, OpenID would help to lower the number of stored passwords on Convio’s site thus lowering its attractiveness to potential ID thieves. Of course, they’d hit the OpenID providers instead but at least that would be a lot more distributed. Even if an OpenID provider were penetrated, it wouldn’t affect your entire user community like an eCRM provider breach would.
I don’t think it’s a bad idea but there would have to be a lot of handholding material on the site to migrate users to OpenID.