
I’m not quite sure why Dave Crooke is using an e-mail list like the Progressive Exchange to talk about the technical aspects of the Convio security breach. However, it beats not getting anything at all. Dave is discussing the way passwords were stored on the GetActive system:
Date: Mon, 05 Nov 2007 14:55:38 -0600
From: Dave Crooke <dave@convio.com>
[header deleted for brevity]
Hi Chris
The passwords are encrypted when stored, however (for constituents) they
are not one-way hashes … the application has the ability to decrypt
them, so that it can implement a “please email me my password” feature
for constituents. This is a security vs. convenience tradeoff – if one
way hashes were used, that would become “email me a reset token”,
requiring someone to go to the site, choose a new password, etc. However
the data being protected is pretty low risk – one constituent’s name,
street address and email subscriptions. By contrast, you can find my
home address (and the value of my house) on the web at the Travis
County, TX land registry’s site, with no passwords at all.

The GetActive application has a feature whereby these constituent
passwords can be downloaded by client staff from the administrator
interface, so that clients can sync them with other web properties that
they operate. The majority of other SaaS vendors serving non-profits
also have that feature. We don’t have it on the Convio platform (and
this occasionally engenders client complaints) and we will be
withdrawing it from GetActive.

Cheers
Dave
Basically, in order to make sure that single sign-on was possible, GetActive gave users the ability to dump unencrypted passwords en masse from the system so that a nonprofit’s GetActive users could be synced with a “foreign” system. How ironic that this “feature” would not have been necessary if GetActive had an open API that allowed for programmatic access to user authentication methods! Downloading passwords like this is what we in programming land call a kludge. Dave is essentially pointing out that this is common among other SaaS vendors, so we should probably now ask every vendor who has this kludge to remove it from their software as well. The idea that there are text files out there with my username and unencrypted password on them is really annoying. This practice has to end now for all vendors selling nonprofit solutions.
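Dave describes the one-way-hash alternative in a single sentence. As an added illustration (not code from the post, nor from Convio or GetActive), here is what that design looks like in Python: passwords are stored only as salted PBKDF2 hashes, and “email me my password” becomes a single-use, time-limited reset token. The in-memory `USERS` store, the PBKDF2 cost and the token lifetime are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store (username -> record). Only a random salt and a
# one-way PBKDF2 hash are kept, so neither an "email me my password" feature
# nor a bulk export from an admin interface can ever yield a password.
USERS = {}
PBKDF2_ROUNDS = 200_000      # assumed cost parameter for the demo
TOKEN_TTL_SECONDS = 3600     # assumed reset-token lifetime

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def set_password(username, password):
    # Fresh salt per password; the cleartext is discarded after hashing.
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": _derive(password, salt), "reset": None}

def verify_password(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison of the stored hash with a fresh derivation.
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))

def issue_reset_token(username, now=None):
    # "Email me a reset token": the caller sends the returned token to the
    # constituent; the store keeps only its hash plus an expiry time.
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    USERS[username]["reset"] = {"hash": hashlib.sha256(token.encode()).digest(),
                                "expires": now + TOKEN_TTL_SECONDS}
    return token

def redeem_reset_token(username, token, new_password, now=None):
    # Token is single-use and time-limited; on success the new password is
    # hashed via set_password(), which also clears the pending token.
    now = time.time() if now is None else now
    rec = USERS.get(username)
    pending = rec["reset"] if rec else None
    if pending is None or now > pending["expires"]:
        return False
    if not hmac.compare_digest(pending["hash"], hashlib.sha256(token.encode()).digest()):
        return False
    set_password(username, new_password)
    return True
```

The point for a vendor is that with this design there is simply nothing to export: the admin interface can list names and subscriptions, but not credentials.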
My fellow nerds, geeks, and accidental techies, please be sure to tell your not-so-technical co-workers that they can no longer expect to be e-mailed their old passwords just because it’s more convenient. It was always bad practice, and in a case where we can sometimes pressure vendors to accommodate us, it was a doubly bad idea.

