Bookmyshow.com Saves User Passwords in Plain Text
With the recent wave of websites and services that have been compromised, I was quite surprised to find out that a website like bookmyshow.com saves its users’ passwords in plain text.
This news was surprising for me especially because it’s run by a well-established company – TV18’s Bigtree Entertainment. When I clicked on the “forgot your password?” link on BookMyShow and entered my registered email address, I got an email giving out my existing password in plain text.
Now this is not a joke for a website like BookMyShow. It just emailed me back my own password! I checked whether the website’s Security Policy states using any form of encryption or not (read Term 11.4) and this is what I found:
Go ahead BookMyShow, paste the usual Terms & Conditions written by a bunch of cheap lawyers and lie to your users. Even play with their personal details!
A website storing passwords in plain text literally means that your passwords are sitting there, simply waiting for someone to come and take them. It doesn’t even matter whether you’ve created the strongest possible password or not. So if you have an account with BookMyShow, I suggest you change your password to a temporary one till (and if) they fix this issue.
Tip for BookMyShow: For starters (sic) follow this article and at least deploy some basic MD5 hashing and salting!
UPDATE: Some of the readers pointed out below that they could be deploying basic encryption (and not hashing). That method is not really any safer, as the encryption key also has to be stored somewhere (usually in the same database), and if the hackers get their hands on that key they can decrypt every password. In and of itself this encryption method may not mean much; coupled with weak site security it can amount to a much bigger issue.
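As an added illustration of the “hashing and salting” tip above and of the difference from reversible encryption raised in the update, here is a small example (written for this page, not code from the original post or from BookMyShow). It uses PBKDF2-HMAC-SHA256 from Python’s standard library instead of MD5, because MD5 is far too fast to protect passwords; the iteration count, record format and the UserStore class are assumptions for the example. A per-user random salt means two users with the same password get different stored records, and because the record is a one-way hash there is no key anywhere that could turn it back into the password, so a “forgot your password?” flow can only ever reset it, never mail it back.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Parameters assumed for this example. Raise ITERATIONS as hardware allows.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is freshly generated per call (i.e. per user) unless one is
    supplied, so identical passwords do not produce identical records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never accept
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


class UserStore:
    """Minimal in-memory account store (hypothetical; stands in for a database).

    Only hashed records are kept, so the store can answer "is this the right
    password?" but can never answer "what is this user's password?".
    """

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, email: str, password: str) -> None:
        self._records[email] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        record = self._records.get(email)
        if record is None:
            # Spend the same effort for unknown accounts so timing does not
            # reveal whether an email address is registered.
            hash_password(password)
            return False
        return verify_password(password, record)

    def reset_password(self, email: str, new_password: str) -> bool:
        """The only sane "forgot password" action: replace, never reveal."""
        if email not in self._records:
            return False
        self._records[email] = hash_password(new_password)
        return True

    def stored_record(self, email: str) -> str:
        """What an attacker who dumps the table would see for this account."""
        return self._records[email]


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.com", "correct horse battery staple")
    print(store.stored_record("alice@example.com"))
    print(store.login("alice@example.com", "correct horse battery staple"))  # True
    print(store.login("alice@example.com", "wrong"))                         # False
```

The stored record carries the algorithm and iteration count, so the cost can be raised later and old records re-hashed on the user’s next successful login. Contrast this with the encrypted-password scheme from the update: there the same database (or the same server) has to hold the decryption key, so a single leak of that key undoes the protection for every account at once.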