Bookmyshow.com Saves User Passwords in Plain Text

With the recent wave of websites and services that have been compromised, I was pretty much surprised to find out that a website like bookmyshow.com saves the users’ passwords in plain text.

This news was surprising for me specially because it’s run by a well established company – TV18′s Bigtree Entertainment. When I clicked on the “forgot your password?” link on BookMyShow and entered my registered email address, I got an email giving out my existing password in plain text.

Now this is not a joke for a website like BookMyShow. It just emailed me back my own password! I checked whether the website’s Security Policies states using any form of encryption or not (read Term 11.4) and this is what I found:

The Password entered by you is transmitted in one- way encrypted form to our database and stored as such. Thus the Password will not be known even to Bigtree.

Go ahead BookMyShow, paste the usual Terms & Conditions written by a bunch of cheap lawyers and lie to your users. Even play with their personal details!

A website storing passwords in plain text literally means that your passwords are there, simply waiting for someone to come and take it. It doesn’t even matter if you’ve created the strongest possible password or not. So if you have an account with BookMyShow, I suggest you either change your passwords to a temporary one till (and if) they fix this issue.

Tip for BookMyShow: For starters (sic) follow this article and at least deploy some basic MD5 hashing and salting!

UPDATE: Some of the readers pointed out below that they could be deploying basic encryption (and not hashing). Using this method is not really efficient as the encryption key also has to be stored in a database and if the hackers get their hands on that key, they can decrypt the passwords. In and of itself this encryption method may not mean much; coupled with weak site security it can tantamount to a bigger issue.

Also read...

Comments

  1. You don’t know the password was stored in plaintext. It could be encrypted, just as their site says it is. When you request your password, it is decrypted and displayed.

    • Hey zengr,

      I was going to suggest them using bycrypt but instead suggested them the basic “for starters” MD5 hashing as I don’t think they have any clue of security out here.

  2. While I completely agree with you – and support pointing it out, I do as well with my Dutch companies where I try to order something (and then they won’t get my business because I simply discontinue my expected trust in them). I do feel to point out that they mention ‘encryption’, not hashing. Ergo they can encrypt it, and upon request by you, decrypt it. Appearing like it’s stored in plain text. Your article doesn’t show a dump of their database disclosing it’s stored in plain text.

    Encrypting a password is as secure as a banana taking a bus. Which means nothing. They probably store the encryption key in the same spot as the rest, meaning that during a compromise the malicious party can simply decrypt the encrypted database.

    That all said, they shouldn’t just encrypt it, they should hash it strongly, use a unique salt per user.

    So yeah, if a company mails me back my test account’s account pass reset with the pass in it, yikes, I can’t foresee something positive coming out of that in the future.

Comments are closed.