
I'm working as a technical advisor to a start-up company. The company licenses its product (a web and mobile application) to large groups of people who then use it for a relatively short period of time.

As part of my technical review I noticed that the development team is storing user credentials in clear text. I immediately advised my client of this and recommended that passwords be encrypted securely using any of a number of well-documented best practices.

It turns out that the software has a few features that would be considerably difficult - although not impossible - to implement without having access to the raw password. One example is printing "user passes" that have a user name and password on them for easy access to the system. I've also advised against this practice, but let's for the moment assume I'm going to lose that battle.

My concern for my client is that a number of things could happen with this information that may result in litigation troubles.

  • A disgruntled employee may leave the company and easily export this information before doing so. It doesn't help that the development team works remotely in another country and can be difficult to supervise.
  • Since user account names are email addresses, it's possible for some users of the system to utilize a common password across all their accounts. This would be an easy attack vector to script and try to gain access to email accounts, and in turn much more sensitive information.
  • I believe that by now most users of web applications have some implicit trust in administrators to keep their private information securely stored.

Ethical issues are, sadly, less of a concern here at the moment. What immediate legal responsibility does my client have when it comes to this?


6 Answers

up vote 5 down vote accepted

To answer definitively is hard, because laws are different from country to country, and with global Internet services it's often unclear which country is the governing one.

It can be a contractual issue, for example with the credit card / payments providers. The PCI Data Security Standard can be kind of vague and hard to follow, but section 8.4 is generally taken to mandate encrypted storage of all passwords including end-user passwords.

It's absolutely a potential customer trust / basic competency issue. We know humans re-use passwords, so the potential negative consequences for your users if you're breached are severe. Password hashing has been debated over and over, and competent developers know that hashing passwords is common best practice. (By the way, the commonly recommended password hash algorithms are bcrypt or PBKDF2-SHA256, or possibly scrypt.)

It's absolutely a potential major publicity / marketing issue. If your database is hacked and plain-text passwords are stolen, then you're pretty much guaranteed to get very very bad publicity. There have been many cases over the years, and in most cases mass media picks up on the story and end users are enraged.

What immediate legal responsibility does my client have

For that kind of assessment you'd need to see a qualified lawyer, and to be clear about where you're incorporated, where your servers are located, and where your users are located. But if your customers are spread out over the world, then it's probably cheaper to just follow accepted best practice and hash passwords with bcrypt/PBKDF2, than to obtain a full legal analysis.

"...it's probably cheaper to just obey accepted best practice and hash passwords than obtain a full legal analysis..." - and certainly cheaper than doing damage control after the fact. – Yuck Nov 23 '11 at 18:42

It's an ethical, legal and liability issue.

Since a password is by nature a security precaution, it's perfectly proper for users to assume the developer/distributor used reasonable techniques to ensure customer security. Knowledge of the dangers (and poor practice) of storing clear text passwords -- and a failure to act on this knowledge -- is unethical.

It opens the door to accusations of negligence and financial liability if users suffer loss (or are even exposed to the risk of loss) by this negligence.

IANAL. I'd get a legal opinion on your responsibilities.


You need to point your client to the Sony security breach and the thousands of lawsuits that followed (and are still on going). Here's just one example of a class action lawsuit:

Motley Rice LLC

Can your client afford to defend against something like this? If not, they need to follow current standard security practices. That means they NEVER store a password, either in the clear or encrypted. You store only a salted hash of the password. If that makes your company's software work incorrectly, your company needs to change its software, or the way it operates.

+1 for salted hashes – Yuck Nov 24 '11 at 15:38

There is no justifiable business reason for anybody to know the password to a user account except for the user himself. That is the point of a password, it is his/her little secret.

If the user forgets their password then have them reset it. If the administrators need to know the password to obtain software access to the account, then that is a serious and gross negligence of the software design.

And it goes beyond being ethically and morally repugnant and grossly negligent, it is also a major legal liability. While it may not be a criminal offense in all regions, it certainly is justifiable grounds for civil suits as the damage this can do to a user is potentially catastrophic.


I heard in some jurisdictions (France?) companies have a legal responsibility to store unobfuscated personal details of their users to be used by state institutions (like law enforcement) when necessary.

YMMV

Yea, here you go:

France Goes Overboard In Data Retention: Wants User Passwords Retained

Scary. We'll keep this in mind as the application is used world-wide. – Yuck Nov 23 '11 at 14:54

Legal issues usually deal with personally identifiable information. Can you identify a person by looking at their password? No. So it is more of an ethical problem. However, does having someone's password lead to personal information? Then it is a legal problem as well. But like Jesper said, why not cover all ends: 1) encrypt all your user data, personally identifiable or not, 2) keep personal and non-personal data on separate db servers (so hacking one does not automatically give them everything), etc.

Passwords are generally stored in a table with usernames and/or email addresses too, so it's often / most often personally identifiable. – Jesper Mortensen Nov 23 '11 at 16:31
How do you suggest encrypting all userdata? Encryption like this seems like fake security because it's information that an employee will likely need to be able to access. – user606723 Nov 23 '11 at 18:08
@user606723: Actually I did not propose to encrypt all user account data; just to hash the passwords. But if you need full table encryption, then it can be done in more advanced databases -- research fx pgcrypto for PostgreSQL. – Jesper Mortensen Nov 23 '11 at 19:06
