My Uniden Insecurity

[belvdr]

I forgot my password to My Uniden and clicked the Forgot Password link. Lo and behold, I discover Uniden is storing credentials in cleartext. This is unacceptable these days.

Word to the wise, ensure you use a random password there.

EDIT: Per my conversation below, I thought it prudent to add that the password is stored in either cleartext or in a reversible encryption. I apologize for misleading on that point. Either way, it's not stored properly.

 

[mule1075]

Word to the wise, ensure you use a random password there.

As you would anywhere.

 

[belvdr]

As you would anywhere.

Agreed, but most people don't subscribe to that concept. This is one place you want to.

 

[diskmonger]

How do you know they are storing passwords in plain text? I think what you meant to say is the password was emailed to you.

 

[jonwienke]

I forgot my password to My Uniden and clicked the Forgot Password link. Lo and behold, I discover Uniden is storing credentials in cleartext.

How did you manage to do that? Do you have access to the drives on Uniden's server?

 

[belvdr]

How did you manage to do that? Do you have access to the drives on Uniden's server?

Using the "Forgot Password" link is all that's required. No physical access needed.

 

[jonwienke]

Using the "Forgot Password" link is all that's required. No physical access needed.

WRONG. Having your password emailed to you in the clear does NOT mean that the password is stored on Uniden's server in the clear.

 

[belvdr]

WRONG. Having your password emailed to you in the clear does NOT mean that the password is stored on Uniden's server in the clear.

Sure, it could be encrypted, but I have never seen that done in practice. I'd venture it's > 90% probable it's in the clear.

Regardless, the password storage mechanism is reversible and that's the root of the issue: it's a flawed storage mechanism, therefore insecure. Passwords should always be stored using a one way hash and the Forgot Password mechanism should never email you the password they have on file directly, not to mention sending it via email puts it in the clear as well.

No need for caps, I can hear you clearly.

 

[belvdr]

How do you know they are storing passwords in plain text? I think what you meant to say is the password was emailed to you.

The password they have on file was emailed to me, not a new random password. That's not secure unfortunately.

 

[RogueSteward]

Sure, it could be encrypted, but I have never seen that done in practice. I'd venture it's > 90% probable it's in the clear.

Regardless, the password storage mechanism is reversible and that's the root of the issue: it's a flawed storage mechanism, therefore insecure. Passwords should always be stored using a one way hash and the Forgot Password mechanism should never email you the password they have on file directly, not to mention sending it via email puts it in the clear as well.

No need for caps, I can hear you clearly.

Unless Uniden wants to be the next company in the news with the headline, "Security researcher discovers credentials for 5,000 users", this problem should be fixed asap.

 

[slicerwizard]

WRONG. Having your password emailed to you in the clear does NOT mean that the password is stored on Uniden's server in the clear.

If the server can serve up the password, it either has the cleartext password or an encrypted password and the decryption key - which is the same thing.

 

[GTR8000]

If the server can serve up the password, it either has the cleartext password or an encrypted password and the decryption key - which is the same thing.

^ This.

If the server is returning the password in clear text via email or any other method, then the server can be compromised. Passwords should be one-way encrypted on the server so that no one, including the company that owns the server, can recover a password. Only the hash gets compared when logging in, not the actual password itself, as the server shouldn't be able to decrypt it.

A properly setup and secure server will never return your password to you, it will force you to reset it.

 

[jonwienke]

If the server can serve up the password, it either has the cleartext password or an encrypted password and the decryption key - which is the same thing.

Not necessarily, if the data is stored on something like this:
https://www.amazon.com/Apricorn-Padlock-Fortress-Validated-Encrypted/dp/B00NTQGZNS/

The decryption key is entered separately into the storage device, and the server doesn't have access to the encryption/decryption key.

Is it possible that Uniden is storing passwords in the clear on an unencrypted drive? Yes.

And I agree that storing a cryptographically strong hash of a password is much more secure than storing the password itself.

But getting a password in an email is not proof that passwords are being stored in the clear on an unencrypted drive, which was the original claim.

 

[belvdr]

Not necessarily, if the data is stored on something like this:
https://www.amazon.com/Apricorn-Padlock-Fortress-Validated-Encrypted/dp/B00NTQGZNS/

The decryption key is entered separately into the storage device, and the server doesn't have access to the encryption/decryption key.

Is it possible that Uniden is storing passwords in the clear on an unencrypted drive? Yes.

And I agree that storing a cryptographically strong hash of a password is much more secure than storing the password itself.

But getting a password in an email is not proof that passwords are being stored in the clear on an unencrypted drive, which was the original claim.

How would Uniden then be able to email me the password they have on file without the server having access to the key? It has to have that access in order to decrypt the password.

I updated the my original post after our first discussion.

 

[jonwienke]

How would Uniden then be able to email me the password they have on file without the server having access to the key? It has to have that access in order to decrypt the password.

The key is entered separately, directly into the storage device, and the storage device handles the encryption and decryption, rather than the server. Or, the server can use something like BitLocker in addition to the encryption built into the external drive.

It's still not the same as storing hashed passwords, though.

 

[iMONITOR]

The best thing you can do to protect yourself is not to let websites remember your charge card billing information. Yes it's very convenient not to have to reenter it every time. But I'll take the time to renter it each time rather than make it convenient for the hacker as well!

 

[belvdr]

The key is entered separately, directly into the storage device, and the storage device handles the encryption and decryption, rather than the server. Or, the server can use something like BitLocker in addition to the encryption built into the external drive.

It's still not the same as storing hashed passwords, though.

The drive encrypts data stored on it. That would not work as you'd expect for a web service. The service would think it is writing cleartext and the drive would encrypt it. Thus, a password is still readable and if the web service were compromised, so is the data.

It's similar to transparent data encryption, which solves the issue of data at rest, but doesn't solve the problem of the application writing cleartext. This is an application issue, not an issue at the hardware or operating system level.

I cringe when web services do this. A hash isn't hard to do and is the most secure option, especially with a salt.

 

[jonwienke]

The Uniden site doesn't store CC info, so the worst case scenario if a hacker got my password is that they would be able to see the serial numbers of the scanners I've purchased and the upgrade keys associated with them.

If you use the same password across multiple sites (and I know people do), that raises the stakes a little.

 

[Ubbe]

I have to agree. I have never seen a web server give you the current password, it always says that it has been reset and you need to change it by following a link. If its true that Uniden sends out the active password in an email then that are very odd indeed.

/Ubbe

 

[RayAir]

Hopefully you don't enter your pw on an http site either or they didn't send it to you insecurely.
One in-the-clear captured log in and pw can cause all kinds of trouble, especially if its used for multiple accounts (very common).

Side note: Right here when logging into Wiki, I noticed it was http and my PC gave a warning that credentials could be compromised. I found a way to log in secure, but had to go through some hoops. I run Https Everywhere.