MySpace security FAIL

Friday 29th May, 2009

MySpace stores users' original passwords in clear text and returns them by email on request. Enough said really. FAIL.

For reference purposes, there are better ways to do this:

One step better: don’t return the original password (which potentially reveals additional information to an attacker, such as a password the user reuses elsewhere); instead send a generated one or a one-off link that allows the user to set a new one.

Two steps better: don’t store the original password at all; store a salted one-way hash instead. That way even an attacker who compromises the DB can’t see it (assuming you do it right: a per-user random salt, a deliberately slow hash function, and a constant-time comparison on login).
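As an added illustration of both the "one step better" and "two steps better" options (example code written for this page, not MySpace's or any library's own implementation), the snippet below stores only a salted PBKDF2 hash of each password and, for recovery, issues a single-use expiring reset token whose raw value goes into the emailed link while only its hash is kept server-side. The iteration count, token lifetime, and in-memory token store are assumed values chosen for the example; real deployments would tune the first two and back the third with a database.

```python
import hashlib
import hmac
import os
import secrets
import time

# Tunable parameters (assumed values for this example; set them per your own threat model).
PBKDF2_ITERATIONS = 600_000          # deliberately slow to make offline guessing expensive
SALT_BYTES = 16                      # fresh random salt per user
RESET_TOKEN_TTL_SECONDS = 15 * 60    # reset links stop working after 15 minutes


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    Only this record is stored; the original password never touches the database.
    Because the salt is random, two users with the same password get different records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash using the stored salt and iteration count, then compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False                      # malformed record: treat as a failed login, never crash
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(digest.hex(), hash_hex)


class ResetTokenStore:
    """Server-side store of password-reset tokens (in-memory here; assumed stand-in for a DB table).

    The raw token is returned once to be embedded in the emailed link; the store keeps only
    its SHA-256 hash, so a leaked copy of this table does not let anyone redeem the links.
    """

    def __init__(self, now=time.time):
        self._now = now                   # injectable clock so expiry can be tested
        self._tokens = {}                 # token_hash -> (user_id, expires_at)

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a one-off reset token for user_id and return the raw value for the email link."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._hash(token)] = (user_id, self._now() + RESET_TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the user_id the token belongs to, or None if it is unknown, used, or expired.

        The entry is popped on first sight, so a token can only be redeemed once.
        """
        entry = self._tokens.pop(self._hash(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


def reset_flow_demo() -> dict:
    """Walk through both improvements end to end and report what each side can see."""
    users = {"alice": hash_password("correct horse battery staple")}
    store = ResetTokenStore()

    # "Two steps better": a dump of the users table exposes only the salted hash.
    dumped = users["alice"]
    leak_reveals_password = "correct horse" in dumped

    # "One step better": recovery emails a link, not the password.
    link_token = store.issue("alice")
    user_from_link = store.redeem(link_token)
    if user_from_link is not None:
        users[user_from_link] = hash_password("new password chosen by the user")
    return {
        "leak_reveals_password": leak_reveals_password,
        "reset_link_owner": user_from_link,
        "old_password_still_valid": verify_password("correct horse battery staple", users["alice"]),
        "new_password_valid": verify_password("new password chosen by the user", users["alice"]),
    }


if __name__ == "__main__":
    print(reset_flow_demo())
```

The record format embeds the iteration count so it can be raised later without breaking existing logins: old records keep verifying with their stored count, and a rehash on successful login upgrades them.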