Atlassian and web password security
Update: Atlassian have taken a deep breath, composed themselves, and written a thoughtful and considered piece on what happened, how they reacted, and what they’ve learned. Go and read it, because there’s a lot of useful stuff in there.
So, a disappointing day today. I got an email from Atlassian, makers of fabulous software development tools, as follows:
We are sending you this message because we experienced a security breach and suspect that your Atlassian customer account password details (only) may have been compromised. [...] Be aware that this security issue only affects Atlassian customers who created an Atlassian account and purchased one of our products before June 2008. Since then, we have been using a more secure user management system based on Atlassian’s Crowd product.
Now, this is just lame. It would appear that Atlassian have been storing passwords in clear-text in their database. This, by itself, is pretty inexcusable, but what’s even worse is that they were running a “more secure” system alongside it, but for whatever reason didn’t bother to migrate old accounts into it. Thanks guys.
What’s so disappointing about it is that Atlassian aren’t just some crappy rate-my-kitten-pictures website*. Every experience I’ve had with their tools (and I speak as someone who uses almost everything they sell) leads me to believe that they are really clever guys. They make brilliant software that I and the rest of my team depend on every single day to do our job.
If they were a dog, they’d be a prize-winning, trials champion sheepdog that’s just crapped on the kitchen floor. Bad Atlassian. In your kennel, now.
All of which leads me on to the lesson for today. It’s an oldie but, apparently, still needs reiterating every now and again.
DON’T STORE PASSWORDS IN PLAIN TEXT
That’s it, really. There is absolutely no excuse, ever, for doing this. Every single language in the world has a password hashing library that you can use, so use it. Hash with a random salt, and use a slow algorithm like blowfish if you can, but please, just hash it. Don’t encrypt it, because that means that somewhere you’ve got a decryption secret, and if I can get hold of that then I’ve got all your passwords in plain text.
And if you ever find yourself in the position that Atlassian are in, don’t do what they’re doing in the email above, and gloss over the most important message, which is this:
Change your password on every site which uses the same email address + password combination.
Sure, in a perfect world everyone would use a different password for every site, and the makers of OnePassword would be trillionaires, but in the real world they don’t and (as far as I know) aren’t. People re-use passwords, and once you’ve shared those passwords with the hacker community at large, you owe it to your users to remind them of that.
Oh, and one more thing. If you’re making a website with self-signup capabilities, please offer support for OpenID, or some other distributed authentication standard that I’m likely to have. If you’re not sure how that should work, go look at how StackOverflow do it. Then ask yourself: do I really need to demand a username and password from you at all?
* No offence to icanhazcheezburger.com, who I’m sure do a bang-up job of password security, though I don’t have an account with them myself.