Learning Password Security Jargon: Plain Text

It was in March 2019 that the promise of a GDPRevolution came to a skidding halt. This time it was the voice of Facebook’s VP of security and privacy that marked the occasion. In a public statement, Pedro Canahuti informed billions of Facebook, Instagram, and WhatsApp users that millions of their passwords had been stored in plaintext, leaving them searchable by any of the company’s 40,000 employees. Since this is the biggest security breach ever recorded, we’ll be exploring the dangers of plaintext, starting with the first question:

What is plaintext?

Plaintext simply means readable text: normal, everyday language. If your password is stored in plaintext, it sits fully readable in databases that may not be secure. In cryptography, plaintext refers to a message before it is encrypted.

When a plaintext message is encrypted, its characters are scrambled into something unintelligible, and the scrambled text is known as ‘ciphertext’. Ciphertext is usually paired with an encryption key, which lets the keyholder turn the scrambled data back into readable information (in other words, decrypt it). Stored passwords are a special case: the process used to protect them is called ‘password hashing’, and unlike encryption it is designed so that the original password cannot be recovered from what is stored.

Encryption is usually done for the following reasons:

  • Secrecy and confidential communication — Encryption protects information from unauthorized parties, making it ideal for government documents, trade secrets, and financial transactions.

  • Authentication — Regularly used in online banking and any other online account, including NordVPN and NordPass.

Ciphertext, the encrypted form of plaintext, is basically a digital secret language — a principle that can be traced back as far as 1900 BC. From the ‘Caesar cipher’ in classical Rome to the scytale in ancient Greece, cipher script has always been humanity’s favorite way of protecting secrets. However, although the basis of encryption is the same, a lot has changed since papyrus and carrier pigeons. In fact, there’s a lot wrong with our secret code of the moment — mainly the corporate world’s failure to use it properly.

So what’s the problem with plaintext?

Despite the wealth of encryption methods out there, some companies still store customer passwords in plaintext (a readable format). This means that anyone with access can read all of your highly sensitive information like your password, date of birth, and debit card numbers. If your password is stored in plaintext, it may as well be scribbled down on a notepad and left in the world’s public waiting room. You can just imagine how delighted a hacker would be when they inevitably pass through.

How to tell if a site stores passwords in plaintext

The good news is, we’re about to teach you how to protect yourself, so you never have to worry about your password being in plain view and potentially stolen.

Here are two red flags:

  1. If you receive an email containing your username and password after creating an account, it could mean that the encryption the website uses is reversible, which means some of the company’s employees know how to decrypt and read passwords.

  2. If you suspect a site, click ‘Forgot password’ and see whether it emails you your username and password. If, however, you’re sent a link to reset your password, it’s likely your password is safe and has been hashed.
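The two red flags above and the earlier note on password hashing come down to one property: a site that hashes passwords can check a login attempt but cannot read the password back, so it has nothing to put in an email. The example below is added here to illustrate that contrast and is not code from the original post or from NordPass; the in-memory "user tables", the sample usernames and passwords, and the PBKDF2 work factor are all constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user tables" for the example; a real site would use a database.
PLAINTEXT_STORE = {}   # username -> password exactly as typed (the practice the post warns about)
HASHED_STORE = {}      # username -> {"salt": bytes, "iterations": int, "digest": bytes}

PBKDF2_ITERATIONS = 200_000  # assumed work factor; raise it as hardware gets faster


def store_plaintext(username, password):
    """Store the password readable. Anyone with database access can read it back."""
    PLAINTEXT_STORE[username] = password


def read_back_plaintext(username):
    """What a plaintext site can do on 'Forgot password': hand the password straight back."""
    return PLAINTEXT_STORE.get(username)


def store_hashed(username, password, iterations=PBKDF2_ITERATIONS):
    """Store a salted, deliberately slow one-way hash instead of the password itself."""
    salt = os.urandom(16)  # fresh random salt per user, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    HASHED_STORE[username] = {"salt": salt, "iterations": iterations, "digest": digest}


def verify_hashed(username, candidate):
    """Login check: recompute the hash with the stored salt and compare in constant time."""
    record = HASHED_STORE.get(username)
    if record is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def stored_digests_differ(user_a, user_b):
    """True when two users' stored digests differ, even though their passwords were identical."""
    return HASHED_STORE[user_a]["digest"] != HASHED_STORE[user_b]["digest"]


if __name__ == "__main__":
    store_plaintext("alice", "s3cret-example")
    store_hashed("bob", "s3cret-example")
    store_hashed("carol", "s3cret-example")
    print("plaintext site can read back:", read_back_plaintext("alice"))
    print("hashed site can only verify:", verify_hashed("bob", "s3cret-example"))
    print("same password, different digests:", stored_digests_differ("bob", "carol"))
```

The hashed store holds a salt and a digest per user and nothing else, which is why the only honest reply to a hashed site's ‘Forgot password’ button is a reset link. The per-user salt is what the post's phrase "hashed and salted" refers to: two users who chose the same password end up with different records, so one cracked digest says nothing about the other.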

Can passwords be stored securely?

There’s no definite way to tell whether your passwords are stored safely, so the tell-tale signs mentioned above will usually be your best bet for finding out. However, though you can’t control other people’s password practices, you can control your own, which is why we’d like to remind you of our two golden rules for passwords:

  1. Use a different password for every site you use.

    If you use the same password for several sites and one of them stores it in plaintext, it won’t be long before someone gains access to your card details or address. Rather than trawling through sites playing investigator, it’s easier to assume your password hasn’t been hashed and salted.

  2. Create difficult, random passwords that are at least 6 characters long. Be sure to include upper- and lower-case letters, special characters, and an asterisk for optimum security.

    Click here to generate a strong password now. Before you do, remember that truly random passwords are, by their nature, impossible to recall, which is why you’ll need a good password manager. If you haven’t already, take a look at NordPass, a password manager that uses XChaCha20 encryption in a zero-knowledge process to keep your passwords bulletproof but still in your pocket.
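Rule 2 asks for random passwords containing several character classes. The generator below is an added example and not NordPass's own generator: it draws from Python's `secrets` module (a cryptographically secure source, unlike the `random` module) and enforces the post's rule of upper- and lower-case letters, a special character and an asterisk. The set of special characters, the 16-character default length and the `meets_policy` helper are assumptions made for the example; the post's own minimum of 6 characters is kept as the floor.

```python
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!#$%&()+,-./:;<=>?@[]^_{|}~"   # assumed set of punctuation a site is likely to accept
ASTERISK = "*"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL + ASTERISK
MIN_LENGTH = 6  # the post's minimum; the default length below is deliberately longer


def generate_password(length=16):
    """Build a random password that is guaranteed to contain every required character class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # Draw one character from each required class first so the policy always holds...
    chars = [
        secrets.choice(UPPER),
        secrets.choice(LOWER),
        secrets.choice(DIGITS),
        secrets.choice(SPECIAL),
        ASTERISK,
    ]
    # ...then fill the remainder from the whole alphabet.
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG (Fisher-Yates) so the guaranteed characters are not always first.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password):
    """Check the post's rule: minimum length, upper, lower, a special character and an asterisk."""
    return (
        len(password) >= MIN_LENGTH
        and any(c in UPPER for c in password)
        and any(c in LOWER for c in password)
        and any(c in SPECIAL for c in password)
        and ASTERISK in password
    )


if __name__ == "__main__":
    candidate = generate_password()
    print(candidate, "meets policy:", meets_policy(candidate))
```

Because the output is unpredictable and unmemorable by design, it belongs in a password manager rather than in your head, which is exactly the point the post makes next.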
