Vacation is over, time to take a look at the password security of another online webshop software solution. This time named Webmercs, from a Norwegian company named Data Design. I got triggered to do this blog post after visiting www.avshop.no, where I am a registered customer. Lets take a look at Webmercs...
On July 4, 2011, I released a blog post (in Norwegian) about password security in a software solution for logistics and online sales from a Norwegian company named MultiCase. Their solution sent passwords by unencrypted e-mail, and either stored passwords in plaintext or using reversible encryption. Their response came quickly, time will show if, and how they follow up.
Webmercs seems to be a hosted solution, lots of domains link to secure.webmercs.com. Running that site through ssllabs gives us unsatisfactory results: (MITM, SSL 2.0, 40-bit support etc)
|(Click to view full size, or visit SSLLABS)|
They have a bunch of customers, which is always good to display - until something goes wrong.
As a small side-step before continuing, here are two opposite views on security, which I am constantly facing in my daily work:
Customers: "We trust our service provider. We have to trust our provider. We see no reason not to trust our provider. Of course our provider will be give us an acceptable security level. Our providers security is of course at an acceptable level. Our provider knows what an acceptable security level is, has implemented it, and maintains it continuously. Our provider is (solely) responsible for designing, implementing and maintaining an acceptable (best practice) level of security. We do not possess the necessary skills and experience to design such security ourselves, which is partially why we choose to buy this service from an external provider."
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
My point is simple: most (software) providers will provide an absolute minimum of security by default, leaving it all to you to decide what kind of security you want to configure. However; they will provide lots of buttons, parameters, flags and options that you may change to improve (or weaken) the default security level. Few of them will provide an additional "best practices" document, with recommendations on how you *should* configure those parameters...
As I've seen over and over and over again, default security parameters are often left right there - at default.
Well, that was my general complaint for the day. Let's get back to Webmercs. Here's a screenshot from an e-mail I received, after changing my password and then going through the "forgotten password" procedure at www.avshop.no, where I am a registered customer. They use Webmercs:
Even though its Norwegian, I guess you do understand what it says. (Oh, and that password is not my default one! :-))
Lots of evidence there already, showing that the Webmercs solution sends my existing password, username and all the info you need to access my account through unencrypted e-mail. If they do any kind of password encryption at Webmercs, it still is nowhere near what I would call "best practice".
I have also looked at a few other sites that are using Webmercs, and some seem to have at least somewhat better minimum password requirements configured. Obviously the choice of password policy is left to the customer to decide, and I do fear that the default from Webmercs is length 1, obviously without any type of complexity thrown in.
Do we need any more? To me I've got all the evidence of bad password practices I need. I'll uphold my recommendation on focusing on software developers & providers first for increasing password security & awareness, before bashing end-users for bad password behavior. I will of course get back to this in future blog posts as well.
I have sent information to email@example.com to inform them about this blog post, in accordance with their .. interesting stand on how to provide support. No online ticketing system for your support requests there, but at least they are honest about it.