BTGuard stores passwords in plain text

Pete Zaborszky

July 25, 2013

A user has reported on the reddit forums that, on forgetting his password for the Canada-based BTGuard VPN service, he was sent his password in a plain-text email. The full text of the post is:

Storing plain text passwords is something I would expect from a forum made by a hack, but not a security tool; seriously, hashing pw's isn't hard. This is the letter I sent torrentfreak after receiving my forgotten pw back in plain text.

I read your article about VPNs. I tried out btguard for a month and stopped using it. Tonight I decided to give it another go and I realized I forgot my login name, so I used their forgot my username link and provided the email I had associated with the account. I was disturbed to get my password back in the email as well, not a reset password link or anything, just my password, meaning they store PWs in plain text and don't hash them. I feel like this is a no-no for security, especially for a company who is supposed to be providing a secure service. I think this is a particularly poor move on their part and I won't be renewing my service with them. I feel as if this should be something you warn readers about, given that you have recommended them in two articles about VPN services, the aforementioned one and

[image of email I got after requesting my forgotten pw] After changing it to something more appropriate, I've changed it again; hopefully they don't keep a log of prior passwords.'

We agree that storing passwords in clear text is a shocking lapse of security in a company whose raison d'être is to provide security for its customers, and we therefore wish to pass on this warning to our readers. Keeping passwords in such an insecure way is unforgivable in an age where the problem of storing passwords safely on a server has been solved, and it leaves BTGuard users' accounts vulnerable to hacking.

As another forum member observed, it is possible the passwords are not being stored unhashed, but are being encrypted before storage and decrypted before being emailed to customers in plain-text messages. However, even this is very poor in terms of security: it means that an encryption key exists on BTGuard's servers which, if those servers were hacked, could be used to compromise all of BTGuard's customers' accounts.
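To make concrete what "storing passwords safely on a server" means, and why a reset link is the right answer to a forgotten password, here is an added example written for this article; it is not BTGuard's code, and the article names no particular algorithm. It keeps only a per-user random salt and a PBKDF2-HMAC-SHA256 digest (a standard-library choice made here; the iteration count is an assumption), so the server can verify a login but cannot recover the password and so cannot email it. A forgotten-password request issues a short-lived, single-use random token whose hash alone is stored; the token goes out in the reset link, and redeeming it sets a new password rather than revealing the old one. The in-memory dictionary stands in for a database.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Assumed parameters for this constructed example (not from the article):
PBKDF2_ITERATIONS = 600_000   # work factor; tune to your hardware budget
SALT_BYTES = 16               # fresh random salt per account
RESET_TOKEN_TTL = 15 * 60     # reset links expire after 15 minutes

_accounts = {}   # username -> {"salt", "hash", "reset"}; stand-in for a database


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is one-way: nothing here can yield the password back."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    """Store salt and digest only; the plain password is never written anywhere."""
    salt, digest = hash_password(password)
    _accounts[username] = {"salt": salt, "hash": digest, "reset": None}


def verify_login(username: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    rec = _accounts.get(username)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Generate the secret for a reset link. Only its SHA-256 is kept server-side,
    so a database leak does not hand out live reset links either."""
    rec = _accounts.get(username)
    if rec is None:
        return None   # caller should still show a neutral "check your email" message
    token = secrets.token_urlsafe(32)
    expires = (now if now is not None else time.time()) + RESET_TOKEN_TTL
    rec["reset"] = {"hash": hashlib.sha256(token.encode("utf-8")).digest(), "expires": expires}
    return token


def redeem_reset_token(username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Accept a valid, unexpired token exactly once and replace the password hash."""
    rec = _accounts.get(username)
    pending = rec["reset"] if rec else None
    if pending is None:
        return False
    now = now if now is not None else time.time()
    if now > pending["expires"]:
        rec["reset"] = None          # expired: the request is dead, a new one is needed
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(presented, pending["hash"]):
        return False                 # wrong token; keep the pending request for the real link
    rec["reset"] = None              # single use
    rec["salt"], rec["hash"] = hash_password(new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", verify_login("alice", "correct horse battery staple"))
    token = issue_reset_token("alice")
    print("reset applied:", redeem_reset_token("alice", token, "new passphrase"))
    print("old password still works:", verify_login("alice", "correct horse battery staple"))
```

The contrast with the behaviour described above is the whole point: with this layout, a "forgot my password" handler has nothing it could email except a fresh reset token, and a stolen copy of the store yields salted digests rather than customer passwords or a decryption key.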