Plaintext Shame List (Malaysia)

Passwords should never be exposed or displayed in plaintext form. However, it seems a lot of organisations (especially governments!) still somehow find it normal and acceptable to send passwords to their users in plaintext form.

When these organisations' websites send passwords by email, it indicates a major flaw in their security. Most likely they store the passwords in plaintext in their database. Even if they are somehow storing them hashed or encrypted, it is still inexcusable to ever expose a user's password in plaintext form. Email is susceptible to MITM, it leaves copies in logs and mailboxes along the way, and it was never meant to be a secure form of communication.

===

So, to start off the list, the lucky organisation chosen to grace this Shame List is none other than my alma mater, UiTM!

UiTM Logo

Yes, UiTM, which stands for Universiti Teknologi MARA (yep, Technology in its name, which makes this even more embarrassing), has the honour of being the first in this Shame List. UiTM has a history of being exceptionally bad with their security. Case in point: just last year it was revealed that the university had suffered a major data breach. What's worse is that it happened way before the exposé, and the university decided to sweep it under the rug to save face.

Another example of their ignorance of web security is that they only started implementing HTTPS on most, if not all, of their websites last year, and only because an individual threatened to leak the database to the public.

It's a shame though, even after all that, they clearly still don't give a crap about security.

Image of UiTM Student Portal

That's the student portal login. Notice how it says Click Here to Recover instead of the usual Reset Password link? Well, that's because it means exactly that: you recover your password. Lo and behold:

Image of student portal password reset

There it is, my password in plaintext form. Now, I don't know for certain how it's actually stored in the database; for all we know it might be encrypted. However, there's absolutely zero reason to store encrypted passwords instead of simply hashing them with a secure password hashing algorithm. In fact, in this day and age, I can't think of a single reputable company/organisation that encrypts passwords at all.
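For contrast with what the portal does, here is the flow a password-reset feature is supposed to follow, as an added example that is not from the original post or from UiTM. It assumes an in-memory dict as a stand-in for the user table (constructed for the example) and uses the standard-library PBKDF2-HMAC-SHA256 as the slow, salted, one-way hash: the server can check a guess but can never hand the password back, and "recovery" becomes a short-lived, single-use token whose hash is the only thing stored.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stand-in for a user table and a reset-token table.
USERS: dict = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS: dict = {}   # sha256(token) -> {"user": str, "expires": float}

PBKDF2_ITERATIONS = 600_000      # OWASP-recommended work factor for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL_SECONDS = 15 * 60


def _now(now: Optional[float]) -> float:
    # Injectable clock so expiry can be tested without sleeping.
    return time.time() if now is None else now


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted and deliberately slow; there is no function that maps the output back to the input.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> bool:
    if username in USERS:
        return False
    salt = secrets.token_bytes(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}
    return True


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for unknown users so timing does not reveal account existence.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Return the one-time token to put in the reset link; only its hash is stored server-side."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode("ascii")).hexdigest()
    RESET_TOKENS[digest] = {"user": username, "expires": _now(now) + RESET_TOKEN_TTL_SECONDS}
    return token


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Set a new password if the token is known, unexpired and unused. The token is consumed either way."""
    digest = hashlib.sha256(token.encode("ascii")).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)
    if entry is None or _now(now) > entry["expires"]:
        return False
    salt = secrets.token_bytes(16)   # fresh salt on every password change
    USERS[entry["user"]] = {"salt": salt, "hash": hash_password(new_password, salt)}
    return True


def record_reveals_password(username: str, password: str) -> bool:
    """True if the stored record contains the plaintext password (it never should)."""
    record = USERS.get(username)
    return record is not None and password.encode("utf-8") in record["salt"] + record["hash"]


if __name__ == "__main__":
    register("student", "correct horse battery")
    token = issue_reset_token("student")
    print("record leaks plaintext:", record_reveals_password("student", "correct horse battery"))
    print("reset with token:", redeem_reset_token(token, "new password"))
    print("old password still works:", verify_password("student", "correct horse battery"))
```

The point of `record_reveals_password` is that the only thing in the database is a salt and a PBKDF2 output, so a "recover" page like the portal's is impossible to build on top of it; the reset link is what gets emailed, and it is worthless after fifteen minutes or one use.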

That's all folks!