How not to be secure: blogsvertise.com stores passwords in insecure ways

The blog is currently being ported from WordPress to over 12 years of static pages of content. If there's an article missing that you're hoping to see, please contact me and let me know and I'll prioritize getting it online.

April 12, 2011


I was approached by blogsvertise.com recently to reactivate my account, because I let it die a slow, agonizing, forever-alone, kind of death.

I figured writing occasional sponsored blog articles would give me some extra Starbucks money here and there, and after talking to “Melissa”, and telling her why I’d left (I was flooded by irrelevant advertising ideas like lawnmowers) and what I’d need to make it worth my while, she reactivated my account, at which point their system sent me an Email:

Blogsvertise stored my old password in plain text!

I was stunned. Either they’d stored my password in plaintext, or they’d stored it using an encoding algorithm, both of which are a Bad Thing™. If their systems are compromised, your passwords are either immediately readable by the attackers, or they can see which encoding scheme is used and how to decode them.

I wrote Melissa a scathing letter telling her that her development team needed to adhere to industry best practices of using hash/salt setups, and while waiting for her reply which never came, I got an Email from them saying I had a new advertisement to blog about: nurse uniforms. Sigh.

Thankfully, LastPass generates lovely 100-byte passwords for me full of uppercase and lowercase letters, numbers and punctuation (I couldn’t tell you my Amazon password if you held a gun to my head), so I immediately logged into the blogsvertise.com web site, edited my profile, and changed my password to some random 40-byte password which I didn’t save in my LastPass vault, so even if/when their systems get compromised, I won’t ever have to care that someone knows one of my passwords.

I’m looking forward to attending some of the OAuth2/OpenID sessions at Google IO to hear more about third-party authentication schemes so I don’t have to register with so many other services for things.

Then again, if blogging actually paid anything worthwhile in terms of advertising, I wouldn’t have even bothered with blogsvertise.com in the first place. Too bad The Rubicon Project kicked out all of their small publishers in late 2009; I was making decent money with them.