Advertisement

A popular fetish app stored passwords in plain text

When a human asks you for your password, that's usually a bad sign.

"Pursuant to our records, we have not identified an account associated with [your email address]. In order to enable us to exercise your request to receive access to your personal data, we kindly request the below information (please respond with the below to this email):

· The email address you registered with on Whiplr;

· Your username on Whiplr;

· Your password on Whiplr."

I'd made many data requests before, but this was the first time I'd been asked for a password to prove my identity. It meant one disturbing truth: Whiplr was storing my login details in plain text.

It's impossible to see how many times the iOS app Whiplr has been downloaded, but it describes itself as "the world's biggest online fetish community." It's a place for people with kinks of all kinds to connect. Naturally, privacy is paramount. You'll rarely find a handle resembling a real name, and many profiles don't have publicly available pictures. Of those that do, faces are often hidden or obscured. Users don't want to be recognized or judged for their bedroom proclivities by people they might encounter in "normal" daily life. They prefer to remain mysterious, if not outright anonymous.

This is exactly why Whiplr storing login details in plain text is such a serious faux pas. Should hackers have gained access to this database, they could've potentially figured out the real identities of users either through the app itself or through other services where those credentials are identical. The potential for extortion is very real. Think the Ashley Madison hack, just with more ropes and spanking, and less relationship-ending infidelity.

An inexplicably retriever-focused commercial for Whiplr

Storing login credentials in plain text is not a good idea. Without any form of encryption, this data is most powerful in its rawest form. Should a company's systems be breached, a hacker could use the info to access your account, find out more about you and prospect elsewhere with the same login details. If you are consistent with your password choices, one plain-text database could be the key to your digital life.

As a sensitive service, you'd think any form of database encryption would be a sensible move for Whiplr. A common password-protection technique is hashing. A hashing algorithm will take your password and scramble it into a random string of characters. When you log in to a service with your password, it'll get run through the same hashing algorithm. Whatever it spits out will be referenced against the database to see if it matches. Only the hash is stored, not your actual password.

Importantly, hashing algorithms will always produce a string of characters of the same length, regardless of the length of the passwords. This makes them pretty hard to crack, as the hash can't be used to identify anything about the composition of the password. It's not impossible to reverse-engineer passwords from their hashes though. With enough time and computing power, you can throw anything you want into a hashing algorithm and cross-reference the output to, say, a database dump. The shorter and more common a password is, the more quickly you're likely to get a hit.

This is why more than 100 million LinkedIn account details appeared for sale online a few years ago. The service was hacked in 2012, and though it stored passwords in a hashed format, they were decrypted in time. And that's why you have to sprinkle a little salt in that cauldron.

There are plenty of ways people can get your password without hacking.

Salting basically adds a random string of characters to either the front or back of your password before it's run through the hashing algorithm. It means that two identical passwords will have different hashes, because every user has a unique salt to add complexity. Therefore, there's no pattern to the hashes in the database because every single password is different. Even if hackers got hold of the hash and the salt database -- you have to keep a record of the salt to add it to the password every time a user tries to log in -- they would have to run every possible password plus the salt through the hashing algorithm to get a match. And even if they did, they'd have to start all over again for a new user. It's just not feasible.

While that more or less stops people from getting your login information from hacked databases, it doesn't protect you if someone already knows your password. Key-logging malware, social engineering, shoulder surfing: There are plenty of ways people can get your password without being an actual hacker. Two-factor authentication is a common roadblock, not only stopping unwanted logins but also alerting you that someone's trying to break in. Always turn it on, even if it feels like an inconvenience.

Another way you can protect yourself is by applying the common sense rules of using awkward passwords that are different for every site and service. Password managers can help you here by generating ridiculously complex passwords for you, remembering them and logging you into services automatically. Remember that complicated passwords aren't nearly as easy to crack, even if a database uses just hashing.

"This case was an error of judgment in a specific situation when a user could not have been identified via email address."

Whiplr isn't the only service that's been guilty of storing passwords in plain text. It's more notable than many, given it's a fetish app with a user base that values privacy, but it's not that uncommon. There's even a website dedicated to naming and shaming other places of lax security.

"Whiplr places both the security and privacy of its millions of users around the world at the highest priority," Ido Manor, the service's data protection officer, told us. "This case was an error of judgment in a specific situation when a user could not have been identified via email address," he continued. "We took steps to make sure this never happens again, just as it has never happened before this incident."

Manor said that, while Whiplr used to be able to view unencrypted passwords, since being made aware of the error, the app has secured them with "one-way encryption" and is "adding more security measures to protect our users' data."

While it may be an unsettling realization for Whiplr users, there are no laws against companies storing passwords in plain text. They are only required to put reasonable barriers between hackers and that data. There are no guarantees that other apps and services you may use, fetish-focused or otherwise, aren't tempting fate in exactly the same way.

Data retrieval
How big tech manages your personal information

Data retrieval series credits
Features editor: Aaron Souppouris
Lead reporter: Chris Ip
Additional reporting: Matt Brian, Dan Cooper, Steve Dent, Jamie Rigg, Mat Smith, Nick Summers
Copy editor: Megan Giller
Illustration: Koren Shadmi (data drones)