Pandora Password Debacle

There’s a post going around on Google Plus that shows off a glaring security hole in the popular internet radio site Pandora. If you use FireBug (or the HTML inspection tool in your browser of choice), you can see that the Password field on the account settings page carries your actual password in its value attribute. The field renders bullets only because it is a password-type form field rather than a plain text input; that masking is purely cosmetic, and the password itself sits in the page source exactly as the server sent it.

That’s not good, however you look at it. Updates to the post point out that this does not by itself prove Pandora is storing passwords in their database in plaintext, since the value could in principle be cached client-side, but plaintext storage is definitely in the realm of possibility. Prefilling a password field and not using a slow one-way hash tend to go hand in hand: a properly hashed password cannot be turned back into the string the form would need.

Given that I was able to see my password, on a new computer I had yet to use Pandora on, with a browser that I had recently cleared of cookies and other local storage, the client-side cache explanation doesn’t hold up. The value had to come from Pandora’s servers in the page they sent me, which means the server can produce the plaintext on demand. So Pandora is most likely storing passwords in plaintext and transmitting them over the internet. (Or, at best, using a two-way encryption scheme, which is little better: the application holds the decryption key, so anyone who compromises the application can recover every password.)

Pandora doesn’t one-way hash their passwords [Google Plus]