Movable Type and TypePad Passwords in Plain Text

Lloyd — Thu, 21 Aug 2008 14:39:38 +0000

“If Movable Type was as popular, and under the same amount of scrutiny, I can’t imagine they would still be storing passwords as plain text.” upset at least one reader of “Movable Type Pro, Setting Social Networking Free, Vaporware, WordPress, BuddyPress“. His comment wasn’t polite, so I’ll answer without here without publishing it or calling attention to the comment author.

While working on the TypePad and Movable Type AtomPub Exporters (still in progress), programmer Ronald Heft Jr had a problem interacting with the WSSE authentication both use. The problem ended up being in his own code, but it also led to some interesting observations about how the authentication works.

TypePad doesn’t require as secure code.

TypePad can handle the WSSE nonce either base64 encoded or plain text. Movable Type requires the nonce to be base64 encoded. Ronald had been using base64 on the nonce from the beginning, and TypePad accepted it. The APE does not encoding the nonce, so it works with TP but not MT.

TypePad allows the same nonce to be used multiple times, while Movable Type requires a new nonce for each request. The AtomPub library Ronald had been using did not regenerate the nonce as it was centered around TypePad. Once he started giving a new nonce for each request, MT started authenticating.

This is a good reminder that allowing programmers a less secure option, and they will likely take it because they trust you, and have other deadlines.

WSSE authentication is inheritantly insecure.

When Ronald looked in his Movable Type database he found that the passwords were stored in plain text. WordPress remote access development lead Joseph Scott explains that the only way to support WSSE is to store the passwords in plain text on the server, which is one of the reasons why WordPress won’t be supporting WSSE.

A Fool's Wisdom » Authentication

Movable Type and TypePad Passwords in Plain Text