WPML Emails Passwords to Affected Customers in Plaintext

Image: Clear Text Password (photo credit: thegloamingcc)
Customers who purchased WPML, a multilingual plugin for WordPress, are receiving a suspicious email that looks similar to a phishing attempt. Matt Radford, a customer of WPML, kindly sent the Tavern a copy of the email.

Dear Matt,

We want to make sure that your WPML account remains secure. For this, we are updating all client accounts with auto-generated strong passwords. A strong password helps prevent unauthorized use of your WPML account.

Our system will start the password update shortly. We will send you another email with your new password.

All the best,

WPML team

Radford then received a follow-up email that included his new password in plaintext. Asked why the passwords were sent this way, WPML said: “We detected weak passwords in our system and following this we are enforcing, on a one-time procedure, strong passwords to all our clients.

“As for sending them in plaintext, if you consider it not to be safe, please update your password in order to keep it secure,” WPML said.

When questioned if passwords are stored in plaintext within the database, WPML replied, “As for storing passwords in our database we are not storing it in plaintext, we are using standard WordPress. Yes they’re salted and hashed.”

Denise VanDeCruze, a WPML support forum moderator, says the email was generated automatically by their systems. She confirms that sending passwords in plaintext is not a best practice and urges users to log in to their accounts and generate a new password using the reset password link.

This email was automatically generated by our system and sent to clients with passwords that were deemed too simple. However, sending new passwords in plain text via email without requiring user action is not best practice. I urge you to change your WPML account password. https://wpml.org/account/account-settings/

You were right to be cautious of this sudden email. Although it was not a phishing attempt, it was not the best way to ensure a safe password. In the future we will be mindful of adhering to strict security standards. Please let me know if you have any further questions.

WPML has not published anything on its blog that explains the situation and has yet to respond to our requests for comment. If you’re a WPML customer and receive an email with a new password, you should immediately log in, generate a new password using the site’s reset password link and follow the instructions.

Emailing passwords in plaintext is a terrible security practice. One of the key improvements in WordPress 4.3 is that WordPress no longer emails passwords. Instead, it sends password reset links that expire after 24 hours by default. A reset link is useful only once and only for a limited time, so a mail administrator, an intermediate relay or someone on a shared computer who reads the message later gets nothing from it, whereas an emailed password stays valid until the customer changes it. In hindsight, WPML should have generated and sent password reset emails to affected customers.
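To make the difference concrete, here is an added example (not WordPress’s or WPML’s code) of the reset-link flow the paragraph above recommends, written in Python. It follows the shape WordPress has used since 4.3: the server stores a "time:hash" record rather than the token itself, the emailed link carries the token, and the record is checked against a 24-hour lifetime and deleted once used. The sha256 hashing, the in-memory dict standing in for the users table and the example.invalid host are simplifications of mine; WordPress itself hashes the key with phpass.

```python
import hashlib
import hmac
import secrets
import time

# WordPress default since 4.3: reset keys live for DAY_IN_SECONDS,
# adjustable through the password_reset_expiration filter.
RESET_TTL_SECONDS = 24 * 60 * 60


def issue_reset_token(now=None):
    """Create a one-time reset token.

    Returns (token, record): the token goes into the emailed link and is
    never stored; the record, "<issued_at>:<sha256(token)>", is what the
    server keeps. (WordPress keeps the same "time:hash" shape in
    user_activation_key, hashed with phpass; sha256 is an assumption made
    here to keep the example short.)
    """
    now = int(time.time()) if now is None else int(now)
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe
    digest = hashlib.sha256(token.encode()).hexdigest()
    return token, f"{now}:{digest}"


def verify_reset_token(record, presented, now=None, ttl=RESET_TTL_SECONDS):
    """Return "ok", "expired" or "invalid" for a token presented via a link."""
    now = int(time.time()) if now is None else int(now)
    if not record or ":" not in record:
        return "invalid"
    issued_at, stored_digest = record.split(":", 1)
    if not issued_at.isdigit():
        return "invalid"
    computed = hashlib.sha256(presented.encode()).hexdigest()
    # Constant-time comparison; both values are ASCII hex strings.
    if not hmac.compare_digest(computed, stored_digest):
        return "invalid"
    if now - int(issued_at) > ttl:
        return "expired"
    return "ok"


def redeem_reset_token(store, user_login, presented, now=None):
    """Verify and, on success, delete the record so the link is single use.

    `store` stands in for the users table: a dict of user_login -> record.
    """
    status = verify_reset_token(store.get(user_login), presented, now)
    if status == "ok":
        del store[user_login]  # a link read from the mailbox later is worthless
    return status


def reset_email_body(user_login, token, base_url="https://example.invalid"):
    """The message a customer receives: a link, not a credential.

    The query string mirrors the shape of WordPress's own reset link.
    """
    link = f"{base_url}/wp-login.php?action=rp&key={token}&login={user_login}"
    return (
        f"Someone requested a password reset for the account {user_login}.\n"
        f"If this was you, visit the following address to choose a new password:\n"
        f"{link}\n"
        f"This link expires in {RESET_TTL_SECONDS // 3600} hours and can be used once.\n"
    )


if __name__ == "__main__":
    users = {}
    token, users["alice"] = issue_reset_token()
    print(reset_email_body("alice", token))
    print(redeem_reset_token(users, "alice", token))  # ok
    print(redeem_reset_token(users, "alice", token))  # invalid: already used
```

Note what the mailbox never contains: the password. Even if the message is read in transit or from a shared inbox after the fact, the attacker holds a token that either has been consumed or will lapse within a day, and the stored record cannot be turned back into the token.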


28 Comments


  1. To be fair, if they had a lot of bad logins lately, then testing everybody is a reasonable thing to do. Back when we did the big reset on org in 2011, we just blanked everybody’s passwords out and forced them to go through the two step reset process. Not the best, but the most straightforward thing to do at the time. Didn’t cause too much hassle, although I was dealing with the confused user emails for the next three years (not a joke).



      1. You should see a countdown timer that lets you edit your comment, do you not see it?



      2. And after a reload, I can’t see my previous comment at all.

        Call me biased, but I have never found any comment system as good, as simple, as obvious, as the built in one. Just saying, they all have problems. Major ones.



      3. That’s because your comment was moderated. You should see it appear, but if you reload the page before I approve it, it disappears.



      4. In fairness, Epoch (the comment system here) is native.

        Think of it more as a skin for existing native template, but with added benefits of real-time commenting, Ajax load, caching support and SEO friendliness.

        The issues you had (edit and reload) are down to the way Jeff moderates comments, and would be present even if they were purely native comments.



  2. Sending a new password in plain text does not mean passwords are stored in plain text. Sending an existing password, on the other hand, will prove it.

    But how can they detect that an existing password is “too simple” when not stored? I guess it would mean walking through a huge list of “simple” and common passwords and compare with the stored salted hash of each user.

    I think nobody and no script should ever do such a thing, except for anonymous research purposes. The stored hash, and corresponding user ID, should only be retrieved for the purpose of password validation.



    1. Right. That’s the same question I had: How did they know the passwords were too simple? Shorter passwords generate a hash that is just as long as longer passwords. I’m curious.



      1. I am just a man of average WP intellect, but I would guess they took a list from some sort of “10,000 most used passwords”, ran it through their SALT, hashed it, and ran a database query to see if anyone is using that password? If so send the email?

        Or something like that :\

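The replies above ask how a weak password can be spotted when only a salted hash is stored. The approach guessed at in the thread is the standard one: hash each entry of a common-password list with each user's own salt and compare. Below is an added example (mine, not WPML's or WordPress's code) that re-implements in Python the phpass "portable" hash WordPress stores in wp_users.user_pass (the `$P$B...` strings) and runs a constructed wordlist over constructed sample rows. The wordlist, the sample users and their passwords are all made up for the demonstration. Because the salt differs per user, no precomputed table helps here; every candidate must be hashed afresh for every user.

```python
import hashlib
import secrets

# phpass "portable" hashes, as stored by WordPress in wp_users.user_pass.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# WordPress constructs PasswordHash(8, true); phpass adds 5 to the count on
# PHP 5+, so live hashes carry ITOA64[13] == "B" and use 2**13 MD5 rounds.
WP_COUNT_LOG2 = 13


def _encode64(data, count):
    """phpass's custom base64 (no padding, ITOA64 alphabet)."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def _crypt_private(password, setting):
    """Recompute a phpass portable hash for `password` under the prefix,
    round count and salt found in `setting`. Returns "*" when it cannot."""
    if setting[:3] not in ("$P$", "$H$") or len(setting) < 12:
        return "*"
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        return "*"
    salt = setting[4:12].encode()
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password, count_log2=WP_COUNT_LOG2, salt=None):
    """Hash a password the way WordPress does (random 8-char salt unless given)."""
    if salt is None:
        salt = _encode64(secrets.token_bytes(6), 6)
    setting = "$P$" + ITOA64[count_log2] + salt
    return _crypt_private(password.encode(), setting)


def phpass_check(password, stored):
    """True if `password` reproduces `stored`; the salt is read from `stored`."""
    computed = _crypt_private(password.encode(), stored)
    return computed != "*" and secrets.compare_digest(computed, stored)


def audit_weak_passwords(users, wordlist):
    """Return the logins whose stored hash matches any wordlist entry.

    Each candidate is hashed once per user with that user's salt (2**13 MD5
    calls per check), which is exactly why salting defeats precomputed tables.
    """
    flagged = []
    for user_login, user_pass in users:
        if any(phpass_check(candidate, user_pass) for candidate in wordlist):
            flagged.append(user_login)
    return flagged


# Constructed sample data standing in for wp_users rows and a wordlist.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "wordpress"]
SAMPLE_USERS = [
    ("alice", phpass_hash("letmein")),
    ("bob", phpass_hash("vK9#xQe2!pLm4wZt")),
    ("carol", phpass_hash("123456")),
]

if __name__ == "__main__":
    print(audit_weak_passwords(SAMPLE_USERS, COMMON_PASSWORDS))  # ['alice', 'carol']
```

Inside WordPress itself the same audit needs no reimplementation: loop over the wordlist and call `wp_check_password()` against each user's stored hash. Two practical caveats follow from the code. A dictionary check can only ever flag passwords that appear in the list, so a long random password can never be "detected" as weak this way; and the audit is an offline attack on your own customers' hashes, so it belongs behind the same access controls and logging as any other read of the credential store.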


    2. Sending passwords in email is a bad habit, as all you need to do to get it is read access, and since emails are not encrypted, every node they pass through can read the password. For example, if you use Exchange then the admin of the server can read your emails, and the same goes for Google Apps.

      Getting password in an email is like putting it on a paper and trying to hide it.

      As for how did they know the passwords are bad, this probably can be done without having the password in plain text by using some rainbow tables for a quick brute force attack against the account.



      1. If they have brute forced the salted and hashed passwords in order to expose short or common passwords, then I think they’re being security conscious. I’m not sure it’s right to crack your customers’ own passwords, but if they’re doing it to improve security in the context of increasing bad login attempts, then ok.

        But the way in which this has been carried out does not give me confidence that they have security best practice in mind. If they couldn’t send password reset emails then blanking all passwords would have been better. My password was perfectly secure until a new, shorter one was emailed to me in plaintext.



      2. To be fair, if they can read your emails, they can do a password reset and get in as well. Most people’s email accounts are the central core of their online identities. Which is why you should use two factor authentication on email and only go with good providers who know what they’re doing.



      3. That is not exactly true. If I need to reset a password in order to log in to your WPML account then most likely you will be notified and alerted to the fact that someone is trying to do bad things with your account. To avoid you noticing it I will need to prevent your access to your email, something that you will notice as well sooner rather than later.
        So if I have RO access to your email and you are just sending unencrypted data in it, I may as well just sit quietly and do nothing.

        And then there is the issue with not-so-private computers in the household and workplace. Do you really want your kids to have free access to your Amazon account?



    3. WordPress didn’t enforce strong passwords until 4.3 (recently released). It is easy to deduce that there are going to be weak passwords.



  3. It’s easy to write a plugin that would measure the strength of users’ passwords. You just intercept the $_POST variable when users log in.

    As to emailing only customers who had weak passwords, I received this email and my previous password was something like “Mf7JU!eP43ps”. Not fantastic, but hardly weak.

    I don’t see a problem with emailing customers passwords, so long as you insist that they change the password after log in. But you’re right, a password reset email would have been much better.



  4. My password was 15 characters, upper/lowercase mix, 4 numbers, and 2 “odd balls”.

    On https://howsecureismypassword.net/

    a similar password gets the result “It would take a desktop PC about 157 BILLION years to crack your password”.

    How can that be a weak password??

    And I could change back to my old “weak” password again!



    1. “a similar password gets the result “It would take a desktop PC about 157 BILLION years to crack your password”.”

      Now THAT’s secure! Perhaps WPML were referring to 157 billion years plus one day…. ;-)



  5. Thanks very much for the explanation. I thought it was spam, and as you say, there was nothing on their web site about it. Keep up the good work being at the forefront on WordPress matters!

    Stephen



  6. It is not a good idea to send a new password in plaintext. Period. They should instead initiate a password reset email and let the user change their password by clicking a reset link in the email.



    1. Hey Amit, thanks for clarifying that there was no breach. Would you mind saying how you scanned for weak passwords? I received the email yet my password was a long string. No, not “passwordpasswordpassword” ;)



    2. Good for you, Amit. And nice PR work by keeping an eye on this post and jumping in with a response.



  7. So, to put it in a nutshell:

    1. they decided that some of their customers may have insecure passwords

    2. to make these accounts more secure, they’ve sent the new passwords of all of these accounts in plaintext via unsecure email to the customers

    3. any user that logs in with the new “secure” password can easily change it back to their old, “unsecure” password

    4. before and while sending these emails, that very easily may have been considered as phishing emails by their customers, they haven’t published any information about the whole process on their company blog, so their customers weren’t able to verify the source and authenticity of these emails

    5. after many users and blogs complained about the whole thing, they published a blog post stating in the end that “As always at WPML we are committed to learning from our clients”, although the initial intention behind the whole thing seems to be that their clients should learn from them and set more secure passwords for their accounts.

    Call me crazy, but I thought that a professional company, developing some of the most important commercial WordPress plugins, does not need to learn from their customers how to implement a basic level of security, trust and professionalism…

    As someone stated in the WPML support forum, with the above facts in mind, it is at least questionable whether they are able to maintain a decent level of security in all of their WordPress plugins…



    1. Stefan,

      I agree with you as for the lack of communication (points 4 & 5) from our side, but the rest seems to me a bit exaggerated.

      No account was compromised and the simple fact is that at the end of the day strong passwords are an essential part of online security and are at the hands of each user.

      As we said we’ll review how all this process was handled and make sure we learn from it.

      Cheers!

