AAAI-08

Are you storing any passwords in plaintext?

Explanation

This question is asking whether your organization stores user passwords in their original, readable format (plaintext) rather than as a protected, one-way hash. Storing passwords in plaintext is a severe security vulnerability: anyone who gains unauthorized access to your database or systems can immediately read and use every user's password without any further effort. This is particularly dangerous because many users reuse passwords across multiple services, so a breach of your system becomes a breach of their other accounts as well.

In a security assessment, this question helps evaluate whether your organization follows basic security practices for credential management. Password storage is a fundamental security control that protects user credentials even when other security measures fail.

The best practice is never to store passwords in plaintext. Instead, store them using a slow, purpose-built password hashing algorithm with a unique salt for each password (such as bcrypt, Argon2, or PBKDF2). These algorithms convert passwords into irreversible hashed values, so even if your database is compromised, the original passwords cannot easily be recovered. Note that hashing is not encryption: an encrypted password can be decrypted by anyone who obtains the key, whereas a properly salted hash can only be attacked by guessing candidate passwords one at a time.

When answering this question, be honest about your current practices. If you do store passwords in plaintext, acknowledge this as a security gap and outline your plans to remediate it. If you do not, briefly describe your password hashing approach to demonstrate security maturity.

Example Responses

Example Response 1

No, we do not store any passwords in plaintext. All user passwords are hashed using the bcrypt algorithm with a work factor of 12 and unique salts for each password. This approach ensures that even if our database were compromised, the original passwords could not be recovered from the stored hash values. Additionally, our system administrators and developers have no capability to view user passwords at any point in the authentication process.

Example Response 2

No, our organization does not store passwords in plaintext. We implement the Argon2id password hashing algorithm with appropriate memory, iterations, and parallelism parameters as recommended by NIST guidelines. All password hashing operations occur server-side before storage, and we maintain separate salt values for each user account. We regularly review our password storage mechanisms as part of our security program to ensure they remain aligned with current best practices.

Example Response 3

Yes, our current system does store some passwords in plaintext in our legacy customer database. This has been identified as a critical security risk in our most recent security assessment, and we have an active remediation project underway. We are implementing a new authentication system using industry-standard password hashing (PBKDF2 with SHA-256) that will be completed within the next 60 days. In the interim, we have implemented additional access controls and monitoring around the database containing plaintext passwords to reduce risk.
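The salted, one-way hashing described in the Explanation, and the legacy-database remediation outlined in Example Response 3, as an added example (this is not ResponseHub's code). It uses PBKDF2-SHA256 from the Python standard library, a random per-password salt, a self-describing stored format, constant-time comparison, and a hypothetical login routine that upgrades a plaintext record to a hash on the user's next successful login; the iteration count is an assumed work factor.

```python
import hashlib
import hmac
import os

# Stored format (assumed, not a standard): "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>"
ITERATIONS = 600_000   # assumed work factor; tune to your server hardware


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a salted, one-way hash of the password with its parameters embedded."""
    salt = os.urandom(16)                         # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash using the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False                              # malformed record never authenticates
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, int(iterations), dklen=32)
    return hmac.compare_digest(digest, expected)


def login_and_migrate(record: dict, password: str) -> bool:
    """Authenticate against a constructed user row {"plaintext": ..., "hash": ...}.

    Hashed rows are verified normally. A legacy plaintext row is checked in constant
    time and, on success, replaced by a hash so the plaintext copy disappears over time.
    """
    if record.get("hash"):
        return verify_password(password, record["hash"])
    legacy = record.get("plaintext")
    if legacy is None or not hmac.compare_digest(legacy.encode("utf-8"),
                                                 password.encode("utf-8")):
        return False
    record["hash"] = hash_password(password)      # upgrade on successful login
    record["plaintext"] = None                    # drop the plaintext value
    return True
```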

Context

Tab: Product
Category: Authentication, Authorization, and Account Management

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub