Victoria Silman | Assistant News Editor

Featured Image: York’s School of Arts, Media, Performance, and Design uses TixHub for ticket purchases to various events at the theatre. | Fatema Ali

An anonymous source has come forward revealing unsafe password storage practices on the ticketing website, TixHub. According to the source, the third-party website is used by the School of Arts, Media, Performance, and Design (AMPD) for selling tickets to various events around campus.

Hashing, as the anonymous source explains, is the process of turning passwords into codes to make them secure. According to them: “When a website stores your password, it goes through a process called hashing, so, for example, a password such as ‘password123’ is translated into a series of digits such as ‘AS$dN$RTA%’ and then saved. When users log into their accounts and enter their passwords, the website will translate it. If it matches with the translated version that is saved, then it knows the correct password was input.

“TixHub stores the passwords in plain text, meaning they compare users’ passwords—such as ‘password123’—to the stored password directly without hashing it,” they continue.

The reason for hashing, according to the source, is that if anyone were to access the stored passwords, the only thing revealed would be a series of hashed codes.

Associate Professor Uyen Trang Nguyen, of the department of electrical engineering and computer science, explains the importance of this, stating: “When passwords are hashed, if a user forgets their password, they cannot request to obtain their plaintext password from the website, since the website does not store plaintext passwords. Instead, they have to reset their password, typically by using a link or temporary password sent to their email address, answering security questions, or providing other identifiable information—for example, a code sent to their cell phone.

“These approaches are more secure, because they do not rely on the exchange of the user’s forgotten password in plain text,” she continues.

A series of photos provided by the source shows evidence that TixHub is not using hashing. In an email, the source’s password is sent back to the source, instead of the website offering to change it.
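The contrast described above, as an added Python example that is not TixHub's code or the source's: passwords are kept only as salted scrypt hashes (scrypt is chosen here as a hash built for password storage), so a forgotten-password request can only issue a one-time reset token and can never email the old password back. The in-memory stores, function names and sample address are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical in-memory stores standing in for a site's database tables.
USERS = {}         # email -> (salt, scrypt hash); the password itself is never kept
RESET_TOKENS = {}  # sha256(reset token) -> email


def _hash(password: str, salt: bytes) -> bytes:
    # scrypt is deliberately slow and memory-hard, so guessing stolen hashes is costly.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def register(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)  # unique per user, so equal passwords hash differently
    USERS[email] = (salt, _hash(password, salt))


def login(email: str, password: str) -> bool:
    record = USERS.get(email)
    if record is None:
        return False
    salt, stored = record
    # Hash the attempt with the stored salt and compare in constant time.
    return hmac.compare_digest(stored, _hash(password, salt))


def forgot_password(email: str) -> Optional[str]:
    """Return a one-time token to email to the user; there is no password to send."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    # Only a hash of the token is stored, so a database leak does not expose live tokens.
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = email
    return token


def reset_password(token: str, new_password: str) -> bool:
    # pop() makes the token single-use; a production system would also expire it.
    email = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if email is None:
        return False
    register(email, new_password)
    return True
```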

According to Nguyen, websites that fail to use hashing risk their users’ information. “If a website does not follow industry recommended security measures, all information on their website is vulnerable, such as usernames, addresses, credit card information, and passwords. However, when the passwords are hashed using a strong hashing algorithm such as SHA-3, if a victim uses the same password on multiple websites, the hashed value does not allow the attacker to access the victim’s accounts on the other websites,” she explains.

Furthermore, Nguyen states: “Websites that do not hash passwords are not following the industry’s best practices, and allow their users’ accounts and passwords to be compromised more easily.

“Security breaches, such as the 2017 Equifax and 2018 Twitter incidents, are two of the discussed recent incidents in which users’ plain-text passwords were compromised. Mishandling of passwords can be catastrophic for the users of a website, and the website itself, leading to loss of money, reputation, and brand.”

At the time of publication, TixHub and AMPD could not be reached for comment.