Pentesting Training Website Challenges Authentication Best Practices

The penetration testing company Practical Pentest Labs has recently come under fire for how they handle user passwords. The passwords for user accounts were sent via email to users upon sign up in clear text. The argument was made that these could be intercepted via email account takeover or MITM(man in the middle).

While it first seamed like a cut and dry pitchfork raising against the company are the infosec twitter influencers wrong?

While this first appears to be an issue if you look closer this does have several benefits. Practical Pentest Labs stated in a tweet that the only information stored in the database is the Username, Email and Passwords of its users.

Practical Pentest Labs released the following response:

Often times in the Infosec Twittersphere many are quick to parrot the “standard” best practices. The bandwagon effect is definitely real in this industry and questioning any though leaders is met with instant backlash.

Is Practical Pentest Labs Right?

While many look in the past to obtain guidance on various security implementations Practical Pentest Labs appears to be looking into the future and challenging the status quo. Why might this just be crazy enough to work?

  • Password reuse is one of the biggest factors when it comes to account takeover. When a user reuses a password on multiple platforms and then that platform is breached all other accounts are also vulnerable. Practical Pentest Labs creates a random password server side preventing this.
  • If a password was compromised the impact is very small. Only an email and username could be found. This information would already be available to the attacker anyways.
  • All payment information was handled via PayPal and no financial information was stored on the site.

Practical Pentest Labs makes a great case for innovation and not following the pack in the IT security landscape.

Feel free to comment and let us know what you think.