|
<Teal'c voice>
Indeed.
</Teal'c voice>
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
Software Zen: delete this;
|
|
|
|
|
Resist the urge to ruin a good silence.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
|
|
|
|
CodeWraith wrote: I have the Lounge for myself and nobody can stop me from looting the refrigerator
Just be aware, those are hamster snacks not fit for human consumption.
|
|
|
|
|
This was from a major well known international business, they sent me an email confirming my username and password in plain text!
There aren't any words or emoticons to describe my reaction.
Not only are they saving passwords in plain text but they are sending them via email too.
I emailed the CEO to let him know, let's see if he responds and if he does what his response is.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
|
|
|
|
|
How can you be sure they are saving them in plain text? And is this a password you entered yourself, or auto-generated?
Although, I do agree it's wrong if they can get your plain-text password on demand.
Also, why not name and shame? At least we can try to avoid them then.
|
|
|
|
|
You mean that if it was a company you considered registrering an account with because you needed their products and/or services, you'd refrain from doing so because of this?
Permit me to doubt that...
Anything that is unrelated to elephants is irrelephant Anonymous
- The problem with quotes on the internet is that you can never tell if they're genuine Winston Churchill, 1944
- Never argue with a fool. Onlookers may not be able to tell the difference. Mark Twain
|
|
|
|
|
Well that largely depends on what their products or services are exactly. Can I get them elsewhere, can I get them without registering an account (e.g. a phone order)...
And yes, if I thought a company had poor security implementations, then I would consider not using them... IF there are other options. Or maybe, because I know they are insecure, I could use a random generated password and then close the account when I have got what I need.
|
|
|
|
|
Johnny J. wrote: Permit me to doubt that... Better believe it. I am like that too. Currently I am registered at three websites total, one of them being CP. That might very well go down to only two very soon. I don't merrily give away any data in the first place and all who have caused as little as some spam appearing go out the window faster than they can say 'please login'. Hear that, Fleabay?
That alone is one reason why Mickeysoft will not sell very much to me again. They insist that I join their Mickeysoft Club, complete with an account, the Mickeysoft hat and the secret decoder ring. The problem is that I don't want to marry them and also am not interested in any other closer relationship with them.
I have lived with several Zen masters - all of them were cats.
His last invention was an evil Lasagna. It didn't kill anyone, and it actually tasted pretty good.
|
|
|
|
|
CodeWraith wrote: I don't merrily give away any data in the first place and all who have caused as little as some spam appearing go out the window faster than they can say 'please login'.
CodeWraith wrote: That alone is one reason why Mickeysoft will not sell very much to me again
You can set your Microsoft profile so they do not send you stuff. Given that I use their Community tools for development, I find the requirement to register to be a fair exchange. YMMV.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
|
|
|
|
|
Daniel Pfeffer wrote: You can set your Microsoft profile so they do not send you stuff. Given that I use their Community tools for development, I find the requirement to register to be a fair exchange. YMMV. That's not quite the problem. If it were only that, I would have my ways to simply block everything I don't want.
For me the OS is just another component of the computer, no more or less. I really don't want to join a 'community' for every single part that I want to put into the box. Just send me what I ordered, take my money and then our relationship hopefully ends. No need for them to know anything more. When someone goes out of his way to force everyone to say amen to everything they do, the more suspicious I get of their motives. They are can only be in their best interest in the best case and very harmful to me in the worst.
I have lived with several Zen masters - all of them were cats.
His last invention was an evil Lasagna. It didn't kill anyone, and it actually tasted pretty good.
modified 19-Oct-19 21:28pm.
|
|
|
|
|
musefan wrote: How can you be sure they are saving them in plain text? And is this a password you entered yourself, or auto-generated? It was the password I entered, I use a password manager to generate random passwords.
musefan wrote: Although, I do agree it's wrong if they can get your plain-text password on demand. If they got their database hacked the hackers would have access to passwords and logins, many of which would have been reused across other sites too. So the hackers could access bank account, amazon accounts etc.
musefan wrote: Also, why not name and shame? At least we can try to avoid them then. and make it even more public to hackers that they store passwords in plain text, I don't think that would be sensible. "Hey look everyone, if you try and hack company X's site you can get hold of my password as well as thousands of other logins and passwords" I'd be willing to bet that the Web API has a service that returns the user logins and passwords in plain text.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
|
|
|
|
|
GuyThiebaut wrote: It was the password I entered, I use a password manager to generate random passwords.
That still doesn't mean they are saving the passwords in plain text.
try
{
string username = TextBox22.Text.ToString();
string password = TextBox23.Text.ToString();
SendEmailUsingGmail("Your username is " + username + " and your password is " + password);
string encryptedPassword = ConvertToBase64(password);
ExecuteSQL("insert into [users] values('" + username + "', '" + encryptedPassword + "');
}
catch
{
}
|
|
|
|
|
Love the code... although you missed a double-quote, so unfortunately I can't steal it for my own use
|
|
|
|
|
I don't get any exceptions so I doubt there is anything wrong with it.
|
|
|
|
|
"Well in that case blockchain it into a microservice and ping it to the mobile IoT cloud ASAP."
"But..."
"I SAID ASAP, DAMMIT!!!"
|
|
|
|
|
You are correct, they could be encrypting the password which is almost as bad as storing in plain text.
The current suggested method is to hash and salt, hashing on its own is not enough.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
|
|
|
|
|
What I'm saying is that they could be sending the email to you based on your input but the storing of the password is a different process so it may be stored using hashing.
|
|
|
|
|
Someone's been spending too much time in QA!
You wait - in a couple of weeks, there'll be a question from someone who copied and pasted this code into their application, and it doesn't work because they've only got 21 textboxes on their form.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
So you think it is better for people to keep storing unprotected user credentials and just hope that nobody tries to hack it?
If they are as big as you suggest then I am sure someone will have tried to hack them already.
|
|
|
|
|
musefan wrote: How can you be sure they are saving them in plain text?
Where would they have them from otherwise ? If it is stored hashed, as one would expect for the least, even they would not be able to retrieve the original string in pain text.
|
|
|
|
|
They could with a rainbow lookup table if the hashes have not also been salted.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
|
|
|
|
|
Rage wrote: Where would they have them from otherwise ?
Basically what F-ES Sitecore posted. The OP was unclear if this plain-text password was sent immediately after registration, or later on via some password reminder feature.
Either way it's not conclusive of plain text storage, although the latter would imply it is at best a reversible encryption as you have suggested.
While we are on the subject of one-way hash vs encrypted string, does it really matter either way? The main concern with storing user credentials is how to protect the source data, protect the source code (in terms of identifying how the password is hashed/encrypted), and restrict any method of being able to brute force login attempts (for example, locking accounts after X attempts, etc.).
|
|
|
|
|
The email was sent to me on registration.
musefan wrote: While we are on the subject of one-way hash vs encrypted string, does it really matter either way? Yes it does matter, because everyone who has access to the data and encryption methods within the company can see logins and passwords.
Just because someone works for a company does not mean that they can be trusted with highly confidential information such as passwords and logins.
Hence why data protection laws exist.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
|
|
|
|
|
Well, if they can't be trusted, then they can just take a copy of the database home and brute force the hashed passwords. Hashing vs Encryption isn't going to matter to the dirty cop on the inside.
|
|
|
|