musefan wrote: How can you be sure they are saving them in plain text? And is this a password you entered yourself, or auto-generated?
It was the password I entered; I use a password manager to generate random passwords.
musefan wrote: Although, I do agree it's wrong if they can get your plain-text password on demand.
If they got their database hacked, the hackers would have access to passwords and logins, many of which would have been reused across other sites too. So the hackers could access bank accounts, Amazon accounts etc.
musefan wrote: Also, why not name and shame? At least we can try to avoid them then.
And make it even more public to hackers that they store passwords in plain text? I don't think that would be sensible. "Hey look everyone, if you try and hack company X's site you can get hold of my password as well as thousands of other logins and passwords." I'd be willing to bet that the Web API has a service that returns the user logins and passwords in plain text.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
GuyThiebaut wrote: It was the password I entered, I use a password manager to generate random passwords.
That still doesn't mean they are saving the passwords in plain text.
try
{
string username = TextBox22.Text.ToString();
string password = TextBox23.Text.ToString();
SendEmailUsingGmail("Your username is " + username + " and your password is " + password);
string encryptedPassword = ConvertToBase64(password);
ExecuteSQL("insert into [users] values('" + username + "', '" + encryptedPassword + "');
}
catch
{
}
Love the code... although you missed a double-quote, so unfortunately I can't steal it for my own use
I don't get any exceptions so I doubt there is anything wrong with it.
"Well in that case blockchain it into a microservice and ping it to the mobile IoT cloud ASAP."
"But..."
"I SAID ASAP, DAMMIT!!!"
You are correct, they could be encrypting the password, which is almost as bad as storing it in plain text.
The current suggested method is to hash and salt; hashing on its own is not enough.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
What I'm saying is that they could be sending the email to you based on your input, but the storing of the password is a different process, so it may be stored using hashing.
Someone's been spending too much time in QA!
You wait - in a couple of weeks, there'll be a question from someone who copied and pasted this code into their application, and it doesn't work because they've only got 21 textboxes on their form.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
So you think it is better for people to keep storing unprotected user credentials and just hope that nobody tries to hack it?
If they are as big as you suggest then I am sure someone will have tried to hack them already.
musefan wrote: How can you be sure they are saving them in plain text?
Where would they have them from otherwise? If it is stored hashed, as one would expect at the very least, even they would not be able to retrieve the original string in plain text.
They could with a rainbow lookup table if the hashes have not also been salted.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
Rage wrote: Where would they have them from otherwise?
Basically what F-ES Sitecore posted. The OP was unclear if this plain-text password was sent immediately after registration, or later on via some password reminder feature.
Either way it's not conclusive of plain text storage, although the latter would imply it is at best a reversible encryption as you have suggested.
While we are on the subject of one-way hash vs encrypted string, does it really matter either way? The main concern with storing user credentials is how to protect the source data, protect the source code (in terms of identifying how the password is hashed/encrypted), and restrict any method of being able to brute force login attempts (for example, locking accounts after X attempts, etc.).
The email was sent to me on registration.
musefan wrote: While we are on the subject of one-way hash vs encrypted string, does it really matter either way?
Yes it does matter, because everyone who has access to the data and encryption methods within the company can see logins and passwords.
Just because someone works for a company does not mean that they can be trusted with highly confidential information such as passwords and logins.
Hence why data protection laws exist.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
Well, if they can't be trusted, then they can just take a copy of the database home and brute force the hashed passwords. Hashing vs Encryption isn't going to matter to the dirty cop on the inside.
On the other hand, if they've cracked the database and got your hashed/encrypted password, they'll more than likely ignore the password and just access your credit card, bank account, health details etc. directly. If the company is lax about passwords, it's pretty unlikely that the rest of the data is encrypted! The only reason password encryption is any more important than any other data is that people tend to re-use passwords, so a hacker of one database can often then access others, or actually impersonate someone else rather than just steal their money / reputation.
They could with a rainbow lookup table if the hashes have not also been salted.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
GuyThiebaut wrote: They could with a rainbow lookup table if the hashes have not also been salted.
This would require them to have a copy of the database (or at least a direct connection to it).
And if you can get a hold of the application code (even the compiled version) then salting your hashes doesn't much matter. With some effort the hacker could identify your salt key and process and adjust their "hacking software" to make their rainbow tables work again. Although you should be safe if you are using a password manager as it's likely they will have your password in their list.
Let's just hope this "company X" doesn't have your credit card details stored right next to the plain text password
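Added example (not from any poster in this thread) illustrating the hash-vs-salt points raised above: a precomputed lookup table of common passwords recovers an unsalted SHA-256 hash instantly, while a random per-user salt stored next to the hash (the salt is not a secret, so knowing the application's salting scheme does not help) forces the table to be rebuilt for every single user. The wordlist and passwords are constructed sample data; the recommended scheme uses PBKDF2-HMAC-SHA256 from the standard library.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample data: a tiny "leaked" wordlist standing in for a
# precomputed (rainbow-style) table of unsalted SHA-256 hashes.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "hunter2"]
LOOKUP_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

KDF_ITERATIONS = 100_000  # slow on purpose; tune upwards for production use


def store_unsalted(password: str) -> str:
    """Weak scheme: one fast hash, no salt. Same password -> same hash for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Recommended scheme: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt is stored alongside the digest; it only needs to be unique, not secret."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def recover_from_table(stored_hash: str) -> Optional[str]:
    """What a precomputed table buys: an O(1) lookup with no per-user work."""
    return LOOKUP_TABLE.get(stored_hash)


def demo() -> dict:
    weak = store_unsalted("letmein")
    salt, strong = store_salted("letmein")
    return {
        "unsalted_recovered": recover_from_table(weak),                 # "letmein"
        "salted_in_table": strong.hex() in LOOKUP_TABLE,                 # False
        "same_pw_same_hash_unsalted": store_unsalted("letmein") == weak,  # True
        "same_pw_same_hash_salted": store_salted("letmein")[1] == strong, # False
        "verify_ok": verify_salted("letmein", salt, strong),             # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```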
Thanks - I will give the CEO the weekend and on Monday I will send that.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
Just out of interest, where does all this fine money actually go? (Apologies for not researching it myself, I just assume you probably already know the answer).
Also, are you purposefully not playing CCC this week, or are you struggling with them like the rest of us?
Bribes, probably - this is the EU after all ...
I'm playing the CCC, but yesterday and today I have no idea what they might be.
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
AntiTwitter: @DalekDave is now a follower!
GuyThiebaut wrote: I emailed the CEO to let him know, let's see if he responds and if he does what his response is.
Or how about this email: "Our system has lost your password, which we store as plain text. Since you must have received a confirmation email at some point with your plain text password, could you please forward it to us and cc: GuyThiebaut, and we will restore your password. Thank you very much."
GuyThiebaut wrote: I emailed the CEO to let him know, let's see if he responds and if he does what his response is.
Skip that step - since you have his email address, just ask their system to initiate a password reset on behalf of him. I'm sure they've thought that process out better...
Cécile Corbel - Arrietty's Song
Another soundtrack, but with (Japanese) lyrics this time.
The Secret Life of Arrietty is a more recent Studio Ghibli movie (2011, so no Miyazaki).
The English version is dubbed by Tom Holland, better known as Spider-Man (but I watch subs, not dubs).
This is probably the first Ghibli I've seen where Joe Hisaishi wasn't the music composer.
However, Cécile Corbel wrote an awesome soundtrack and perhaps it's even my favorite Ghibli soundtrack to date.
It has a bit of a Celtic vibe to it and there are quite a few lyrics that I don't understand.
I watched the movie, got the soundtrack and then played it on repeat.
Wow … this is a really nice track …
Now it is on repeat over here as well.