Has anyone realised that Code Project is storing passwords in plain text? I just went to reset my password and had it emailed to me.
I had expected better than this, especially from a site that includes so many security-based articles in their newsletter. Let's hope this gets fixed soon...
"A request was made to send you your email and password for your CodeProject login. We can't send you your original password so instead we've generated a time-limited password you can use to login in again:"
I didn't see any evidence of my original password being stored in plain text.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
No, they don't. The one that was sent to you is a temporary value which you can use to log in and change your "real" password when you have forgotten it.
Think about it: You have forgotten your password.
You tell the site this.
There are four options here:
1) It emails you with a message which says "OK, We've changed it" but doesn't tell you what to.
You can't log in.
2) It changes it and doesn't tell you what to.
You can't log in.
3) It automatically logs you in to change it.
You get very annoyed because I just stole your account.
4) It emails you a new password so you can log in, provided you have access to your registered email address.
You can log in if you are you, not if you are me.
Only the last one retains any security and allows you to forget your password.
Sent from my Amstrad PC 1640
Never throw anything away, Griff
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
AntiTwitter: @DalekDave is now a follower!
5) Emails a message that says it was changed and the email has the password but in fact it doesn't. It does however have a customer support telephone line that rings on a conference room phone that absolutely no one ever answers.
6) I had this one a couple of years ago: change your password and get a letter a week later by traditional snail mail containing your new password. You've guessed it: government.
Since it was government I think I needed that password pretty bad too, I'm thinking it was something with moving/new house/mortgage...
OriginalGriff wrote: 4) It emails you a new password so you can log in,
Preferably without changing your current password until you use the new one. No password DoS, please!
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Maybe it is better to really read the messages before complaining
Just saying...
enum HumanBool { Yes, No, Maybe, Perhaps, Probably, ProbablyNot, MostLikely, MostUnlikely, HellYes, HellNo, Wtf }
Your enum seems to be missing a sensible default value: IllGetBackToYouOnThat
And we all know that means the exact opposite
We have an expression for that: tossing the dust under the carpet
enum HumanBool { Yes, No, Maybe, Perhaps, Probably, ProbablyNot, MostLikely, MostUnlikely, HellYes, HellNo, Wtf }
phil.o wrote: Maybe it is better to really read the messages before complaining The OP DID read through the email quickly. It just so happened that the random new password was the SAME password as OP's original password.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
Like anyone else with any degree of competence, your password is stored as a hash of the original and cannot be recovered.
Even if a site stored your password encrypted (not hashed), it is best to consider it totally insecure.
Ravings en masse
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
I hope it is salted and hashed.
A merely hashed password is insecure.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
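The two points made in this thread, OriginalGriff's option 4 (a temporary, time-limited password that only works for whoever controls the registered mailbox, issued without invalidating the existing password until it is used, so there is no "password DoS") and the "salted and hashed" storage discussed just above, fit in one small account store. This is an added example, not CodeProject's code; the iteration count, the 15-minute lifetime and the `AccountStore` API are my assumptions.

```python
"""Added example (not CodeProject's code): salted PBKDF2 password storage
plus a forgotten-password flow that issues a time-limited, single-use
temporary password while leaving the real password valid until it is used."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # assumption: a current recommended work factor for PBKDF2-HMAC-SHA256
RESET_TTL_SECONDS = 15 * 60   # assumption: temporary passwords expire after 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt is drawn for every new password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class AccountStore:
    """Hypothetical store: only salts and digests are kept, never a password."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._accounts: Dict[str, dict] = {}   # username -> {"salt", "digest"}
        self._resets: Dict[str, dict] = {}     # username -> {"salt", "digest", "expires"}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._accounts[username] = {"salt": salt, "digest": digest}

    def request_reset(self, username: str) -> Optional[str]:
        """Generate a temporary password to e-mail to the registered address.
        Only its hash is stored, and the real password is left untouched, so
        a stranger requesting a reset cannot lock the real owner out."""
        if username not in self._accounts:
            return None   # the caller should still reply identically to avoid revealing valid usernames
        temp = secrets.token_urlsafe(12)
        salt, digest = hash_password(temp)
        self._resets[username] = {"salt": salt, "digest": digest,
                                  "expires": self._clock() + RESET_TTL_SECONDS}
        return temp

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'must_change' (logged in with the temporary password) or 'denied'."""
        account = self._accounts.get(username)
        if account is None:
            return "denied"
        if verify_password(password, account["salt"], account["digest"]):
            return "ok"
        reset = self._resets.get(username)
        if reset is None:
            return "denied"
        if self._clock() > reset["expires"]:
            del self._resets[username]    # expired: discard it
            return "denied"
        if verify_password(password, reset["salt"], reset["digest"]):
            del self._resets[username]    # single use: it cannot be replayed
            return "must_change"
        return "denied"

    def change_password(self, username: str, new_password: str) -> None:
        """Replace the stored hash (fresh salt) and drop any pending temporary password."""
        salt, digest = hash_password(new_password)
        self._accounts[username] = {"salt": salt, "digest": digest}
        self._resets.pop(username, None)
```

The `must_change` result is where the application forces the user to pick a new password before doing anything else; the clock is injectable so the expiry path can be exercised without waiting.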
And not tasty enough.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
Salted, hashed, and I think it is time-limited as well.
"Time flies like an arrow. Fruit flies like a banana."
I suppose that's why a periodic confirmation email comes.
M.D.V.
If something has a solution... Why do we have to worry about? If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
The OTP may be time-limited, but I don't think the real password is. I haven't changed mine in over four years.
The problems with forcing regular password expiry
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Oops - you may now remove your foot from ... you need one of these
Never underestimate the power of human stupidity -
RAH
I'm old. I know stuff - JSOP
If you were resetting your password, presumably you'd forgotten your password. If you'd forgotten it, how do you know they emailed it to you? Maybe it was a different password? Your assertion does not make logical sense. And, even if they did email you your actual password, how do you know it had been stored in "plain text"? It may have been encrypted, and decrypted only for the purpose of sending it to you. You have no way of deducing, simply from the emailed password, whether it was held in plain text or encrypted. (True, even encrypted isn't great; as others on this thread pointed out, hashed + salted is more secure.)
DerekTP123 wrote: It may have been encrypted, and decrypted only for the purpose of sending it to you.
Same thing as plain text with a false assurance of security. "Thou passwords shall not travel on thy network, nor be retrievable should the server be compromised" the Commandment says.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
Ah, so having living things is the only way of getting methane!
That's good to know!
It must be why all the cows on Neptune live at the poles.
I wanna be a eunuchs developer! Pass me a bread knife!
Neptune? It's Uranus you have to worry about...
Sent from my Amstrad PC 1640
Never throw anything away, Griff
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
AntiTwitter: @DalekDave is now a follower!
And what Hisanus to be worried about?
M.D.V.
If something has a solution... Why do we have to worry about? If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
Given that I do actually own a bread knife, it's not Uranus that you have to worry about!
I wanna be a eunuchs developer! Pass me a bread knife!
Subterranean cow colony?
Give me coffee to change the things I can and wine to accept the things I cannot!
JaxCoder.com