CodeProject.com and Plain Text Passwords!
-
I Didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my project for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately) it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this but no one mentioned that this site does it too.
Yeah, it's been mentioned here before. In the suggestions forum. There's also been a discussion/straw poll on the subject here in The Lounge.
----
You're right. These facts that you've laid out totally contradict the wild ramblings that I pulled off the back of cornflakes packets.
-
I Didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my project for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately) it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this but no one mentioned that this site does it too.
That reminds me one site (this one[^]). They just update their site so for the new system they change my password without asking me and send me the new password in plain text format which I didn't like. I mean how can you change somebody's password without his/her permission. What if I didn't get that email? Isn't it frustrating. Anyway as I believe CP is good site and you should always trust it. :-)
-
Nah, just dehashes it before emailing.
Doesn't that defeat the purpose of a hash (both cryptographic and indexing)...
-
I Didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my project for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately) it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this but no one mentioned that this site does it too.
So if you only have password for insecure sites and one for sites you trust more at most there were two options for your password and you couldn't remember it eh? Tell you what junior. Take your false police report and go bake a crap cake somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem "LIES". :rolleyes:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
Get off the soapbox! There is no money or sensitive information involved here. Jeez.
You wouldn't want someone to post inflamatory messages under your name or delete your articles would you?
-
So if you only have password for insecure sites and one for sites you trust more at most there were two options for your password and you couldn't remember it eh? Tell you what junior. Take your false police report and go bake a crap cake somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem "LIES". :rolleyes:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
+5 Well said. :thumbsup:
-
Yeah, it's been mentioned here before. In the suggestions forum. There's also been a discussion/straw poll on the subject here in The Lounge.
----
You're right. These facts that you've laid out totally contradict the wild ramblings that I pulled off the back of cornflakes packets.
Thanks. :) I looked at the forum list but I somehow glazed right over the site/suggestion forum (the one I was looking for!).
-
So if you only have password for insecure sites and one for sites you trust more at most there were two options for your password and you couldn't remember it eh? Tell you what junior. Take your false police report and go bake a crap cake somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem "LIES". :rolleyes:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
Both my insecure and secure passwords have variations to them (ie, they rotate regularly) and I hadn't logged into this site for some time and didn't particularly feel like going through my entire password history to figure out which one it was. Tell you what senior. Take your bashing somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem lies.
-
So if you only have password for insecure sites and one for sites you trust more at most there were two options for your password and you couldn't remember it eh? Tell you what junior. Take your false police report and go bake a crap cake somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem "LIES". :rolleyes:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
Chill, Rex! We get in the habit of looking for things like this, and end up seeing them everywhere. For instance, suggesting family members not use their real names in face-to-face introductions until they've verified the identity of the person they're being introduced to. It's... an occupational hazard. :-\
----
You're right. These facts that you've laid out totally contradict the wild ramblings that I pulled off the back of cornflakes packets.
-
Get off the soapbox! There is no money or sensitive information involved here. Jeez.
I guess you use a different password and username for every single website you visit, right? In which case, yeah, nothing to see here, move along... :rolleyes:
The StartPage Randomizer - The Windows Cheerleader - Twitter
-
Chill, Rex! We get in the habit of looking for things like this, and end up seeing them everywhere. For instance, suggesting family members not use their real names in face-to-face introductions until they've verified the identity of the person they're being introduced to. It's... an occupational hazard. :-\
----
You're right. These facts that you've laid out totally contradict the wild ramblings that I pulled off the back of cornflakes packets.
I guess I'm a member of internet version 1.0 back when you used to let the webmaster know about these things. I'm sorry if the logic didn't fit and I didn't like the smell. But hey if that's how we like it then slice it up and pass it around.
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
So if you only have password for insecure sites and one for sites you trust more at most there were two options for your password and you couldn't remember it eh? Tell you what junior. Take your false police report and go bake a crap cake somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem "LIES". :rolleyes:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
Is this part of the new Code-Frog manifesto? Jump on the new guy without provocation?
The StartPage Randomizer - The Windows Cheerleader - Twitter
-
I guess I'm a member of internet version 1.0 back when you used to let the webmaster know about these things. I'm sorry if the logic didn't fit and I didn't like the smell. But hey if that's how we like it then slice it up and pass it around.
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
I learned long ago that web-masters don't change their websites because of e-mails (especially security related things) but they do change them (sometimes) when it's posted on a public forum (especially security related things). I think this started occurring in web 1.1, when it became more than a handful of guys that all knew each other.
-
Both my insecure and secure passwords have variations to them (ie, they rotate regularly) and I hadn't logged into this site for some time and didn't particularly feel like going through my entire password history to figure out which one it was. Tell you what senior. Take your bashing somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem lies.
So I guess if you are going to state something state it accurately. There are dozens of attempts at slander, trolling, etc here every week. Once upon a time people told "webmaster@website.com" things like this because he's probably the right person to tell. Don't get angry with me if you are going to complain about a technical issue with inaccurate information that leads myself and others to think you are trolling. I don't see how that's my fault. I disagree with your method and your intention. If you were simply wanting to alert people to the issue you would have. Instead you delivered it in such a way as to make it an insult. But hey don't let me hurt your feelings or anything. I'm sorry that you reported something in the wrong place using words structured such that it made others question your intentions. I apologize that I took 2 passwords to literally mean 2 passwords when evidently there was much more to your message than what you were saying. Next time I'll decrypt the plain text on my screen to make sure I'm not missing any hidden cyphers so that I don't accidentally offend someone being offensive. You have my sincere apologies apology (better make it singular to avoid confusion) for this affront.:rolleyes:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
I guess I'm a member of internet version 1.0 back when you used to let the webmaster know about these things. I'm sorry if the logic didn't fit and I didn't like the smell. But hey if that's how we like it then slice it up and pass it around.
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
code-frog wrote:
I guess I'm a member of internet version 1.0 back when you used to let the webmaster know about these things.
Well, in this case it's more of a design decision than an unintentional security hole. But ya, that's why i pointed him to the Suggestions forum. :)
----
You're right. These facts that you've laid out totally contradict the wild ramblings that I pulled off the back of cornflakes packets.
-
Is this part of the new Code-Frog manifesto? Jump on the new guy without provocation?
The StartPage Randomizer - The Windows Cheerleader - Twitter
oh boy...:rose:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
So I guess if you are going to state something state it accurately. There are dozens of attempts at slander, trolling, etc here every week. Once upon a time people told "webmaster@website.com" things like this because he's probably the right person to tell. Don't get angry with me if you are going to complain about a technical issue with inaccurate information that leads myself and others to think you are trolling. I don't see how that's my fault. I disagree with your method and your intention. If you were simply wanting to alert people to the issue you would have. Instead you delivered it in such a way as to make it an insult. But hey don't let me hurt your feelings or anything. I'm sorry that you reported something in the wrong place using words structured such that it made others question your intentions. I apologize that I took 2 passwords to literally mean 2 passwords when evidently there was much more to your message than what you were saying. Next time I'll decrypt the plain text on my screen to make sure I'm not missing any hidden cyphers so that I don't accidentally offend someone being offensive. You have my sincere apologies apology (better make it singular to avoid confusion) for this affront.:rolleyes:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
And I apologize if I came across as offended to your comments. I took your response as one from a normal forum troll which is why I responded in kind. I was not offended at your response, just continuing the banter. :D My intentions weren't to slander code project (I do like the site and what it has to offer), it was to both alert the community (in case they didn't know already, though it appears my searching failed me since I searched for "plain text" instead of "clear text") and to hopefully get a change.
-
code-frog wrote:
I guess I'm a member of internet version 1.0 back when you used to let the webmaster know about these things.
Well, in this case it's more of a design decision than an unintentional security hole. But ya, that's why i pointed him to the Suggestions forum. :)
----
You're right. These facts that you've laid out totally contradict the wild ramblings that I pulled off the back of cornflakes packets.
I'm clearly getting my head handed to me. The math didn't add up so I said as much. His tone in which he chose to report it wasn't exactly a "Hey I just noticed this ... so I thought I'd let you know." But anyway. I see my head coming off already no point prolonging the blade's fall.
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
So if you only have password for insecure sites and one for sites you trust more at most there were two options for your password and you couldn't remember it eh? Tell you what junior. Take your false police report and go bake a crap cake somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem "LIES". :rolleyes:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
Hehe, I like your logic :)
-
I'm clearly getting my head handed to me. The math didn't add up so I said as much. His tone in which he chose to report it wasn't exactly a "Hey I just noticed this ... so I thought I'd let you know." But anyway. I see my head coming off already no point prolonging the blade's fall.
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
code-frog wrote:
But anyway. I see my head coming off already no point prolonging the blade's fall.
's right, you bastard - die! die!
I mean, no worries. I think you both understand each other now. :badger:----
You're right. These facts that you've laid out totally contradict the wild ramblings that I pulled off the back of cornflakes packets.
