CodeProject.com and Plain Text Passwords!
-
Is this part of the new Code-Frog manifesto? Jump on the new guy without provocation?
The StartPage Randomizer - The Windows Cheerleader - Twitter
oh boy...:rose:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put their feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but votes should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
So I guess if you are going to state something state it accurately. There are dozens of attempts at slander, trolling, etc here every week. Once upon a time people told "webmaster@website.com" things like this because he's probably the right person to tell. Don't get angry with me if you are going to complain about a technical issue with inaccurate information that leads myself and others to think you are trolling. I don't see how that's my fault. I disagree with your method and your intention. If you were simply wanting to alert people to the issue you would have. Instead you delivered it in such a way as to make it an insult. But hey don't let me hurt your feelings or anything. I'm sorry that you reported something in the wrong place using words structured such that it made others question your intentions. I apologize that I took 2 passwords to literally mean 2 passwords when evidently there was much more to your message than what you were saying. Next time I'll decrypt the plain text on my screen to make sure I'm not missing any hidden cyphers so that I don't accidentally offend someone being offensive. You have my sincere apologies apology (better make it singular to avoid confusion) for this affront.:rolleyes:
And I apologize if I came across as offended to your comments. I took your response as one from a normal forum troll which is why I responded in kind. I was not offended at your response, just continuing the banter. :D My intentions weren't to slander code project (I do like the site and what it has to offer), it was to both alert the community (in case they didn't know already, though it appears my searching failed me since I searched for "plain text" instead of "clear text") and to hopefully get a change.
-
code-frog wrote:
I guess I'm a member of internet version 1.0 back when you used to let the webmaster know about these things.
Well, in this case it's more of a design decision than an unintentional security hole. But ya, that's why i pointed him to the Suggestions forum. :)
----
You're right. These facts that you've laid out totally contradict the wild ramblings that I pulled off the back of cornflakes packets.
I'm clearly getting my head handed to me. The math didn't add up so I said as much. His tone in which he chose to report it wasn't exactly a "Hey I just noticed this ... so I thought I'd let you know." But anyway. I see my head coming off already no point prolonging the blade's fall.
-
So if you only have password for insecure sites and one for sites you trust more at most there were two options for your password and you couldn't remember it eh? Tell you what junior. Take your false police report and go bake a crap cake somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem "LIES". :rolleyes:
Hehe, I like your logic :)
-
I'm clearly getting my head handed to me. The math didn't add up so I said as much. His tone in which he chose to report it wasn't exactly a "Hey I just noticed this ... so I thought I'd let you know." But anyway. I see my head coming off already no point prolonging the blade's fall.
code-frog wrote:
But anyway. I see my head coming off already no point prolonging the blade's fall.
's right, you bastard - die! die!
I mean, no worries. I think you both understand each other now. :badger:
----
You're right. These facts that you've laid out totally contradict the wild ramblings that I pulled off the back of cornflakes packets.
-
And I apologize if I came across as offended to your comments. I took your response as one from a normal forum troll which is why I responded in kind. I was not offended at your response, just continuing the banter. :D My intentions weren't to slander code project (I do like the site and what it has to offer), it was to both alert the community (in case they didn't know already, though it appears my searching failed me since I searched for "plain text" instead of "clear text") and to hopefully get a change.
I think it's just best for me to remain silent here unless asked a direct question. I seem to get in less trouble that way. :^)
-
Hehe, I like your logic :)
Be careful associating yourself with me even in subtle ways. This comment alone will surely pull you a low vote but thanks.:-D
-
code-frog wrote:
But anyway. I see my head coming off already no point prolonging the blade's fall.
's right, you bastard - die! die!
I mean, no worries. I think you both understand each other now. :badger:
----
You're right. These facts that you've laid out totally contradict the wild ramblings that I pulled off the back of cornflakes packets.
No. I understand this place but that's about the extent of it. Once upon a time I cared. Now I'm more along Chris's lines of thinking. I cannot make everyone happy therefore everyone is not happy. But if I make even one happy then perhaps it was good enough. I still think his logic and powers of deduction are reminiscent of Windows ME but I think I just better shut up while it's only my head I've lost.:sigh:
-
Is this part of the new Code-Frog manifesto? Jump on the new guy without provocation?
Look how much more interesting I made this thread. Without me it would have been the same old boring rhetoric. I see I've clearly added value to it. Its market value has clearly risen by at least my .02 cents.:rolleyes:
-
I guess you use a different password and username for every single website you visit, right? In which case, yeah, nothing to see here, move along... :rolleyes:
If you don't have a different password for each website, then that's your fault, not the site's fault.
-
I didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my project for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately) it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this but no one mentioned that this site does it too.
{ ;P } Member for 2+ years and only 5 posts. Since passwords are sent in plain text I deduced a troll had stolen your account and username and was now posting as you. I mean come on? The dang place is so insecure now I'm afraid to request my own password. That's why I always use the same 3 and just have to guess until I get it right. Admit it though you are a troll that stole a plain text password that was transmitted unsecurely and as you only had 2 to guess from to begin with and you are a troll cracking the password was very easy. So I know you are a troll but I can prove it. If you burn... then you are a troll. So I suggest we burn you. {/ ;P }
-
If you don't have a different password for each website, then that's your fault, not the site's fault.
Richard Andrew x64 wrote:
If you don't have a different password for each website, then that's your fault, not the site's fault.
That's about the most apologist remark I've read in a long time. If the site has a security issue, then it's my fault? :doh:
-
I didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my project for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately) it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this but no one mentioned that this site does it too.
It's being stored encrypted and no one, except you (not even myself!) can see your password. The only time it's ever decrypted is for the sole purpose of sending it back to the email account you signed up with. However, we do have a ticket to change this to a one-way hash. Previously the consensus was that users wanted to be able to retrieve the actual password they entered and not have to keep resetting. All things change, though [Edit: as Shog helpfully linked[^] to], so we'll move to a different system.
cheers, Chris Maunder
CodeProject.com : C++ MVP
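Added example, not CodeProject's code: a sketch of the one-way-hash design mentioned in the reply above. The site can verify a password but never recover it, so a forgotten password is handled by e-mailing a single-use, expiring reset token instead of the old password. The `AccountStore` class, its method names and the parameter values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000          # assumed PBKDF2 work factor; tune for your hardware
RESET_TTL = 15 * 60           # assumed reset-token lifetime in seconds


def hash_password(password: str) -> str:
    """Return 'scheme$iterations$salt$digest'; the password itself is never kept."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AccountStore:
    """In-memory stand-in for the user table (hypothetical, for illustration)."""

    def __init__(self):
        self.password_hash = {}   # user -> encoded one-way hash
        self.reset_tokens = {}    # sha256(token) -> (user, expiry timestamp)

    def register(self, user, password):
        self.password_hash[user] = hash_password(password)

    def login(self, user, password):
        stored = self.password_hash.get(user)
        return stored is not None and verify_password(password, stored)

    def request_reset(self, user, now=None):
        """Return the token to e-mail, or None for an unknown user."""
        if user not in self.password_hash:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored, so a database leak does not
        # hand out working reset links.
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (user, now + RESET_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)   # pop makes the token single-use
        if entry is None or now > entry[1]:
            return False
        self.password_hash[entry[0]] = hash_password(new_password)
        return True
```

With this layout neither the e-mail nor the database row ever contains the password, and a stolen reset e-mail stops working after first use or after `RESET_TTL` seconds.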
-
{ ;P } Member for 2+ years and only 5 posts. Since passwords are sent in plain text I deduced a troll had stolen your account and username and was now posting as you. I mean come on? The dang place is so insecure now I'm afraid to request my own password. That's why I always use the same 3 and just have to guess until I get it right. Admit it though you are a troll that stole a plain text password that was transmitted unsecurely and as you only had 2 to guess from to begin with and you are a troll cracking the password was very easy. So I know you are a troll but I can prove it. If you burn... then you are a troll. So I suggest we burn you. {/ ;P }
Settle. It's constructive valuable discussion. Who cares who brought up the topic?
cheers, Chris Maunder
CodeProject.com : C++ MVP
-
Settle. It's constructive valuable discussion. Who cares who brought up the topic?
cheers, Chris Maunder
CodeProject.com : C++ MVP
Um did you miss the smileys? This part where you jumped in was supposed to be all fun. Boy! I actually thought this was the funnest part of it. I didn't say anything about who brought anything up. I think you read my title but not my content.
-
Richard Andrew x64 wrote:
If you don't have a different password for each website, then that's your fault, not the site's fault.
That's about the most apologist remark I've read in a long time. If the site has a security issue, then it's my fault? :doh:
You deliberately twisted my meaning. You sarcastically asserted that my lack of concern must be due to me having a different password and user id at each website. Well, in fact you are correct. That is exactly why I am unconcerned about Code Project's security model. However, if you choose to use the same password everywhere, and the password gets revealed, and this causes you big trouble, then you have no one to blame but yourself.
-
Both my insecure and secure passwords have variations to them (ie, they rotate regularly) and I hadn't logged into this site for some time and didn't particularly feel like going through my entire password history to figure out which one it was. Tell you what senior. Take your bashing somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem lies.
Micah71381 wrote:
I hadn't logged into this site for some time and didn't particularly feel like going through my entire password history to figure out which one it was.
You have a password history which you can look up? That sounds most secure. :rolleyes:
* Developer Day Scotland 2 - Free community conference * The Blog of Colin Angus Mackay
Vogon Building and Loan advise that your planet is at risk if you do not keep up repayments on any mortgage secured upon it. Please remember that the force of gravity can go up as well as down.
-
{ ;P } Member for 2+ years and only 5 posts. Since passwords are sent in plain text I deduced a troll had stolen your account and username and was now posting as you. I mean come on? The dang place is so insecure now I'm afraid to request my own password. That's why I always use the same 3 and just have to guess until I get it right. Admit it though you are a troll that stole a plain text password that was transmitted unsecurely and as you only had 2 to guess from to begin with and you are a troll cracking the password was very easy. So I know you are a troll but I can prove it. If you burn... then you are a troll. So I suggest we burn you. {/ ;P }
In an attempt to prove you wrong I just lit myself on fire. Unfortunately, it appears you were correct... I must be a troll, now a very warm one.
-
Um did you miss the smileys? This part where you jumped in was supposed to be all fun. Boy! I actually thought this was the funnest part of it. I didn't say anything about who brought anything up. I think you read my title but not my content.
It's because you didn't use the "Joke" Message Type icon. :P
-
It's being stored encrypted and no one, except you (not even myself!) can see your password. The only time it's ever decrypted is for the sole purpose of sending it back to the email account you signed up with. However, we do have a ticket to change this to a one-way hash. Previously the consensus was that users wanted to be able to retrieve the actual password they entered and not have to keep resetting. All things change, though [Edit: as Shog helpfully linked[^] to], so we'll move to a different system.
cheers, Chris Maunder
CodeProject.com : C++ MVP
Out of curiosity, is the system set up like is done with credit cards where the DBAs have one part of the salt and the programmers have the other part of the salt so no single person can decrypt the password? If I'm not mistaken the idea is that you would need root level DB access *AND* source code access (or solid disassembly/reverse engineering skills) to encrypt/decrypt the data, though I've never built a system like this myself. Or does someone have access to the decryption key and could (theoretically) decrypt the contents of the password field in the database, given the know-how and that key?