CodeProject.com and Plain Text Passwords!
-
And I apologize if I came across as offended to your comments. I took your response as one from a normal forum troll which is why I responded in kind. I was not offended at your response, just continuing the banter. :D My intentions weren't to slander code project (I do like the site and what it has to offer), it was to both alert the community (in case they didn't know already, though it appears my searching failed me since I searched for "plain text" instead of "clear text") and to hopefully get a change.
I think it's just best for me to remain silent here unless asked a direct question. I seem to get in less trouble that way. :^)
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
Hehe, I like your logic :)
Be careful associating yourself with me even in subtle ways. This comment alone will surely pull you a low vote but thanks.:-D
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
code-frog wrote:
But anyway. I see my head coming off already no point prolonging the blade's fall.
's right, you bastard - die! die!
I mean, no worries. I think you both understand each other now. :badger:----
You're right. These facts that you've laid out totally contradict the wild ramblings that I pulled off the back of cornflakes packets.
No. I understand this place but that's about the extent of it. Once upon a time I cared. Now I'm more along Chris's lines of thinking. I cannot make everyone happy therefore everyone is not happy. But if I make even one happy then perhaps it was good enough. I still think his logic and powers of deduction are reminiscent of Windows ME but I think I just better shut up while it's only my head I've lost.:sigh:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
Is this part of the new Code-Frog manifesto? Jump on the new guy without provocation?
The StartPage Randomizer - The Windows Cheerleader - Twitter
Look how much more interesting I made this thread. Without me it would have been the same old boring rhetoric. I see I've clearly added value to it. It's market value has clearly risen by at least my .02 cents.:rolleyes:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
I guess you use a different password and username for every single website you visit, right? In which case, yeah, nothing to see here, move along... :rolleyes:
The StartPage Randomizer - The Windows Cheerleader - Twitter
If you don't have a different password for each website, then that's your fault, not the site's fault.
-
I Didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my project for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately) it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this but no one mentioned that this site does it too.
{ ;P } Member for 2+ years and only 5 posts. Since passwords are sent in plain text I deduced a troll had stolen your account and username and was now posting as you. I mean come on? The dang place is so insecure now I'm afraid to request my own password. That's why I always use the same 3 and just have to guess until I get it right. Admit it though you are a troll that stole a plain text password that was transmitted unsecurely and as you only had 2 to guess from to begin with and you are a troll cracking the password was very easy. So I know you are a troll but I can prove it. If you burn... then you are a troll. So I suggest we burn you. {/ ;P }
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
If you don't have a different password for each website, then that's your fault, not the site's fault.
Richard Andrew x64 wrote:
If you don't have a different password for each website, then that's your fault, not the site's fault.
That's about the most apologist remark I've read in a long time. If the site has a security issue, then its my fault? :doh:
The StartPage Randomizer - The Windows Cheerleader - Twitter
-
I Didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my project for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately) it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this but no one mentioned that this site does it too.
It's being stored encrypted and no one, except you (not even myself!) can see your password. The only time it's ever decrypted is for the sole purpose of sending it back to the email account you signed up with. However, we do have a ticket to change this to a one-way hash. Previously the consensus was that users wanted to be able to retrieve the actual password they entered and not have to keep resetting. All things change, though [Edit: as Shog helpfully linked[^] to], so we'll move to a different system.
cheers, Chris Maunder
CodeProject.com : C++ MVP
-
{ ;P } Member for 2+ years and only 5 posts. Since passwords are sent in plain text I deduced a troll had stolen your account and username and was now posting as you. I mean come on? The dang place is so insecure now I'm afraid to request my own password. That's why I always use the same 3 and just have to guess until I get it right. Admit it though you are a troll that stole a plain text password that was transmitted unsecurely and as you only had 2 to guess from to begin with and you are a troll cracking the password was very easy. So I know you are a troll but I can prove it. If you burn... then you are a troll. So I suggest we burn you. {/ ;P }
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
Settle. It's constructive valuable discussion. Who cares who bought up the topic?
cheers, Chris Maunder
CodeProject.com : C++ MVP
-
Settle. It's constructive valuable discussion. Who cares who bought up the topic?
cheers, Chris Maunder
CodeProject.com : C++ MVP
Um did you miss the smiley's? This part where you jumped in was supposed to be all fun. Boy! I actually thought this was the funnest part of it. I didn't say anything about who brought anything up. I think you read my title but not my content.
-
Richard Andrew x64 wrote:
If you don't have a different password for each website, then that's your fault, not the site's fault.
That's about the most apologist remark I've read in a long time. If the site has a security issue, then its my fault? :doh:
The StartPage Randomizer - The Windows Cheerleader - Twitter
You deliberately twisted my meaning. You sarcastically asserted that my lack of concern must be due to me having a different password and user id at each website. Well, in fact you are correct. That is exactly why I am unconcerned about Code Project's security model. However, if you choose to use the same password everywhere, and the password gets revealed, and this causes you big trouble, then you have no one to blame but yourself.
-
Both my insecure and secure passwords have variations to them (ie, they rotate regularly) and I hadn't logged into this site for some time and didn't particularly feel like going through my entire password history to figure out which one it was. Tell you what senior. Take your bashing somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem lies.
Micah71381 wrote:
I hadn't logged into this site for some time and didn't particularly feel like going through my entire password history to figure out which one it was.
You have a password history which you can look up? That sounds most secure. :rolleyes:
* Developer Day Scotland 2 - Free community conference * The Blog of Colin Angus Mackay
Vogon Building and Loan advise that your planet is at risk if you do not keep up repayments on any mortgage secured upon it. Please remember that the force of gravity can go up as well as down.
-
{ ;P } Member for 2+ years and only 5 posts. Since passwords are sent in plain text I deduced a troll had stolen your account and username and was now posting as you. I mean come on? The dang place is so insecure now I'm afraid to request my own password. That's why I always use the same 3 and just have to guess until I get it right. Admit it though you are a troll that stole a plain text password that was transmitted unsecurely and as you only had 2 to guess from to begin with and you are a troll cracking the password was very easy. So I know you are a troll but I can prove it. If you burn... then you are a troll. So I suggest we burn you. {/ ;P }
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
In an attempt to prove you wrong I just lit myself on fire. Unfortunately, it appears you were correct... I must be a troll, now a very warm one.
-
Um did you miss the smiley's? This part where you jumped in was supposed to be all fun. Boy! I actually thought this was the funnest part of it. I didn't say anything about who brought anything up. I think you read my title but not my content.
It's because you didn't use the "Joke" Message Type icon. :P
-
It's being stored encrypted and no one, except you (not even myself!) can see your password. The only time it's ever decrypted is for the sole purpose of sending it back to the email account you signed up with. However, we do have a ticket to change this to a one-way hash. Previously the consensus was that users wanted to be able to retrieve the actual password they entered and not have to keep resetting. All things change, though [Edit: as Shog helpfully linked[^] to], so we'll move to a different system.
cheers, Chris Maunder
CodeProject.com : C++ MVP
Out of curiosity, is the system setup like is done with credit cards where the DBAs have one part of the salt and the programmers have the other part of the salt so no single person can decrypt the password? If I'm not mistaken the idea is that you would need root level DB access *AND* source code access (or solid disassembly/reverse engineering skills) to encrypt/decrypt the data, though I've never built a system like this myself. Or does someone have access to the decryption key and could (theoretically) decrypt the contents of the password field in the database, given the knowhow and that key?
-
Micah71381 wrote:
I hadn't logged into this site for some time and didn't particularly feel like going through my entire password history to figure out which one it was.
You have a password history which you can look up? That sounds most secure. :rolleyes:
* Developer Day Scotland 2 - Free community conference * The Blog of Colin Angus Mackay
Vogon Building and Loan advise that your planet is at risk if you do not keep up repayments on any mortgage secured upon it. Please remember that the force of gravity can go up as well as down.
Colin Angus Mackay wrote:
You have a password history which you can look up? That sounds most secure.
In my head, yes. If someone can acquire that then either they hold something more valuable to me than my password (ie: my life) or they have developed the ability to read minds and at this time I would gladly give up my password to someone who can read my mind. :D
-
Out of curiosity, is the system setup like is done with credit cards where the DBAs have one part of the salt and the programmers have the other part of the salt so no single person can decrypt the password? If I'm not mistaken the idea is that you would need root level DB access *AND* source code access (or solid disassembly/reverse engineering skills) to encrypt/decrypt the data, though I've never built a system like this myself. Or does someone have access to the decryption key and could (theoretically) decrypt the contents of the password field in the database, given the knowhow and that key?
-
I learned long ago that web-masters don't change their websites because of e-mails (especially security related things) but they do change them (sometimes) when it's posted on a public forum (especially security related things). I think this started occurring in web 1.1, when it became more than a handful of guys that all knew each other.
You're acting like a first class dork here. In another post you claim that you didn't see the suggestion forum, now you're saying you deliberately posted here to slap the admins in the face because you pro-actively don't trust them. You've earned no right to do that. I was willing to give you the benefit of the doubt but this comment is beyond the pale. Get a bloody grip, it's a non issue and you're publicly shitting all over the admins who happen to be a very nice bunch of people in a public forum.
"It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson
modified on Thursday, January 22, 2009 8:59 PM
-
:rolleyes: Honestly what difference does it make? This isn't a bank.
"It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson
John C wrote:
Honestly what difference does it make? This isn't a bank.
Curiosity at this point. The method I mentioned is the only "secure" way that I know of to store secret data in an encrypted format that the data-host can't get to. If the method is different I'm curious to know about it is all.
-
Is this part of the new Code-Frog manifesto? Jump on the new guy without provocation?
The StartPage Randomizer - The Windows Cheerleader - Twitter
Miszou wrote:
without provocation
What the F...? The guy deliberately posts a completely inappropriate rant out of no where in the wrong forum, gets told it's the wrong forum and pretends to apologize for it then later says he deliberately posted in this forum because he expects the admins to be useless and do nothing unless he rides in like a shining knight in armour to bitch about something that, let's be honest here, is about as much of a non issue as there can be. If you think there is any justification in catering to first class douchebags I'd like to hear it.
"It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson
