CodeProject.com and Plain Text Passwords!

Forum: The Lounge
Tags: database, com, security, discussion
73 Posts, 22 Posters
In reply to Member 96:

    Micah71381 wrote:

    I'm curious to know about it is all.

    I'm curious to know why you want to besmirch the good names of the admins here and post intentionally (as you stated) in the wrong forum as a slap in the face to them to get them to make a change because you don't trust them to while in the same thread claiming you didn't see the suggestion forum. I'm curious about the arrogance required to do that. I'm curious how this whole thing is any kind of issue more important than a simple question in the suggestion forum. Curious indeed.


    "It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson

Micah71381 (#46):

    As mentioned in another branch of this thread, I should have posted in the suggestion forum. It sounds like you misinterpreted my meaning when I referred to posting security concerns in a public forum. What I meant by that is a location that is viewable to the public, rather than in a private e-mail to an administrator or support personnel. The suggestion forum is a publicly viewable forum and that would have been the correct place to post my original message.

In reply to Member 96:

      Miszou wrote:

      without provocation

      What the F...? The guy deliberately posts a completely inappropriate rant out of no where in the wrong forum, gets told it's the wrong forum and pretends to apologize for it then later says he deliberately posted in this forum because he expects the admins to be useless and do nothing unless he rides in like a shining knight in armour to bitch about something that, let's be honest here, is about as much of a non issue as there can be. If you think there is any justification in catering to first class douchebags I'd like to hear it.


      "It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson

Miszou (#47):

      Is this how you get one of those "Bob" icons? By being completely obnoxious? I guess it depends on whether you're a glass half full or half empty kinda guy, but I didn't see anything wrong with the original post. You and Code-Frog on the other hand... well, quite frankly I'm a little saddened. First class douchebag? Seriously? Get a grip.

      The StartPage Randomizer - The Windows Cheerleader - Twitter

In reply to Richard Andrew x64:

        You deliberately twisted my meaning. You sarcastically asserted that my lack of concern must be due to me having a different password and user id at each website. Well, in fact you are correct. That is exactly why I am unconcerned about Code Project's security model. However, if you choose to use the same password everywhere, and the password gets revealed, and this causes you big trouble, then you have no one to blame but yourself.

Miszou (#48):

Yes, I was being sarcastic in my original post.... Probably ought not to have done that, but whatever... The point still stands though. Many people use the same username/password combo for different websites. I'm known as Miszou on almost every forum I read. Just because you and I have the foresight to use different passwords all over the place, doesn't mean the potential security problem still doesn't exist. It's like putting a towel over your head because if you can't see the scary things, then they must not be there! The security issue is real and pretending it's the user's fault for not having multiple passwords doesn't do a thing to help anyone.

        The StartPage Randomizer - The Windows Cheerleader - Twitter

In reply to Miszou:

          Is this how you get one of those "Bob" icons? By being completely obnoxious? I guess it depends on whether you're a glass half full or half empty kinda guy, but I didn't see anything wrong with the original post. You and Code-Frog on the other hand... well, quite frankly I'm a little saddened. First class douchebag? Seriously? Get a grip.

          The StartPage Randomizer - The Windows Cheerleader - Twitter

Gary Kirkham (#49):

          Miszou wrote:

          Is this how you get one of those "Bob" icons? By being completely obnoxious?

          He got the icon by spending money, obnoxious is free of charge.

          Gary Kirkham Forever Forgiven and Alive in the Spirit "Truly, truly, I say to you, he who hears My word, and believes Him who sent Me, has eternal life, and does not come into judgment, but has passed out of death into life. Me blog, You read

In reply to Micah71381:

I didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my project for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately) it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this but no one mentioned that this site does it too.

Joe Woodbury (#50):

            Dammit, I use the same password here as for my Nigerian bank account. Now all my millions are at risk.

            Anyone who thinks he has a better idea of what's good for people than people do is a swine. - P.J. O'Rourke

In reply to code frog 0:

So if you only have one password for insecure sites and one for sites you trust more, at most there were two options for your password and you couldn't remember it eh? Tell you what junior. Take your false police report and go bake a crap cake somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem "LIES". :rolleyes:


If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put their feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but votes should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}

Vikram A Punathambekar (#51):

              This isn't the Rex I know. :|

              Cheers, Vıkram.


              I've never ever worked anywhere where there has not been someone who given the choice I would not work with again. It's a job, you do your work, put up with the people you don't like, accept there are probably people there that don't like you a lot, and look forward to the weekends.   - Josh Gray.

In reply to Member 96:

                :rolleyes: Honestly what difference does it make? This isn't a bank.


                "It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson

Joe Woodbury (#52):

                What? Then what is Chris doing with all the money I deposited?

                Anyone who thinks he has a better idea of what's good for people than people do is a swine. - P.J. O'Rourke

In reply to Miszou:

                  Is this part of the new Code-Frog manifesto? Jump on the new guy without provocation?

                  The StartPage Randomizer - The Windows Cheerleader - Twitter

Judah Gabriel Himango (#53):

                  I'm with frog man on this one. This guy could have handled this better. It had a spiteful air to it, and I think that's become clearer in the responses.

                  Tech, life, family, faith: Give me a visit. The apostle Paul, modernly speaking: Epistles of Paul Judah Himango

In reply to Micah71381:

I was saying that posting what I see as a security flaw in a public forum is the way to get such security flaws resolved. I fully admit though that I chose the wrong public forum (I really did look for the proper one and I honestly missed it in the forum list, though I'm not sure how since it isn't exactly hidden). You are not the first person to mention that my original wording came across as offensive and after reading it through again I can see where this interpretation comes from, which is my fault. The reason for the tone of the post is that it's a pet peeve of mine mainly because it's so common for websites to neglect security when asking users for a password and since most users use the same password for everything this is quite bothersome. I was surprised that a site for developers had what I saw as a very basic flaw in their authentication system. This is the first time I've ever heard of someone encrypting passwords and storing them rather than hashing them or just storing them as plain text and even then, the password is e-mailed in plain text (though this is not as big of a security concern in my eyes as storing them in plain text). Again, my goal was not to try and trash the website or its administrators but instead to bring up a security concern publicly, which has since been alleviated by the helpful administrators and members. :)

Member 96 (#54):

                    I apologize for being so harsh, I still think what you did was wrong but it was classless to call you names and impugn your character in such a coarse manner.


                    "It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson

In reply to Judah Gabriel Himango:

                      I'm with frog man on this one. This guy could have handled this better. It had a spiteful air to it, and I think that's become clearer in the responses.

                      Tech, life, family, faith: Give me a visit. The apostle Paul, modernly speaking: Epistles of Paul Judah Himango

code frog 0 (#55):

                      I appreciate that. Too many people too willing to kick my teeth in these days. Course anymore I'm ready to rumble. Kind of tired of Maxwell House Decaf only kind of crud on this forum these days.

In reply to Vikram A Punathambekar:

                        This isn't the Rex I know. :|

                        Cheers, Vıkram.


                        I've never ever worked anywhere where there has not been someone who given the choice I would not work with again. It's a job, you do your work, put up with the people you don't like, accept there are probably people there that don't like you a lot, and look forward to the weekends.   - Josh Gray.

code frog 0 (#56):

                        Actually it really is. Go back and read his OP and a lot of his replies. Consistency is lacking and look at his methods. I may have been a tad strong but I still disagree with what/how he approached things. Someone who has been here for 2+ years and made 5 posts comes back to suddenly lecture Chris on site security having made very little effort to really investigate the matter seems suspicious to me. I still think he is. I'm willing to bet I'm more right than wrong. But Vikram if you find my behavior out of character then I have zero issues at all apologizing to you and am more than willing to extend one. I only ask in return read the entire thread, subsequent responses then make your own judgment from that point.

In reply to Joe Woodbury:

                          What? Then what is Chris doing with all the money I deposited?

                          Anyone who thinks he has a better idea of what's good for people than people do is a swine. - P.J. O'Rourke

Chris Maunder (#57):

                          Um...errr...keeping it safe. Yeah. Safe. :~

                          cheers, Chris Maunder

                          CodeProject.com : C++ MVP

In reply to Micah71381:

                            Out of curiosity, is the system setup like is done with credit cards where the DBAs have one part of the salt and the programmers have the other part of the salt so no single person can decrypt the password? If I'm not mistaken the idea is that you would need root level DB access *AND* source code access (or solid disassembly/reverse engineering skills) to encrypt/decrypt the data, though I've never built a system like this myself. Or does someone have access to the decryption key and could (theoretically) decrypt the contents of the password field in the database, given the knowhow and that key?

Chris Maunder (#58):

                            The DBAs are the programmers - we're a small, tight ship here. But to put your mind at rest: very few have access to the key.

                            Micah71381 wrote:

                            Or does someone have access to the decryption key and could

                            Yes, obviously someone (me) has access to the key in order to ensure our system has access to the key so it can unlock the passwords. And so this is why we're moving to hashes. Regardless of whether our members trust us, our system, and myself in particular, we're moving away from the convenience of two-way and over to a one-way.

                            cheers, Chris Maunder

                            CodeProject.com : C++ MVP

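Chris's move from a two-way store to one-way hashes, written out as an added example. This is not CodeProject's code, and the thread says nothing about which hash or reset mechanism the site adopted. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as the hash, an in-memory dict as the member table, a one-hour lifetime for reset tokens, and a caller-supplied `decrypt` routine standing in for the legacy key Chris mentions; `hash_password`, `verify_password`, `UserStore` and `migrate_from_reversible` are illustrative names. Chris's answer to the split-key question shows up in the migration step: whoever can run `decrypt` can read every password, so the fix is to stop needing the key at all, which is what the one-way store does.

```python
# Added example, not CodeProject's code: one-way password storage and a reset
# flow that e-mails a single-use token instead of the password.
# Assumptions: PBKDF2-HMAC-SHA256 as the hash (the thread only says "hashes"),
# a dict as the member table, a one-hour reset-token lifetime, and a
# caller-supplied decrypt() routine standing in for the legacy two-way store.
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

PBKDF2_ROUNDS = 600_000    # assumed work factor; raise it as hardware gets faster
TOKEN_TTL_SECONDS = 3600   # assumed reset-link lifetime


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = PBKDF2_ROUNDS) -> str:
    """Return 'pbkdf2_sha256$rounds$salt$digest'; the salt is fresh per call."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256$%d$%s$%s" % (rounds, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Used when the e-mail is unknown, so that failure costs the same time as a
# wrong password and does not reveal which addresses are registered.
_DUMMY_HASH = hash_password("not-a-real-password")


def _sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class UserStore:
    """In-memory stand-in for the member table (assumption)."""

    def __init__(self) -> None:
        # email -> {"pw": stored hash, "reset": (sha256(token), expiry) or None}
        self.users: Dict[str, dict] = {}

    def register(self, email: str, password: str) -> None:
        self.users[email] = {"pw": hash_password(password), "reset": None}

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            verify_password(password, _DUMMY_HASH)
            return False
        return verify_password(password, user["pw"])

    def request_reset(self, email: str, now: Optional[float] = None) -> Optional[str]:
        """Mint a token for the mailer. Only its hash is stored, so reading the
        database (the worry that started the thread) yields no usable link, and
        there is no password on file to send back."""
        user = self.users.get(email)
        if user is None:
            return None
        now = time.time() if now is None else now
        token = os.urandom(32).hex()
        user["reset"] = (_sha256_hex(token), now + TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, email: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        user = self.users.get(email)
        if user is None or user["reset"] is None:
            return False
        token_hash, expiry = user["reset"]
        now = time.time() if now is None else now
        if now > expiry or not hmac.compare_digest(_sha256_hex(token), token_hash):
            return False
        user["reset"] = None                      # single use
        user["pw"] = hash_password(new_password)  # fresh salt, old hash gone
        return True

    def migrate_from_reversible(self, legacy_rows: Dict[str, bytes],
                                decrypt: Callable[[bytes], str]) -> int:
        """One-off migration from the two-way store: decrypt each row with the
        old key, keep only a hash, return the row count. Afterwards the key can
        be destroyed. This loop is the one place the plaintext exists; keep it
        out of logs."""
        for email, ciphertext in legacy_rows.items():
            self.users[email] = {"pw": hash_password(decrypt(ciphertext)),
                                 "reset": None}
        return len(legacy_rows)
```

After a reset the user sets a new password; nothing in the store can produce the old one, so the "e-mail me my password" behaviour that started the thread becomes impossible by construction rather than by policy.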
In reply to Miszou:

                              Is this how you get one of those "Bob" icons? By being completely obnoxious? I guess it depends on whether you're a glass half full or half empty kinda guy, but I didn't see anything wrong with the original post. You and Code-Frog on the other hand... well, quite frankly I'm a little saddened. First class douchebag? Seriously? Get a grip.

                              The StartPage Randomizer - The Windows Cheerleader - Twitter

Jorgen Sigvardsson (#59):

                              Miszou wrote:

                              By being completely obnoxious?

                              Yep.

                              -- Kein Mitleid Für Die Mehrheit

In reply to Micah71381:

I didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my project for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately) it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this but no one mentioned that this site does it too.

Rocky Moore (#60):

                                I hate to tell you (well actually I don't but it sounded nicer), sending your email with your password really is not any worse than signing into the system without https, it is still broadcast over the net without any security. There is also probably a cookie that could be stolen, since again we are using CP in plain text mode, which could be copied and used if you use the option to stay signed in. It would be nice though to have CP use OpenID for login and remove the need for a password log in system. With the open source libraries for OpenID, that should take a weekend or so to get running on CP. The main thing to think about is that this is one of many sites that have no really serious information to be concerned if someone hacked it anyway. If you are using a password here that is important somewhere else to you, then that would be a mistake on your part.

                                Rocky <>< Recent Blog Post: Doughboy – R.I.P. Thinking about Silverlight? www.SilverlightCity.com

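Rocky's two points, a login sent over plain HTTP and a stay-signed-in cookie that can be copied, as an added example that is not from the thread or from CodeProject's code. It assumes the selector:validator layout for the persistent-login token (the server keeps only a SHA-256 of the validator), a 30-day lifetime, and Python's http.cookies for the Set-Cookie line; `RememberMe`, `missing_flags` and the cookie name `remember` are illustrative. The Secure attribute is what keeps the cookie off a plain-HTTP request in the first place, so this only helps once the login page itself is served over HTTPS.

```python
# Added example, not CodeProject's code: a "stay signed in" cookie that is a
# random token rather than the password, stored server-side only as a hash,
# sent with the Secure and HttpOnly attributes, and rotated on every use so a
# copied cookie is detectable. Assumptions: the selector:validator layout,
# a 30-day lifetime, and Python's http.cookies for the Set-Cookie line.
import hashlib
import hmac
import os
import time
from http.cookies import SimpleCookie
from typing import Dict, List, Optional, Tuple

REMEMBER_TTL_SECONDS = 30 * 24 * 3600   # assumed lifetime
COOKIE_NAME = "remember"                # illustrative name


def _sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


class RememberMe:
    def __init__(self) -> None:
        # selector -> (sha256(validator), user, expiry). The selector is the
        # lookup key; the validator is the secret and is never stored in clear,
        # so a copy of this table does not let anyone forge a cookie.
        self.tokens: Dict[str, Tuple[str, str, float]] = {}

    def issue(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        selector = os.urandom(12).hex()
        validator = os.urandom(32).hex()
        self.tokens[selector] = (_sha256_hex(validator), user,
                                 now + REMEMBER_TTL_SECONDS)
        return selector + ":" + validator

    @staticmethod
    def cookie_header(value: str) -> str:
        """Build the Set-Cookie value. Secure keeps it off plain-HTTP requests,
        the channel Rocky points at; HttpOnly keeps page scripts from reading it."""
        jar = SimpleCookie()
        jar[COOKIE_NAME] = value
        morsel = jar[COOKIE_NAME]
        morsel["secure"] = True
        morsel["httponly"] = True
        morsel["samesite"] = "Lax"
        morsel["max-age"] = REMEMBER_TTL_SECONDS
        morsel["path"] = "/"
        return morsel.OutputString()

    def redeem(self, value: str,
               now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Return (user, replacement cookie value) or None. Every presentation
        retires the token, so two parties holding the same copy cannot both keep
        using it; a known selector with a wrong validator is treated as a stolen
        or stale cookie and the selector is revoked outright."""
        now = time.time() if now is None else now
        if ":" not in value:
            return None
        selector, validator = value.split(":", 1)
        record = self.tokens.pop(selector, None)   # single use, whatever follows
        if record is None:
            return None
        validator_hash, user, expiry = record
        if not hmac.compare_digest(_sha256_hex(validator), validator_hash):
            return None                             # revoked by the pop above
        if now > expiry:
            return None
        return user, self.issue(user, now)


def missing_flags(set_cookie: str) -> List[str]:
    """Check a captured Set-Cookie value for the two attributes that matter here."""
    attributes = {part.strip().split("=", 1)[0].lower()
                  for part in set_cookie.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly")
            if flag.lower() not in attributes]
```

`missing_flags` is the quick check to run over a Set-Cookie header captured from a site: a line such as `remember=abc; Path=/` (a constructed sample, not captured from CodeProject) reports both attributes missing, which is exactly the cookie that can be lifted off the wire.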
In reply to Micah71381:

                                  Doesn't that defeat the purpose of a hash (both cryptographic and indexing)...

peterchen (#61):

                                  There's a little icon to his post ;)

                                  Burning Chrome ^ | Linkify!| FoldWithUs! | sighist

In reply to code frog 0:

                                    I think it's just best for me to remain silent here unless asked a direct question. I seem to get in less trouble that way. :^)


If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put their feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but votes should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}

ghle (#62):

                                    I too took his words to mean what he said. 2 passwords are 2 passwords. I thought he was kinda dumb, but I guess stirring the pot was more the purpose.

                                    Gary

In reply to code frog 0:

                                      I appreciate that. Too many people too willing to kick my teeth in these days. Course anymore I'm ready to rumble. Kind of tired of Maxwell House Decaf only kind of crud on this forum these days.

ghle (#63):

                                      I'm with the frog too.

                                      Miszou wrote:

                                      Date: Thursday, January 22, 2009 7:14 PM Is this part of the new Code-Frog manifesto? Jump on the new guy without provocation?

                                      2 Passwords != 2 Passwords New Guy == 2 year member WTF? Final answer.

                                      Gary

In reply to Chris Maunder:

                                        The DBAs are the programmers - we're a small, tight ship here. But to put your mind at rest: very few have access to the key.

                                        Micah71381 wrote:

                                        Or does someone have access to the decryption key and could

                                        Yes, obviously someone (me) has access to the key in order to ensure our system has access to the key so it can unlock the passwords. And so this is why we're moving to hashes. Regardless of whether our members trust us, our system, and myself in particular, we're moving away from the convenience of two-way and over to a one-way.

                                        cheers, Chris Maunder

                                        CodeProject.com : C++ MVP

ghle (#64):

                                        Chris Maunder wrote:

                                        And so this is why we're moving to hashes. Regardless of whether our members trust us, our system, and myself in particular, we're moving away from the convenience of two-way and over to a one-way.

                                        Hopefully, not because of this jerk?!?

                                        Gary

In reply to Micah71381:

                                          Colin Angus Mackay wrote:

                                          You have a password history which you can look up? That sounds most secure.

                                          In my head, yes. If someone can acquire that then either they hold something more valuable to me than my password (ie: my life) or they have developed the ability to read minds and at this time I would gladly give up my password to someone who can read my mind. :D

Graham Shanks (#65):

We can read your brain electronically, but we'd have to get it out first. It's got to be prepared. Treated. Diced. It could always be replaced, if you think it's important. Yes, an electronic brain, a simple one would suffice. Thanks to Frankie and Benji, with apologies to Douglas

                                          Graham Librarians rule, Ook!
