CodeProject.com and Plain Text Passwords!

  • M Miszou

    Is this part of the new Code-Frog manifesto? Jump on the new guy without provocation?

    The StartPage Randomizer - The Windows Cheerleader - Twitter

    Posted by Judah Gabriel Himango (#53)

    I'm with frog man on this one. This guy could have handled this better. It had a spiteful air to it, and I think that's become clearer in the responses.

    Tech, life, family, faith: Give me a visit. The apostle Paul, modernly speaking: Epistles of Paul Judah Himango

    C 1 Reply Last reply
    0
    • M Micah71381

      I was saying that posting what I see as a security flaw in a public forum is the way to get such security flaws resolved. I fully admit though that I chose the wrong public forum (I really did look for the proper one and I honestly missed it in the forum list, though I'm not sure how since it isn't exactly hidden). You are not the first person to mention that my original wording came across as offensive and after reading it through again I can see where this interpretation comes from, which is my fault. The reason for the tone of the post is that it's a pet peeve of mine mainly because it's so common for websites to neglect security when asking users for a password and since most users use the same password for everything this is quite bothersome. I was surprised that a site for developers had what I saw as a very basic flaw in their authentication system. This is the first time I've ever heard of someone encrypting passwords and storing them rather than hashing them or just storing them as plain text and even then, the password is e-mailed in plain-text (though this is not as big of a security concern in my eyes as storing them in plain-text). Again, my goal was not to try and trash the website or its administrators but instead to bring up a security concern publicly, which has since been alleviated by the helpful administrators and members. :)

      Posted by Member 96 (#54)

      I apologize for being so harsh, I still think what you did was wrong but it was classless to call you names and impugn your character in such a coarse manner.


      "It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson

      1 Reply Last reply
      0
      • J Judah Gabriel Himango

        I'm with frog man on this one. This guy could have handled this better. It had a spiteful air to it, and I think that's become clearer in the responses.

        Tech, life, family, faith: Give me a visit. The apostle Paul, modernly speaking: Epistles of Paul Judah Himango

        Posted by code frog 0 (#55)

        I appreciate that. Too many people too willing to kick my teeth in these days. Course anymore I'm ready to rumble. Kind of tired of Maxwell House Decaf only kind of crud on this forum these days.

        G S 2 Replies Last reply
        0
        • V Vikram A Punathambekar

          This isn't the Rex I know. :|

          Cheers, Vıkram.


          I've never ever worked anywhere where there has not been someone who given the choice I would not work with again. It's a job, you do your work, put up with the people you don't like, accept there are probably people there that don't like you a lot, and look forward to the weekends.   - Josh Gray.

          Posted by code frog 0 (#56)

          Actually it really is. Go back and read his OP and a lot of his replies. Consistency is lacking and look at his methods. I may have been a tad strong but I still disagree with what/how he approached things. Someone who has been here for 2+ years and made 5 posts comes back to suddenly lecture Chris on site security having made very little effort to really investigate the matter seems suspicious to me. I still think he is. I'm willing to bet I'm more right than wrong. But Vikram if you find my behavior out of character then I have zero issues at all apologizing to you and am more than willing to extend one. I only ask in return read the entire thread, subsequent responses then make your own judgment from that point.

          1 Reply Last reply
          0
          • J Joe Woodbury

            What? Then what is Chris doing with all the money I deposited?

            Anyone who thinks he has a better idea of what's good for people than people do is a swine. - P.J. O'Rourke

            Posted by Chris Maunder (#57)

            Um...errr...keeping it safe. Yeah. Safe. :~

            cheers, Chris Maunder

            CodeProject.com : C++ MVP

            1 Reply Last reply
            0
            • M Micah71381

              Out of curiosity, is the system set up like is done with credit cards where the DBAs have one part of the salt and the programmers have the other part of the salt so no single person can decrypt the password? If I'm not mistaken the idea is that you would need root level DB access *AND* source code access (or solid disassembly/reverse engineering skills) to encrypt/decrypt the data, though I've never built a system like this myself. Or does someone have access to the decryption key and could (theoretically) decrypt the contents of the password field in the database, given the know-how and that key?

              Posted by Chris Maunder (#58)

              The DBAs are the programmers - we're a small, tight ship here. But to put your mind at rest: very few have access to the key.

              Micah71381 wrote:

              Or does someone have access to the decryption key and could

              Yes, obviously someone (me) has access to the key in order to ensure our system has access to the key so it can unlock the passwords. And so this is why we're moving to hashes. Regardless of whether our members trust us, our system, and myself in particular, we're moving away from the convenience of two-way and over to a one-way.

              cheers, Chris Maunder

              CodeProject.com : C++ MVP

              G 1 Reply Last reply
              0
              • M Miszou

                Is this how you get one of those "Bob" icons? By being completely obnoxious? I guess it depends on whether you're a glass half full or half empty kinda guy, but I didn't see anything wrong with the original post. You and Code-Frog on the other hand... well, quite frankly I'm a little saddened. First class douchebag? Seriously? Get a grip.

                The StartPage Randomizer - The Windows Cheerleader - Twitter

                Posted by Jorgen Sigvardsson (#59)

                Miszou wrote:

                By being completely obnoxious?

                Yep.

                -- Kein Mitleid Für Die Mehrheit

                1 Reply Last reply
                0
                • M Micah71381

                  I didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my project for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately) it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this but no one mentioned that this site does it too.

                  Posted by Rocky Moore (#60)

                  I hate to tell you (well actually I don't but it sounded nicer), sending your email with your password really is not any worse than signing into the system without https, it is still broadcast over the net without any security. There is also probably a cookie that could be stolen, since again we are using CP in plain text mode, which could be copied and used if you use the option to stay signed in. It would be nice though to have CP use OpenID for login and remove the need for a password log in system. With the open source libraries for OpenID, that should take a weekend or so to get running on CP. The main thing to think about is that this is one of many sites that have no really serious information to be concerned if someone hacked it anyway. If you are using a password here that is important somewhere else to you, then that would be a mistake on your part.

                  Rocky <>< Recent Blog Post: Doughboy – R.I.P. Thinking about Silverlight? www.SilverlightCity.com

                  M 1 Reply Last reply
                  0
                  • M Micah71381

                    Doesn't that defeat the purpose of a hash (both cryptographic and indexing)...

                    Posted by peterchen (#61)

                    There's a little icon to his post ;)

                    Burning Chrome ^ | Linkify!| FoldWithUs! | sighist

                    1 Reply Last reply
                    0
                    • C code frog 0

                      I think it's just best for me to remain silent here unless asked a direct question. I seem to get in less trouble that way. :^)


                      If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put their feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but votes should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}

                      Posted by ghle (#62)

                      I too took his words to mean what he said. 2 passwords are 2 passwords. I thought he was kinda dumb, but I guess stirring the pot was more the purpose.

                      Gary

                      1 Reply Last reply
                      0
                      • C code frog 0

                        I appreciate that. Too many people too willing to kick my teeth in these days. Course anymore I'm ready to rumble. Kind of tired of Maxwell House Decaf only kind of crud on this forum these days.

                        Posted by ghle (#63)

                        I'm with the frog too.

                        Miszou wrote:

                        Date: Thursday, January 22, 2009 7:14 PM Is this part of the new Code-Frog manifesto? Jump on the new guy without provocation?

                        2 Passwords != 2 Passwords New Guy == 2 year member WTF? Final answer.

                        Gary

                        1 Reply Last reply
                        0
                        • C Chris Maunder

                          The DBAs are the programmers - we're a small, tight ship here. But to put your mind at rest: very few have access to the key.

                          Micah71381 wrote:

                          Or does someone have access to the decryption key and could

                          Yes, obviously someone (me) has access to the key in order to ensure our system has access to the key so it can unlock the passwords. And so this is why we're moving to hashes. Regardless of whether our members trust us, our system, and myself in particular, we're moving away from the convenience of two-way and over to a one-way.

                          cheers, Chris Maunder

                          CodeProject.com : C++ MVP

                          Posted by ghle (#64)

                          Chris Maunder wrote:

                          And so this is why we're moving to hashes. Regardless of whether our members trust us, our system, and myself in particular, we're moving away from the convenience of two-way and over to a one-way.

                          Hopefully, not because of this jerk?!?

                          Gary

                          M 1 Reply Last reply
                          0
                          • M Micah71381

                            Colin Angus Mackay wrote:

                            You have a password history which you can look up? That sounds most secure.

                            In my head, yes. If someone can acquire that then either they hold something more valuable to me than my password (ie: my life) or they have developed the ability to read minds and at this time I would gladly give up my password to someone who can read my mind. :D

                            Posted by Graham Shanks (#65)

                            We can read your brain electronically, but we'd have to get it out first. It's got to be prepared. Treated, Diced. It could always be replaced, if you think it's important. Yes, an electronic brain, a simple one would suffice. Thanks to Frankie and Benji, with apologies to Douglas

                            Graham Librarians rule, Ook!

                            1 Reply Last reply
                            0
                            • G ghle

                              Chris Maunder wrote:

                              And so this is why we're moving to hashes. Regardless of whether our members trust us, our system, and myself in particular, we're moving away from the convenience of two-way and over to a one-way.

                              Hopefully, not because of this jerk?!?

                              Gary

                              Posted by Micah71381 (#66)

                              ghle wrote:

                              Hopefully, not because of this jerk?!?

                              No, I read through the links provided earlier and it appears that this concern was brought up a while back (in the correct forum even) and a poll was opened asking the user-base if they wanted their passwords hashed or encrypted (more or less). It appears that the poll resulted in people wanting hashes instead and I think that is what caused them to add the ticket to their list.

                              1 Reply Last reply
                              0
                              • R Rocky Moore

                                I hate to tell you (well actually I don't but it sounded nicer), sending your email with your password really is not any worse than signing into the system without https, it is still broadcast over the net without any security. There is also probably a cookie that could be stolen, since again we are using CP in plain text mode, which could be copied and used if you use the option to stay signed in. It would be nice though to have CP use OpenID for login and remove the need for a password log in system. With the open source libraries for OpenID, that should take a weekend or so to get running on CP. The main thing to think about is that this is one of many sites that have no really serious information to be concerned if someone hacked it anyway. If you are using a password here that is important somewhere else to you, then that would be a mistake on your part.

                                Rocky <>< Recent Blog Post: Doughboy – R.I.P. Thinking about Silverlight? www.SilverlightCity.com

                                Posted by Micah71381 (#67)

                                My concern is that many people use the same password for everything (or at least a small set of passwords that they can remember). While I acknowledge that this is a security hole created by the end-user, it is not uncommon and therefore should be taken into consideration by companies wishing to keep their users safe. In the example of a stolen cookie, hopefully the cookie wouldn't actually store the password in plain text in which case the cookie could be used to gain access to this site but not gain access to other sites that the user subscribes to (as a stolen password would). In the example of plain text login, I agree that a secure login system is preferable, though I am of the opinion that the man-in-the-middle attack required to intercept the password in transit is quite difficult and therefore of lesser issue than some of the other security problems with various authentication systems. With a password in e-mail form the 'hacker' needs only to gain access to the victim's e-mail long enough to get a password reset e-mail sent to it. They then have the victim's password which likely gets them access to *many* accounts across the internet to which that user subscribes. If a password reset link was sent or a temporary password was sent then the hacker only gains access to the account(s) which a password reset is initiated on. It's also possible that the hacker only has access to already retrieved e-mails (perhaps they got a hold of the user's local e-mail file but are unable to fetch more) and if the user's password is stored somewhere in their local e-mail the hacker now has access to everything. Again, I won't claim that switching to a hash solves *all* security problems but it improves the system which is a step in the right direction.

                                R 1 Reply Last reply
                                0
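
The two changes discussed in posts #58 and #67 (one-way hashes in place of reversible encryption, and a reset link in place of e-mailing the stored password), as an added example that is not part of the thread and is not CodeProject's code. The `AccountStore` class, the PBKDF2 work factor and the 15-minute expiry are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # work factor; an assumed value for this example
RESET_TTL_SECONDS = 15 * 60   # reset links expire after 15 minutes (assumed)


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = secrets.token_bytes(16)  # unique per record, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def _token_id(token: str) -> str:
    # Only this digest is stored, so a copied token table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class AccountStore:
    """In-memory stand-in for the user and reset-token tables (hypothetical)."""

    def __init__(self) -> None:
        self.password_records = {}  # user -> PBKDF2 record, never the password
        self.reset_rows = {}        # sha256(token) -> (user, expires_at)

    def register(self, user: str, password: str) -> None:
        self.password_records[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self.password_records.get(user)
        return record is not None and verify_password(password, record)

    def request_reset(self, user: str, now: Optional[float] = None) -> Optional[str]:
        """Return the token for the e-mailed link. There is no stored password
        to send: the mail carries only this random, short-lived value."""
        if user not in self.password_records:
            return None  # the HTTP response should look the same either way
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.reset_rows[_token_id(token)] = (user, now + RESET_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        row = self.reset_rows.pop(_token_id(token), None)  # pop makes it single use
        if row is None:
            return False
        user, expires_at = row
        if now > expires_at:
            return False
        self.password_records[user] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")  # constructed sample
    link_token = store.request_reset("alice")
    print("stored record:", store.password_records["alice"])
    print("reset accepted:", store.complete_reset(link_token, "a new passphrase"))
    print("token reused:", store.complete_reset(link_token, "someone else's choice"))
    print("old password works:", store.login("alice", "correct horse battery staple"))
```

A mailbox that is read later contains only an expired, already-used token, which is the property post #67 argues for.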
                                • C code frog 0

                                  So if you only have password for insecure sites and one for sites you trust more at most there were two options for your password and you couldn't remember it eh? Tell you what junior. Take your false police report and go bake a crap cake somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem "LIES". :rolleyes:


                                  If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put their feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but votes should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}

                                  Posted by Synaptrik (#68)

                                  That is just about the most abusive post I've seen from a member who proclaims community. Come on Frog, you are better than that. I'll just pretend I didn't see the post. After submitting this of course. (and this is a different account than the one you might be familiar with so before you go spouting abuse in response to this think twice)

                                  This statement is false

                                  1 Reply Last reply
                                  0
                                  • C code frog 0

                                    I appreciate that. Too many people too willing to kick my teeth in these days. Course anymore I'm ready to rumble. Kind of tired of Maxwell House Decaf only kind of crud on this forum these days.

                                    Posted by Synaptrik (#69)

                                    code-frog wrote:

                                    Too many people too willing to kick my teeth in these days.

                                    If you leap head first to kick someone else's teeth in then you should expect that. Even if the original post was inappropriate, it in no way justifies you attacking him and calling him names in a belittling manner. Anyone who justifies that needs to readdress their humanity. I distinctly remember you depending on the good will of others. You should repay that in spades.

                                    This statement is false

                                    1 Reply Last reply
                                    0
                                    • M Micah71381

                                      My concern is that many people use the same password for everything (or at least a small set of passwords that they can remember). While I acknowledge that this is a security hole created by the end-user, it is not uncommon and therefore should be taken into consideration by companies wishing to keep their users safe. In the example of a stolen cookie, hopefully the cookie wouldn't actually store the password in plain text in which case the cookie could be used to gain access to this site but not gain access to other sites that the user subscribes to (as a stolen password would). In the example of plain text login, I agree that a secure login system is preferable, though I am of the opinion that the man-in-the-middle attack required to intercept the password in transit is quite difficult and therefore of lesser issue than some of the other security problems with various authentication systems. With a password in e-mail form the 'hacker' needs only to gain access to the victim's e-mail long enough to get a password reset e-mail sent to it. They then have the victim's password which likely gets them access to *many* accounts across the internet to which that user subscribes. If a password reset link was sent or a temporary password was sent then the hacker only gains access to the account(s) which a password reset is initiated on. It's also possible that the hacker only has access to already retrieved e-mails (perhaps they got a hold of the user's local e-mail file but are unable to fetch more) and if the user's password is stored somewhere in their local e-mail the hacker now has access to everything. Again, I won't claim that switching to a hash solves *all* security problems but it improves the system which is a step in the right direction.

                                      Posted by Rocky Moore (#70)

                                      Micah71381 wrote:

                                      In the example of a stolen cookie, hopefully the cookie wouldn't actually store the password in plain text in which case the cookie could be used to gain access to this site but not gain access to other sites that the user subscribes to (as a stolen password would).

                                      It really does not matter, if the cookie allows you to be automatically logged in, anyone who obtains that cookie would be automatically logged in to your account unless it was tied to an IP and they did not replicate that IP, or some other information such as specific browser information, which in most cases neither are used. So, anyone intercepting between the two points would be able to hack your account. This is security lost to convenience and is a security risk just about everywhere, but most of us still use it anyway.

                                      Micah71381 wrote:

                                      In the example of plain text login, I agree that a secure login system is preferable, though I am of the opinion that the man-in-the-middle attack required to intercept the password in transit is quite difficult and therefore of lesser issue than some of the other security problems with various authentication systems.

                                      It would be the same to intercept your email to obtain your login information. Every time you sign in to CP, you expose your account to being hacked and your email and password to be found out. For this reason, anyone should never use the same password you would use for any serious security on a site like CP which does not provide a secure login. Anyone who does is asking to be hacked. It would make as much sense as using email to send your credit card information to someone, it is just something you would not do, you would expect the security risk just as you should on any site without a secure login. Again, I would love to see OpenID used on CP as well as every site so that we can get rid of this password logging junk and make life much easier. I understand your concerns, but I would think you would already understand that a site like CP does not claim any form of security, that should be obvious by the plain text login.

                                      Rocky <>< Recent Blog Post: Doughboy – R.I.P. Thinking about Silverlight? www.SilverlightCity.com

                                      M 1 Reply Last reply
                                      0
                                      • R Rocky Moore

                                        Micah71381 wrote:

                                        In the example of a stolen cookie, hopefully the cookie wouldn't actually store the password in plain text in which case the cookie could be used to gain access to this site but not gain access to other sites that the user subscribes to (as a stolen password would).

                                        It really does not matter, if the cookie allows you to be automatically logged in, anyone who obtains that cookie would be automatically logged in to your account unless it was tied to an IP and they did not replicate that IP, or some other information such as specific browser information, which in most cases neither are used. So, anyone intercepting between the two points would be able to hack your account. This is security lost to convenience and is a security risk just about everywhere, but most of us still use it anyway.

                                        Micah71381 wrote:

                                        In the example of plain text login, I agree that a secure login system is preferable, though I am of the opinion that the man-in-the-middle attack required to intercept the password in transit is quite difficult and therefore of lesser issue than some of the other security problems with various authentication systems.

                                        It would be the same to intercept your email to obtain your login information. Every time you sign in to CP, you expose your account to being hacked and your email and password to be found out. For this reason, anyone should never use the same password you would use for any serious security on a site like CP which does not provide a secure login. Anyone who does is asking to be hacked. It would make as much sense as using email to send your credit card information to someone, it is just something you would not do, you would expect the security risk just as you should on any site without a secure login. Again, I would love to see OpenID used on CP as well as every site so that we can get rid of this password logging junk and make life much easier. I understand your concerns, but I would think you would already understand that a site like CP does not claim any form of security, that should be obvious by the plain text login.

                                        Rocky <>< Recent Blog Post: Doughboy – R.I.P. Thinking about Silverlight? www.SilverlightCity.com

                                        Posted by Micah71381 (#71)

                                        Rocky Moore wrote:

                                        It really does not matter, if the cookie allows you to be automatically logged in, anyone who obtains that cookie would be automatically logged in to your account

                                        This is true, but they would only be auto-logged into my codeproject account, not any of my other accounts for which I use the same (or similar) credentials.

                                        Rocky Moore wrote:

                                        It would be the same to intercept your email to obtain your login information. Every time you sign in to CP, you expose your account to being hacked and your email and password to be found out. For this reason, anyone should never use the same password you would use for any serious security on a site like CP which does not provide a secure login. Anyone who does is asking to be hacked. It would make as much sense as using email to send your credit card information to someone, it is just something you would not do, you would expect the security risk just as you should on any site without a secure login.

                                        I fully agree that in the end security responsibility is up to the end-user. However, it is in the best interest of the websites to "help" end-users be secure by participating in best practices regarding authentication security. While intercepting a plain-text password in transit is possible, it is still harder than gaining access to an e-mail cache on someone's computer. If I use a web-based e-mail client on a public computer it's entirely possible that my e-mail cache will be left behind, even if the mail service used https (I do acknowledge that it's my responsibility as a user to ensure my mail cache isn't left behind, but in practice this is rarely done). Assuming my password was never e-mailed to me in plain-text, at worst the hacker would gain access to my personal mail with which they could do relatively little damage aside from blackmail perhaps. However, if a site e-mails me my password in plain-text to me, the hacker now knows my password and my e-mail address, without any targeted attacks, just by looking through the browser cache. They can now access any online accounts of mine that I use that password with (for the average user this is going to be all of their accounts). Without the plain-text e-mail password the hacker will have to do some kind of targeted attack such as a keylogger, man-in-the-middle, or phishing. Yet another issue is even less troublesome for the hacker. Say I'm using a public computer or kiosk t


                                          Rocky Moore wrote (#72):

                                          Actually, all your examples are those of your lack of security. Again, if you choose to use a password without multiple sites with an unsecure site such as CP, the problem is more one of your own making. While CP could secure its systems and use SSL for everything, encrypt passwords and only send out reset steps instead of the password, the site has already proclaimed lack of security by its plain text signin and thus you should never use anything you would be concerned about. I guess it is all a moot point anyway as Chris has already said it is on the schedule to change the emailing of passwords.

                                          Rocky <>< Recent Blog Post: Doughboy – R.I.P. Thinking about Silverlight? www.SilverlightCity.com
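
As an added example (not part of the thread and not CodeProject's code): one way to do what the post above calls sending "reset steps instead of the password", with passwords stored as salted PBKDF2 hashes and the e-mail carrying only a single-use, expiring token. The function and class names, the iteration count and the 15-minute lifetime are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # assumed work factor for this example
RESET_TTL = 15 * 60           # assumed token lifetime, in seconds


def hash_password(password: str) -> dict:
    """Return the record to store: a random salt and the derived hash only."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


class ResetTokens:
    """Hypothetical reset flow: the e-mail carries a token, never a password."""

    def __init__(self):
        # Only a hash of each token is kept, so a leaked table is not usable.
        self._pending = {}  # sha256(token) -> (username, expiry time)

    def issue(self, username: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._pending[key] = (username, now + RESET_TTL)
        return token  # this value goes into the e-mailed reset link

    def redeem(self, token: str, new_password: str, users: dict, now: float = None) -> bool:
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(key, None)   # pop makes the token single-use
        if entry is None or now > entry[1]:
            return False                       # unknown, reused or expired
        users[entry[0]] = hash_password(new_password)
        return True
```

A reset e-mail left in a browser cache then exposes only a token that is already spent or expired, not a password that may be reused on other sites.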
