Storing Passwords in Plain Text
-
Has anyone realised that Code Project is storing passwords in plain text? I just went to reset my password and had it emailed to me :wtf: I had expected better than this, especially from a site that includes so many security-based articles in their newsletter. Let's hope this gets fixed soon...
-
Has anyone realised that Code Project is storing passwords in plain text? I just went to reset my password and had it emailed to me :wtf: I had expected better than this, especially from a site that includes so many security-based articles in their newsletter. Let's hope this gets fixed soon...
"A request was made to send you your email and password for your CodeProject login. We can't send you your original password so instead we've generated a time-limited password you can use to login in again:" I didn't see any evidence of my original password being stored in plain text.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
-
Has anyone realised that Code Project is storing passwords in plain text? I just went to reset my password and had it emailed to me :wtf: I had expected better than this, especially from a site that includes so many security-based articles in their newsletter. Let's hope this gets fixed soon...
:sigh: No, they don't. The one that was sent to you is a temporary value which you can use to log in and change your "real" password when you have forgotten it. Think about it: You have forgotten your password. You tell the site this. There are four options here:
1) It emails you with a message which says "OK, We've changed it" but doesn't tell you what to. You can't log in.
2) It changes it and doesn't tell you what to. You can't log in.
3) It automatically logs you in to change it. You get very annoyed because I just stole your account.
4) It emails you a new password so you can log in, provided you have access to your registered email address. You can log in if you are you, not if you are me.
Only the last one retains any security and allows you to forget your password.
Sent from my Amstrad PC 1640 Never throw anything away, Griff Bad command or file name. Bad, bad command! Sit! Stay! Staaaay... AntiTwitter: @DalekDave is now a follower!
-
Has anyone realised that Code Project is storing passwords in plain text? I just went to reset my password and had it emailed to me :wtf: I had expected better than this, especially from a site that includes so many security-based articles in their newsletter. Let's hope this gets fixed soon...
Like anyone else with any degree of competence, your password is stored as a hash of the original and cannot be recovered. Even if a site stored your password encrypted (not hashed), it is best to consider it totally insecure.
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
-
Like anyone else with any degree of competence, your password is stored as a hash of the original and cannot be recovered. Even if a site stored your password encrypted (not hashed), it is best to consider it totally insecure.
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
I hope it is salted and hashed. A merely hashed password is insecure.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
-
I hope it is salted and hashed. A merely hashed password is insecure.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
Salted, hashed, and I think it is time-limited as well.
"Time flies like an arrow. Fruit flies like a banana."
-
Has anyone realised that Code Project is storing passwords in plain text? I just went to reset my password and had it emailed to me :wtf: I had expected better than this, especially from a site that includes so many security-based articles in their newsletter. Let's hope this gets fixed soon...
Oops - you may now remove your foot from ... you need one of these :-O
Never underestimate the power of human stupidity - RAH I'm old. I know stuff - JSOP
-
Salted, hashed, and I think it is time-limited as well.
"Time flies like an arrow. Fruit flies like a banana."
I suppose that's why a periodic confirmation email comes.
M.D.V. ;) If something has a solution... Why do we have to worry about it? If it has no solution... For what reason do we have to worry about it? Help me to understand what I'm saying, and I'll explain it better to you. Rating helpful answers is nice, but saying thanks can be even nicer.
-
- Emails a message that says it was changed and the email has the password but in fact it doesn't. It does however have a customer support telephone line that rings on a conference room phone that absolutely no one ever answers.
- I had this one a couple of years ago, change your password and get a letter a week later by traditional snail mail containing your new password. You've guessed it, government :sigh: Since it was government I think I needed that password pretty bad too, I'm thinking it was something with moving/new house/mortgage...
Best, Sander sanderrossel.com Continuous Integration, Delivery, and Deployment arrgh.js - Bringing LINQ to JavaScript Object-Oriented Programming in C# Succinctly
-
Maybe it is better to really read the messages before complaining :) Just saying...
enum HumanBool { Yes, No, Maybe, Perhaps, Probably, ProbablyNot, MostLikely, MostUnlikely, HellYes, HellNo, Wtf }
Your enum seems to be missing a sensible default value: IllGetBackToYouOnThat And we all know that means the exact opposite :sigh:
Best, Sander sanderrossel.com Continuous Integration, Delivery, and Deployment arrgh.js - Bringing LINQ to JavaScript Object-Oriented Programming in C# Succinctly
-
Maybe it is better to really read the messages before complaining :) Just saying...
enum HumanBool { Yes, No, Maybe, Perhaps, Probably, ProbablyNot, MostLikely, MostUnlikely, HellYes, HellNo, Wtf }
phil.o wrote:
Maybe it is better to really read the messages before complaining
The OP DID read through the email quickly. It just so happened that the random new password was the SAME password as OP's original password. :-\
Social Media - A platform that makes it easier for the crazies to find each other. Everyone is born right handed. Only the strongest overcome it. Fight for left-handed rights and hand equality.
-
:sigh: No, they don't. The one that was sent to you is a temporary value which you can use to log in and change your "real" password when you have forgotten it. Think about it: You have forgotten your password. You tell the site this. There are four options here:
1) It emails you with a message which says "OK, We've changed it" but doesn't tell you what to. You can't log in.
2) It changes it and doesn't tell you what to. You can't log in.
3) It automatically logs you in to change it. You get very annoyed because I just stole your account.
4) It emails you a new password so you can log in, provided you have access to your registered email address. You can log in if you are you, not if you are me.
Only the last one retains any security and allows you to forget your password.
Sent from my Amstrad PC 1640 Never throw anything away, Griff Bad command or file name. Bad, bad command! Sit! Stay! Staaaay... AntiTwitter: @DalekDave is now a follower!
OriginalGriff wrote:
- It emails you a new password so you can log in,
Preferably without changing your current password until you use the new one. No password DoS, please! :-D
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
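The reset flow the thread converges on (Griff's option 4, Mark's "salted and hashed", and Richard's "don't change the current password until the new one is used") fits in a few dozen lines. The code below is an added illustration, not CodeProject's code and not from any poster; the store, the 15-minute token lifetime, and the PBKDF2 iteration count are assumptions chosen for the example. Note what it does and does not keep: a salted PBKDF2 hash of the password (so the original can never be emailed back, and two users with the same password get different stored values), and only a hash of the emailed reset token, which is time-limited, single-use, and leaves the existing password working until it is actually consumed.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed; OWASP's current guidance)
RESET_TOKEN_TTL = 15 * 60     # seconds an emailed reset token stays valid (assumed value)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random 16-byte salt per password means a
    precomputed table built for an unsalted hash is useless, and identical passwords
    do not produce identical rows."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected)   # constant-time compare


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    reset_token_hash: Optional[bytes] = None   # SHA-256 of the outstanding token, if any
    reset_expires_at: float = 0.0


class UserStore:
    """In-memory stand-in for the users table (constructed for the example)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, email: str, password: str) -> None:
        salt, key = hash_password(password)
        self.accounts[email] = Account(email, salt, key)

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and verify_password(password, acct.salt, acct.pw_hash)

    def request_reset(self, email: str, now: Optional[float] = None) -> str:
        """Create the temporary value that gets emailed. Only its hash is stored, so a
        dump of the table yields no usable tokens, and the real password is left
        untouched: knowing someone's email address must not let you lock them out."""
        now = time.time() if now is None else now
        acct = self.accounts[email]
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode("utf-8")).digest()
        acct.reset_expires_at = now + RESET_TOKEN_TTL
        return token   # caller emails this to the registered address

    def login_with_token(self, email: str, token: str, new_password: str,
                         now: Optional[float] = None) -> bool:
        """Consume the emailed token: it must be outstanding, unexpired and matching.
        Only then is the stored hash replaced, and the token is discarded (single use)."""
        now = time.time() if now is None else now
        acct = self.accounts.get(email)
        if acct is None or acct.reset_token_hash is None:
            return False
        if now > acct.reset_expires_at:
            acct.reset_token_hash = None          # expired: drop it, password unchanged
            return False
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(presented, acct.reset_token_hash):
            return False
        acct.salt, acct.pw_hash = hash_password(new_password)
        acct.reset_token_hash = None
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.com", "correct horse battery staple")
    token = store.request_reset("alice@example.com")
    print("old password still works:", store.login("alice@example.com", "correct horse battery staple"))
    print("token accepted:", store.login_with_token("alice@example.com", token, "new password"))
    print("token reusable:", store.login_with_token("alice@example.com", token, "again"))
```

The `now` parameter exists so expiry can be exercised deterministically; in production it would simply be the clock. Nothing in the store can reproduce the original password, which is exactly why the email in the thread says "We can't send you your original password".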
-
Salted, hashed, and I think it is time-limited as well.
"Time flies like an arrow. Fruit flies like a banana."
The OTP may be time-limited, but I don't think the real password is. I haven't changed mine in over four years. :) The problems with forcing regular password expiry
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
Has anyone realised that Code Project is storing passwords in plain text? I just went to reset my password and had it emailed to me :wtf: I had expected better than this, especially from a site that includes so many security-based articles in their newsletter. Let's hope this gets fixed soon...
If you were resetting your password, presumably you'd forgotten your password. If you'd forgotten it, how do you know they emailed it to you? Maybe it was a different password? Your assertion does not make logical sense. ;-) And, even if they did email you your actual password, how do you know it had been stored in "plain text"? It may have been encrypted, and decrypted only for the purpose of sending it to you. You have no way of deducing, simply from the emailed password, whether it was held in plain text or encrypted. (True, even encrypted isn't great; as others on this thread pointed out, hashed + salted is more secure.)
-
If you were resetting your password, presumably you'd forgotten your password. If you'd forgotten it, how do you know they emailed it to you? Maybe it was a different password? Your assertion does not make logical sense. ;-) And, even if they did email you your actual password, how do you know it had been stored in "plain text"? It may have been encrypted, and decrypted only for the purpose of sending it to you. You have no way of deducing, simply from the emailed password, whether it was held in plain text or encrypted. (True, even encrypted isn't great; as others on this thread pointed out, hashed + salted is more secure.)
DerekTP123 wrote:
It may have been encrypted, and decrypted only for the purpose of sending it to you.
Same thing as plain text with a false assurance of security. "Thou passwords shall not travel on thy network, nor be retrievable should the server be compromised" the Commandment says.
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X