Code Project - The Lounge

Thank you for registering email confirming my username and password in plain text

30 Posts, 12 Posters
  • In reply to GuyThiebaut:

    They could with a rainbow lookup table if the hashes have not also been salted.

    “That which can be asserted without evidence, can be dismissed without evidence.”

    ― Christopher Hitchens

    musefan (#21):

    GuyThiebaut wrote:

    They could with a rainbow lookup table if the hashes have not also been salted.

    This would require them to have a copy of the database (or at least a direct connection to it). And if you can get a hold of the application code (even the compiled version) then salting your hashes doesn't much matter. With some effort the hacker could identify your salt key and process and adjust their "hacking software" to make their rainbow tables work again. Although you should be safe if you are using a password manager as it's likely they will have your password in their list. Let's just hope this "company X" doesn't have your credit card details stored right next to the plain text password :laugh:

    • In reply to GuyThiebaut:

      The email was sent to me on registration.

      musefan wrote:

      While we are on the subject of one-way hash vs encrypted string, does it really matter either way?

      Yes it does matter, because everyone who has access to the data and encryption methods within the company can see logins and passwords. Just because someone works for a company does not mean that they can be trusted with highly confidential information such as passwords and logins. Hence why data protection laws exist.

      “That which can be asserted without evidence, can be dismissed without evidence.”

      ― Christopher Hitchens

      musefan (#22):

      Well, if they can't be trusted, then they can just take a copy of the database home and brute force the hashed passwords. Hashing vs Encryption isn't going to matter to the dirty cop on the inside.

      • In reply to OriginalGriff:

        Send him a link to this: High GDPR Fines: German Data Protection Authority Joins the Club - Lexology. No CEO wants to risk a fine of €200,000,000 because of incompetent software developers ...

        "I have no idea what I did, but I'm taking full credit for it." - ThisOldTony AntiTwitter: @DalekDave is now a follower!

        musefan (#23):

        Just out of interest, where does all this fine money actually go? (Apologies for not researching it myself, I just assume you probably already know the answer). Also, are you purposefully not playing CCC this week, or are you struggling with them like the rest of us?

        • In reply to CodeWraith:

          Johnny J. wrote:

          Permit me to doubt that...

          Better believe it. I am like that too. Currently I am registered at three websites total, one of them being CP. That might very well go down to only two very soon. I don't merrily give away any data in the first place and all who have caused as little as some spam appearing go out the window faster than they can say 'please login'. Hear that, Fleabay? That alone is one reason why Mickeysoft will not sell very much to me again. They insist that I join their Mickeysoft Club, complete with an account, the Mickeysoft hat and the secret decoder ring. The problem is that I don't want to marry them and also am not interested in any other closer relationship with them.

          I have lived with several Zen masters - all of them were cats. His last invention was an evil Lasagna. It didn't kill anyone, and it actually tasted pretty good.

          Daniel Pfeffer (#24):

          CodeWraith wrote:

          I don't merrily give away any data in the first place and all who have caused as little as some spam appearing go out the window faster than they can say 'please login'.

          :thumbsup:

          CodeWraith wrote:

          That alone is one reason why Mickeysoft will not sell very much to me again

          You can set your Microsoft profile so they do not send you stuff. Given that I use their Community tools for development, I find the requirement to register to be a fair exchange. YMMV.

          Freedom is the freedom to say that two plus two make four. If that is granted, all else follows. -- 6079 Smith W.

          • In reply to musefan (#23):

            OriginalGriff (#25):

            Bribes, probably - this is the EU after all ... I'm playing the CCC, but yesterday and today I have no idea what they might be.

            "I have no idea what I did, but I'm taking full credit for it." - ThisOldTony AntiTwitter: @DalekDave is now a follower!
            "Common sense is so rare these days, it should be classified as a super power" - Random T-shirt

            • In reply to Daniel Pfeffer (#24):

              CodeWraith (#26):

              Daniel Pfeffer wrote:

              You can set your Microsoft profile so they do not send you stuff. Given that I use their Community tools for development, I find the requirement to register to be a fair exchange. YMMV.

              That's not quite the problem. If it were only that, I would have my ways to simply block everything I don't want. For me the OS is just another component of the computer, no more or less. I really don't want to join a 'community' for every single part that I want to put into the box. Just send me what I ordered, take my money and then our relationship hopefully ends. No need for them to know anything more. When someone goes out of his way to force everyone to say amen to everything they do, the more suspicious I get of their motives. They can only be in their best interest in the best case and very harmful to me in the worst.

              I have lived with several Zen masters - all of them were cats. His last invention was an evil Lasagna. It didn't kill anyone, and it actually tasted pretty good.

              • In reply to F ES Sitecore:

                GuyThiebaut wrote:

                It was the password I entered, I use a password manager to generate random passwords.

                That still doesn't mean they are saving the passwords in plain text.

                try
                {
                    string username = TextBox22.Text.ToString();
                    string password = TextBox23.Text.ToString();

                    // The password leaves the system in plain text before it is even stored.
                    SendEmailUsingGmail("Your username is " + username + " and your password is " + password);

                    // Base64 is an encoding, not encryption: anyone who can read the table can decode it.
                    string encryptedPassword = ConvertToBase64(password);

                    // Values concatenated straight into the SQL text, so the username is also an injection point.
                    ExecuteSQL("insert into [users] values('" + username + "', '" + encryptedPassword + "')");
                }
                catch
                {
                    // Every failure is swallowed silently.
                }

                Richard Deeming (#27):

                Someone's been spending too much time in QA! :laugh: You wait - in a couple of weeks, there'll be a question from someone who copied and pasted this code into their application, and it doesn't work because they've only got 21 textboxes on their form. :-D


                "These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer

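                Added example, written for this page and not posted by anyone in the thread: it puts the three storage schemes discussed above side by side, the base64 "encryption" from the joke snippet, an unsalted hash of the kind a precomputed rainbow/lookup table answers, and a per-user salted PBKDF2 hash. The accounts, passwords and the three-entry candidate list are constructed for the demonstration; the point it makes is that a random per-user salt is stored next to the hash and is not a secret, so reading the application code does not bring a precomputed table back into play, while verification still works.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample accounts for the demonstration; not real credentials.
# Two users deliberately share a password to show what salting changes.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}

# Constructed candidate list standing in for a precomputed rainbow/lookup table.
CANDIDATES = ["password", "correct horse", "letmein"]


def store_base64(password: str) -> str:
    """The thread's joke 'encryption': base64 is an encoding, not encryption."""
    return base64.b64encode(password.encode()).decode()


def recover_base64(stored: str) -> str:
    """Anyone who can read the stored column gets the password back directly."""
    return base64.b64decode(stored).decode()


def store_unsalted(password: str) -> str:
    """Plain SHA-256: identical passwords give identical digests for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """digest -> password, computed once and reusable against any unsalted database."""
    return {store_unsalted(p): p for p in candidates}


def match_against_table(stored: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Which stored hashes the precomputed table answers with no further work."""
    return {user: table[h] for user, h in stored.items() if h in table}


def store_salted(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256. The salt is stored beside the hash
    and is not a secret: knowing the code does not make a precomputed table apply."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Run the three storage schemes over the constructed accounts and report the outcome."""
    table = build_lookup_table(CANDIDATES)

    # 1. Base64 "encryption" reverses to every password with no key at all.
    b64 = {u: store_base64(p) for u, p in USERS.items()}
    recovered = {u: recover_base64(s) for u, s in b64.items()}

    # 2. Unsalted hashes: the single table entry for "correct horse" covers alice and bob at once.
    unsalted = {u: store_unsalted(p) for u, p in USERS.items()}
    hits_unsalted = match_against_table(unsalted, table)

    # 3. Salted: alice and bob get different stored values, the table matches nothing,
    #    and legitimate verification still succeeds.
    salted = {u: store_salted(p) for u, p in USERS.items()}
    hits_salted = match_against_table({u: s.split("$")[-1] for u, s in salted.items()}, table)

    return {
        "base64_recovered": recovered,
        "unsalted_table_hits": hits_unsalted,
        "salted_distinct_for_same_password": salted["alice"] != salted["bob"],
        "salted_table_hits": hits_salted,
        "verify_correct": verify_salted("correct horse", salted["alice"]),
        "verify_wrong": verify_salted("hunter2", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

                The iteration count is a placeholder chosen to keep the run quick; a production deployment would tune it (or use a memory-hard scheme such as Argon2 or scrypt) to the hardware in use, and the stored string format here is the example's own, not a standard one.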
                • In reply to GuyThiebaut:

                  This was from a major well known international business, they sent me an email confirming my username and password in plain text! There aren't any words or emoticons to describe my reaction. Not only are they saving passwords in plain text but they are sending them via email too. I emailed the CEO to let him know, let's see if he responds and if he does what his response is.

                  “That which can be asserted without evidence, can be dismissed without evidence.”

                  ― Christopher Hitchens

                  Marc Clifton (#28):

                  GuyThiebaut wrote:

                  I emailed the CEO to let him know, let's see if he responds and if he does what his response is.

                  Or how about this email: "Our system has lost your password, which we store as plain text. Since you must have received a confirmation email at some point with your plain text password, could you please forward it to us and cc: GuyThiebaut, and we will restore your password. Thank you very much."

                  Latest Articles:
                  Client-Side TypeScript without ASP.NET, Angular, etc.

                  • In reply to GuyThiebaut:

                    dandy72 (#29):

                    GuyThiebaut wrote:

                    I emailed the CEO to let him know, let's see if he responds and if he does what his response is.

                    Skip that step - since you have his email address, just ask their system to initiate a password reset on behalf of him. I'm sure they've thought *that* process out better...

                    • In reply to GuyThiebaut:

                      DerekT P (#30):

                      On the other hand, if they've cracked the database and got your hashed/encrypted password, they'll more than likely ignore the password and just access your credit card, bank account, health details etc directly. If the company is lax about passwords, it's pretty unlikely that the rest of the data is encrypted! The only reason password encryption is any more important than any other data is that people tend to re-use passwords, so a hacker of one database can often then access others; or actually impersonate someone else rather than just steal their money / reputation.
