CodeProject.com and Plain Text Passwords!
-
Is this part of the new Code-Frog manifesto? Jump on the new guy without provocation?
The StartPage Randomizer - The Windows Cheerleader - Twitter
Look how much more interesting I made this thread. Without me it would have been the same old boring rhetoric. I see I've clearly added value to it. It's market value has clearly risen by at least my .02 cents.:rolleyes:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
I guess you use a different password and username for every single website you visit, right? In which case, yeah, nothing to see here, move along... :rolleyes:
The StartPage Randomizer - The Windows Cheerleader - Twitter
If you don't have a different password for each website, then that's your fault, not the site's fault.
-
I Didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my project for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately) it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this but no one mentioned that this site does it too.
{ ;P } Member for 2+ years and only 5 posts. Since passwords are sent in plain text I deduced a troll had stolen your account and username and was now posting as you. I mean come on? The dang place is so insecure now I'm afraid to request my own password. That's why I always use the same 3 and just have to guess until I get it right. Admit it though you are a troll that stole a plain text password that was transmitted unsecurely and as you only had 2 to guess from to begin with and you are a troll cracking the password was very easy. So I know you are a troll but I can prove it. If you burn... then you are a troll. So I suggest we burn you. {/ ;P }
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
If you don't have a different password for each website, then that's your fault, not the site's fault.
Richard Andrew x64 wrote:
If you don't have a different password for each website, then that's your fault, not the site's fault.
That's about the most apologist remark I've read in a long time. If the site has a security issue, then its my fault? :doh:
The StartPage Randomizer - The Windows Cheerleader - Twitter
-
I Didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my project for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately) it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this but no one mentioned that this site does it too.
It's being stored encrypted and no one, except you (not even myself!) can see your password. The only time it's ever decrypted is for the sole purpose of sending it back to the email account you signed up with. However, we do have a ticket to change this to a one-way hash. Previously the consensus was that users wanted to be able to retrieve the actual password they entered and not have to keep resetting. All things change, though [Edit: as Shog helpfully linked[^] to], so we'll move to a different system.
cheers, Chris Maunder
CodeProject.com : C++ MVP
-
{ ;P } Member for 2+ years and only 5 posts. Since passwords are sent in plain text I deduced a troll had stolen your account and username and was now posting as you. I mean come on? The dang place is so insecure now I'm afraid to request my own password. That's why I always use the same 3 and just have to guess until I get it right. Admit it though you are a troll that stole a plain text password that was transmitted unsecurely and as you only had 2 to guess from to begin with and you are a troll cracking the password was very easy. So I know you are a troll but I can prove it. If you burn... then you are a troll. So I suggest we burn you. {/ ;P }
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
Settle. It's constructive valuable discussion. Who cares who bought up the topic?
cheers, Chris Maunder
CodeProject.com : C++ MVP
-
Settle. It's constructive valuable discussion. Who cares who bought up the topic?
cheers, Chris Maunder
CodeProject.com : C++ MVP
Um did you miss the smiley's? This part where you jumped in was supposed to be all fun. Boy! I actually thought this was the funnest part of it. I didn't say anything about who brought anything up. I think you read my title but not my content.
-
Richard Andrew x64 wrote:
If you don't have a different password for each website, then that's your fault, not the site's fault.
That's about the most apologist remark I've read in a long time. If the site has a security issue, then its my fault? :doh:
The StartPage Randomizer - The Windows Cheerleader - Twitter
You deliberately twisted my meaning. You sarcastically asserted that my lack of concern must be due to me having a different password and user id at each website. Well, in fact you are correct. That is exactly why I am unconcerned about Code Project's security model. However, if you choose to use the same password everywhere, and the password gets revealed, and this causes you big trouble, then you have no one to blame but yourself.
-
Both my insecure and secure passwords have variations to them (ie, they rotate regularly) and I hadn't logged into this site for some time and didn't particularly feel like going through my entire password history to figure out which one it was. Tell you what senior. Take your bashing somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem lies.
Micah71381 wrote:
I hadn't logged into this site for some time and didn't particularly feel like going through my entire password history to figure out which one it was.
You have a password history which you can look up? That sounds most secure. :rolleyes:
* Developer Day Scotland 2 - Free community conference * The Blog of Colin Angus Mackay
Vogon Building and Loan advise that your planet is at risk if you do not keep up repayments on any mortgage secured upon it. Please remember that the force of gravity can go up as well as down.
-
{ ;P } Member for 2+ years and only 5 posts. Since passwords are sent in plain text I deduced a troll had stolen your account and username and was now posting as you. I mean come on? The dang place is so insecure now I'm afraid to request my own password. That's why I always use the same 3 and just have to guess until I get it right. Admit it though you are a troll that stole a plain text password that was transmitted unsecurely and as you only had 2 to guess from to begin with and you are a troll cracking the password was very easy. So I know you are a troll but I can prove it. If you burn... then you are a troll. So I suggest we burn you. {/ ;P }
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put there feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but vote's should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
In an attempt to prove you wrong I just lit myself on fire. Unfortunately, it appears you were correct... I must be a troll, now a very warm one.
-
Um did you miss the smiley's? This part where you jumped in was supposed to be all fun. Boy! I actually thought this was the funnest part of it. I didn't say anything about who brought anything up. I think you read my title but not my content.
It's because you didn't use the "Joke" Message Type icon. :P
-
It's being stored encrypted and no one, except you (not even myself!) can see your password. The only time it's ever decrypted is for the sole purpose of sending it back to the email account you signed up with. However, we do have a ticket to change this to a one-way hash. Previously the consensus was that users wanted to be able to retrieve the actual password they entered and not have to keep resetting. All things change, though [Edit: as Shog helpfully linked[^] to], so we'll move to a different system.
cheers, Chris Maunder
CodeProject.com : C++ MVP
Out of curiosity, is the system setup like is done with credit cards where the DBAs have one part of the salt and the programmers have the other part of the salt so no single person can decrypt the password? If I'm not mistaken the idea is that you would need root level DB access *AND* source code access (or solid disassembly/reverse engineering skills) to encrypt/decrypt the data, though I've never built a system like this myself. Or does someone have access to the decryption key and could (theoretically) decrypt the contents of the password field in the database, given the knowhow and that key?
-
Micah71381 wrote:
I hadn't logged into this site for some time and didn't particularly feel like going through my entire password history to figure out which one it was.
You have a password history which you can look up? That sounds most secure. :rolleyes:
* Developer Day Scotland 2 - Free community conference * The Blog of Colin Angus Mackay
Vogon Building and Loan advise that your planet is at risk if you do not keep up repayments on any mortgage secured upon it. Please remember that the force of gravity can go up as well as down.
Colin Angus Mackay wrote:
You have a password history which you can look up? That sounds most secure.
In my head, yes. If someone can acquire that then either they hold something more valuable to me than my password (ie: my life) or they have developed the ability to read minds and at this time I would gladly give up my password to someone who can read my mind. :D
-
Out of curiosity, is the system setup like is done with credit cards where the DBAs have one part of the salt and the programmers have the other part of the salt so no single person can decrypt the password? If I'm not mistaken the idea is that you would need root level DB access *AND* source code access (or solid disassembly/reverse engineering skills) to encrypt/decrypt the data, though I've never built a system like this myself. Or does someone have access to the decryption key and could (theoretically) decrypt the contents of the password field in the database, given the knowhow and that key?
-
I learned long ago that web-masters don't change their websites because of e-mails (especially security related things) but they do change them (sometimes) when it's posted on a public forum (especially security related things). I think this started occurring in web 1.1, when it became more than a handful of guys that all knew each other.
You're acting like a first class dork here. In another post you claim that you didn't see the suggestion forum, now you're saying you deliberately posted here to slap the admins in the face because you pro-actively don't trust them. You've earned no right to do that. I was willing to give you the benefit of the doubt but this comment is beyond the pale. Get a bloody grip, it's a non issue and you're publicly shitting all over the admins who happen to be a very nice bunch of people in a public forum.
"It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson
modified on Thursday, January 22, 2009 8:59 PM
-
:rolleyes: Honestly what difference does it make? This isn't a bank.
"It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson
John C wrote:
Honestly what difference does it make? This isn't a bank.
Curiosity at this point. The method I mentioned is the only "secure" way that I know of to store secret data in an encrypted format that the data-host can't get to. If the method is different I'm curious to know about it is all.
-
Is this part of the new Code-Frog manifesto? Jump on the new guy without provocation?
The StartPage Randomizer - The Windows Cheerleader - Twitter
Miszou wrote:
without provocation
What the F...? The guy deliberately posts a completely inappropriate rant out of no where in the wrong forum, gets told it's the wrong forum and pretends to apologize for it then later says he deliberately posted in this forum because he expects the admins to be useless and do nothing unless he rides in like a shining knight in armour to bitch about something that, let's be honest here, is about as much of a non issue as there can be. If you think there is any justification in catering to first class douchebags I'd like to hear it.
"It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson
-
John C wrote:
Honestly what difference does it make? This isn't a bank.
Curiosity at this point. The method I mentioned is the only "secure" way that I know of to store secret data in an encrypted format that the data-host can't get to. If the method is different I'm curious to know about it is all.
Micah71381 wrote:
I'm curious to know about it is all.
I'm curious to know why you want to besmirch the good names of the admins here and post intentionally (as you stated) in the wrong forum as a slap in the face to them to get them to make a change because you don't trust them to while in the same thread claiming you didn't see the suggestion forum. I'm curious about the arrogance required to do that. I'm curious how this whole thing is any kind of issue more important than a simple question in the suggestion forum. Curious indeed.
"It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson
-
You're acting like a first class dork here. In another post you claim that you didn't see the suggestion forum, now you're saying you deliberately posted here to slap the admins in the face because you pro-actively don't trust them. You've earned no right to do that. I was willing to give you the benefit of the doubt but this comment is beyond the pale. Get a bloody grip, it's a non issue and you're publicly shitting all over the admins who happen to be a very nice bunch of people in a public forum.
"It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson
modified on Thursday, January 22, 2009 8:59 PM
I was saying that posting what I see as a security flaw in a public forum is the way to get such security flaws resolved. I fully admit though that I chose the wrong public forum (I really did look for the proper one and I honestly missed it in the forum list, though I'm not sure how since it isn't exactly hidden). You are not the first person to mention that my original wording came across as offensive and after reading it through again I can see where this interpretation comes from, which is my fault. The reason for the tone of the post is that it's a pet peeve of mine mainly because it's so common for websites to neglect security when asking users for a password and since most users use the same password for everything this is quite bothersome. I was surprised that a site for developers had what I saw as a very basic flaw in their authentication system. This is the first time I've ever heard of someone encrypting passwords and storing them rather than hashing them or just storing them as plain text and even then, the password is e-mailed in plain-text (though this is not as big of a security concern in my eyes as storing them in plain-text). Again, my goal was not to try and trash the website or it's administrators but instead to bring up a security concern publicly, which has since been alleviated by the helpful administrators and members. :)
-
Micah71381 wrote:
I'm curious to know about it is all.
I'm curious to know why you want to besmirch the good names of the admins here and post intentionally (as you stated) in the wrong forum as a slap in the face to them to get them to make a change because you don't trust them to while in the same thread claiming you didn't see the suggestion forum. I'm curious about the arrogance required to do that. I'm curious how this whole thing is any kind of issue more important than a simple question in the suggestion forum. Curious indeed.
"It's so simple to be wise. Just think of something stupid to say and then don't say it." -Sam Levenson
As mentioned in another branch of this thread, I should have posted in the suggestion forum. It sounds like you misinterpreted my meaning when I referred to posting security concerns in a public forum. What I meant by that is a location that is viewable to the public, rather than in a private e-mail to an administrator or support personnel. The suggestion forum is a publicly viewable forum and that would have been the correct place to post my original message.
