CodeProject.com and Plain Text Passwords!
-
Is this how you get one of those "Bob" icons? By being completely obnoxious? I guess it depends on whether you're a glass half full or half empty kinda guy, but I didn't see anything wrong with the original post. You and Code-Frog on the other hand... well, quite frankly I'm a little saddened. First class douchebag? Seriously? Get a grip.
The StartPage Randomizer - The Windows Cheerleader - Twitter
Miszou wrote:
By being completely obnoxious?
Yep.
-- Kein Mitleid Für Die Mehrheit
-
I didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my password for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately), it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing, and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this, but no one mentioned that this site does it too.
I hate to tell you (well actually I don't, but it sounded nicer), sending your email with your password really is not any worse than signing into the system without https; it is still broadcast over the net without any security. There is also probably a cookie that could be stolen, since again we are using CP in plain text mode, which could be copied and used if you use the option to stay signed in. It would be nice though to have CP use OpenID for login and remove the need for a password login system. With the open source libraries for OpenID, that should take a weekend or so to get running on CP. The main thing to think about is that this is one of many sites that have no really serious information to be concerned about if someone hacked it anyway. If you are using a password here that is important somewhere else to you, then that would be a mistake on your part.
Rocky <>< Recent Blog Post: Doughboy – R.I.P. Thinking about Silverlight? www.SilverlightCity.com
-
Doesn't that defeat the purpose of a hash (both cryptographic and indexing)...
There's a little icon to his post ;)
-
I think it's just best for me to remain silent here unless asked a direct question. I seem to get in less trouble that way. :^)
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put their feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but votes should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
-
I appreciate that. Too many people too willing to kick my teeth in these days. Course anymore I'm ready to rumble. Kind of tired of Maxwell House Decaf only kind of crud on this forum these days.
-
The DBAs are the programmers - we're a small, tight ship here. But to put your mind at rest: very few have access to the key.
Micah71381 wrote:
Or does someone have access to the decryption key and could
Yes, obviously someone (me) has access to the key in order to ensure our system has access to the key so it can unlock the passwords. And so this is why we're moving to hashes. Regardless of whether our members trust us, our system, and myself in particular, we're moving away from the convenience of two-way and over to a one-way.
cheers, Chris Maunder
CodeProject.com : C++ MVP
Chris Maunder wrote:
And so this is why we're moving to hashes. Regardless of whether our members trust us, our system, and myself in particular, we're moving away from the convenience of two-way and over to a one-way.
Hopefully, not because of this jerk?!?
Gary
-
Colin Angus Mackay wrote:
You have a password history which you can look up? That sounds most secure.
In my head, yes. If someone can acquire that then either they hold something more valuable to me than my password (ie: my life) or they have developed the ability to read minds and at this time I would gladly give up my password to someone who can read my mind. :D
We can read your brain electronically, but we'd have to get it out first. It's got to be prepared. Treated, diced. It could always be replaced, if you think it's important. Yes, an electronic brain, a simple one would suffice. Thanks to Frankie and Benji, with apologies to Douglas
Graham Librarians rule, Ook!
-
ghle wrote:
Hopefully, not because of this jerk?!?
No, I read through the links provided earlier and it appears that this concern was brought up a while back (in the correct forum even) and a poll was opened asking the user-base if they wanted their passwords hashed or encrypted (more or less). It appears that the poll resulted in people wanting hashes instead and I think that is what caused them to add the ticket to their list.
-
My concern is that many people use the same password for everything (or at least a small set of passwords that they can remember). While I acknowledge that this is a security hole created by the end-user, it is not uncommon and therefore should be taken into consideration by companies wishing to keep their users safe. In the example of a stolen cookie, hopefully the cookie wouldn't actually store the password in plain text, in which case the cookie could be used to gain access to this site but not gain access to other sites that the user subscribes to (as a stolen password would). In the example of plain text login, I agree that a secure login system is preferable, though I am of the opinion that the man-in-the-middle attack required to intercept the password in transit is quite difficult and therefore of lesser issue than some of the other security problems with various authentication systems. With a password in e-mail form the 'hacker' needs only to gain access to the victim's e-mail long enough to get a password reset e-mail sent to it. They then have the victim's password, which likely gets them access to *many* accounts across the internet to which that user subscribes. If a password reset link was sent or a temporary password was sent then the hacker only gains access to the account(s) which a password reset is initiated on. It's also possible that the hacker only has access to already retrieved e-mails (perhaps they got a hold of the user's local e-mail file but are unable to fetch more), and if the user's password is stored somewhere in their local e-mail the hacker now has access to everything. Again, I won't claim that switching to a hash solves *all* security problems, but it improves the system, which is a step in the right direction.
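Added example, not code from this thread or from CodeProject itself: a minimal Python sketch of the two changes argued for above, the one-way hashing Chris says the site is moving to (in place of reversible encryption) and the reset-link flow Micah describes (a single-use token e-mailed instead of the password). The AccountStore class, the PBKDF2 work factor and the 15-minute token lifetime are assumptions chosen for illustration; the in-memory tables stand in for the real users and reset-token tables.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters for this example; a real deployment tunes the work factor to its hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """One-way storage: keep the salt, the iteration count and the PBKDF2-HMAC-SHA256 digest.

    Nothing in the returned string can be reversed to recover `password`, which is
    exactly why a site holding only this value cannot e-mail the old password back."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class AccountStore:
    """Constructed in-memory stand-in for the users table and the reset-token table."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be exercised offline
        self._users = {}           # email -> password hash string (never the password)
        self._reset_tokens = {}    # sha256(token) -> (email, expires_at)

    def register(self, email, password):
        self._users[email] = hash_password(password)

    def login(self, email, password):
        stored = self._users.get(email)
        return stored is not None and verify_password(password, stored)

    def request_reset(self, email):
        """Return the token that goes into the e-mailed link, or None for unknown accounts.

        Only a hash of the token is kept server-side, so a copy of the database does not
        hand out usable reset links; the plaintext token exists only in the e-mail. The
        caller should send the same "check your inbox" response either way so the
        endpoint does not reveal which addresses are registered."""
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self._reset_tokens[key] = (email, self._clock() + RESET_TOKEN_TTL_SECONDS)
        return token

    def complete_reset(self, token, new_password):
        """Consume the token (single use), reject it if expired, then set a new hash."""
        key = hashlib.sha256(token.encode("utf-8")).hexdigest()
        entry = self._reset_tokens.pop(key, None)
        if entry is None:
            return False
        email, expires_at = entry
        if self._clock() > expires_at:
            return False
        self._users[email] = hash_password(new_password)
        return True

    def stored_record(self, email):
        """What a database dump would expose for this account: salt and digest only."""
        return self._users.get(email)
```

The point of keeping only the hash of the reset token is the same one the thread makes about passwords: a leaked table should not be directly usable. Expiry and single use bound the window in which a stolen e-mail is worth anything, which is the gap between "reset link" and "here is your password" that Micah describes.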
-
So if you only have password for insecure sites and one for sites you trust more at most there were two options for your password and you couldn't remember it eh? Tell you what junior. Take your false police report and go bake a crap cake somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem "LIES". :rolleyes:
If you like this message don't vote me a 5 unless you thought of it. I'm not some wanna-be trying to get stupid votes to get an MVP here. The fact is I should be an MVL "Most Valuable Lounger" because ... everybody can put their feet on me to make themselves comfortable and I'm fine with that. The vote-count MVP system is broken and flawed. MVPs should be elected by peers in the group who understand what's really happening in the specific forums. I love Chris but votes should have no place in ranking MVPs. NONE! - - - {Mark Salsbery approves this message.}
That is just about the most abusive post I've seen from a member who proclaims community. Come on Frog, you are better than that. I'll just pretend I didn't see the post. After submitting this of course. (And this is a different account than the one you might be familiar with, so before you go spouting abuse in response to this, think twice.)
This statement is false
-
code-frog wrote:
Too many people too willing to kick my teeth in these days.
If you leap head first to kick someone else's teeth in then you should expect that. Even if the original post was inappropriate, it in no way justifies you attacking him and calling him names in a belittling manner. Anyone who justifies that needs to readdress their humanity. I distinctly remember you depending on the good will of others. You should repay that in spades.
This statement is false
-
Micah71381 wrote:
In the example of a stolen cookie, hopefully the cookie wouldn't actually store the password in plain text in which case the cookie could be used to gain access to this site but not gain access to other sites that the user subscribes to (as a stolen password would).
It really does not matter; if the cookie allows you to be automatically logged in, anyone who obtains that cookie would be automatically logged in to your account unless it was tied to an IP and they did not replicate that IP, or some other information such as specific browser information, which in most cases neither are used. So, anyone intercepting between the two points would be able to hack your account. This is security lost to convenience and is a security risk just about everywhere, but most of us still use it anyway.
Micah71381 wrote:
In the example of plain text login, I agree that a secure login system is preferable, though I am of the opinion that the man-in-the-middle attack required to intercept the password in transit is quite difficult and therefor of lesser issue than some of the other security problems with various authentication systems.
It would be the same to intercept your email to obtain your login information. Every time you sign in to CP, you expose your account to being hacked and your email and password to being found out. For this reason, no one should ever use the same password they would use for any serious security on a site like CP which does not provide a secure login. Anyone who does is asking to be hacked. It would make as much sense as using email to send your credit card information to someone; it is just something you would not do, you would expect the security risk just as you should on any site without a secure login. Again, I would love to see OpenID used on CP as well as every site so that we can get rid of this password login junk and make life much easier. I understand your concerns, but I would think you would already understand that a site like CP does not claim any form of security; that should be obvious by the plain text login.
Rocky <>< Recent Blog Post: Doughboy – R.I.P. Thinking about Silverlight? www.SilverlightCity.com
-
Rocky Moore wrote:
It really does not matter, if the cookie allows you to be automatically logged in, anyone who obtains that cookie would be automatically logged in to your account
This is true, but they would only be auto-logged into my codeproject account, not any of my other accounts for which I use the same (or similar) credentials.
Rocky Moore wrote:
It would be the same to intercept your email to obtain your login information. Every time you sign in to CP, you expose your account to being hacked and your email and password to be found out. For this reason, anyone should never use the same password you would use for any serious security on a site like CP which does not provide a secure login. Anyone who does are asking to be hacked. It would make as much sense as using email to send your credit card information to someone, it is just something you would not do, you would expect the security risk just as you should on any site without a secure login.
I fully agree that in the end security responsibility is up to the end-user. However, it is in the best interest of the websites to "help" end-users be secure by participating in best practices regarding authentication security. While intercepting a plain-text password in transit is possible, it is still harder than gaining access to an e-mail cache on someone's computer. If I use a web-based e-mail client on a public computer it's entirely possible that my e-mail cache will be left behind, even if the mail service used https (I do acknowledge that it's my responsibility as a user to ensure my mail cache isn't left behind, but in practice this is rarely done). Assuming my password was never e-mailed to me in plain-text, at worst the hacker would gain access to my personal mail, with which they could do relatively little damage aside from blackmail perhaps. However, if a site e-mails me my password in plain-text, the hacker now knows my password and my e-mail address, without any targeted attacks, just by looking through the browser cache. They can now access any online accounts of mine that I use that password with (for the average user this is going to be all of their accounts). Without the plain-text e-mail password the hacker will have to do some kind of targeted attack such as a keylogger, man-in-the-middle, or phishing. Yet another issue is even less troublesome for the hacker. Say I'm using a public computer or kiosk t
-
Actually, all your examples are those of your lack of security. Again, if you choose to use a password across multiple sites including an insecure site such as CP, the problem is more one of your own making. While CP could secure its systems and use SSL for everything, encrypt passwords and only send out reset steps instead of the password, the site has already proclaimed lack of security by its plain text signin and thus you should never use anything you would be concerned about. I guess it is all a moot point anyway as Chris has already said it is on the schedule to change the emailing of passwords.
Rocky <>< Recent Blog Post: Doughboy – R.I.P. Thinking about Silverlight? www.SilverlightCity.com
-
I fully agree with you that in all of the provided examples the end-user is ultimately responsible for their own security. That doesn't mean the websites should not go through a reasonable amount of effort to assist in the process. The issue is with the real world, not the best case world (where end-users follow best practices). In the real world users do use the same password for multiple sites and users don't know what the difference is between a secure site and an insecure one. Users don't understand that their e-mail cache is accessible after they walk away from their computer and they don't realize that the guy sitting next to them could do a lot of harm by reading their password over their shoulder. Because users are not very security conscious, website administrators should be. While it's not their responsibility by any means, it helps retain customers because ultimately, the customer will blame the company (erroneously) when their account is hacked. I worked at a company that had problems with lots of their users getting hacked, and most of the time the users would blame the company, even though they were the ones who downloaded the keylogger trojan or fell for a phishing attack. The company has since started issuing digital OTP tokens to help curb user stupidity. Though the cost of the tokens is offset onto the end-user, the company still had to pay for development time, but in the end the number of support calls decreased and customer satisfaction increased.
Rocky Moore wrote:
I guess it is all a moot point anyway as Chris has already said it is on the schedule to change the emailing of passwords.
Agreed, though I do find the discussion stimulating nonetheless. :)