Thank you for registering email confirming my username and password in plain text

The Lounge · business
30 Posts, 12 Posters

GuyThiebaut, #1

This was from a major well known international business, they sent me an email confirming my username and password in plain text! There aren't any words or emoticons to describe my reaction. Not only are they saving passwords in plain text but they are sending them via email too. I emailed the CEO to let him know, let's see if he responds and if he does what his response is.

“That which can be asserted without evidence, can be dismissed without evidence.”

― Christopher Hitchens

musefan, #2

How can you be sure they are saving them in plain text? And is this a password you entered yourself, or auto-generated? Although, I do agree it's wrong if they can get your plain-text password on demand. Also, why not name and shame? At least we can try to avoid them then.

Johnny J, #3

You mean that if it was a company you considered registering an account with because you needed their products and/or services, you'd refrain from doing so because of this? :confused: Permit me to doubt that... :doh:

Anything that is unrelated to elephants is irrelephant
Anonymous
-----
The problem with quotes on the internet is that you can never tell if they're genuine
Winston Churchill, 1944
-----
Never argue with a fool. Onlookers may not be able to tell the difference.
Mark Twain

musefan, #4

Well that largely depends on what their products or services are exactly. Can I get them elsewhere, can I get them without registering an account (e.g. a phone order)... And yes, if I thought a company had poor security implementations, then I would consider not using them... IF there are other options. Or maybe, because I know they are insecure, I could use a random generated password and then close the account when I have got what I need.

GuyThiebaut, #5

musefan wrote:

How can you be sure they are saving them in plain text? And is this a password you entered yourself, or auto-generated?

It was the password I entered, I use a password manager to generate random passwords.

musefan wrote:

Although, I do agree it's wrong if they can get your plain-text password on demand.

If they got their database hacked the hackers would have access to passwords and logins, many of which would have been reused across other sites too. So the hackers could access bank accounts, Amazon accounts etc.

musefan wrote:

Also, why not name and shame? At least we can try to avoid them then.

And make it even more public to hackers that they store passwords in plain text? I don't think that would be sensible. "Hey look everyone, if you try and hack company X's site you can get hold of my password as well as thousands of other logins and passwords." I'd be willing to bet that the Web API has a service that returns the user logins and passwords in plain text.

“That which can be asserted without evidence, can be dismissed without evidence.”

― Christopher Hitchens

OriginalGriff, #6

Send him a link to this: High GDPR Fines: German Data Protection Authority Joins the Club - Lexology. No CEO wants to risk a fine of €200,000,000 because of incompetent software developers ...

"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony AntiTwitter: @DalekDave is now a follower!
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt

Rage, #7

musefan wrote:

How can you be sure they are saving them in plain text?

Where would they have them from otherwise? If it is stored hashed, as one would expect at the least, even they would not be able to retrieve the original string in plain text.

Do not escape reality: improve reality!

GuyThiebaut, #8

Thanks - I will give the CEO the weekend and on Monday I will send that.

“That which can be asserted without evidence, can be dismissed without evidence.”

― Christopher Hitchens

F ES Sitecore, #9

GuyThiebaut wrote:

It was the password I entered, I use a password manager to generate random passwords.

That still doesn't mean they are saving the passwords in plain text.

    try
    {
        string username = TextBox22.Text.ToString();
        string password = TextBox23.Text.ToString();

        SendEmailUsingGmail("Your username is " + username + " and your password is " + password);

        string encryptedPassword = ConvertToBase64(password);

        ExecuteSQL("insert into [users] values('" + username + "', '" + encryptedPassword + "');
    }
    catch
    {
    }

musefan, #10

So you think it is better for people to keep storing unprotected user credentials and just hope that nobody tries to hack it? If they are as big as you suggest then I am sure someone will have tried to hack them already.

musefan, #11

:laugh: Love the code... although you missed a double-quote, so unfortunately I can't steal it for my own use :doh:

F ES Sitecore, #12

I don't get any exceptions so I doubt there is anything wrong with it.

GuyThiebaut, #13

You are correct, they could be encrypting the password, which is almost as bad as storing it in plain text. The current suggested method is to hash and salt; hashing on its own is not enough.

“That which can be asserted without evidence, can be dismissed without evidence.”

― Christopher Hitchens

GuyThiebaut, #14

They could with a rainbow lookup table if the hashes have not also been salted.

“That which can be asserted without evidence, can be dismissed without evidence.”

― Christopher Hitchens

musefan, #15

Rage wrote:

Where would they have them from otherwise?

Basically what F-ES Sitecore posted. The OP was unclear if this plain-text password was sent immediately after registration, or later on via some password reminder feature. Either way it's not conclusive of plain text storage, although the latter would imply it is at best a reversible encryption as you have suggested. While we are on the subject of one-way hash vs encrypted string, does it really matter either way? The main concern with storing user credentials is how to protect the source data, protect the source code (in terms of identifying how the password is hashed/encrypted), and restrict any method of being able to brute force login attempts (for example, locking accounts after X attempts, etc.).

GuyThiebaut, #16

They could with a rainbow lookup table if the hashes have not also been salted.

“That which can be asserted without evidence, can be dismissed without evidence.”

― Christopher Hitchens

F ES Sitecore, #17

What I'm saying is that they could be sending the email to you based on your input, but the storing of the password is a different process, so it may be stored using hashing.

musefan, #18

"Well in that case blockchain it into a microservice and ping it to the mobile IoT cloud ASAP." "But..." "I SAID ASAP, DAMMIT!!!"

GuyThiebaut, #19

The email was sent to me on registration.

musefan wrote:

While we are on the subject of one-way hash vs encrypted string, does it really matter either way?

Yes it does matter, because everyone who has access to the data and encryption methods within the company can see logins and passwords. Just because someone works for a company does not mean that they can be trusted with highly confidential information such as passwords and logins. Hence why data protection laws exist.

“That which can be asserted without evidence, can be dismissed without evidence.”

― Christopher Hitchens
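The three storage schemes the thread argues over, side by side, as an added example (not code from the thread or from any poster): the reversible Base64 "encryption" from the satirical snippet in #9, which anyone with the database (or the decoding method, the point made in #19) can undo; an unsalted hash, which gives identical digests to users with identical passwords so one precomputed table covers all of them (#14); and a per-user salted, slow hash, which is what #13 recommends. The sample accounts, the word list and the PBKDF2 iteration count are constructed assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample accounts. Two users share a password on purpose, because
# that is exactly the case an unsalted hash gives away.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
}

# Work factor for PBKDF2-HMAC-SHA256; an assumption for the example, to be tuned
# to current guidance and the hardware doing the verifying.
PBKDF2_ITERATIONS = 600_000


def store_base64(password):
    """What the satirical ConvertToBase64 amounts to: an encoding, not
    encryption, that anyone holding the stored value can undo."""
    return base64.b64encode(password.encode()).decode()


def recover_base64(stored):
    return base64.b64decode(stored).decode()


def store_unsalted_sha256(password):
    """One-way, but every user with the same password gets the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def unsalted_table_matches(stored_hashes, dictionary):
    """The check a reviewer runs to show why unsalted hashes are not enough:
    hash a word list once, then see which users' stored digests appear in it."""
    table = {store_unsalted_sha256(word): word for word in dictionary}
    return [user for user, digest in stored_hashes.items() if digest in table]


def store_salted(password, salt=None):
    """Per-user random salt plus a slow KDF. The record is self-describing so
    the parameters can be raised later without re-hashing everyone at once."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password, stored):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    assert algo == "pbkdf2_sha256"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def compare_storage_schemes(users):
    """Store the same accounts three ways and report what each scheme leaks."""
    b64 = {u: store_base64(p) for u, p in users.items()}
    unsalted = {u: store_unsalted_sha256(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    return {
        "base64_recoverable": all(recover_base64(b64[u]) == users[u] for u in users),
        "unsalted_alice_equals_bob": unsalted["alice"] == unsalted["bob"],
        "salted_alice_equals_bob": salted["alice"] == salted["bob"],
        "salted_verifies": all(verify_salted(users[u], salted[u]) for u in users),
        "salted_rejects_wrong": not verify_salted("not the password", salted["alice"]),
    }
```

Running `compare_storage_schemes(SAMPLE_USERS)` shows the Base64 values decoding straight back to the passwords, alice and bob sharing one unsalted digest, and the salted records differing for the same password while still verifying only the right one. Note that the salted record holds nothing from which the password itself can be read back, which is why a site that can email the original password on registration cannot be doing this at the point the email is built (the caveat raised in #17 about the email and the storage being separate steps still applies).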

CodeWraith, #20

Johnny J. wrote:

Permit me to doubt that...

Better believe it. I am like that too. Currently I am registered at three websites total, one of them being CP. That might very well go down to only two very soon. I don't merrily give away any data in the first place and all who have caused as little as some spam appearing go out the window faster than they can say 'please login'. Hear that, Fleabay? That alone is one reason why Mickeysoft will not sell very much to me again. They insist that I join their Mickeysoft Club, complete with an account, the Mickeysoft hat and the secret decoder ring. The problem is that I don't want to marry them and also am not interested in any other closer relationship with them.

I have lived with several Zen masters - all of them were cats. His last invention was an evil Lasagna. It didn't kill anyone, and it actually tasted pretty good.
