Thank you for registering email confirming my username and password in plain text
-
musefan wrote:
How can you be sure they are saving them in plain text?
Where would they have them from otherwise ? If it is stored hashed, as one would expect for the least, even they would not be able to retrieve the original string in pain text.
They could with a rainbow lookup table if the hashes have not also been salted.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
-
musefan wrote:
How can you be sure they are saving them in plain text?
Where would they have them from otherwise ? If it is stored hashed, as one would expect for the least, even they would not be able to retrieve the original string in pain text.
The could with a rainbow lookup table if the hashes have not also been salted.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
-
musefan wrote:
How can you be sure they are saving them in plain text?
Where would they have them from otherwise ? If it is stored hashed, as one would expect for the least, even they would not be able to retrieve the original string in pain text.
Rage wrote:
Where would they have them from otherwise ?
Basically what F-ES Sitecore posted. The OP was unclear if this plain-text password was sent immediately after registration, or later on via some password reminder feature. Either way it's not conclusive of plain text storage, although the latter would imply it is at best a reversible encryption as you have suggested. While we are on the subject of one-way hash vs encrypted string, does it really matter either way? The main concern with storing user credentials is how to protect the source data, protect the source code (in terms of identifying how the password is hashed/encrypted), and restrict any method of being able to brute force login attempts (for example, locking accounts after X attempts, etc.).
-
You are correct, they could be encrypting the password which is almost as bad as storing in plain text. The current suggested method is to hash and salt, hashing on its own is not enough.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
What I'm saying is that they could be sending the email to you based on your input but the storing of the password is a different process so it may be stored using hashing.
-
I don't get any exceptions so I doubt there is anything wrong with it.
-
Rage wrote:
Where would they have them from otherwise ?
Basically what F-ES Sitecore posted. The OP was unclear if this plain-text password was sent immediately after registration, or later on via some password reminder feature. Either way it's not conclusive of plain text storage, although the latter would imply it is at best a reversible encryption as you have suggested. While we are on the subject of one-way hash vs encrypted string, does it really matter either way? The main concern with storing user credentials is how to protect the source data, protect the source code (in terms of identifying how the password is hashed/encrypted), and restrict any method of being able to brute force login attempts (for example, locking accounts after X attempts, etc.).
The email was sent to me on registration.
musefan wrote:
While we are on the subject of one-way hash vs encrypted string, does it really matter either way?
Yes it does matter, because everyone who has access to the data and encryption methods within the company can see logins and passwords. Just because someone works for a company does not mean that they can be trusted with highly confidential information such as passwords and logins. Hence why data protection laws exist.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
-
You mean that if it was a company you considered registrering an account with because you needed their products and/or services, you'd refrain from doing so because of this? :confused: Permit me to doubt that... :doh:
Anything that is unrelated to elephants is irrelephant
Anonymous
-----
The problem with quotes on the internet is that you can never tell if they're genuine
Winston Churchill, 1944
-----
Never argue with a fool. Onlookers may not be able to tell the difference.
Mark TwainJohnny J. wrote:
Permit me to doubt that...
Better believe it. I am like that too. Currently I am registered at three websites total, one of them being CP. That might very well go down to only two very soon. I don't merrily give away any data in the first place and all who have caused as little as some spam appearing go out the window faster than they can say 'please login'. Hear that, Fleabay? That alone is one reason why Mickeysoft will not sell very much to me again. They insist that I join their Mickeysoft Club, complete with an account, the Mickeysoft hat and the secret decoder ring. The problem is that I don't want to marry them and also am not interested in any other closer relationship with them.
I have lived with several Zen masters - all of them were cats. His last invention was an evil Lasagna. It didn't kill anyone, and it actually tasted pretty good.
-
The could with a rainbow lookup table if the hashes have not also been salted.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
GuyThiebaut wrote:
The could with a rainbow lookup table if the hashes have not also been salted.
This would require them to have a copy of the database (or at least a direct connection to it). And if you can get a hold of the application code (even the compiled version) then salting your hashes doesn't much matter. With some effort the hacker could identifier your salt key and process and adjust their "hacking software" to make their rainbow tables work again. Although you should be safe if you are using a password manager as it's likely they will have your password in their list. Let's just hope this "company X" doesn't have your credit card details stored right next to the plain text password :laugh:
-
The email was sent to me on registration.
musefan wrote:
While we are on the subject of one-way hash vs encrypted string, does it really matter either way?
Yes it does matter, because everyone who has access to the data and encryption methods within the company can see logins and passwords. Just because someone works for a company does not mean that they can be trusted with highly confidential information such as passwords and logins. Hence why data protection laws exist.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
-
Send him a link to this: High GDPR Fines: German Data Protection Authority Joins the Club - Lexology[^] No CEO wants to risk a fine of €200,000,000 because of incompetent software developers ...
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony AntiTwitter: @DalekDave is now a follower!
Just out of interest, where does all this fine money actually go? (Apologies for not researching it myself, I just assume you probably already know the answer). Also, are you purposefully not playing CCC this week, or are you struggling with them like the rest of us?
-
Johnny J. wrote:
Permit me to doubt that...
Better believe it. I am like that too. Currently I am registered at three websites total, one of them being CP. That might very well go down to only two very soon. I don't merrily give away any data in the first place and all who have caused as little as some spam appearing go out the window faster than they can say 'please login'. Hear that, Fleabay? That alone is one reason why Mickeysoft will not sell very much to me again. They insist that I join their Mickeysoft Club, complete with an account, the Mickeysoft hat and the secret decoder ring. The problem is that I don't want to marry them and also am not interested in any other closer relationship with them.
I have lived with several Zen masters - all of them were cats. His last invention was an evil Lasagna. It didn't kill anyone, and it actually tasted pretty good.
CodeWraith wrote:
I don't merrily give away any data in the first place and all who have caused as little as some spam appearing go out the window faster than they can say 'please login'.
:thumbsup:
CodeWraith wrote:
That alone is one reason why Mickeysoft will not sell very much to me again
You can set your Microsoft profile so they do not send you stuff. Given that I use their Community tools for development, I find the requirement to register to be a fair exchange. YMMV.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows. -- 6079 Smith W.
-
Just out of interest, where does all this fine money actually go? (Apologies for not researching it myself, I just assume you probably already know the answer). Also, are you purposefully not playing CCC this week, or are you struggling with them like the rest of us?
Bribes, probably - this is the EU after all ... I'm playing the CCC, but yesterday and today I have no idea what they might be.
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony AntiTwitter: @DalekDave is now a follower!
-
CodeWraith wrote:
I don't merrily give away any data in the first place and all who have caused as little as some spam appearing go out the window faster than they can say 'please login'.
:thumbsup:
CodeWraith wrote:
That alone is one reason why Mickeysoft will not sell very much to me again
You can set your Microsoft profile so they do not send you stuff. Given that I use their Community tools for development, I find the requirement to register to be a fair exchange. YMMV.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows. -- 6079 Smith W.
Daniel Pfeffer wrote:
You can set your Microsoft profile so they do not send you stuff. Given that I use their Community tools for development, I find the requirement to register to be a fair exchange. YMMV.
That's not quite the problem. If it were only that, I would have my ways to simply block everything I don't want. For me the OS is just another component of the computer, no more or less. I really don't want to join a 'community' for every single part that I want to put into the box. Just send me what I ordered, take my money and then our relationship hopefully ends. No need for them to know anything more. When someone goes out of his way to force everyone to say amen to everything they do, the more suspicious I get of their motives. They are can only be in their best interest in the best case and very harmful to me in the worst.
I have lived with several Zen masters - all of them were cats. His last invention was an evil Lasagna. It didn't kill anyone, and it actually tasted pretty good.
-
GuyThiebaut wrote:
It was the password I entered, I use a password manager to generate random passwords.
That still doesn't mean they are saving the passwords in plain text.
try
{
string username = TextBox22.Text.ToString();
string password = TextBox23.Text.ToString();SendEmailUsingGmail("Your username is " + username + " and your password is " + password); string encryptedPassword = ConvertToBase64(password); ExecuteSQL("insert into \[users\] values('" + username + "', '" + encryptedPassword + "');}
catch
{
}Someone's been spending too much time in QA! :laugh: You wait - in a couple of weeks, there'll be a question from someone who copied and pasted this code into their application, and it doesn't work because they've only got 21 textboxes on their form. :-D
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
This was from a major well known international business, they sent me an email confirming my username and password in plain text! There aren't any words or emoticons to describe my reaction. Not only are they saving passwords in plain text but they are sending them via email too. I emailed the CEO to let him know, let's see if he responds and if he does what his response is.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
GuyThiebaut wrote:
I emailed the CEO to let him know, let's see if he responds and if he does what his response is.
Or how about this email: "Our system has lost your password, which we store as plain text. Since you must have received a confirmation email at some point with your plain text password, could you please forward it to us and cc: GuyThiebaut, and we will restore your password. Thank you very much."
Latest Articles:
Client-Side TypeScript without ASP.NET, Angular, etc. -
This was from a major well known international business, they sent me an email confirming my username and password in plain text! There aren't any words or emoticons to describe my reaction. Not only are they saving passwords in plain text but they are sending them via email too. I emailed the CEO to let him know, let's see if he responds and if he does what his response is.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
GuyThiebaut wrote:
I emailed the CEO to let him know, let's see if he responds and if he does what his response is.
Skip that step - since you have his email address, just ask their system to initiate a password reset on behalf of him. I'm sure they've thought *that* process out better...
-
The email was sent to me on registration.
musefan wrote:
While we are on the subject of one-way hash vs encrypted string, does it really matter either way?
Yes it does matter, because everyone who has access to the data and encryption methods within the company can see logins and passwords. Just because someone works for a company does not mean that they can be trusted with highly confidential information such as passwords and logins. Hence why data protection laws exist.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
On the other hand, if they've cracked the database and got your hashed/encrypted password, they'll more than likely ignore the password and just access your credit card, bank account, health details etc directly. If the company is lax about passwords, it's pretty unlikely that the rest of the data is encrypted! The only reason password encryption is any more important than any other data is that people tend to re-use passwords, so a hacker of one database can often then access others; or actually impersonate someone else rather than just steal their money / reputation.
