Question about passwords...
-
I just had to login to a website and my password expired (password expiry is bad practice, according to the pros). When I tried to reset my password I got an error that my new password looked too much like the previous. To my knowledge, they can't possibly know that unless they store it as plain text as even a single letter difference should generate a completely different hash. Am I right to not trust these guys with my password? Not that I really have a choice in the matter, but I'd at least give them a call about their (mal)practices... <Realization> I'm giving these guys my old password as part of the password renewing process... Must be a Monday :doh: </Realization>
Best, Sander Azure DevOps Succinctly (free eBook) Azure Serverless Succinctly (free eBook) Migrating Apps to the Cloud with Azure arrgh.js - Bringing LINQ to JavaScript
-
Did they not ask you to enter the previous password before setting the new password? If you're entering the old and new password at the same time, then it's trivial to check. If you've entered the old one and been told that it has expired, they may be storing the old password that you entered in memory to compare to the new one. It wouldn't be great, but it doesn't necessarily mean they're storing your password insecurely. Alternatively, they may store the salt and hash for one or more previous passwords, apply simple variations to your new password, and see if the modified password produces the same hash as a previous password. Without seeing their code, you can't be certain that they're not doing the wrong thing; but you can't be certain that they are doing the wrong thing either. :)
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
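The scheme the reply above sketches, keeping only the salt and hash of previous passwords and testing simple variations of the new password against them, worked through as an added Python example (it is not code from the thread or from any site mentioned in it). The variation set, the PBKDF2 parameters and the history length are assumptions made for the example; the point it demonstrates is that a "too similar to your previous password" rejection does not require storing the old password in plaintext.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

# Illustrative PBKDF2 cost; real deployments use a far higher count
# or a memory-hard KDF such as Argon2id.
PBKDF2_ITERATIONS = 10_000
SALT_BYTES = 16

# A history entry is (salt, digest); the password itself is never stored.
HistoryEntry = Tuple[bytes, bytes]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(password: str) -> List[HistoryEntry]:
    """Start a password history for a new account with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    return [(salt, hash_password(password, salt))]


def variations(candidate: str) -> List[str]:
    """The candidate plus the 'simple variations' a similarity check tries.
    This set is an assumption for the example; a real site picks its own."""
    out = [candidate, candidate.lower(), candidate.upper(),
           candidate.capitalize(), candidate.swapcase(), candidate[::-1]]
    stripped = candidate.rstrip("0123456789")      # "Summer2024" -> "Summer"
    out.append(stripped)
    digits = candidate[len(stripped):]
    if digits:                                     # neighbours of a trailing number
        n, width = int(digits), len(digits)
        out.append(f"{stripped}{n + 1:0{width}d}")
        if n > 0:
            out.append(f"{stripped}{n - 1:0{width}d}")
    out.append(candidate.rstrip("!@#$%^&*.?"))     # "hunter2!" -> "hunter2"
    result: List[str] = []
    for v in out:                                  # dedupe, keep order, drop empties
        if v and v not in result:
            result.append(v)
    return result


def too_similar(new_password: str, history: List[HistoryEntry]) -> bool:
    """True if the new password or one of its variations hashes to any
    stored (salt, digest). Every variation is re-derived under every
    historic salt, so the cost grows with history length; that is the
    price of never keeping the old password itself."""
    variants = variations(new_password)
    for salt, digest in history:
        for variant in variants:
            if hmac.compare_digest(hash_password(variant, salt), digest):
                return True
    return False


def change_password(history: List[HistoryEntry], current: str, new: str,
                    keep: int = 3) -> List[HistoryEntry]:
    """Verify the current password, reject a too-similar replacement,
    then append a freshly salted digest and trim the history."""
    salt, digest = history[-1]
    if not hmac.compare_digest(hash_password(current, salt), digest):
        raise ValueError("current password is incorrect")
    if too_similar(new, history):
        raise ValueError("new password is too similar to a previous one")
    new_salt = os.urandom(SALT_BYTES)
    history.append((new_salt, hash_password(new, new_salt)))
    del history[:-keep]
    return history


if __name__ == "__main__":
    # Constructed sample account whose previous password is "Summer2024".
    hist = enroll("Summer2024")
    for attempt in ["summer2024", "Summer2025", "4202remmuS",
                    "correct horse battery staple"]:
        print(f"{attempt!r}: too similar = {too_similar(attempt, hist)}")
```

Note that a single changed character still produces an unrelated digest, exactly as the original post assumes; the check works only because the server re-derives each guessed variation under the stored salt and compares digests, never because it can read the old password back.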
-
Have +5 for Monday! :laugh: For the kind of LOB apps I write, it is mandatory that the system is able to recall passwords for end users. The passwords are simply encrypted in the database. I don't believe this practice to be a security risk...besides, we aren't protecting sensitive data.
"Go forth into the source" - Neal Morse "Hope is contagious"
-
kmoorevs wrote:
I don't believe this practice to be a security risk
Well, maybe not in terms of your app, but considering people aren't always careful about using different passwords across different platforms, it might be an external security risk. I.e. if user jdoe42 has password "hello world" in your app, chances are it's "hello world" for his gmail, facebook, twitter, bank, yadda yadda yadda ...
Keep Calm and Carry On
-
I think recalling passwords for users is simply wrong. It exposes a vector of attack, and if attacked, their passwords are then known. I cannot think of a good reason to store someone's password. If they need a new one, let them generate it via an email link, etc. But the number of times a site has emailed me "Thanks for signing up... Remember your password is: abc123", and I am thinking to myself...WHY? I usually go and delete the account... Super Long passwords, and a password manager. Done.