Code Project

Micah71381 (@Micah71381)

Posts: 19 | Topics: 1 | Shares: 0 | Groups: 0 | Followers: 0 | Following: 0

Posts

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    I fully agree with you that in all of the provided examples the end-user is ultimately responsible for their own security. That doesn't mean the websites should not go through a reasonable amount of effort to assist in the process. The issue is with the real world, not the best case world (where end-users follow best practices). In the real world users do use the same password for multiple sites and users don't know what the difference is between a secure site and an insecure one. Users don't understand that their e-mail cache is accessible after they walk away from their computer and they don't realize that the guy sitting next to them could do a lot of harm by reading their password over their shoulder. Because users are not very security conscious, website administrators should be. While it's not their responsibility by any means, it helps retain customers because ultimately, the customer will blame the company (erroneously) when their account is hacked. I worked at a company that had problems with lots of their users getting hacked and most of the time the users would blame the company, even though they were the ones who downloaded the keylogger trojan or fell for a phishing attack. The company has since started issuing digital OTP tokens to help curb user stupidity. Though the cost of the tokens is offset onto the end-user, the company still had to pay for development time, but in the end the number of support calls decreased and customer satisfaction increased.

    Rocky Moore wrote:

    I guess it is all a moot point anyway as Chris has already said it is on the schedule to change the emailing of passwords.

    Agreed, though I do find the discussion stimulating nonetheless. :)

    The Lounge database com security discussion

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    Rocky Moore wrote:

    It really does not matter, if the cookie allows you to be automatically logged in, anyone who obtains that cookie would be automatically logged in to your account

    This is true, but they would only be auto-logged into my codeproject account, not any of my other accounts for which I use the same (or similar) credentials.

    Rocky Moore wrote:

    It would be the same to intercept your email to obtain your login information. Every time you sign in to CP, you expose your account to being hacked and your email and password to be found out. For this reason, anyone should never use the same password you would use for any serious security on a site like CP which does not provide a secure login. Anyone who does are asking to be hacked. It would make as much sense as using email to send your credit card information to someone, it is just something you would not do, you would expect the security risk just as you should on any site without a secure login.

    I fully agree that in the end security responsibility is up to the end-user. However, it is in the best interest of the websites to "help" end-users be secure by participating in best practices regarding authentication security. While intercepting a plain-text password in transit is possible, it is still harder than gaining access to an e-mail cache on someone's computer. If I use a web-based e-mail client on a public computer it's entirely possible that my e-mail cache will be left behind, even if the mail service used https (I do acknowledge that it's my responsibility as a user to ensure my mail cache isn't left behind, but in practice this is rarely done). Assuming my password was never e-mailed to me in plain-text, at worst the hacker would gain access to my personal mail with which they could do relatively little damage aside from blackmail perhaps. However, if a site e-mails my password to me in plain-text, the hacker now knows my password and my e-mail address, without any targeted attacks, just by looking through the browser cache. They can now access any online accounts of mine that I use that password with (for the average user this is going to be all of their accounts). Without the plain-text e-mail password the hacker will have to do some kind of targeted attack such as a keylogger, man-in-the-middle, or phishing. Yet another issue is even less troublesome for the hacker. Say I'm using a public computer or kiosk t

    The Lounge database com security discussion

  • 24 day 7, a small complaint.
    Micah71381

    Oops, sorry. I mean that a 1-hour show has about 20 minutes of commercials and 40 minutes of show. The percentages are right, the math was wrong. :)

    The Lounge question learning

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    My concern is that many people use the same password for everything (or at least a small set of passwords that they can remember). While I acknowledge that this is a security hole created by the end-user, it is not uncommon and therefore should be taken into consideration by companies wishing to keep their users safe. In the example of a stolen cookie, hopefully the cookie wouldn't actually store the password in plain text, in which case the cookie could be used to gain access to this site but not gain access to other sites that the user subscribes to (as a stolen password would). In the example of plain text login, I agree that a secure login system is preferable, though I am of the opinion that the man-in-the-middle attack required to intercept the password in transit is quite difficult and therefore of lesser issue than some of the other security problems with various authentication systems. With a password in e-mail form the 'hacker' needs only to gain access to the victim's e-mail long enough to get a password reset e-mail sent to it. They then have the victim's password which likely gets them access to *many* accounts across the internet to which that user subscribes. If a password reset link was sent or a temporary password was sent then the hacker only gains access to the account(s) which a password reset is initiated on. It's also possible that the hacker only has access to already retrieved e-mails (perhaps they got a hold of the user's local e-mail file but are unable to fetch more) and if the user's password is stored somewhere in their local e-mail the hacker now has access to everything. Again, I won't claim that switching to a hash solves *all* security problems but it improves the system which is a step in the right direction.

    The Lounge database com security discussion
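
The reset flow this post argues for, as an added example that is not part of the thread and is not CodeProject's code: the server keeps only a salted PBKDF2 hash of each password, and a reset request produces a single-use, expiring token for the e-mailed link rather than the password itself. A site that can mail you your old password must be holding it in recoverable form; this store cannot produce it for anyone, staff or mailbox thief. The UserStore class, its two in-memory "tables", the iteration count and the e-mail addresses in the comments are illustrative assumptions.

```python
"""Password storage and reset flow with nothing to e-mail back.

Added example for this thread, not CodeProject's code. The server keeps only a
salted PBKDF2 hash of each password; a reset mails a single-use, expiring
token, so the old password can never be recovered, by staff or by whoever
reads the user's mailbox. UserStore, the table layout and the iteration count
are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Work factor: raise for production (OWASP currently suggests 600,000 for
# PBKDF2-HMAC-SHA256); kept lower here so the example runs quickly.
PBKDF2_ITERATIONS = 100_000
TOKEN_TTL_SECONDS = 15 * 60      # reset links stop working after 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt per user defeats precomputed tables."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)    # constant-time comparison


def _token_id(token: str) -> bytes:
    """Reset tokens are themselves stored hashed: a database read cannot replay one."""
    return hashlib.sha256(token.encode("utf-8")).digest()


class UserStore:
    """In-memory stand-in for a users table and a password_resets table."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock so expiry can be tested
        self.users = {}                # email -> {"salt": bytes, "hash": bytes}
        self.reset_tokens = {}         # sha256(token) -> {"email": str, "expires": float}

    def set_password(self, email: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "hash": digest}

    def login(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        if rec is None:
            hash_password(password)    # same cost for unknown users: no timing oracle
            return False
        return verify_password(password, rec["salt"], rec["hash"])

    def request_reset(self, email: str) -> Optional[str]:
        """Return the token to put in the e-mailed link, or None for unknown users.

        The caller must show the same "check your mail" message in both cases.
        """
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[_token_id(token)] = {
            "email": email,
            "expires": self.now() + TOKEN_TTL_SECONDS,
        }
        return token

    def complete_reset(self, token: str, new_password: str) -> bool:
        entry = self.reset_tokens.pop(_token_id(token), None)   # consumed even on failure
        if entry is None or entry["expires"] < self.now():
            return False
        self.set_password(entry["email"], new_password)
        return True
```

Someone who only reads the victim's mailbox gets a token that works once, for this one site, for fifteen minutes, and that can be revoked by the user logging in and changing their password; nothing in the message or the database carries over to other accounts that share the same password.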

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    ghle wrote:

    Hopefully, not because of this jerk?!?

    No, I read through the links provided earlier and it appears that this concern was brought up a while back (in the correct forum even) and a poll was opened asking the user-base if they wanted their passwords hashed or encrypted (more or less). It appears that the poll resulted in people wanting hashes instead and I think that is what caused them to add the ticket to their list.

    The Lounge database com security discussion

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    As mentioned in another branch of this thread, I should have posted in the suggestion forum. It sounds like you misinterpreted my meaning when I referred to posting security concerns in a public forum. What I meant by that is a location that is viewable to the public, rather than in a private e-mail to an administrator or support personnel. The suggestion forum is a publicly viewable forum and that would have been the correct place to post my original message.

    The Lounge database com security discussion

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    I was saying that posting what I see as a security flaw in a public forum is the way to get such security flaws resolved. I fully admit though that I chose the wrong public forum (I really did look for the proper one and I honestly missed it in the forum list, though I'm not sure how since it isn't exactly hidden). You are not the first person to mention that my original wording came across as offensive and after reading it through again I can see where this interpretation comes from, which is my fault. The reason for the tone of the post is that it's a pet peeve of mine mainly because it's so common for websites to neglect security when asking users for a password and since most users use the same password for everything this is quite bothersome. I was surprised that a site for developers had what I saw as a very basic flaw in their authentication system. This is the first time I've ever heard of someone encrypting passwords and storing them rather than hashing them or just storing them as plain text and even then, the password is e-mailed in plain-text (though this is not as big of a security concern in my eyes as storing them in plain-text). Again, my goal was not to try and trash the website or its administrators but instead to bring up a security concern publicly, which has since been alleviated by the helpful administrators and members. :)

    The Lounge database com security discussion

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    John C wrote:

    Honestly what difference does it make? This isn't a bank.

    Curiosity at this point. The method I mentioned is the only "secure" way that I know of to store secret data in an encrypted format that the data-host can't get to. If the method is different I'm curious to know about it is all.

    The Lounge database com security discussion

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    Colin Angus Mackay wrote:

    You have a password history which you can look up? That sounds most secure.

    In my head, yes. If someone can acquire that then either they hold something more valuable to me than my password (ie: my life) or they have developed the ability to read minds and at this time I would gladly give up my password to someone who can read my mind. :D

    The Lounge database com security discussion

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    Out of curiosity, is the system set up like is done with credit cards where the DBAs have one part of the salt and the programmers have the other part of the salt so no single person can decrypt the password? If I'm not mistaken the idea is that you would need root level DB access *AND* source code access (or solid disassembly/reverse engineering skills) to encrypt/decrypt the data, though I've never built a system like this myself. Or does someone have access to the decryption key and could (theoretically) decrypt the contents of the password field in the database, given the know-how and that key?

    The Lounge database com security discussion
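
The two-part arrangement this post asks about, as an added example that is not the thread's code and not how CodeProject does it (the thread never says): the DBA holds one random share, the application holds the other, and the key that actually encrypts is their XOR. Each share on its own is a uniformly random string, so someone with only database access, or only source access, learns nothing. The cipher used underneath is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only because it needs nothing outside the Python standard library; a real deployment would use AES-GCM from a vetted library. All names and lengths are illustrative.

```python
"""Two-role key split for reversibly encrypted data.

Added example, not CodeProject's scheme. The DBA holds one random share, the
application holds the other, and the key that actually encrypts is their XOR;
either share alone is uniformly random and reveals nothing. The cipher is an
HMAC-SHA256 counter-mode keystream plus an encrypt-then-MAC tag, used only
because it needs just the standard library; production code would use AES-GCM
from a vetted library. All names are illustrative.
"""
import hashlib
import hmac
import secrets
from typing import Tuple

KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def split_key(key: bytes) -> Tuple[bytes, bytes]:
    """2-of-2 XOR secret sharing: share_a is random, share_b = key XOR share_a."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the working key; needs both halves, so both roles must cooperate."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must be the same length")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the combined key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)   # fresh per message: never reuse with a key
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # wrong key or tampering: no plaintext
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def can_decrypt(key: bytes, blob: bytes) -> bool:
    """True if this key (or lone share) recovers the data; shows a single share fails."""
    try:
        decrypt(key, blob)
        return True
    except ValueError:
        return False
```

Note the limit of the arrangement: the running application must combine both shares in memory to decrypt at all, so the process (and anyone who can read its memory or its config plus the database) is still a single point that recovers every password. That is the gap a hash closes, since with a hash there is no key to assemble.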

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    It's because you didn't use the "Joke" Message Type icon. :P

    The Lounge database com security discussion

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    In an attempt to prove you wrong I just lit myself on fire. Unfortunately, it appears you were correct... I must be a troll, now a very warm one.

    The Lounge database com security discussion

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    And I apologize if I came across as offended by your comments. I took your response as one from a normal forum troll which is why I responded in kind. I was not offended at your response, just continuing the banter. :D My intentions weren't to slander code project (I do like the site and what it has to offer), it was to both alert the community (in case they didn't know already, though it appears my searching failed me since I searched for "plain text" instead of "clear text") and to hopefully get a change.

    The Lounge database com security discussion

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    I learned long ago that web-masters don't change their websites because of e-mails (especially security related things) but they do change them (sometimes) when it's posted on a public forum (especially security related things). I think this started occurring in web 1.1, when it became more than a handful of guys that all knew each other.

    The Lounge database com security discussion

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    Both my insecure and secure passwords have variations to them (ie, they rotate regularly) and I hadn't logged into this site for some time and didn't particularly feel like going through my entire password history to figure out which one it was. Tell you what senior. Take your bashing somewhere else okay? You may wish to examine your attempts to make others look stupid before you submit and prove that in fact you are indeed where the problem lies.

    The Lounge database com security discussion

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    Thanks. :) I looked at the forum list but I somehow glazed right over the site/suggestion forum (the one I was looking for!).

    The Lounge database com security discussion

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    Doesn't that defeat the purpose of a hash (both cryptographic and indexing)...

    The Lounge database com security discussion

  • 24 day 7, a small complaint.
    Micah71381

    If I'm not mistaken shows in the United States generally are 33% commercials + credits and 66% show leaving a 1-hour show having about 40 minutes worth of commercials. So the fact that you got 3:20 out of 4:00 is pretty good considering most shows you'll only get 2:40 out of 4:00.

    The Lounge question learning

  • CodeProject.com and Plain Text Passwords!
    Micah71381

    I didn't see any other place to post this so I figured I would go with the lounge to spark up some discussion and hopefully a change. :) I forgot my password for this website (www.codeproject.com) so I clicked the reset password button. I figured being a website for programmers, IT professionals, IT/development security people, etc. it would do something reasonable. Much to my surprise, I was e-mailed my old password in plain text! This means that not only is my password being transmitted in plain text over the internet (something that is all too common unfortunately) it is also being stored in a database somewhere in plain text along with my e-mail address. Luckily for me I have one password I use for "insecure" sites who like to store/display plain text passwords and another password for sites that I have a little more faith in doing the right thing and luckily I used the "insecure" password for this one. :P Anyway, I did a search in the forums for anyone mentioning this previously and I found several posts talking about how annoying it was when sites did this but no one mentioned that this site does it too.

    The Lounge database com security discussion