89 Comments
- Dan1, on 02/12/2008, -1/+39
If a website has the ability to send you your password, in plain text, then your password isn't hashed before being stored in their database. Once a password is hashed, there is no coming back (theoretically). That's why when you forget your password, for security-conscious sites, you are emailed a link to a page that allows you to change your password. Basically, they couldn't send you your password if they wanted to.
- GemStar38, on 02/12/2008, -1/+29
There aren't very many sites out there that use the temporary password system. I would have to say 95% of sites I have signed up with just email you your password in plain text.
- trghpy, on 02/12/2008, -0/+21
It bothers me when password complexity is forced to be less than "standard".
It bothers me when password reset links work for more than an hour... day... WEEKS??!!
It bothers me when banks believe personal greeting messages are some form of security.
Someone needs to set a standard for security... Google? Can you do some sort of stamp of approval?
- rob3purdue, on 02/12/2008, -0/+16
Dealing with something such as this, it comes down to a convenience factor. Will the average user (majority of users) sacrifice convenience for security? Sadly, the answer is no.
- shifty2, on 02/12/2008, -0/+15
As an exercise for my company employees (I'm a net admin), I had them do a search in Outlook for "password" in the subject and body...
you wouldn't believe how many emails come up...
- kazzyD, on 02/12/2008, -0/+11
Wow, if that statistic is anywhere close to true... that's just pathetic. In one sense, it's true that consumers should protect themselves. But in another sense, it'd be nice if companies did their part too.
- Vodka2389, on 02/12/2008, -2/+10
Carrier pidgins is the way to go.
- haski, on 02/12/2008, -2/+8
I don't mind receiving a new password in my email. You can always change it right away if you are concerned about your security. Usually services that send your password to your email are not very important anyway, so why bother.
- inactive, on 02/12/2008, -0/+5
damn you're such a stickler! everybody already knows that your main password is: "password", so why complain?
- fkr3, on 02/12/2008, -0/+4
Anywhere you see a sign-in or registration form without https you're sending your password across the tubes in plain text anyway. Which is almost everywhere non-critical (and by non-critical I mean doesn't involve your bank accounts or credit cards).
- Ottergoose, on 02/12/2008, -1/+5
I recently worked on a system that allows admins to set up new user accounts. When a new account is created, a random, temporary password is emailed to the user; after sending the email, the password is hashed and stored in a DB. So, getting an email with a password doesn't mean the password isn't hashed. If you request a new password and they send you your old password weeks later, then you've got hash troubles... unless of course you're encrypting the data...
- dvsbastard, on 02/12/2008, -1/+5
If it is a generated password, then I am not fussed... If I just chose and confirmed my password during the registration process and it is still emailed out to me, that is a different story... Grrrrrrrrr...
- EXreaction, on 02/12/2008, -0/+4
Any legit site will not allow anyone to get your credit card number off after signing in. They all replace the first 3/4 of the number with *.
- ehudokai, on 02/12/2008, -0/+4
From the sound of everyone's comments it's no wonder we have so many web sites out there that don't treat passwords as carefully as they ought to. Here are a few things I think all sites should do.
1. Store a hash, not the password. The very fact that they can send you your password means they have your password stored in a viewable manner somewhere in their database.
2. If someone loses their password, make them change it. Some might ask if I don't save their password how can I give it to them when they forget it.
3. Require alternate identification to change password. This in addition to using an individual's email to send a verifiable link is good practice.
ducking
- jaredvolkl, on 02/12/2008, -0/+3
I made my comment on the blog before I found the story through Digg, but you've basically echoed what I was saying. People should protect themselves, but there are a whole lot of ignorant people out there. Normally, I'd say ***** em and move on, but it's just too big of a group to ignore.
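The reset-link flow that Dan1 and ehudokai describe (store a hash, never mail the password, mail a link instead), with the expiry that trghpy asks for, as an added example. This is not code from the thread or from any site named in it; the user table, the reset-token table and the outbox are in-memory stand-ins for a database and a mail server, the hostname is made up, and the caller passes in the clock so the block runs offline.

```python
import hashlib
import hmac
import secrets

# Assumptions of this example: in-memory tables instead of a database, a list
# instead of an SMTP queue, an injected clock instead of time.time().
RESET_TTL_SECONDS = 60 * 60   # one hour; links that stay valid for weeks are the complaint above
PBKDF2_ROUNDS = 200_000

USERS = {"alice": {"email": "alice@example.com", "pw_hash": None}}  # constructed sample account
RESET_TOKENS = {}   # sha256(token) -> (username, expires_at)
OUTBOX = []         # (recipient, mail body) pairs standing in for the mail server


def _token_id(token: str) -> str:
    # Only a hash of the token is stored: a leaked reset table then does not hand
    # an attacker working reset links, for the same reason passwords are hashed.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def _password_digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def request_reset(username: str, now: float) -> str:
    """Issue a single-use reset token and mail a link carrying it. Returns the raw token
    (only so the test can use it; in a real site it leaves only via the mail)."""
    if username not in USERS:
        return ""   # a real site answers identically either way, so unknown accounts are not revealed
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a guessable value
    RESET_TOKENS[_token_id(token)] = (username, now + RESET_TTL_SECONDS)
    OUTBOX.append((USERS[username]["email"], f"https://example.com/reset?token={token}"))
    return token


def complete_reset(token: str, new_password: str, now: float) -> bool:
    """Consume the token. Unknown, expired or already-used tokens are rejected."""
    entry = RESET_TOKENS.pop(_token_id(token), None)   # pop: a token works exactly once
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    salt = secrets.token_bytes(16)
    USERS[username]["pw_hash"] = (salt, _password_digest(new_password, salt))
    return True


def check_password(username: str, password: str) -> bool:
    stored = USERS[username]["pw_hash"]
    if stored is None:
        return False
    salt, digest = stored
    return hmac.compare_digest(digest, _password_digest(password, salt))
```

Two details carry the security weight: the token is consumed with a single `pop`, so a link cannot be replayed from a mailbox that is later compromised, and the expiry is checked against the caller's clock, so an old link is dead even if it was never used. Note that nothing here sends the password anywhere; the mail only carries the token.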
- megaton, on 02/12/2008, -0/+3
The stupid thing is, the site he's complaining about (Mahalo) doesn't even use HTTPS to create the account or login, so it's getting transmitted in plaintext any time he uses it, anyway.
- binaryloop, on 02/12/2008, -0/+3
It's not about you -- it's about them! The reason they mail it to you is to make sure your email is correct so they can spam you. It's a carrot that they can dangle in front of you. If it didn't matter they would simply give it to you on the screen after you sign up and tell you to write it down. But, if they did that, they wouldn't have your valid email address and they couldn't spam you.
- thtroyer, on 02/12/2008, -1/+4
pigeons*
- kenplaysviola, on 02/12/2008, -0/+3
This is why there are security standards out there that get feedback from I.T.'s and companies. Two of them that pop in my mind are the CompTIA Security+ and CISSP. Many jobs, especially federal, research, financial, and medical jobs, require you to have these certifications. These standards are out there, it's just that people choose not to learn about them and enforce them, or are ignorant about them. I know a few I.T. guys at my work who just kick back and relax because they feel that they don't need to keep up on security or certifications. Hey, if the systems are running fine, then they must be doing something right. RIGHT?!??
- kazzyD, on 02/12/2008, -0/+2
Good point. But I think there are some solutions that aren't that much less convenient but way more secure. It's not a 1:1 ratio.
- ckSubs, on 02/12/2008, -0/+2
Myspace, which should already be a red flag security-wise, sends out plain-text passwords if you click the "I forgot my password" link. You don't even need a secret question or anything. Just type in an email address, and they send the password of the Myspace page signed up with that email to it. That, combined with automatic logins for email accounts and multi-site passwords by most users, probably leads to many, many of the hacked accounts Myspace is known for. Or, if you have access to an email and want the password... give Myspace a try.
- Myztry, on 02/12/2008, -0/+2
It bothers me when banks call me from anonymous numbers (call centers) and expect me to give them identifying information over the phone in order to prove my identity.
There is absolutely nothing distinguishing them from identity criminals. They know whose phone number they've rung, yet I've got absolutely no way to verify who they are before I give away verification information. Hell, anyone who answers my phone likely knows my full name, date of birth and address.
And they've got the nerve to get all snarky in pseudo-English when I refuse to give them identifying information... Wankers... Not to mention my country's privacy/protection laws don't apply in India, or whatever God-forsaken country they are calling from.
The pathetic thing is they've always ended up being legit... That's nothing but luck. Corporate stupidity causes me no end of hassle.
- thealliedhacker, on 02/12/2008, -1/+3
"Bad Form"? I feel like I'm watching "Hook"
- rot13ubercrypto, on 02/12/2008, -1/+3
That's almost as cool as my French bank (yes, this is in the country that pioneered smart card-based payments) having a fixed PIN code for my ATM card. Not only that, but ATMs here don't let you change your code. Even better, the cards themselves don't even have a PIN management applet -- to change the code you need to, get this, request a new card and TELL THEM THE PIN WHEN YOU APPLY.
Facepalm.
- DiggieDarko, on 02/12/2008, -0/+2
"Enter new password here. A confirmation will be sent via US Mail" (My bank's website).
- EXreaction, on 02/12/2008, -0/+2
This is nothing. I have a few older clients I worked for who, whenever they need some quick help, send me their username/password for their hosting control panel. Just think if GoDaddy screwed something up and sold my domain to somebody, or if my host screwed something up and redirected that email somewhere else?
- charlietuna, on 02/12/2008, -1/+3
http://en.wikipedia.org/wiki/IP_over_Avian_Carrier ...
- surfing, on 02/12/2008, -0/+2
So, yoni's point is how did you log in to Digg?
- battybattybatt, on 03/29/2008, -0/+1
pidgin.com is the worst! They send you your UN/PW EVERY TIME THEY RSVP your emails! Even when you don't ask for it! Their whole website is bot.
- battybattybatt, on 03/29/2008, -0/+1
Touche, douche! Actually, the Digg sign-on is SSL. Open it in its own frame, and you will see I am correct.
- battybattybatt, on 03/29/2008, -0/+1
that's a lie - they fixed that before the merger over a year ago.
- battybattybatt, on 03/29/2008, -0/+1
Dude you just ***** nailed that to the WALL! Yes!
- battybattybatt, on 03/29/2008, -0/+1
That isn't the best part - try an awfully run company called Image-Line (the makers of FL Studio), they send you your regkey zipped as an ATTACHMENT that you are - in their email to you - warned about NOT EVER GIVING OUT YOUR REGKEY TO ANYONE! That is BULL *****. (and their software isn't cheap!)
- battybattybatt, on 03/29/2008, -0/+1
Not anymore, try it again; what, you still can't change it once you get it, but they give you a keypad to enter your PIN, they do NOT ask you what it is, all they see on their screen after your entry is a challenge code that is used, you then re-enter your new PIN to verify the match (in case you mistyped). They use the challenge code to let you start over. The card is created from the machine UNTIL you have a new PIN match (and it usually cannot be any of your previous PINs) - this prevents the old false fire alarm fraud trick (probably not used in banks).
- thredden, on 02/12/2008, -1/+2
I don't get it, aren't you supposed to save passwords as a one-way hash?
(for those that don't know, you run a math equation on a given worded phrase, that makes it impossible to go in reverse. Then to check for a correct password, you run the equation on what was entered in from the website and see if it matches what was saved.)
(for those that do know, sorry for the horrible explanation)
for more insight... http://en.wikipedia.org/wiki/One-way_function
- podgey22, on 02/12/2008, -0/+1
> If a website has the ability to send you your password, in plain text, then your password isn't hashed before being stored in their database
Not true. Follow this:
1. Generate Random Password.
2. Email password.
3. Hash and store hashed password
4. ???
5. Profit!
Though, I agree that if they can *remind* you of your password by sending it out later on, they're storing it as plaintext.
- battybattybatt, on 03/29/2008, -0/+1
But this article was put here to show the concern of the ABOVE average user, the CONCERNED user. The solution needs to console 100% of CONCERNED users - who gives a crap about sheeple that don't care? OK, we should care somewhat for each other, feel my luv.
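podgey22's steps 1-3 (generate a random password, email it, then hash and store it), Ottergoose's admin-created accounts, and thredden's description of checking a password by re-running the one-way function, as one added example. It is not code from the thread or from any site discussed in it. The table and the outbox are in-memory stand-ins for a database and a mail server, the sample accounts and addresses are constructed, and the per-user random salt is the one dbr_onix recommends further down the thread.

```python
import hashlib
import hmac
import secrets

# Assumptions of this example: an in-memory dict instead of a database table,
# a list instead of SMTP, constructed usernames and addresses.
PBKDF2_ROUNDS = 200_000

PASSWORD_TABLE = {}   # username -> {"salt": bytes, "digest": bytes}; there is no plaintext column
OUTBOX = []           # (recipient, body) pairs standing in for the mail server


def password_digest(password: str, salt: bytes) -> bytes:
    # thredden's "math equation you cannot run in reverse": salted, iterated PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def set_password(username: str, password: str) -> None:
    salt = secrets.token_bytes(16)   # fresh random salt per user, so equal passwords give unequal digests
    PASSWORD_TABLE[username] = {"salt": salt, "digest": password_digest(password, salt)}


def create_account(username: str, email: str) -> str:
    """podgey22's steps 1-3. Returns the temporary password only so the caller can log in
    with it once; the table never holds it."""
    temp_password = secrets.token_urlsafe(12)                                  # 1. random password
    OUTBOX.append((email, f"Your temporary password is {temp_password}"))   # 2. email it, once
    set_password(username, temp_password)                                      # 3. keep only the hash
    return temp_password


def verify(username: str, password: str) -> bool:
    """Re-run the one-way function on the submitted password and compare the outputs."""
    rec = PASSWORD_TABLE.get(username)
    if rec is None:
        password_digest(password, b"\x00" * 16)   # same cost for unknown users: no timing tell on usernames
        return False
    return hmac.compare_digest(rec["digest"], password_digest(password, rec["salt"]))


def plaintext_in_table(username: str, password: str) -> bool:
    """The check behind the thread's thesis: can the password be read back out of what is stored?"""
    rec = PASSWORD_TABLE[username]
    return password.encode("utf-8") in (rec["salt"] + rec["digest"])


def digests_match(user_a: str, user_b: str) -> bool:
    """With per-user salts, two users who chose the same password still get different digests,
    so a leaked table does not reveal who shares a password with whom."""
    return PASSWORD_TABLE[user_a]["digest"] == PASSWORD_TABLE[user_b]["digest"]
```

The point podgey22 makes falls out of the data model: `create_account` can mail the password because it still has it in hand at that moment, but once `set_password` returns, nothing in `PASSWORD_TABLE` can produce it again, so a later "remind me" mail is impossible and only a reset is. `hmac.compare_digest` rather than `==` keeps the comparison time independent of how many leading bytes match.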
- battybattybatt, on 03/29/2008, -0/+1
Google? You have got to be really ***** kidding!!! Really ***** KIDDING! The BIGGEST complaint BY FAR is Google's DOCUMENTED INABILITY to encrypt or digitally sign gmail accounts. What a joke.
- battybattybatt, on 03/29/2008, -0/+1
No, actually in this case he could be correct in the usage of your IF he hyphenated the "signing up" two words together, thus creating a vernacular usage which should be acceptable to Grammar nazis everywhere - even the ones in Berlin and New Jersey!
- MajorHertz, on 02/12/2008, -0/+1
I think it's much easier to not frequent a site any longer (or use a more secure competitor) than it is to walk or drive across the United States rather than fly. They put up with the intrusiveness because the other option is more intrusive than airport security.
- dbr_onix, on 02/16/2008, -0/+1
Erm, password collisions are pretty rare - even with many thousands of users, the chance of hashes being the same is small. A much bigger problem is two users using the same password, or using crappy passwords.. Fix those (say by having dynamically-generated salts, sensible minimum password lengths, and a limit to how many times a user can try to login per hour)
I'd be very very cautious with encryption vs hashing. If Mr Evilhacker gets your decryption keys/passphrases (if they can get your password hashes, they could probably get those keys) they can get the plain-text version of every single password, whereas with hashing, they'd be stuck brute-forcing a huge list of hashed passwords for months/years/centuries/etc
The fact the website can encrypt/decrypt the passwords implies if you get into the web application somehow (code or SQL injection for example) it's possible to decrypt any user's password?
- askthequestion, on 03/12/2008, -0/+1
"The reason I have a password in the first place is so that it doesn't flow back and forth openly in cyberspace only to reside peacefully on multiple mail servers."
somebody should stop bitchin' about Security.
create a better password for your email.
change it monthly or weekly.
quit worrying about stuff that hasn't even happened yet.
- battybattybatt, on 03/29/2008, -0/+1
Yes, but that revelation has absolutely nothing to do with the topic. Generally MOST web companies send you - in plain text - a TEMPORARY password for RESETTING, which (if you're really really fast) you should go ASAP and RESET as SOON as you get your email. The real problem is crappy web companies that take for ***** EVER to send you the temporary password.
Actually, statistically, very FEW GOOD web companies actually send you your first SIGNUP password - if they do, then drop them, you don't need their service that bad.
The ONLY way you are going to get your passcodes returned to you encrypted or secure is if you give them an email account on a server that YOU control, and make sure that server is set up with SSL with SHTTP (or send them your Public key and use an SHA-1 convertor or a PGP setup for yourself). You will also need a Digital ID of some sort, probably.
- battybattybatt, on 03/29/2008, -0/+1
Yes, that is the point and the concern - and the point of the concern.
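The third fix in dbr_onix's comment above, "a limit to how many times a user can try to login per hour", as an added example that is not code from the thread: a per-account sliding window over failed attempts. The clock is passed in so the block runs offline, and the actual credential check is whatever `verifier` the caller supplies (in a real site, the salted-hash comparison; the constructed one in the usage below is a plain lookup, which is not how a site should store passwords).

```python
import collections

# Assumptions of this example: in-memory state, an injected clock, a caller-supplied verifier.
MAX_FAILURES = 5
WINDOW_SECONDS = 60 * 60

FAILURES = collections.defaultdict(collections.deque)   # username -> timestamps of recent failures


def recent_failures(username: str, now: float) -> int:
    q = FAILURES[username]
    while q and now - q[0] >= WINDOW_SECONDS:   # drop attempts that have aged out of the window
        q.popleft()
    return len(q)


def is_locked(username: str, now: float) -> bool:
    return recent_failures(username, now) >= MAX_FAILURES


def login(username: str, password: str, verifier, now: float) -> str:
    """Returns "locked", "ok" or "bad". `verifier(username, password)` is the real credential check."""
    if is_locked(username, now):
        return "locked"        # refuse before evaluating the password: a guess while locked teaches nothing
    if verifier(username, password):
        FAILURES[username].clear()
        return "ok"
    FAILURES[username].append(now)
    return "bad"


if __name__ == "__main__":
    creds = {"alice": "correct horse"}   # constructed stand-in for a salted-hash table
    verifier = lambda u, p: creds.get(u) == p
    t0 = 0.0
    for i in range(MAX_FAILURES):
        print(login("alice", f"guess{i}", verifier, t0 + i))      # bad, five times
    print(login("alice", "correct horse", verifier, t0 + 10))    # locked, even with the right password
    print(login("alice", "correct horse", verifier, t0 + WINDOW_SECONDS))   # ok, the window has passed
```

The caveat a practitioner will want: a purely per-account lock hands an attacker a denial of service, since five deliberate failures lock the legitimate owner out. Sites therefore usually pair this with per-source limits and a growing delay rather than a hard stop, and the rate limiter is a complement to, not a substitute for, the salting and minimum length dbr_onix lists alongside it.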
- aduzik, on 02/13/2008, -0/+1
Even though, as others have said, a site that sends your password in email doesn't necessarily store it in plaintext or reversible encryption, it certainly doesn't inspire confidence. If these are people who think it's perfectly acceptable to send your password in plaintext, they probably don't think it's necessary to keep it secure in their database, too.
- battybattybatt, on 03/29/2008, -0/+1
Using SHA is one-way.. thredden is correct, just bad English usage.
- battybattybatt, on 03/29/2008, -0/+1
No legitimate bank (in the US) does this. Here, we assume they are just phishing.
- battybattybatt, on 03/29/2008, -0/+1
A confirmation only re-affirms that it was her/you that a password was reset; if you respond in the negative to the affirmation, the reset is canceled usually, as if it never was changed.
- grawity, on 02/12/2008, -0/+1
SSH
- battybattybatt, on 03/29/2008, -0/+1
GoDaddy wouldn't, as they set it up for you to do certain things in a client's control panel WITHOUT ever needing your client's personal UN/PW.