WebmasterWorld Community Center Forum

This 44 message thread spans 2 pages; this is page 1.
Bad idea for WebmasterWorld to send plain text passwords in email?
pbreit
msg:4327017
7:07 pm on Jun 16, 2011 (gmt 0)

It bugs me that WebmasterWorld emails my password to me in plain text. This is bad style and a not insignificant security issue.

wheel
msg:4327030
7:40 pm on Jun 16, 2011 (gmt 0)

Someone in the route between WebmasterWorld and you could get your account and use it to.....what?

There's not much of a security issue IMO when the only thing they're really securing is your ability to post.

Plus, it is relatively insignificant. I'm pretty sure it's extremely difficult to actually intercept someone's email midstream.

Not everything is worth the effort to lock down and secure. Forum ID's are one of those. You should treat them as throwaways. Never mind someone between you and the forum owner getting your info, when you sign up for an account you're giving the forum owner your information. I've little doubt there's more bad stuff going on where forums are being used as traps than where emails are being intercepted.

pricetack pb
msg:4327055
8:09 pm on Jun 16, 2011 (gmt 0)

That's kind of missing the point. It's a personal, private password that I use at other sites. Maybe that's a bad idea to re-use a password but if I had known WebmasterWorld would email it to me in the clear, I would have used a different one.

Not only is it sent on the wire in plain text, it's sitting in my easily searchable email account in plain text with the word "password" right next to it. Dumb, IMO.

koan
msg:4327093
9:29 pm on Jun 16, 2011 (gmt 0)

Maybe that's a bad idea to re-use a password

Yeah, it's really the worst habit if you're concerned. If you're going to keep doing that, at least do some variations based on the site name. Say your usual password is "pink_jimbo". Use "pink_forumname_jimbo" for this forum.

robzilla
msg:4327095
9:37 pm on Jun 16, 2011 (gmt 0)

So delete the e-mail. You could've stuck to your old username, too. Your new one (brand included) might actually be in violation of the terms of service.

I prefer it when sites send me my (old) password via e-mail, rather than having to go through a whole process of resetting and activating. As for receiving your password by e-mail after registration, I think that's just a courtesy really -- and in this case, security-wise, a bit of a non-issue.

Consider creating a unique password for each site that is of any value to you, then store these securely with a password manager. If you've enabled cookies, you'll hardly ever have to enter them anyway.

pbreit
msg:4327101
10:18 pm on Jun 16, 2011 (gmt 0)

I'm a little surprised WW and the folks here don't see this as a bad practice. I am the only person who should determine when and how my password is revealed.

And being able to recover an old password is even more problematic. Passwords are supposed to be stored one-way hashed.

lucy24
msg:4327121
11:24 pm on Jun 16, 2011 (gmt 0)

It depends on the age of the user. When I see my password written out in plain text-- without some prior warning* that this will happen-- my heart skips a beat.

The older you get, the more perilous this is.


* If I've asked someone to re-send my password, I will obviously get what I asked for. But otherwise I don't expect it.

wheel
msg:4327124
11:41 pm on Jun 16, 2011 (gmt 0)

I am the only person who should determine when and how my password is revealed.

You are. You said you asked for it. Otherwise, it wouldn't have been sent to you.

And being able to recover an old password is even more problematic. Passwords are supposed to be stored one-way hashed.

Says who?

Frankly, I routinely ask my developer to store passwords in plain text. Because I'm not storing anything sensitive (it's merely an identifier to use the system), and when a user asks me for their password, I can email it (in plain text) to them.

Everyone here understands the need for security and protection, nobody's belittling that. What I'm suggesting is that there's simply nothing to protect. If you care that much, use a throwaway password. And if someone cracks it (again, I think that's virtually impossible) worst case someone's going to increase your post count a bit. Passwords on a forum are not protecting anything other than your ability to log in and maintain a session - they're not fronting any personally sensitive information. That's why your concern is a bit misplaced. If they were maintaining records from me, I'd be as concerned as you are.

Though I guess maybe there's a point. Somebody could hack in and pretend to be me for a day. How awesome would that be for them? Until somebody realized, hey wheel isn't posting like an ### today. Somebody must've hacked his account! :)

pbreit
msg:4327125
11:50 pm on Jun 16, 2011 (gmt 0)

I did not ask for it. WW automatically sends it to new users. That's my whole point.

I'm guessing but I suspect 9 out of 10 engineers would say storing passwords in plain text is a bad practice. The issue goes beyond being able to access one WW account. It's that a stolen database with hashed passwords is way less valuable to a fraudster. There's also the rogue employee problem.

I really didn't think my initial observation was too controversial. I'm sure it's mostly because WW was programmed a long time ago when security standards were much lower and there isn't much incentive to change it.

wheel
msg:4327130
12:36 am on Jun 17, 2011 (gmt 0)

I really didn't think my initial observation was too controversial. I'm sure it's mostly because WW was programmed a long time ago when security standards were much lower and there isn't much incentive to change it.

That'd be my guess too. I'm just observing why I don't think it's a big deal to change it.

I'm guessing but I suspect 9 out of 10 engineers would say storing passwords in plain text is a bad practice.

I could go on about how much time and money tech people are prone to spending developing correct solutions to nonexistent problems. You're right that technically securing something takes a bit of time. The reality is, there's nothing to secure.

koan
msg:4327160
3:14 am on Jun 17, 2011 (gmt 0)

I disagree with wheel on the hashing, I think it is a minimal required practice. The issue is not someone hacking your account and impersonating you on a forum. The bigger issue is fraudulent access to the database, and people using the login information on other more important web sites like gmail, facebook, amazon, ebay, banks, etc. It's not that hard to set up a page where people can reset their password and get a new one by email if they forget it. That is why I also think using the same password on different sites is a terrible idea. Generate something random and manage it all locally with a secure password manager.

Password Safe is free and open source:
[passwordsafe.sourceforge.net...]
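The reset page koan describes above, written out as an added example (not code from the thread or from WebmasterWorld): the site never needs to know or send the user's password, only a short-lived one-time token. The in-memory `USERS` dict, the `OUTBOX` mailer stub, the `example.test` URL and the 15-minute lifetime are all constructed for the example; the token itself is stored only as a SHA-256 digest, so a copied database does not let anyone redeem outstanding reset links.

```python
"""Email-based password reset that never reveals a stored password.

Added example, not from the thread. Assumptions: an in-memory dict stands in
for the user table, the current time is injected so expiry can be exercised,
and the mailer is a stub that only records what would be sent.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # constructed choice: reset links live 15 minutes

# Constructed in-memory "database": email -> record.
# pw_hash is whatever the site's password-hashing scheme produced.
USERS = {
    "alice@example.test": {"pw_hash": b"<existing-hash>", "reset": None},
}

OUTBOX = []  # stub mailer: (recipient, body) tuples


def _token_digest(token: str) -> str:
    """Only this digest is stored; the raw token exists only in the email."""
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now: float = None) -> bool:
    """Issue a one-time token for the account, if it exists.

    Returns True whether or not the address is registered so the response
    does not disclose which emails have accounts.
    """
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None:
        return True
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    user["reset"] = {
        "digest": _token_digest(token),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    OUTBOX.append((email, f"Reset link: https://example.test/reset?token={token}"))
    return True


def redeem_reset(email: str, token: str, new_pw_hash: bytes, now: float = None) -> bool:
    """Consume the token and install the new password hash. Single use, expiring."""
    now = time.time() if now is None else now
    user = USERS.get(email)
    if user is None or user["reset"] is None:
        return False
    pending = user["reset"]
    if now > pending["expires"]:
        user["reset"] = None  # stale token is discarded, not kept around
        return False
    # Constant-time comparison of the digests.
    if not hmac.compare_digest(pending["digest"], _token_digest(token)):
        return False
    user["reset"] = None  # a token can be redeemed exactly once
    user["pw_hash"] = new_pw_hash
    return True


if __name__ == "__main__":
    request_reset("alice@example.test")
    sent_token = OUTBOX[-1][1].split("token=")[1]
    print("redeemed:", redeem_reset("alice@example.test", sent_token, b"<new-hash>"))
```

The same flow is what lets a site drop the "lost password" email entirely: the only thing that ever travels in the clear is a token that is useless after a quarter of an hour or a single use, whichever comes first.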

robzilla
msg:4327190
6:12 am on Jun 17, 2011 (gmt 0)

Or KeePass, my personal favorite: [sourceforge.net...]

jecasc
msg:4327193
7:13 am on Jun 17, 2011 (gmt 0)

I'm a little surprised WW and the folks here don't see this as a bad practice.

I see it as bad practice.

The reality is:
1. People use passwords on multiple websites for various reasons: they are not aware of the risk, they are lazy, they forgot they already used the password somewhere else.
2. As a webmaster I have to know this and act accordingly. Salted hash is the minimum security level a website should provide for passwords.

I do it not only for my users, but also for myself. I know that no website is 100% secure. And when some day my website should be hacked, or an employee with access to the database goes nuts - who will be blamed if someone can use a stored password on a user's email account, or on PayPal or eBay? The lazy user who used his password multiple times? No. The lazy webmaster who did not provide minimum security.

The question for me is - when something happens what email do I want to send to my users:

Hello, my website was hacked but I have stored your passwords encrypted and the likelihood is slim that someone can use the information to log in somewhere else.

Or:

Hello, my website was hacked and since I stored the password in plain text there is a great likelihood that if you used the password elsewhere, for example for eBay, PayPal or your email account, these accounts have already been compromised and you can kiss your money and reputation goodbye. Also don't be surprised if the police should show up in the next few days with a search warrant for your house and seize your computers because your accounts have been used for illegal purposes. Sorry for the inconvenience. But see the positive. At least you have learned a valuable lesson: don't use your password twice on the internet, because - you know - there are not only lazy users, but also lazy webmasters. You can thank me later.

[edited by: jecasc at 7:37 am (utc) on Jun 17, 2011]

incrediBILL
msg:4327195
7:15 am on Jun 17, 2011 (gmt 0)

I see forgetting your password as a bad practice.

lucy24
msg:4327203
7:53 am on Jun 17, 2011 (gmt 0)

I see forgetting your password as a bad practice.

Some of us can do it spontaneously without any practice at all :P One time the PIN number for my ATM card (which I do not recycle for any other purpose, duh) quietly packed up and disappeared from my brain as I was about to make a purchase. It came back two days later, after I had changed it. (There is no mechanism for retrieving numbers. You can only make a new one.)

Once upon a time, people were advised to:
#1 Use a different password for each different entity that requires one
#2 Never write the password down anywhere
#3 Change all passwords every two weeks.

Yup. And I read every word of every Software License Agreement, too. You betcha.

robzilla
msg:4327264
10:45 am on Jun 17, 2011 (gmt 0)

Just now I received a plain-text e-mail from a hosting company I'm trying out with all info pertaining to the server, root password included ^_^ I don't mind, though, because it's the first thing I'll change, but there's another tip: use a dummy password during registration, then log on and change it to something more secure.

pbreit
msg:4327389
3:10 pm on Jun 17, 2011 (gmt 0)

It's completely different if the service provider sends you a password that *they* generated. The whole point is that the service (WW in this case) exposed *my* password (and may be storing it in plain text or two-way encrypted).

And like others have said, the risk goes beyond impersonating someone on WW. It's the risk that the WW database is compromised by a hacker or rogue employee. Or someone searches my Gmail account for "password".

This is one of the few security measures that has become standardized amongst reputable services.

wheel
msg:4327400
3:30 pm on Jun 17, 2011 (gmt 0)

You've absolutely no idea what security procedures are in place on WebmasterWorld. If you're actually concerned about security, you shouldn't even be posting here.

I've gotten information about who the employers are of other posters off of forum software before. I'm a regular user, they're a regular user, and I've been able to determine who they work for. No hacking involved. Did you look into that security hole that's still in vbulletin? And you're worried about hypotheticals. You're barking up the wrong tree, worrying about something that's never going to happen.

Go ask your engineers about your practice of using the same password on anonymous forums as you do on your gmail account. Pretty sure gmail gets hacked regularly, whereas WebmasterWorld doesn't. Why anyone security conscious would admit to even owning a gmail account is beyond me.

You've also not shown that they 'exposed' your password to anyone. Grabbing emails in passing on the internet isn't a standard hacking practice.

[edited by: wheel at 3:32 pm (utc) on Jun 17, 2011]

rebelde
msg:4327401
3:31 pm on Jun 17, 2011 (gmt 0)

I wonder what percentage of people used the same password at their banks:
1%?
5%?

I wouldn't want to be responsible for somebody losing their savings, would you?

wheel
msg:4327405
3:35 pm on Jun 17, 2011 (gmt 0)

Oh for crying out loud. Rhetorical questions. Won't someone please think about the children?

If you're simple enough to use the same password on an anonymous forum that you do on your bank and then sit here and complain about security, then there's no protecting you from yourself. And no, I don't see that if you did that, that the responsibility lands on anyone other than the user.

Basic security on financial information is one thing. Anonymous logins on an internet forum are something else entirely. Get a grip, nobody's hacking your password here, and even if they did, nobody's got any useful information about you.

pbreit
msg:4327406
3:39 pm on Jun 17, 2011 (gmt 0)

I never suggested that I knew what procedures were in place beyond that, without asking, WW emails me my password in plain text. I don't consider WW a random anonymous forum. In fact, since it covers topics of interest to webmasters, I was surprised it made such a novice security error. This is one of the few security issues that is actually real, not theoretical. I thought I was pointing out something obvious and non-controversial and so am shocked by some of the responses.

jecasc
msg:4327427
4:55 pm on Jun 17, 2011 (gmt 0)

There are several golden rules in programming. The first three are:

1. Never trust user input.
2. Never trust user input.
3. Never trust user input.

This applies to the password a user enters as well. Expect it to be short and easy to remember, not unique and used multiple times. Act accordingly.

Which means:
- require a minimum length
- require letters and numbers/special characters
- only store it encrypted.
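The three rules in the post above, together with jecasc's earlier point that a salted hash is the minimum a site should store, as an added example (not code from the thread or from WebmasterWorld). The policy numbers are constructed, and PBKDF2-HMAC-SHA256 with a per-user random salt is an assumed choice of scheme, since the thread only says "salted hash". The point to notice is that `verify_password` can confirm a password but nothing in the stored record can hand it back, so a leaked table or a "send me my password" request cannot expose what the user typed.

```python
"""Password policy checks plus salted, one-way password storage.

Added example, not from the thread. The stored record is
"pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"; the salt is random per
user, so two users with the same password get different records and a
precomputed table is useless against the whole database at once.
"""
import hashlib
import hmac
import secrets

MIN_LENGTH = 12             # constructed policy value
PBKDF2_ITERATIONS = 100_000  # constructed choice; raise it as hardware allows


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    # Digits or anything that is not a letter/digit (punctuation, space) count
    # as the "numbers/special characters" requirement.
    if not any(c.isdigit() or not c.isalnum() for c in password):
        problems.append("no digits or special characters")
    return problems


def hash_password(password: str) -> str:
    """Produce the storable record. The password itself is never stored."""
    salt = secrets.token_bytes(16)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "correct horse 42!"
    print("policy problems:", check_policy(pw))
    record = hash_password(pw)
    print("stored record:", record)
    print("verify ok:", verify_password(pw, record))
    print("verify wrong:", verify_password("wrong", record))
```

Because the iteration count and salt travel inside the record, old records keep verifying after `PBKDF2_ITERATIONS` is raised, and a site can re-hash each user's password at their next successful login.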

robzilla
msg:4327438
5:27 pm on Jun 17, 2011 (gmt 0)

In fact, since it covers topics of interest to webmasters, I was surprised it made such a novice security error

You could also turn that around and argue that the WebmasterWorld audience ought to know better than to register with a password they also use to protect sensitive information elsewhere.

Wherever you register, I think you should err on the side of caution, especially because websites rarely let you know how your chosen password is handled -- you should not assume anything in that regard.

pbreit
msg:4327447
5:44 pm on Jun 17, 2011 (gmt 0)

I do use caution. It's WW that doesn't.

Brett_Tabke
msg:4327459
5:57 pm on Jun 17, 2011 (gmt 0)

There are a lot of issues at bay here. The biggest being management and security. Before we went to plain text passwords in 1999, one of the biggest issues was people forgetting passwords. Sure they could use the 'lost password' option, but about 1% of people have bogus emails associated with their account the first time after verification.

This led to all sorts of social engineering support hacks. A smaller forum is no issue, but one with 100k users a day - huge program of management and support. What happens when a senior member forgets his password and doesn't know what email is associated with his account? It turns out to be a bad email address that expired. This is the only time we have ever been 'engineered' into giving out access to someone other than the account holder. That was the decision that led to going with plain text pws.

We also saw support for pw's drop off almost to zero when we stopped the absurd obfuscation of passwords in the password field of login. Once we did that - support emails all but stopped for login issues.

We regularly expire logins about once a year (even if users have opted for long term cookie length).


That said, we are slated for some changes in this area yet this year. We will probably move to https login at some point...

jecasc
msg:4327463
6:00 pm on Jun 17, 2011 (gmt 0)

You could also turn that around and argue that the WebmasterWorld audience ought to know better than to register with a password they also use to protect sensitive information elsewhere.


Whose fault was it when the lady dropped the coffee into her lap at the McDonald's drive-through and got herself burned?

Well, the court thought it was 80% McDonald's fault, and 20% the lady's fault.

And a court might very well find it was only x% fault of the user using a password multiple times and 100-x% the fault of the webmaster if something happens.

If you have enough money you can take your chances. I don't so I encrypt my users passwords.

And don't forget that many users sign on as webmastering novices on webmasterworld.

[edited by: jecasc at 6:04 pm (utc) on Jun 17, 2011]

wheel
msg:4327464
6:00 pm on Jun 17, 2011 (gmt 0)

This is one of the few security issues that is actually real, not theoretical. I thought I was pointing out something obvious and non-controversial and so am shocked by some of the responses.

Some people don't care. You're making a mountain out of a molehill, and can fix any security issues here that you're concerned about yourself anyway.

Nobody's disagreeing that passwords should be one way hashed as 'good form'. We're suggesting in this case it doesn't matter, and may actually not be ideal. Way easier to get your password back this way than if it's hashed. Sometimes it's about getting the job done rather than 'good form'. This is one such case.

If we were talking your banking password, then everything you've said is correct X10.

And P.S. Don't use the same password here as you do on your banking site. And someone who's really concerned might set up a virtual machine running Linux that they use exclusively to do their banking from. That'd be good form. But yet nobody does it. You're talking to the king of the tin foil hats; if I'm not concerned then there's probably not a lot of risk :).

pbreit
msg:4327494
6:34 pm on Jun 17, 2011 (gmt 0)

I didn't really mean for this to get out of hand. It was just a little mini rant when I unexpectedly saw my password in my inbox. Brett's post was much more what I expected to hear. Certainly not wheel's.

ChanandlerBong
msg:4327508
6:51 pm on Jun 17, 2011 (gmt 0)

If you're actually concerned about security, you shouldn't even be posting here.

And there we have it. From the horse's mouth.

Example #3434 of WebmasterWorld living in the 90s still and abusing their members who are a little more up to date with things. Great!

"It'll never happen"...said by every large website in the days and weeks before they were hacked to bits. Hiding behind the good old "well, you shouldn't use the same pw on other sites" is hand washing of the most premium variety. Or should be extended to:

"well, you shouldn't use the same pw on other sites because we're simply not up to the task of protecting your data. Have a nice day!"

pbreit
msg:4327553
8:40 pm on Jun 17, 2011 (gmt 0)

I don't know who wheel is, but Brett, an admin, provided a reasonable response.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved