Is this a safe way to deal with password resets?

Taylor Member
edited July 2012 in General

Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail.

Looking at this tweet, it looks like passwords are just being stored in plain text? Surely this is not a safe way to deal with password resets?

Comments

  • MrAndroid Member
    edited July 2012

    @Taylor said: Surely this is not a safe way to deal with password resets?

    No, it is not, but every little helps.

    Even to hackers :)

  • jar Patron Provider, Top Host, Veteran
    edited July 2012

    I just send out the database to the client on password resets. It's easier. Just look for yours. It's all in plain text anyway because who likes database entries that can't be read?

    Thanked by 1 yomero
  • Randy Member

    Hackers will still find ways.

  • Ree Member

    Based on the fact that they're saying "Passwords are stored in a secure way" I assume that means they're encrypting the passwords, which means they can then decrypt them for the purpose of the "forgot your password?" email.

    It's fine and good to encrypt all the other personal information, but encryption is not the recommended way to store passwords. Instead it's better to hash, and more importantly, to hash properly, which from what I've seen with some of the recent database leaks, not many people know how to do.

  • Damian Member

    If you can convert encrypted text back to plain text, it's not secure.

    Thanked by 1 Gary
  • gsx Member

    Well, if you provide the customer with a temporary password and have them change the password through your control panel/system, then the password would only be known to them and in an encrypted form.

  • This is stupid, and they should be firing someone over it. If a hacker can get to your customer database, they can get the script with your password key in it. This is much much less secure than hashing.

  • Gary Member

    There should never be password reminder emails. Hell, there should never be sign-up emails that contain your password, for that matter.

    Forgotten your email? Then we'll email you a link to visit, that'll allow you to change your password.
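The reset-link flow Gary describes, as an added example that is not code from this thread or from any provider discussed in it: the server generates a random single-use token, stores only a hash of that token together with an expiry, and emails the raw token in a link; whoever presents the token gets to set a new password, and the old password is never needed or sent. The class and function names, the 15-minute lifetime and the example.invalid hostname are assumptions for this example.

```python
"""Token-based password reset (added example, not from the thread or any provider)."""
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60   # assumption for this example: links die after 15 minutes


@dataclass
class ResetRecord:
    user_id: int
    token_hash: bytes     # SHA-256 of the token; the raw token is never written down
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Issue and redeem single-use reset tokens. Storage is an in-memory dict
    standing in for a database table."""

    def __init__(self) -> None:
        self._records: dict[bytes, ResetRecord] = {}

    @staticmethod
    def _hash(token: str) -> bytes:
        # Hashing before lookup means a copied table is useless without the emailed
        # token, and the dict lookup cannot leak the token through timing.
        return hashlib.sha256(token.encode("ascii")).digest()

    def issue(self, user_id: int, now: float | None = None) -> str:
        """Create a token for user_id and return the link to put in the email."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG: unguessable
        record = ResetRecord(user_id, self._hash(token), now + TOKEN_TTL_SECONDS)
        self._records[record.token_hash] = record
        # Placeholder hostname; the raw token appears only here, in the link.
        return f"https://example.invalid/reset?token={token}"

    def redeem(self, token: str, now: float | None = None) -> int | None:
        """Return the user id the token authorizes, or None if it is unknown,
        expired or already used. The caller then stores the user's new password hash."""
        now = time.time() if now is None else now
        record = self._records.get(self._hash(token))
        if record is None or record.used or now > record.expires_at:
            return None
        record.used = True                      # burn it before handing control back
        return record.user_id


if __name__ == "__main__":
    svc = PasswordResetService()
    link = svc.issue(user_id=42)
    raw_token = link.split("token=", 1)[1]
    print("email this:", link)
    print("first redeem ->", svc.redeem(raw_token))    # 42
    print("second redeem ->", svc.redeem(raw_token))   # None: single use
```

The request side should behave the same whether or not the address exists (same response, same timing), so the reset form cannot be used to enumerate accounts; and setting the new password on redeem should invalidate any other outstanding tokens and sessions for that user.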

  • jar Patron Provider, Top Host, Veteran
    edited July 2012

    Oh come on...an email with a generated password is fine. It's up to the user to change it. Let's not act like we're storing military secrets here.

  • Soylent Member

    They're not sending you an email with a generated password (which I agree is fine, but only if you're forcing the user to change that password immediately upon logging in). They're sending you an email with YOUR password, but claiming they still store your password securely. This means they're probably using symmetric-key encryption to store passwords, and there's a script or something on their site that's going to have a copy of their encryption key in it.
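What Ree's "hash properly" and Soylent's point about a decryptable store come down to, as an added example that is not code from this thread or from the provider under discussion: a password record built from a per-user random salt and a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 from the Python standard library here). The record can be checked against a login attempt but never turned back into the password, so there is no key for an attacker to find beside the database and no way to produce a "reminder" email from it. The record format, the function names and the iteration count are assumptions for this example; bcrypt, scrypt or Argon2 are the better choice where those libraries are available.

```python
"""Salted, iterated password hashing (added example, not from the thread or any provider)."""
import hashlib
import hmac
import secrets

# Assumed record layout for this example:  pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>
# Storing the parameters with the hash lets you raise the cost later without a migration.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record. Nothing in it can be turned back into the password;
    the only thing it supports is checking a guess, and each check costs `iterations` rounds."""
    salt = secrets.token_bytes(SALT_BYTES)   # per-user random salt: equal passwords give unequal records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in constant time.
    Malformed records simply fail verification."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:   # wrong field count, bad hex, non-numeric or non-positive iterations
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was made with a weaker setting than current policy.
    Call this after a successful login and re-hash with the password you just verified."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("right password:", verify_password("correct horse battery staple", stored))   # True
    print("wrong password:", verify_password("Correct horse battery staple", stored))   # False
```

Because the salt is random, two users with the same password get different records, and an attacker who steals the table has to attack each one separately at the full cost per guess; that cost, not secrecy of any key, is what makes the store safe to lose.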

  • gsrdgrdghd Member
    edited July 2012

    @Soylent said: They're sending you an email with YOUR password, but claiming they still store your password securely.

    If someone explains a joke it isn't funny anymore :(

    Anyway, I wonder how that tweet hasn't been deleted yet?

  • Taylor Member

    Looks like they are running outdated software and couldn't give a monkey's about security.

    http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html
