Seriously? Clear text passwords?
To the Forum admins,
I couldn't believe my eyes at what I saw just now. The registration mail contained my password in clear text form.
Since even that basic practice of password security isn't fulfilled, how should I trust you to keep your database safe from attacks?
Why are you concerned? Do you use your credit card number as your password? Or are you using the same password everywhere? Which kind of sensitive data do you enter on this forum that you fear might fall into whose hands?
Life is NOT like a box of chocolates, it's more like a jar of jalapeños: What you do today might burn your a** tomorrow.
~Garfield
- level3
- Posts: 486
- Joined: Thu Dec 15, 2005 4:57 pm
- Location: Netherlands
Jelco, you seem to miss a major point there: the plain text passwords are stored. How else could it be sent to you when you use the "forgot password" link? Try it yourself if you don't believe me.
Now I don't care much myself, but you'll have to agree it's extremely bad form. (In reality not much worse security than a simple hash, but way worse form all the same.)
(I realized it just now because I just typed my password for the first time in a while, and it's a password I thought up a very long time ago and had resent to me when I had forgotten it over the years.)
Great Magical Hat wrote:Jelco, you seem to miss a major point there: the plain text passwords are stored. How else could it be sent to you when you use the "forgot password" link? Try it yourself if you don't believe me.
Now I don't care much myself, but you'll have to agree it's extremely bad form. (In reality not much worse security than a simple hash, but way worse form all the same.)
(I realized it just now because I just typed my password for the first time in a while, and it's a password I thought up a very long time ago and had resent to me when I had forgotten it over the years.)
Encryption. The server can decrypt the password, send it in your email, and then remove all traces of the decrypted password from itself. We have no proof that it does this, but we also have no proof that it doesn't.
Still not great security though, either way. Most systems use one-way hashing, this way the server doesn't know the actual password, it only knows the result you would get when you input that password in a complex set of algorithms which cannot be reversed. If that hash is stolen by hackers, their only form of action would be to input every possible password into the algorithms until one is found with the correct result. With encrypted passwords (which this forum probably has), the algorithms can be reversed and if the hackers know this reversed algorithm, they can easily generate the passwords from the stored encrypted passwords.
What nonsense!
Especially this:
NeatNit wrote:We have no proof that it does this, but we also have no proof that it doesn't.
Can anybody tell me a case when this ever made sense?
Also,
The server can decrypt the password
what one computing engine can, another can also, therefore the word software. How is that different from plain passwords?
- level3
- Posts: 486
- Joined: Thu Dec 15, 2005 4:57 pm
- Location: Netherlands
NeatNit wrote:Encryption.
Fair enough, that's an option I didn't think about. I'll disagree with you that it's likely it's used, though.
As for the rest you say, yes I know what we are talking about. To make a much needed improvement to the hashing system, you'll need personalized salts. However, even then your passwords aren't secure, really. The problem is that hashing algorithms are designed to be fast, whereas you need a slow algorithm to make brute forcing impractical. You're best off leaving the handling of passwords to a dedicated library.
NeatNit wrote:Encryption. The server can decrypt the password, send it in your email, and then remove all traces of the decrypted password from itself. We have no proof that it does this, but we also have no proof that it doesn't.
Still not great security though, either way. Most systems use one-way hashing, this way the server doesn't know the actual password, it only knows the result you would get when you input that password in a complex set of algorithms which cannot be reversed. If that hash is stolen by hackers, their only form of action would be to input every possible password into the algorithms until one is found with the correct result. With encrypted passwords (which this forum probably has), the algorithms can be reversed and if the hackers know this reversed algorithm, they can easily generate the passwords from the stored encrypted passwords.
Um... no. Just no. In a properly encrypted authentication system, the password is hashed immediately and the hash is stored, not the plaintext password. In such a system, the password is never ever decrypted. The server has no way of retrieving the original password. Instead, when a password is entered, the input is hashed and compared to the hash that has been stored on the server. If passwords are being sent out in plaintext via the "Forgotten Password" system, then the passwords are being stored in plaintext, which is a major no-no (though, as has been pointed out before, forum passwords should be considered insecure and low priority, anyway---worst case scenario, someone pretends to be you and posts BS on the forums under your name---could this be the new Ace Rimmer?).
xander
xander wrote:NeatNit wrote:Encryption. The server can decrypt the password, send it in your email, and then remove all traces of the decrypted password from itself. We have no proof that it does this, but we also have no proof that it doesn't.
Still not great security though, either way. Most systems use one-way hashing, this way the server doesn't know the actual password, it only knows the result you would get when you input that password in a complex set of algorithms which cannot be reversed. If that hash is stolen by hackers, their only form of action would be to input every possible password into the algorithms until one is found with the correct result. With encrypted passwords (which this forum probably has), the algorithms can be reversed and if the hackers know this reversed algorithm, they can easily generate the passwords from the stored encrypted passwords.
Um... no. Just no. In a properly encrypted authentication system, the password is hashed immediately and the hash is stored, not the plaintext password. In such a system, the password is never ever decrypted. The server has no way of retrieving the original password. Instead, when a password is entered, the input is hashed and compared to the hash that has been stored on the server. If passwords are being sent out in plaintext via the "Forgotten Password" system, then the passwords are being stored in plaintext, which is a major no-no (though, as has been pointed out before, forum passwords should be considered insecure and low priority, anyway---worst case scenario, someone pretends to be you and posts BS on the forums under your name---could this be the new Ace Rimmer?).
xander
“We want to state this again given the increase in speculation about credit card information being used fraudulently. One report indicated that a group tried to sell millions of credit card numbers back to Sony. To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list. One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form.”
http://onehitpixel.com/2011/05/03/passw ... sony/11876
I didn't make any of that up. There's encrypted passwords (which can be decrypted) and there's hashes (which cannot, this is what you were talking about).
NeatNit wrote:xander wrote:NeatNit wrote:Encryption. The server can decrypt the password, send it in your email, and then remove all traces of the decrypted password from itself. We have no proof that it does this, but we also have no proof that it doesn't.
Still not great security though, either way. Most systems use one-way hashing, this way the server doesn't know the actual password, it only knows the result you would get when you input that password in a complex set of algorithms which cannot be reversed. If that hash is stolen by hackers, their only form of action would be to input every possible password into the algorithms until one is found with the correct result. With encrypted passwords (which this forum probably has), the algorithms can be reversed and if the hackers know this reversed algorithm, they can easily generate the passwords from the stored encrypted passwords.
Um... no. Just no. In a properly encrypted authentication system, the password is hashed immediately and the hash is stored, not the plaintext password. In such a system, the password is never ever decrypted. The server has no way of retrieving the original password. Instead, when a password is entered, the input is hashed and compared to the hash that has been stored on the server. If passwords are being sent out in plaintext via the "Forgotten Password" system, then the passwords are being stored in plaintext, which is a major no-no (though, as has been pointed out before, forum passwords should be considered insecure and low priority, anyway---worst case scenario, someone pretends to be you and posts BS on the forums under your name---could this be the new Ace Rimmer?).
xander
“We want to state this again given the increase in speculation about credit card information being used fraudulently. One report indicated that a group tried to sell millions of credit card numbers back to Sony. To my knowledge there is no truth to this report of a list, or that Sony was offered an opportunity to purchase the list. One other point to clarify is from this weekend’s press conference. While the passwords that were stored were not “encrypted,” they were transformed using a cryptographic hash function. There is a difference between these two types of security measures which is why we said the passwords had not been encrypted. But I want to be very clear that the passwords were not stored in our database in cleartext form.”
http://onehitpixel.com/2011/05/03/passw ... sony/11876
I didn't make any of that up. There's encrypted passwords (which can be decrypted) and there's hashes (which cannot, this is what you were talking about).
That in no way contradicts what I posted above.
xander
- level5
- Posts: 2414
- Joined: Fri Nov 18, 2005 10:09 pm
- level3
- Posts: 486
- Joined: Thu Dec 15, 2005 4:57 pm
- Location: Netherlands
jelco wrote:They just aren't. You can set up your own phpBB install and look in the DB yourself. They aren't.
I've run many phpbb installs over the years and know they do not store passwords normally. (They used some of the poorest hashing back in the days this forum is from, though - I don't know what the current situation is). My idea was that these forums are modded and it was very possible it didn't do things the same way as a plain install.
However, I was wrong and I apologize for any allegations I made. I succinctly remembered my current password being from long ago as well as I remembered retrieving my password after not logging in for years. What I didn't remember was that I retrieved the password by finding that original mail, rather than clicking the "forgot password" link.
Once again, I'm sorry.
- NeoThermic
- Introversion Staff
- Posts: 6256
- Joined: Sat Mar 02, 2002 10:55 am
- Location: ::1
Great Magical Hat wrote:jelco wrote:They just aren't. You can set up your own phpBB install and look in the DB yourself. They aren't.
I've run many phpbb installs over the years and know they do not store passwords normally. (They used some of the poorest hashing back in the days this forum is from, though - I don't know what the current situation is). My idea was that these forums are modded and it was very possible it didn't do things the same way as a plain install.
I can say, for certainty, that we would NEVER edit the forum to store plain-text passwords. That would be absurd.
As for phpBB2, it uses unsalted MD5. Granted, in this day and age that's terrible, but I'll note two things: 1) this is what all forum software of this age uses (some salted, but it was all MD5), and 2) this is only a concern if the database is somehow exposed.
As for phpBB3, it uses a slightly modified version of phpass; modified to always use the portable hashes; MD5-based salted and variable iteration count password hashes.
Your initial registration email will contain the plain-text password, but this is sent before the password is then hashed. The password forget feature will generate a unique link for you to click which will allow you to reset the password in question.
NeoThermic
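The two storage schemes contrasted in this thread (unsalted MD5 as in phpBB2, versus a per-user salt with a variable iteration count as in phpBB3's phpass portable hashes, plus the hash-and-compare login check xander describes and the "use a slow algorithm" point from Great Magical Hat) side by side. This is an added example, not code from phpBB or from anyone in the thread; it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for phpass, and the record format `pbkdf2_sha256$iterations$salt$hash` is an assumption of this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Scheme 1: unsalted MD5, the phpBB2 style described above. Fast, and two
# users with the same password get the same record, so a leaked table can
# be attacked with precomputed tables and cracked once for all of them.
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def md5_verify(password: str, stored: str) -> bool:
    # Constant-time compare so verification time does not leak hash bytes.
    return hmac.compare_digest(md5_store(password), stored)

# Scheme 2: random per-user salt and a tunable number of iterations.
# The iteration count lives in the record, so it can be raised for new
# hashes as hardware gets faster without breaking old records.
DEFAULT_ITERATIONS = 100_000

def pbkdf2_store(password: str, iterations: int = DEFAULT_ITERATIONS,
                 salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Assumed record layout: algorithm$iterations$salt_hex$hash_hex
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def same_password_same_record(store: Callable[[str], str]) -> bool:
    """Do two users who chose the same password get identical records?
    True for unsalted MD5, False once a random salt is mixed in."""
    return store("correct horse") == store("correct horse")

if __name__ == "__main__":
    rec = pbkdf2_store("correct horse")
    print("md5 leaks shared passwords:", same_password_same_record(md5_store))
    print("salted scheme leaks them:", same_password_same_record(pbkdf2_store))
    print("login check:", pbkdf2_verify("correct horse", rec))
```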