User entered password security question
  • #991800
    Zava Design
    Participant
    • Total posts: 1,463
    Up
    0
    ::

    Something occurred when signing up for a new online account, which I’m a little perturbed about but wondering if it’s just me or I am right to be so…?

    I entered in the usual personal details, username, etc., and then there’s a password field. Now in my experience, there are two processes for passwords:

    1) Auto generated, some random password is sent in the confirmation email, which you can then log in with and change to your own, secure password. This is stored encrypted of course.

    2) User entered, which is stored encrypted, and certainly never sent via email. Account email simply makes mention of “Your chosen password” or something similar.

    But in this instance of #2, my entered password was sent to me in the account email, meaning of course the security of that password is now compromised, on this account and any others I may use it on.

    So am I wrong to be upset that my entered password was sent back to me via email?

    #1183378
    Greg_M (Member)

    Doesn’t sound a very good solution to me.

    It would also make me wonder how well it was stored by them as well … plenty of stories about some big businesses out there, that have stuffed this up.

    Securing “Users” is a big subject and getting more important almost daily.

    For small scale stuff the approach I like doesn’t actually store any password – the user entered password is converted to an encrypted hash and used as a “reference” only.

    The password itself is never stored anywhere.

    If the user logs in the “hash” associated with that account is compared. If they change a password, a new hash is generated.

    #1183379
    Zava Design (Participant)

    That’s basically how I assumed/expected all sites did it nowadays.

    #1183380
    Craig.Smith (Member)

    The best thing to do about this is a name and shame.

    There’s a site out there just for this exact problem –> http://plaintextoffenders.com/

    #1183381
    Byron Trzeciak (Participant)

    There are quite a number of scenarios they could have used to either
    – store in plain text
    – email on signup and then store encrypted
    – email on signup and then store plain text

    I’m sure there are more.

    At the end of the day people would be more likely to use the forgotten password option rather than search through old emails to find the initial signup password. It seems poor practice to email it simply to cater for this.

    Best practice would be to store in an encrypted format only, and each time you put your password in to log in it then encrypts it and checks whether the two encrypted forms are the same.

    Password resets should send a one time password or link that forces a new password to be entered on first login. The fact that you’ve received the email with your password doesn’t automatically make it compromised but certainly could be a reason for it being compromised in the future.

    #1183382
    Zava Design (Participant)

    After some discussion across a few forums, the security issue has been identified, and I thought it valuable to create a thread highlighting the software concerned to make members here that use web hosting aware: http://www.flyingsolo.com.au/forums/index.php?threads/warning-major-security-issue-with-some-web-hosts.34699/

    #1183383
    TehCamel (Member)

    If the host can send you, via email, your actual password, then they are doing it wrong.
    As soon as your signup form is submitted, they should be encrypting your password. As it’s a one-way trap, you can’t actually decrypt what a password is, if it’s done properly.

    (Techbabble: When your password is stored in a database with your username, it’s stored as an encrypted/hashed/salted object. When you go to log on to the website next time, it takes the plaintext password you keyed in, encrypts/hashes/salts it, and compares it to the encrypted saved version. If it matches, you’re good to go.
    So the only way to actually retrieve your password in plaintext is to run crackers which are trying to match the hash.)
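    The store-a-hash-and-compare flow described in the last two posts, plus the one-time reset link Byron suggested instead of emailing a password, as an added example in Python (not code from any poster; the PBKDF2 iteration count, the record format and the in-memory token store are constructed choices):

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Added example, not code from any poster. The iteration count is a constructed
# choice; tune it so one hash takes a noticeable fraction of a second on your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    Only this record is stored; the password itself is never kept anywhere."""
    salt = salt if salt is not None else os.urandom(16)   # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Reset flow: the email carries a random one-time token, never a password.
# The server keeps only a hash of the token, so a leaked table does not expose live links.
ResetStore = Dict[str, Tuple[str, int]]   # sha256(token) -> (username, expiry time)


def issue_reset_token(store: ResetStore, username: str, now: int, ttl: int = 900) -> str:
    token = secrets.token_urlsafe(32)
    store[hashlib.sha256(token.encode()).hexdigest()] = (username, now + ttl)
    return token   # goes into the emailed link; this is the only copy


def redeem_reset_token(store: ResetStore, token: str, new_password: str,
                       users: Dict[str, str], now: int) -> bool:
    """Consume the token (single use), reject it if expired, then set a fresh hash."""
    entry = store.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    users[username] = hash_password(new_password)
    return True
```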

    #1183384
    teckyhead (Member)

    “my entered password was sent to me in the account email, meaning of course the security of that password is now compromised, on this account and any others I may use it on.”

    Rule #1 – never re-use a password on multiple websites. I have over 2000 passwords – some are mine and some are to access client websites etc. I use Roboform and have done for maybe 10 years now.

    I also have developed many systems that require a user login and all passwords are stored encrypted/salted. However, when a person signs up they are sent that password in plain text just prior to it being encrypted and stored in the database. I think there’s a much greater chance of compromise due to people using weak passwords than email being intercepted.

    It does raise another point though and that’s the storage of email. If you use IMAP instead of POP3 then your emails are being stored on a server somewhere which is more likely to be compromised than someone logging into your computer and reading your email.

    Gary

    #1183385
    Advantech Software (Member)

    I don’t like it if a site sends me my password as plain text in an email. Makes me want to back out of that app.

    In all the software applications that we write, passwords are stored encrypted.

    My 2c :)

    #1183386
    bb1 (Participant)

    teckyhead, post: 214165, member: 67321 wrote:
    […] However, when a person signs up they are sent that password in plain text just prior to it being encrypted and stored in the database. I think there’s a much greater chance of compromise due to people using weak passwords than email being intercepted.
    Gary

    I would ask why you see the need to send the password to someone in plain text; it just leaves things open to security issues. Why create a potential issue when there is no need to?

    #1183387
    teckyhead (Member)

    I think it depends in part on the type of website. I’ve done websites which were primarily for delivering content and didn’t store personal info or financial info – in this case the login details were sent to the new member. In some cases just the username was sent. You would be surprised at how many people register and immediately forget what they entered.

    I’ve done other websites where (for example) confidential business info was stored – in this case login information wasn’t sent as all users had to be added by the site admin.

    If a website that wanted to store my credit card info sent me login details in plain text I’d be pretty angry.

    Gary

    #1183388
    Hatching_It (Member)

    How is this any different to signing in to Flying Solo and watching your username/password being POSTed in plaintext over HTTP?

    (by the way, Flying Solo admin, please fix this)

    #1183389
    bb1 (Participant)

    teckyhead, post: 214257, member: 67321 wrote:
    I think it depends in part on the type of website. I’ve done websites which were primarily for delivering content and didn’t store personal info or financial info – in this case the login details were sent to the new member. In some cases just the username was sent. You would be surprised at how many people register and immediately forget what they entered.

    But knowing, rightly or wrongly, that most people use the same password for everything, why would you send that in an email?

    If people forget what they typed, they can use the lost password options.

    #1183390
    Greg_M (Member)

    Hatching_It, post: 214305, member: 53049 wrote:
    How is this any different to signing in to Flying Solo and watching your username/password being POSTed in plaintext over HTTP?

    (by the way, Flying Solo admin, please fix this)

    Not a lot …

    #1183391
    Peter – FS Administrator (Member)

    Hatching_It, post: 214305, member: 53049 wrote:
    How is this any different to signing in to Flying Solo and watching your username/password being POSTed in plaintext over HTTP? (by the way, Flying Solo admin, please fix this)

    Very, very good point Hatching_It, it’s on our dev list with our hosting company and thanks to your nudge it’s just been escalated!!
