A complete lack of security

Jul. 26th, 2010 12:53 pm
andrewducker: (Default)
[personal profile] andrewducker
I just registered with the website for the Scotsman newspaper.

And they emailed me to confirm my email address. Including my password, in plain text.

How on earth do people get away with that kind of thing nowadays?
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Date: 2010-07-26 12:12 pm (UTC)
zz: (Default)
From: [personal profile] zz
by assuming people will use throwaway passwords, and/or have users who expect to be able to be told their password over the phone or in person in some cases.

Date: 2010-07-26 01:01 pm (UTC)
andrewducker: (Default)
From: [personal profile] andrewducker
You never tell someone their password. Because you should never be able to access it. It should be stored in an encrypted fashion, and then you encrypt whatever the user enters and compare _that_ with what you stored. Anything else is a massive security hole.

Date: 2010-07-26 01:11 pm (UTC)
zz: (Default)
From: [personal profile] zz
ideally, yes. but security is a set of decisions, and sometimes you('re forced to) choose lower security by circumstance.
Edited Date: 2010-07-26 01:28 pm (UTC)

Date: 2010-07-26 02:01 pm (UTC)
simont: A picture of me in 2016 (Default)
From: [personal profile] simont
If you'd only just registered with them, the fact that they knew your password to email to you need not mean that it's permanently stored unencrypted. They could have immediately bounced a confirming email back to you before it was encrypted for storage.

Date: 2010-07-26 02:16 pm (UTC)
andrewducker: (Default)
From: [personal profile] andrewducker
I suppose that's possible. I'm not inclined to give them the benefit of the doubt though.

Although they don't email you out your password if you've forgotten it, they generate a new one and email that to you. Which is still stupid, but slightly less stupid.

Date: 2010-07-26 02:22 pm (UTC)
simont: A picture of me in 2016 (Default)
From: [personal profile] simont
That does seem to me to imply that they can't in general retrieve plaintext passwords, so it supports the idea that the only time they can get hold of them is when they've only just invented or been told them.

I'm not sure what they should do for password resets other than emailing you a password. I mean, obviously PGP-encrypted email would be great, but nobody supports that!

Date: 2010-07-26 02:26 pm (UTC)
andrewducker: (Default)
From: [personal profile] andrewducker
Never, ever, ever email passwords.

You send out a one-use password reset link that takes the user back to the web page and allows them to set the password to whatever they want.

Date: 2010-07-26 02:32 pm (UTC)
simont: A picture of me in 2016 (Default)
From: [personal profile] simont
Since that's a single piece of text which is all that's needed to take over the account, isn't it security-equivalent to a password anyway? You could just as well mail out a temporary password and then enforce a password change at the first subsequent login, and it would make no difference either way.

I suppose your point is that that's better than emailing out a password and not enforcing an immediate change, but ... on the other hand, the password the site generated is probably stronger than the ones a lot of users would pick if left to themselves, and the people savvy enough to pick good passwords are also the people savvy enough to change their password manually after a reset even without enforcement by the website. It certainly isn't clear to me that allocating a less savvy user a good password and exposing it to the risk of one cleartext email transfer is obviously worse than having them pick their own crappy one on short notice. (Particularly since in the latter case there's probably a good chance they'll just forget it again immediately and go round the whole process again next time.)
Edited Date: 2010-07-26 02:32 pm (UTC)

Date: 2010-07-26 02:47 pm (UTC)
andrewducker: (Default)
From: [personal profile] andrewducker
Since that's a single piece of text which is all that's needed to take over the account, isn't it security-equivalent to a password anyway?

Notice the bit where I said "one-use" :->

It is equivalent to sending out a password and mandating a password change.

I don't approve of forcing passwords on people. If they can't remember it then they'll write it down. Doing so for a short period of time (until they log in and pick their own password) is fine, but a lot of people won't do that unless forced to - they'll store it somewhere and thn it's insecure again. It's more secure to have a single (or few) good passwords that are never written anywhere than a complex one stuck to your monitor (or in your "passwords" file/folder).

Date: 2010-07-26 02:53 pm (UTC)
simont: A picture of me in 2016 (Default)
From: [personal profile] simont
Though it depends on where you write it down. A good password stuck to your monitor is pretty bad, no argument there, but a good one in your wallet is quite possibly better than a crappy one you can remember.

Date: 2010-07-26 04:04 pm (UTC)
From: [identity profile] pete stevens (from livejournal.com)
If you let people choose their own password they use the same password on every site. Helpfully this password is usually 'password'.

Date: 2010-07-26 04:12 pm (UTC)
andrewducker: (Default)
From: [personal profile] andrewducker
And if you don't then they write it down somewhere easily found.

Mandating password standards that allow them to reuse their password but not have it be instantly guessable is usually best practice.
(deleted comment)

Re: Rant-plaination

Date: 2010-07-26 01:00 pm (UTC)
andrewducker: (Default)
From: [personal profile] andrewducker
It's just plain ridiculous to send my password via plain text. I haven't seen a site do that in about five years, and it was considered a massive security flaw even then!

Date: 2010-07-26 03:10 pm (UTC)
ext_58972: Mad! (Default)
From: [identity profile] autopope.livejournal.com
I just had exactly the same experience ... from an e-tailer I'd just spent fifty quid with, and not requested a password or account for future visits.

* Rolls eyes *

Date: 2010-07-26 04:12 pm (UTC)
andrewducker: (Default)
From: [personal profile] andrewducker
I'd love to know what they're thinking, I really would.

Date: 2010-07-26 09:05 pm (UTC)
From: [identity profile] robhu.livejournal.com
They were thinking they developed their website on the cheap and a) the programmer was fairly incompetent and b) they didn't spend any time/money on testing what was written for them.

Date: 2010-07-26 07:13 pm (UTC)
From: [identity profile] momentsmusicaux.livejournal.com
If you were sent a system-created password, that's standard. You get that and a magic link and you have to change your password once you log in.

In fact, it's what Drupal does even if it's your own password.

Date: 2010-07-26 07:14 pm (UTC)
andrewducker: (Default)
From: [personal profile] andrewducker
A brain-dead, security flaw of a design.

(The latter, not the former)
Edited Date: 2010-07-26 07:15 pm (UTC)

Date: 2010-07-26 07:21 pm (UTC)
From: [identity profile] momentsmusicaux.livejournal.com
I do wonder.

But then security in Drupal is extremely tight. There's probably a very good reason for doing this but I'm too tired to go search the issue queue.

Date: 2010-07-26 07:22 pm (UTC)
andrewducker: (Default)
From: [personal profile] andrewducker
If you ever run into it I'd love to know :->

Date: 2010-07-26 07:41 pm (UTC)
From: [identity profile] momentsmusicaux.livejournal.com
Try searching the Core issue queue for it :)
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Profile

andrewducker: (Default)
andrewducker
My NotZen Website

March 2026

S M T W T F S
1 2 3 4 56 7
8 9 10 11 12 13 14
15161718192021
22232425262728
293031    

Most Popular Tags

Page Summary

Active Entries

Style Credit

Expand Cut Tags

No cut tags
Page generated Mar. 14th, 2026 11:56 pm
Powered by Dreamwidth Studios