Geekzone: technology news, blogs, forums




5 posts

Wannabe Geek


#272091 9-Jun-2020 11:06

Hi Everyone

 

I was trying to login to my Xtra webmail account and noticed the password field is not case sensitive.

 

Is this intentional or a bug?


9718 posts

Uber Geek

Lifetime subscriber

  #2501291 9-Jun-2020 11:26

Just tried with mine

 

not good

 

@hio77 this needs looked at ASAP


1286 posts

Uber Geek


  #2501302 9-Jun-2020 11:42

While perhaps not best practice, I wouldn't consider this a security flaw per se. I'm sure there is a good reason why it is configured this way.


 
 
 
 


'That VDSL Cat'
12331 posts

Uber Geek

Trusted
Spark
Subscriber

  #2501331 9-Jun-2020 12:17

Jase2985:

 

hio77 this needs looked at ASAP

 

 

Heya,

 

 

 

I've passed this onto the relevant team to investigate.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 


231 posts

Master Geek


  #2501451 9-Jun-2020 12:32

This presumably means that they are not hashing passwords which is not a good sign.


1286 posts

Uber Geek


  #2501459 9-Jun-2020 12:48

boosacnoodle:

 

This presumably means that they are not hashing passwords which is not a good sign.

 

 

Normalisation may be occurring before hashing.


1466 posts

Uber Geek


  #2501484 9-Jun-2020 13:24

It's not case sensitive on Yahoo either.


24 posts

Geek


  #2506692 17-Jun-2020 14:42

Yesterday I checked and sure enough my xtra mail will log in using my password in just lower case. Sooo I contacted Spark by typing to the robot and after about 15 minutes playing ring a ring a rosie I was typing to a human and 30 minutes later and much hair pulling the penny dropped and I was told it should not do that and that the problem would be escalated to the great unwashed.

I wait with no expectation of an outcome as it would appear that such a security flaw is nothing to really worry about


 
 
 
 


'That VDSL Cat'
12331 posts

Uber Geek

Trusted
Spark
Subscriber

  #2506717 17-Jun-2020 14:56

Since this thread came across my desk, this has actively been worked on.

 

 

 

I don't have an update I can provide here at this stage, but I'll simply confirm: yes, it has already been escalated and is with the right folk.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 


17 posts

Geek


  #2506769 17-Jun-2020 15:49

The ASB fastnet classic login webpage has the same issue.


1162 posts

Uber Geek

Lifetime subscriber

  #2506860 17-Jun-2020 17:09

TheMaskedOnion:

 

The ASB fastnet classic login webpage has the same issue.

 

 

Had, don't you mean?

Pretty sure they changed that a few years ago when it was last brought up here in GZ.

 

I just tried with an old login, and changed one character from upper to lower case and the login failed as expected. Worked fine with the proper case.


17 posts

Geek


  #2506865 17-Jun-2020 17:19

Mine isn't case sensitive, maybe I just need to change it.

 

 

 

EDIT: yup, just needed to change my password and now it's case sensitive.


80 posts

Master Geek

Lifetime subscriber

  #2506868 17-Jun-2020 17:23

On its own, is this actually much of an issue?

 

While case insensitive passwords certainly aren't best practice, if other techniques are used such as salting, hashing, and stretching, and forced password resets following multiple incorrect attempts within a given timeframe, then the increased risk by having case-insensitive passwords probably isn't that great.

 

What I'd be more concerned about is given that they use case insensitive passwords, what's the likelihood they also don't implement the other techniques for keeping my password safe, or that it's stored in plain text? That we will likely never know.

 

I would have thought that there's a better return on effort spent encouraging friends and family to use a password of sufficient length that includes special characters, ideally using a password manager to generate a random password, and not reusing your email password anywhere else, than there is worrying about case sensitivity.
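An added illustration, not part of any post in this thread and not Spark's or ASB's actual implementation (which the thread does not reveal): it shows how a login can be case-insensitive while still using salted, stretched hashes, by folding case before hashing, and how much search space that folding costs a random password. The `fold_case` record flag, the iteration count and the sample passwords are assumptions made for the sketch.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, stretched hash (PBKDF2-HMAC-SHA256); no plaintext is kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, fold_case: bool) -> dict:
    """Build a stored credential record.

    fold_case=True models the behaviour reported in the thread: the
    password is lower-cased before hashing, so any casing verifies.
    """
    salt = os.urandom(16)
    candidate = password.lower() if fold_case else password
    return {"salt": salt, "fold_case": fold_case, "hash": _derive(candidate, salt)}


def verify(record: dict, attempt: str) -> bool:
    # Apply the same normalisation the record was enrolled with.
    candidate = attempt.lower() if record["fold_case"] else attempt
    return hmac.compare_digest(record["hash"], _derive(candidate, record["salt"]))


def bits_lost(length: int, full_alphabet: int = 62, folded_alphabet: int = 36) -> float:
    """Entropy (bits) lost to case folding for a uniformly random password
    drawn from a-z, A-Z, 0-9 (62 symbols) versus a-z, 0-9 (36 symbols)."""
    return length * math.log2(full_alphabet / folded_alphabet)


if __name__ == "__main__":
    folded = enroll("CorrectHorse9", fold_case=True)    # constructed sample
    strict = enroll("CorrectHorse9", fold_case=False)   # e.g. after a password change
    print("folded accepts lower case:", verify(folded, "correcthorse9"))
    print("strict accepts lower case:", verify(strict, "correcthorse9"))
    print("bits lost, 10 random chars: %.2f" % bits_lost(10))
```

Observing case-insensitive login from the outside therefore cannot distinguish plaintext storage from normalise-then-hash; the measurable cost is the reduced search space, and only for the letters a password actually contains.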

 

 

 

 


1162 posts

Uber Geek

Lifetime subscriber

  #2506886 17-Jun-2020 18:04

TheMaskedOnion:

 

Mine isn't case sensitive, maybe I just need to change it.

 

 

 

EDIT: yup, just needed to change my password and now it's case sensitive.

 

 

Ah yep, I did change my password when it was announced they were now case sensitive and longer than whatever the old limit was

 

Was awhile ago, I'm with a different bank now

