



5 posts

Wannabe Geek


#272091 9-Jun-2020 11:06

Hi Everyone

 

I was trying to login to my Xtra webmail account and noticed the password field is not case sensitive.

 

Is this intentional or a bug?


9795 posts

Uber Geek

Lifetime subscriber

  #2501291 9-Jun-2020 11:26

Just tried with mine

 

not good

 

@hio77 this needs looked at ASAP


1331 posts

Uber Geek


  #2501302 9-Jun-2020 11:42

While perhaps not best practice, I wouldn't consider this a security flaw per se. I'm sure there is a good reason why it is configured this way.


 
 
 
 


'That VDSL Cat'
12453 posts

Uber Geek

Trusted
Spark
Subscriber

  #2501331 9-Jun-2020 12:17

Jase2985:

 

hio77 this needs looked at ASAP

 

 

Heya,

 

 

 

I've passed this onto the relevant team to investigate.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 


234 posts

Master Geek


  #2501451 9-Jun-2020 12:32

This presumably means that they are not hashing passwords which is not a good sign.


1331 posts

Uber Geek


  #2501459 9-Jun-2020 12:48

boosacnoodle:

 

This presumably means that they are not hashing passwords which is not a good sign.

 

 

Normalisation may be occurring before hashing.


1468 posts

Uber Geek


  #2501484 9-Jun-2020 13:24

It's not case sensitive on Yahoo either.


24 posts

Geek


  #2506692 17-Jun-2020 14:42

Yesterday I checked and sure enough my xtra mail will log in using my password in just lower case. Sooo I contacted Spark by typing to the robot and after about 15 minutes playing ring a ring a rosie I was typing to a human and 30 minutes later and much hair pulling the penny dropped and I was told it should not do that and that the problem would be escalated to the great unwashed.

I wait with no expectation of an outcome as it would appear that such a security flaw is nothing to really worry about


 
 
 
 


'That VDSL Cat'
12453 posts

Uber Geek

Trusted
Spark
Subscriber

  #2506717 17-Jun-2020 14:56

Since this thread came across my desk, this has actively been worked on.

 

 

 

I don't have an update I can provide here at this stage, but I'll simply confirm yes, it has already been escalated and is with the right folk.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 


20 posts

Geek


  #2506769 17-Jun-2020 15:49

The ASB fastnet classic login webpage has the same issue.


1177 posts

Uber Geek

Lifetime subscriber

  #2506860 17-Jun-2020 17:09

TheMaskedOnion:

 

The ASB fastnet classic login webpage has the same issue.

 

 

Had, don't you mean?

Pretty sure they changed that a few years ago when it was last brought up here in GZ.

 

I just tried with an old login, and changed one character from upper to lower case and the login failed as expected. Worked fine with the proper case.


20 posts

Geek


  #2506865 17-Jun-2020 17:19

Mine isn't case sensitive, maybe I just need to change it.

 

 

 

EDIT: yup, just needed to change my password and now it's case sensitive.


80 posts

Master Geek

Lifetime subscriber

  #2506868 17-Jun-2020 17:23

On its own, is this actually much of an issue?

 

While case insensitive passwords certainly aren't best practice, if other techniques are used such as salting, hashing, and stretching, and forced password resets following multiple incorrect attempts within a given timeframe, then the increased risk by having case-insensitive passwords probably isn't that great.

 

What I'd be more concerned about is given that they use case insensitive passwords, what's the likelihood they also don't implement the other techniques for keeping my password safe, or that it's stored in plain text? That we will likely never know.

 

I would have thought that there's a better return on effort spent encouraging friends and family to use a password of sufficient length that includes special characters, ideally using a password manager to generate a random password, and not reusing your email password anywhere else, than there is worrying about case sensitivity.
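The point debated in the replies above (case-insensitive login versus hashing), as an added example that is not part of the thread and is not Spark's or Xtra's code: folding case before a salted, stretched hash gives case-insensitive logins without storing plaintext, and `bits_lost` estimates what the folding costs in keyspace. The PBKDF2 parameters, function names and sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 200_000  # assumed work factor for this example


def _derive(password: str, salt: bytes, fold_case: bool) -> bytes:
    # Assumed normalisation step: fold case before hashing when enabled.
    material = password.casefold() if fold_case else password
    return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, ITERATIONS)


def enroll(password: str, fold_case: bool) -> tuple:
    """Return (salt, derived_key); the plaintext is never stored."""
    salt = os.urandom(16)
    return salt, _derive(password, salt, fold_case)


def verify(attempt: str, record: tuple, fold_case: bool) -> bool:
    salt, stored = record
    return hmac.compare_digest(_derive(attempt, salt, fold_case), stored)


def bits_lost(length: int, letters: int = 26, others: int = 10) -> float:
    """Entropy lost to case folding for a uniformly random password drawn
    from upper and lower case letters plus `others` caseless symbols."""
    sensitive = length * math.log2(2 * letters + others)
    folded = length * math.log2(letters + others)
    return sensitive - folded


def demo() -> dict:
    sample = "CorrectHorse42"  # constructed sample password
    folded = enroll(sample, fold_case=True)
    strict = enroll(sample, fold_case=False)
    return {
        "folded_accepts_lowercase": verify(sample.lower(), folded, True),
        "strict_accepts_lowercase": verify(sample.lower(), strict, False),
        "strict_accepts_exact": verify(sample, strict, False),
        "plaintext_in_record": sample.encode() in folded[0] + folded[1],
    }


if __name__ == "__main__":
    print(demo())
    print(f"8 random alphanumerics lose {bits_lost(8):.2f} bits when folded")
```

A login that accepts the wrong case is therefore consistent with either plaintext storage or normalise-then-hash; the behaviour alone cannot distinguish them from the outside.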

 

 

 

 


1177 posts

Uber Geek

Lifetime subscriber

  #2506886 17-Jun-2020 18:04

TheMaskedOnion:

 

Mine isn't case sensitive, maybe I just need to change it.

 

 

 

EDIT: yup, just needed to change my password and now it's case sensitive.

 

 

Ah yep, I did change my password when it was announced they were now case sensitive and longer than whatever the old limit was

 

Was awhile ago, I'm with a different bank now

