Geekzone: technology news, blogs, forums
surfisup1000

5288 posts

Uber Geek


#165645 16-Feb-2015 11:29

Signed up for a Warehouse Stationery account the other day, and they emailed my user ID and password in plain text after signup.

I emailed them and pointed out that they should encrypt their passwords properly.

Got a reply (which is really good) that they will stop emailing passwords and that their passwords are encrypted.

But, they should be using one-way encryption.

It is interesting how big companies get this stuff wrong, considering you would think they have the most resources.



wasabi2k
2096 posts

Uber Geek


  #1239893 16-Feb-2015 12:04

From working in corporate IT - NOTHING will surprise you.

It is usually the result of organic growth - i.e. the cobbled-together system that Bob wrote - which then becomes department wide, then group wide, etc. etc.

Or people with no knowledge/experience given the task of creating something.

Security is often expensive and not that high on the priority list.

So yeah - not surprising.





itxtme
2102 posts

Uber Geek


  #1239966 16-Feb-2015 12:52

To be fair, if the password is set at signup then it is obviously possible to see it at this point even though it is saved, salted and encrypted. However, this should be mitigated by either not emailing it, or enforcing a password change on first login. Obviously they have chosen to remove it from being emailed. I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.




surfisup1000

5288 posts

Uber Geek


  #1239978 16-Feb-2015 13:01

itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly which is different to not encrypting at all. 

They should be using one way encryption. Obviously they are not as they are able to email me the plaintext password. 




richms
28173 posts

Uber Geek

Trusted
Lifetime subscriber

  #1239988 16-Feb-2015 13:12

Not obvious at all, the password is emailed at the time you create the account, so they have the plaintext password because it just came in over the https request.

It is stupid to put a copy of someone's password into their permanent archives, but let's be realistic, it's a password for a shopping site so no big deal.




Richard rich.ms

surfisup1000

5288 posts

Uber Geek


  #1240001 16-Feb-2015 13:24

richms: Not obvious at all, the password is emailed at the time you create the account, so they have the plaintext password because it just came in over the https request.

It is stupid to put a copy of someone's password into their permanent archives, but let's be realistic, it's a password for a shopping site so no big deal.


Many people use the same email/password for many sites so in that view it is not just a 'shopping site' that would be compromised.


But, maybe there are few users anyway so the overall scope of the breach would not be many people. I guess in that view it is not much of a problem. 


richms
28173 posts

Uber Geek

Trusted
Lifetime subscriber

  #1240007 16-Feb-2015 13:29

Being hashed doesn't do much. When a site is compromised they will generally modify the login scripts to flick a request out to another compromised host posting what was entered.

Same password isn't the Warehouse's problem.




Richard rich.ms

wasabi2k
2096 posts

Uber Geek


  #1240018 16-Feb-2015 13:56

richms: Being hashed doesn't do much. When a site is compromised they will generally modify the login scripts to flick a request out to another compromised host posting what was entered.

Same password isn't the Warehouse's problem.


It does make it harder in the event of data theft.

To a point, salted + hashed is the minimum for half decent security.

 
 
 

itxtme
2102 posts

Uber Geek


  #1240019 16-Feb-2015 13:59

surfisup1000:
itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly which is different to not encrypting at all. 

They should be using one way encryption. Obviously they are not as they are able to email me the plaintext password. 



Not sure how familiar you are with programming but here is an example


<?php
// $db and $send stand for the application's database and mailer objects.

$password = 'abcd123'; // Randomly generated for argument's sake

$pass_salted = $password . "Ks@1nd"; // Salt (one fixed value for the whole site)

$pass_encrypted = sha1($pass_salted); // Encrypt (one-way hash; cannot be reversed)

$db->query("INSERT INTO user (password) VALUES ('{$pass_encrypted}')"); // Insert hash into DB

$send->mail("email@example.com", "Your password is {$password}"); // Plaintext is still in memory here

?>


This is an example of how you can know a plain text password at the time of creation, which is then irreversibly encrypted.

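As an added example (not code from the thread, and not Warehouse Stationery's code), here is the same signup flow in Python, but with a random per-user salt and a slow password KDF (scrypt) instead of SHA-1 over one site-wide salt, and with a welcome mail that does not echo the password back. USERS, OUTBOX, the example.invalid URL and the function names are assumptions for illustration. It also demonstrates the concrete weakness of a fixed salt: two users who choose the same password get the same stored hash, so cracking one unlocks both.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed in-memory stand-ins for the $db and $send objects in the PHP
# snippet above (assumptions for this example, not the site's code).
USERS: Dict[str, Dict[str, bytes]] = {}
OUTBOX: list = []

# scrypt work factors: 16 MiB of memory per hash, deliberately slow to brute force.
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way hash with a random 16-byte per-user salt. Returns (salt, digest);
    both are stored, and neither lets anyone recover the password."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive from the candidate password and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def signup(email: str, password: str) -> str:
    """The flow itxtme describes: the plaintext exists only inside this request.
    Unlike the PHP snippet, the welcome mail does not contain it. Returns the mail body."""
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "hash": digest}
    body = "Your account has been created. Log in at https://example.invalid/login"
    OUTBOX.append((email, body))
    return body


def login(email: str, password: str) -> bool:
    rec = USERS.get(email)
    if rec is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users
        return False
    return verify_password(password, rec["salt"], rec["hash"])


def fixed_salt_sha1(password: str, salt: str = "Ks@1nd") -> str:
    """The scheme in the PHP snippet: SHA-1 over password plus one site-wide salt."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


def same_password_same_hash(password: str = "abcd123") -> Dict[str, bool]:
    """Does a second user with the same password get an identical stored hash?
    True for the fixed salt, False with a per-user salt."""
    return {
        "fixed_salt_sha1": fixed_salt_sha1(password) == fixed_salt_sha1(password),
        "per_user_salt_scrypt": hash_password(password)[1] == hash_password(password)[1],
    }


if __name__ == "__main__":
    signup("alice@example.com", "abcd123")  # constructed sample user
    print("mail contains password:", "abcd123" in OUTBOX[-1][1])
    print("login ok:", login("alice@example.com", "abcd123"))
    print(same_password_same_hash())
```

In PHP itself, password_hash() with PASSWORD_DEFAULT (available since PHP 5.5) and password_verify() give the per-user salt and slow hash for free, so there is no need to hand-roll the salt concatenation shown above.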

freitasm
BDFL - Memuneh
79270 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #1240052 16-Feb-2015 14:21

surfisup1000:
itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly which is different to not encrypting at all. 

They should be using one way encryption. Obviously they are not as they are able to email me the plaintext password. 



And what itxtme said is that the password was copied into the email template BEFORE it was encrypted. You have no way to guarantee it's not encrypted just because you got it in the welcome email.

If you still get it on a password recovery email then yes, there's a point. But as it stands now your conclusion was premature.






surfisup1000

5288 posts

Uber Geek


  #1240053 16-Feb-2015 14:23

itxtme:
surfisup1000:
itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly which is different to not encrypting at all. 

They should be using one way encryption. Obviously they are not as they are able to email me the plaintext password. 



Not sure how familiar you are with programming but here is an example


<?php
// $db and $send stand for the application's database and mailer objects.

$password = 'abcd123'; // Randomly generated for argument's sake

$pass_salted = $password . "Ks@1nd"; // Salt (one fixed value for the whole site)

$pass_encrypted = sha1($pass_salted); // Encrypt (one-way hash; cannot be reversed)

$db->query("INSERT INTO user (password) VALUES ('{$pass_encrypted}')"); // Insert hash into DB

$send->mail("email@example.com", "Your password is {$password}"); // Plaintext is still in memory here

?>


This is an example of how you can know a plain text password at the time of creation, which is then irreversibly encrypted.



Yep, thanks, the person earlier pretty much said the same thing. I was thinking they are taking it out of the database but that cannot really be certain. 

Maybe it is time for sites to publish some kind of security rating compared against current best practice. Although, maybe overkill and people don't really care about security anyway (given the prevalence of password as a password).



surfisup1000

5288 posts

Uber Geek


  #1240054 16-Feb-2015 14:23

freitasm:
surfisup1000:
itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly which is different to not encrypting at all. 

They should be using one way encryption. Obviously they are not as they are able to email me the plaintext password. 



And what itxme said is that the password was copied into the email template BEFORE it was encrypted. You have no way to guarantee it's not encrypted just because you got it in the welcome email.

If you still get it on a password recovery email then yes, there's a point. But as it stands now your conclusion was premature.


Yes, I agree. 

gzt
17120 posts

Uber Geek

Lifetime subscriber

  #1240951 17-Feb-2015 15:53

surfisup1000: Got a reply (which is really good)  that they will stop emailing passwords and that their passwords are encrypted. 

But, they should be using one way encryption

The reply and change of behaviour is excellent. It shows TW has a procedure for evaluating security/technical feedback. Most times it does not get past the CSR barrier.

One-way enc should be mandatory.

mckenndk
911 posts

Ultimate Geek


  #1240958 17-Feb-2015 15:59

The test will be if you use the "forgot your password" option: if they send you back an email saying "this is your password" then you know it's in plain text.
If they send you a link to change it, or pose security questions that you put in at the setup of your account, it might mean they can't tell what your password is.

ACC can tell what passwords you have used the last 6 times but I don't know if they are comparing a hash or have them in the clear.
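As an added example (not from the thread, and not ACC's or Warehouse Stationery's code), here are the two behaviours mckenndk contrasts, implemented the way that never needs the plaintext: a reset link carrying a random single-use token whose hash is stored server-side with an expiry, and a "last six passwords" check done by re-hashing the candidate against each stored (salt, hash) pair. USERS, OUTBOX, HISTORY_DEPTH, TOKEN_TTL, the example.invalid URL and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Constructed stand-ins for the site's user table and outbound mail (assumptions).
USERS: dict = {}
OUTBOX: List[Tuple[str, str]] = []
HISTORY_DEPTH = 6   # reject reuse of the last six passwords, as in the ACC example
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid


def kdf(password: str, salt: bytes) -> bytes:
    """One-way, salted, slow: scrypt with 16 MiB of memory per derivation."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def set_password(email: str, password: str) -> None:
    """Store a fresh (salt, hash) pair and keep only the newest HISTORY_DEPTH."""
    salt = os.urandom(16)
    user = USERS.setdefault(email, {"history": []})
    user["history"].append((salt, kdf(password, salt)))
    user["history"] = user["history"][-HISTORY_DEPTH:]  # newest entry is last
    user.pop("reset", None)  # any pending reset token is now consumed


def password_reused(email: str, candidate: str) -> bool:
    """History check on stored hashes only: re-derive the candidate with each old
    salt and compare. No plaintext of any previous password is needed."""
    return any(hmac.compare_digest(kdf(candidate, salt), digest)
               for salt, digest in USERS[email]["history"])


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """The 'send a link' behaviour. The mail carries a random token; the server
    keeps only its SHA-256, so a database leak does not expose live reset links."""
    user = USERS.get(email)
    if user is None:
        return None  # a real site would answer identically to avoid enumeration
    token = os.urandom(32).hex()
    user["reset"] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": (time.time() if now is None else now) + TOKEN_TTL,
    }
    OUTBOX.append((email, f"Reset your password: https://example.invalid/reset?token={token}"))
    return token


def complete_reset(email: str, token: str, new_password: str,
                   now: Optional[float] = None) -> str:
    """Returns 'ok', 'bad_token', 'expired' or 'reused'. Tokens are single-use."""
    user = USERS.get(email)
    pending = user.get("reset") if user else None
    if pending is None:
        return "bad_token"
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return "bad_token"
    if (time.time() if now is None else now) > pending["expires"]:
        user.pop("reset")
        return "expired"
    if password_reused(email, new_password):
        return "reused"  # token stays valid so the user can pick another password
    set_password(email, new_password)  # also clears the pending token
    return "ok"


def login(email: str, password: str) -> bool:
    user = USERS.get(email)
    if not user or not user["history"]:
        return False
    salt, digest = user["history"][-1]  # the current password is the newest entry
    return hmac.compare_digest(kdf(password, salt), digest)


if __name__ == "__main__":
    set_password("bob@example.com", "first-pass")   # constructed sample user
    tok = request_reset("bob@example.com")
    print(OUTBOX[-1][1])                             # link, no password in it
    print(complete_reset("bob@example.com", tok, "first-pass"))  # reused
    print(complete_reset("bob@example.com", tok, "second-pass"))  # ok
```

Because the history is a list of independently salted hashes, the reuse check costs one KDF call per stored entry, which is why the depth is capped rather than unbounded.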
