Geekzone: technology news, blogs, forums
Tel69
251 posts

Ultimate Geek
+1 received by user: 4

Trusted
Subscriber

Topic # 111429 3-Nov-2012 09:18

In my job we have dealings with lots of companies.
For one (EMC), I had the need to sign onto their site to get some information.
I've not been on their site for over a year, so my password was not forthcoming.
Asked for a password reset, and all was fine, I got my temporary password in an e-mail.

Imagine my surprise when I went to a second EMC site and my new password didn't work. OK, I'll use their "password finder" function. And that is exactly what it did. It found my password and e-mailed it to me in plain text.

You would think by now companies this big would have learnt from Sony's very public mistake.
It seems not in this instance.

2882 posts

Uber Geek
+1 received by user: 809

Trusted
Subscriber

  Reply # 711284 3-Nov-2012 11:29

Numerous companies seem to email original passwords in plain text. Gives the perception that security isn't something that's given a lot of thought, either by the organisation or the website developers.

One company I deal with would email out my username and password with every order I placed. I emailed them several times pointing out a lot of reasons for the stupidity of this and the practice seems to have now stopped. I have a feeling though that all they've done is suppressed the sending of this field in their automated emails rather than actually fixing the real problem...

gzt

9009 posts

Uber Geek
+1 received by user: 1230


  Reply # 711300 3-Nov-2012 11:50

Surprising from EMC. Emailing stored passwords opens up so many vectors for account compromise.

EMC may consider the information protected does not merit a secure reset procedure. Big mistake.

The password itself is worthy of protection to say the least.

It was not unusual in the past for large companies to manage their internal infrastructure and procedures ok but run web as a separate operation aligned to marketing and practically ignore it from an IT perspective. Maybe EMC has some catching up to do.

Tel69
251 posts

Ultimate Geek
+1 received by user: 4

Trusted
Subscriber

  Reply # 711439 3-Nov-2012 17:23

Actually, I'll stand corrected on this after some more investigation: perhaps it's not EMC themselves doing this, but a third party EMC have outsourced to.
The domain is not owned by EMC themselves. Going by the domain name of the base URL, it seems the domain is run by "Flexera Software LLC".
Worrying, the list of companies they have listed as clients. (But I'd not say every customer is using them the same way EMC does.)

gzt

9009 posts

Uber Geek
+1 received by user: 1230


  Reply # 711442 3-Nov-2012 17:28

What is the http address for the service you use?

2915 posts

Uber Geek
+1 received by user: 414

Trusted
Subscriber

  Reply # 711546 3-Nov-2012 22:45

Ah, Flexera. The people behind InstallShield. I'd say they are running the licensing for whatever EMC product you're trying to manage, as software license management is one of their outsourcing services.

435 posts

Ultimate Geek
+1 received by user: 135


  Reply # 711557 3-Nov-2012 23:05

I've seen a bit of "double-MD5" encryption appearing, seeing as there are large databases of MD5 strings available (MD5 decryption tools). I would at least expect normal MD5 encryption with any new website these days.

Which incident are you referring to exactly about Sony?

The one I'm thinking of is the Playstation one last year?

-Aidan



Tel69
251 posts

Ultimate Geek
+1 received by user: 4

Trusted
Subscriber

  Reply # 711611 4-Nov-2012 08:56

CoolAs101: I've seen a bit of "double-MD5" encryption appearing, seeing as there are large databases of MD5 strings available (MD5 decryption tools). I would at least expect normal MD5 encryption with any new website these days.

Which incident are you referring to exactly about Sony?

The one I'm thinking of is the Playstation one last year?

-Aidan


Yes, Sony's was a bit worse as there was also the SQL injection problem as well.
I'm just comparing the 2 because of the complete lack of common security measures and/or, it would seem, encryption.
There should never be a way a website can send you your password. Reset it to a temporary one, yes.

Even if it is encrypted and stored encrypted, them being able to decrypt it and send it in plain text doesn't sit well with me.
So many vectors are opened up if an original password can be obtained (disgruntled employee doing a DB dump, etc., etc.).





Tel69
251 posts

Ultimate Geek
+1 received by user: 4

Trusted
Subscriber

  Reply # 711613 4-Nov-2012 09:00

gzt: What is the http address for the service you use?


It's a subscribenet.com addy.

gzt

9009 posts

Uber Geek
+1 received by user: 1230


  Reply # 711656 4-Nov-2012 10:39

Kyanar: Ah, Flexera. The people behind InstallShield. I'd say they are running the licensing for whatever EMC product you're trying to manage, as software license management is one of their outsourcing services.


Yeah, Flexera do a lot for EMC. Why EMC would outsource without even a basic audit is beyond me. EMC has the leverage to force a change there easily. As always with something like that, users, fairly or not, have reduced expectations about the quality of service and expect other issues are present.



Tel69
251 posts

Ultimate Geek
+1 received by user: 4

Trusted
Subscriber

  Reply # 711858 4-Nov-2012 18:25

gzt: Yeah, Flexera do a lot for EMC. Why EMC would outsource without even a basic audit is beyond me. EMC has the leverage to force a change there easily. As always with something like that, users, fairly or not, have reduced expectations about the quality of service and expect other issues are present.


I agree, I'm surprised EMC would want to be associated with a site that handles passwords this way.
Think I'll open a Powerlink question asking about the security of my password, considering they can e-mail it back to me, and in plain text too. Any network sniffer on the route it travels via e-mail to get to me could pick that up.


BDFL - Memuneh
58749 posts

Uber Geek
+1 received by user: 10147

Administrator
Trusted
Geekzone
Subscriber

  Reply # 711860 4-Nov-2012 18:56

CoolAs101: I've seen a bit of "double-MD5" encryption appearing, seeing as there are large databases of MD5 strings available (MD5 decryption tools). I would at least expect normal MD5 encryption with any new website these days.


The only problem is that MD5 is not encryption but a hash. Different things.





4025 posts

Uber Geek
+1 received by user: 1076

Trusted

  Reply # 711874 4-Nov-2012 19:31

CoolAs101: I've seen a bit of "double-MD5" encryption appearing, seeing as there are large databases of MD5 strings available (MD5 decryption tools). I would at least expect normal MD5 encryption with any new website these days.

Which incident are you referring to exactly about Sony?

The one I'm thinking of is the Playstation one last year?

-Aidan

There is no excuse to use MD5 hashing for passwords these days when SHA256 and bcrypt are so simple to implement.
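The thread's three technical points (unsalted MD5 records are matched by precomputed tables, a salted slow hash cannot be handed back by any "password finder", and a reset should issue a temporary token rather than the password) as one added, runnable example; this is not any poster's code. It uses scrypt from Python's standard library in place of bcrypt, and the MD5 lookup table, password list, and record format are constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed stand-in for the "large databases of MD5 strings" the thread mentions:
# unsalted MD5 of a few common passwords, indexed by hash.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
MD5_LOOKUP = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)  # about 16 MiB per hash


def md5_store(password: str) -> str:
    """Unsalted MD5 record, the scheme criticised in the thread."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_lookup(stored: str) -> Optional[str]:
    """Recover a password from an unsalted MD5 record by table lookup alone."""
    return MD5_LOOKUP.get(stored)


def scrypt_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard record 'scrypt$<salt hex>$<digest hex>' (constructed format).
    A per-user random salt defeats precomputed tables, and the record cannot be
    reversed, so there is nothing a 'password finder' could e-mail back."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def scrypt_verify(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(parts[1]), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), parts[2])


def issue_reset_token() -> tuple:
    """Reset flow instead of a 'password finder': e-mail the raw single-use token
    and store only its SHA-256, so a database dump cannot replay it.
    An expiry timestamp would be stored alongside it (omitted here)."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()


def check_reset_token(stored_hash: str, presented: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(presented.encode()).hexdigest(), stored_hash)
```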



