

Mad Scientist
18909 posts

Uber Geek
+1 received by user: 2455

Trusted
Lifetime subscriber

Topic # 151670 1-Sep-2014 18:25

I have had a few of these shockers in the past but the latest one was mind-boggling. Registered at the ODT website and they emailed me this:


Thank you for registering at Otago Daily Times Online News. You may now log in to http://www.odt.co.nz/user using the following username and password:
username: xxx
password: yyy

You may also log in by clicking on this link or copying and pasting it in your browser:  This is a one-time login, so it can be used only once. After logging in, you will be redirected to  so you can change your password.

Kind Regards,
The ODT Online Team


OK ... this was obvious, as they don't have a delete account button I changed my password to yourpasswordiss#it and to an email that doesn't exist and never log in again.

But is there a way to tell if they don't do this, to warn you?

962 posts

Ultimate Geek
+1 received by user: 197

Subscriber

  Reply # 1119832 1-Sep-2014 18:48

I can't think of any way you could tell, no. Even if they were encrypting it, unless they are salting it correctly etc., it would mean nothing anyway.
Did they email you the password you registered with, or a temporary password? (I'm guessing the password you put in).

Only way is to use LastPass/similar to generate a random per-site password.
Or, if it is an account of absolutely no importance, just use a password that you only share with equally unimportant accounts.

597 posts

Ultimate Geek
+1 received by user: 132


  Reply # 1120045 1-Sep-2014 22:14

Well, just a few things to point out here:
1) When you type the password into your browser and click update or whatever, it's not encrypted.
2) The password encryption happens on the server unless otherwise specified.
3) There are multiple types of encryption, 1 way and 2 way. 1 way means you can't retrieve the information while 2 way means you can.
4) Going on from 1, since the server receives the password in plain text it can do whatever it wants with it, including sending it to you via email.


Unless you use a managed system, don't bother trying to have a password for each site, have a few different passwords with different security levels.
For example I have 4 passwords I spread across the websites I use, then I have a separate password for bank accounts and such.




Regards
Stefan Andres Charsley
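
An added example, not code from any poster in this thread or from the site discussed: a registration flow that keeps only a salted one-way hash of the password, so the welcome email can carry a one-time login link but never the password itself. The function names, the in-memory `USERS` store, the `example.invalid` URL and the PBKDF2 iteration count are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory "database"; a real site would use its user table.
USERS = {}

def hash_password(password: str, salt: bytes) -> bytes:
    # One-way, salted, deliberately slow derivation (iteration count is illustrative).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)

def register(username: str, password: str) -> str:
    """Store salt + hash only and return the body of the welcome email."""
    salt = secrets.token_bytes(16)      # unique per user, so equal passwords hash differently
    token = secrets.token_urlsafe(32)   # random one-time login token
    USERS[username] = {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        # Keep only a digest of the token, so a leaked table holds no usable login link.
        "token_hash": hashlib.sha256(token.encode()).digest(),
    }
    # The plaintext password is discarded here; it cannot be mailed now or later.
    return f"Welcome {username}. One-time login: https://example.invalid/login/{token}"

def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    # Re-derive from the submitted password and compare in constant time.
    return hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])

def redeem_token(username: str, token: str) -> bool:
    rec = USERS.get(username)
    if rec is None or rec["token_hash"] is None:
        return False
    ok = hmac.compare_digest(hashlib.sha256(token.encode()).digest(), rec["token_hash"])
    if ok:
        rec["token_hash"] = None  # single use: a second attempt is rejected
    return ok

if __name__ == "__main__":
    print(register("alice", "correct horse battery staple"))
    print(verify_password("alice", "correct horse battery staple"))
```
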

1508 posts

Uber Geek
+1 received by user: 213


  Reply # 1120057 1-Sep-2014 22:19

Stay away from small local sites that are unlikely to know or care about being overly secure? Unless something happens, I am guessing most sites rely on good enough and security by obscurity. 




Try Vultr using this link and get us both some credit:

 

http://www.vultr.com/?ref=7033587-3B


3286 posts

Uber Geek
+1 received by user: 1789

Trusted
Lifetime subscriber

  Reply # 1120210 2-Sep-2014 08:17
2 people support this post

1. Register your own domain, sign up for every site with sitename@yourdomain.com, so the same email address is not used across multiple accounts.
2. Use Lastpass, create long, strong, random passwords for every site.
3. ??
4. Profit




Information wants to be free. The Net interprets censorship as damage and routes around it.


11825 posts

Uber Geek
+1 received by user: 3831

Trusted
Lifetime subscriber

  Reply # 1120351 2-Sep-2014 11:07
One person supports this post

It seems very true that we will all end up with a bazillion passwords to remember, none of which are anything but random strings of letters and numbers, if we follow the standard advice.

From a human POV that is untenable - no one will comply, no one will remember.

Biometric scanners or something where you can scan fingerprints or iris as a log on to a site seems inevitable.

Also, creating a legal liability where you can sue site operators who get hacked might encourage more investment in security at that end...!





3174 posts

Uber Geek
+1 received by user: 892

Trusted

  Reply # 1120362 2-Sep-2014 11:17
One person supports this post

Lias:
2. Use Lastpass, create long, strong, random passwords for every site.


+1, though I use KeePass, synced through something like Dropbox, to do similar. It has a bunch of implementations and ports:

http://keepass.info/download.html

3282 posts

Uber Geek
+1 received by user: 208

Trusted

  Reply # 1122022 4-Sep-2014 17:27

Lias: 1. Register your own domain, sign up for every site with sitename@yourdomain.com, so the same email address is not used across multiple accounts.
2. Use Lastpass, create long, strong, random passwords for every site.
3. ??
4. Profit

You can do something similar with Gmail, just add "+sitename" to your email address, e.g. email+sitename@gmail.com. Some websites don't like the + though.
