Geekzone: technology news, blogs, forums
4369 posts

Uber Geek


# 165645 16-Feb-2015 11:29

Signed up for a warehouse stationery account the other day, and they emailed my user id and password in plain text after signup. 

I emailed them and pointed out that they should encrypt their passwords properly. 

Got a reply (which is really good)  that they will stop emailing passwords and that their passwords are encrypted. 

But, they should be using one way encryption.  

It is interesting how big companies get this stuff wrong, considering you would think they have the most resources.  



2091 posts

Uber Geek


  # 1239893 16-Feb-2015 12:04
One person supports this post

From working in corporate IT - NOTHING will surprise you.

It is usually the result of organic growth - i.e. the cobbled-together system that Bob wrote - which then becomes department-wide, then group-wide, etc.

Or people with no knowledge/experience given the task of creating something.

Security is often expensive and not that high on the priority list.

So yeah - not surprising.



1689 posts

Uber Geek

Subscriber

  # 1239966 16-Feb-2015 12:52

To be fair, if the password is set at signup then it is obviously possible to see it at this point even though it is saved, salted and encrypted. However, this should be mitigated by either not emailing it, or enforcing a password change on first login. Obviously they have chosen to remove it from being emailed. I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.




 
 
 
 




4369 posts

Uber Geek


  # 1239978 16-Feb-2015 13:01

itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly, which is different to not encrypting at all.

They should be using one way encryption. Obviously they are not, as they are able to email me the plaintext password.


22524 posts

Uber Geek

Trusted
Subscriber

  # 1239988 16-Feb-2015 13:12
One person supports this post

Not obvious at all, the password is emailed at the time you create the account, so they have the plaintext password because it just came in over the https request.

It is stupid to put a copy of someone's password into their permanent archives, but let's be realistic, it's a password for a shopping site so no big deal.




Richard rich.ms



4369 posts

Uber Geek


  # 1240001 16-Feb-2015 13:24

richms: Not obvious at all, the password is emailed at the time you create the account, so they have the plaintext password because it just came in over the https request.

It is stupid to put a copy of someone's password into their permanent archives, but let's be realistic, it's a password for a shopping site so no big deal.


Many people use the same email/password for many sites so in that view it is not just a 'shopping site' that would be compromised.


But, maybe there are few users anyway so the overall scope of the breach would not be many people. I guess in that view it is not much of a problem. 


22524 posts

Uber Geek

Trusted
Subscriber

  # 1240007 16-Feb-2015 13:29

Being hashed doesn't do much. When a site is compromised they will generally modify the login scripts to flick a request out to another compromised host posting what was entered.

Same password isn't the Warehouse's problem.




Richard rich.ms

2091 posts

Uber Geek


  # 1240018 16-Feb-2015 13:56

richms: Being hashed doesn't do much. When a site is compromised they will generally modify the login scripts to flick a request out to another compromised host posting what was entered.

Same password isn't the Warehouse's problem.


It does make it harder in the event of data theft.

To a point, salted + hashed is the minimum for half decent security.

 
 
 
 


1689 posts

Uber Geek

Subscriber

  # 1240019 16-Feb-2015 13:59
One person supports this post

surfisup1000:
itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly, which is different to not encrypting at all.

They should be using one way encryption. Obviously they are not, as they are able to email me the plaintext password.



Not sure how familiar you are with programming, but here is an example:


<?php

$password = 'abcd123'; // Randomly generated, for argument's sake

$pass_salted = $password . "Ks@1nd"; // Salt (a single site-wide salt, as in the original post)

$pass_encrypted = sha1($pass_salted); // "Encrypt": a one-way hash of the salted password

$db->query("INSERT INTO user (password) VALUES ('{$pass_encrypted}')"); // Insert the hash into the DB ($db is assumed to be an existing DB handle)

$send->mail("email@example.com", "Your password is {$password}"); // Mail the plaintext, which is still in memory at this point ($send is assumed to be an existing mailer)

?>


This is an example of how you can know a plain text password at the time of creation, which is then irreversibly encrypted.


BDFL - Memuneh
64673 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 1240052 16-Feb-2015 14:21

surfisup1000:
itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly, which is different to not encrypting at all.

They should be using one way encryption. Obviously they are not, as they are able to email me the plaintext password.



And what itxtme said is that the password was copied into the email template BEFORE it was encrypted. You have no way to guarantee it's not encrypted just because you got it in the welcome email.

If you still get it on a password recovery email then yes, there's a point. But as it stands now your conclusion was premature.






4369 posts

Uber Geek


  # 1240053 16-Feb-2015 14:23

itxtme:
surfisup1000:
itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly, which is different to not encrypting at all.

They should be using one way encryption. Obviously they are not, as they are able to email me the plaintext password.



Not sure how familiar you are with programming, but here is an example:


<?php

$password = 'abcd123'; // Randomly generated, for argument's sake

$pass_salted = $password . "Ks@1nd"; // Salt (a single site-wide salt, as in the original post)

$pass_encrypted = sha1($pass_salted); // "Encrypt": a one-way hash of the salted password

$db->query("INSERT INTO user (password) VALUES ('{$pass_encrypted}')"); // Insert the hash into the DB ($db is assumed to be an existing DB handle)

$send->mail("email@example.com", "Your password is {$password}"); // Mail the plaintext, which is still in memory at this point ($send is assumed to be an existing mailer)

?>


This is an example of how you can know a plain text password at the time of creation, which is then irreversibly encrypted.



Yep, thanks, the person earlier pretty much said the same thing. I was thinking they are taking it out of the database but that cannot really be certain. 

Maybe it is time for sites to publish some kind of security rating compared against current best practice. Although, maybe overkill and people don't really care about security anyway (given the prevalence of password as a password).





4369 posts

Uber Geek


  # 1240054 16-Feb-2015 14:23

freitasm:
surfisup1000:
itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly, which is different to not encrypting at all.

They should be using one way encryption. Obviously they are not, as they are able to email me the plaintext password.



And what itxtme said is that the password was copied into the email template BEFORE it was encrypted. You have no way to guarantee it's not encrypted just because you got it in the welcome email.

If you still get it on a password recovery email then yes, there's a point. But as it stands now your conclusion was premature.


Yes, I agree. 

gzt

10909 posts

Uber Geek


  # 1240951 17-Feb-2015 15:53

surfisup1000: Got a reply (which is really good)  that they will stop emailing passwords and that their passwords are encrypted. 

But, they should be using one way encryption

The reply and change of behaviour is excellent. It shows TW has a procedure for evaluating security/technical feedback. Most times it does not get past the CSR barrier.

One-way encryption should be mandatory.

895 posts

Ultimate Geek


  # 1240958 17-Feb-2015 15:59

The test will be if you use the "forgot your password" option: if they send you back an email saying "this is your password", then you know it's in plain text.
If they send you a link to change it, or pose the security questions that you put in at the setup of your account, that might mean they can't tell what your password is.

ACC can tell what passwords you have used the last 6 times but I don't know if they are comparing a hash or have them in the clear.
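As an added illustration (not code from this thread, from Warehouse Stationery or from ACC), here is the signup flow from itxtme's PHP snippet written in Python with the two improvements the thread keeps circling back to: a per-user random salt instead of one site-wide string, and a slow iterated hash (PBKDF2-HMAC-SHA256 from the standard library) instead of a single SHA-1 pass. It then shows the two later points: the "forgot your password" test (a site holding only hashes can issue a reset token but cannot mail the password back) and the ACC-style "not one of your last six passwords" rule, enforced by comparing against stored hashes only. All names (hash_password, create_account, USERS, HISTORY_DEPTH) and the sample account are this example's own constructions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Added example; names and the in-memory "database" below are constructed here.

STATIC_SALT = "Ks@1nd"       # the single site-wide salt from itxtme's snippet
PBKDF2_ITERATIONS = 600_000  # deliberately slow; tune to your hardware


def weak_hash(password: str) -> str:
    """What the PHP snippet does: fixed salt, one pass of SHA-1.
    Every user who picks the same password gets the same stored value."""
    return hashlib.sha1((password + STATIC_SALT).encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; the result is one-way.
    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the
    parameters travel with the record and can be raised later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Stand-in for the user table: email -> {"hash": current, "history": [older hashes]}
USERS = {}
HISTORY_DEPTH = 6  # "not one of your last six passwords"


def create_account(email: str, password: str) -> str:
    """Signup. The plaintext exists in memory here, exactly as itxtme's snippet
    shows, but only the hash is written and the welcome mail omits the password."""
    USERS[email] = {"hash": hash_password(password), "history": []}
    return f"Welcome {email}. Log in with the password you chose at signup."


def login(email: str, password: str) -> bool:
    record = USERS.get(email)
    if record is None:
        hash_password(password)  # spend the same time as a real check
        return False
    return verify_password(password, record["hash"])


def change_password(email: str, old: str, new: str) -> bool:
    """Reject reuse of the current or recent passwords using only stored hashes;
    no plaintext history is ever kept to compare against."""
    record = USERS.get(email)
    if record is None or not verify_password(old, record["hash"]):
        return False
    recent = [record["hash"]] + record["history"]
    if any(verify_password(new, h) for h in recent):
        return False
    record["history"] = recent[:HISTORY_DEPTH - 1]  # current + 5 previous
    record["hash"] = hash_password(new)
    return True


def forgot_password(email: str) -> Optional[str]:
    """The test from the thread: with only hashes on file the site cannot mail
    the password back; all it can do is issue a one-time reset token (stored
    hashed, so a database leak does not leak usable tokens). A production
    system would respond identically for unknown addresses to avoid enumeration."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    USERS[email]["reset_token"] = hashlib.sha256(token.encode()).hexdigest()
    return token


if __name__ == "__main__":
    print(create_account("user@example.com", "abcd123"))
    print("login ok:", login("user@example.com", "abcd123"))
    print("reuse blocked:", not change_password("user@example.com", "abcd123", "abcd123"))
    print("reset token issued:", forgot_password("user@example.com") is not None)
```

Two things worth noticing when running it: weak_hash gives identical output for every user with the same password, while hash_password never does, which is the practical difference between a shared salt and a per-user one; and nothing in the reset or history paths needs the plaintext, so a site that can still email your password back has chosen to keep it somewhere.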
