Geekzone: technology news, blogs, forums
Topic # 165645 16-Feb-2015 11:29

Signed up for a Warehouse Stationery account the other day, and they emailed my user ID and password in plain text after signup.

I emailed them and pointed out that they should encrypt their passwords properly. 

Got a reply (which is really good) that they will stop emailing passwords and that their passwords are encrypted.

But, they should be using one-way encryption.

It is interesting how big companies get this stuff wrong, considering you would think they have the most resources.  



  Reply # 1239893 16-Feb-2015 12:04

From working in corporate IT - NOTHING will surprise you.

It is usually the result of organic growth - i.e. the cobbled-together system that Bob wrote - which then becomes department wide, then group wide, etc. etc.

Or people with no knowledge/experience given the task of creating something.

Security is often expensive and not that high on the priority list.

So yeah - not surprising.



  Reply # 1239966 16-Feb-2015 12:52

To be fair, if the password is set at signup then it is obviously possible to see it at this point even though it is saved salted and encrypted. However, this should be mitigated by either not emailing it, or enforcing a password change on first login. Obviously they have chosen to remove it from being emailed. I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.




 
 
 
 




  Reply # 1239978 16-Feb-2015 13:01

itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly which is different to not encrypting at all. 

They should be using one-way encryption. Obviously they are not, as they are able to email me the plaintext password.


  Reply # 1239988 16-Feb-2015 13:12

Not obvious at all, the password is emailed at the time you create the account, so they have the plaintext password because it just came in over the https request.

It is stupid to put a copy of someone's password into their permanent archives, but let's be realistic, it's a password for a shopping site so no big deal.




Richard rich.ms



  Reply # 1240001 16-Feb-2015 13:24

richms: Not obvious at all, the password is emailed at the time you create the account, so they have the plaintext password because it just came in over the https request.

It is stupid to put a copy of someone's password into their permanent archives, but let's be realistic, it's a password for a shopping site so no big deal.


Many people use the same email/password for many sites so in that view it is not just a 'shopping site' that would be compromised.


But, maybe there are few users anyway so the overall scope of the breach would not be many people. I guess in that view it is not much of a problem. 


  Reply # 1240007 16-Feb-2015 13:29

Being hashed doesn't do much. When a site is compromised they will generally modify the login scripts to flick a request out to another compromised host posting what was entered.

Same password isn't the Warehouse's problem.




Richard rich.ms

  Reply # 1240018 16-Feb-2015 13:56

richms: Being hashed doesn't do much. When a site is compromised they will generally modify the login scripts to flick a request out to another compromised host posting what was entered.

Same password isn't the Warehouse's problem.


It does make it harder in the event of data theft.

To a point, salted + hashed is the minimum for half decent security.

  Reply # 1240019 16-Feb-2015 13:59

surfisup1000:
itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly which is different to not encrypting at all. 

They should be using one-way encryption. Obviously they are not, as they are able to email me the plaintext password.



Not sure how familiar you are with programming but here is an example


<?php

$password = 'abcd123'; // Randomly generated, for argument's sake

$pass_salted = $password . "Ks@1nd"; // Salt (a fixed one, in this example)

$pass_encrypted = sha1($pass_salted); // One-way hash ("encrypt" in the post's wording); cannot be reversed

$db->query("INSERT INTO user (password) VALUES ('{$pass_encrypted}')"); // Insert the hash, not the password, into the DB

$send->mail("email@example.com", "Your password is {$password}"); // The plaintext is still in memory here, so the mail can include it

?>


This is an example of how you can know a plain text password at the time of creation, which is then irreversibly encrypted.
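
An added example (Python, not code from the original post or from Warehouse Stationery) of the same signup flow: the plaintext exists in memory for the one request, the welcome email is built from it, and the database only ever sees a one-way hash. It also contrasts the snippet's fixed salt with a per-user random salt and a slow KDF, and shows why a fixed, known salt lets one precomputed table break every user at once. The iteration count, the in-memory user table and the wordlist are constructed for the demo.

```python
"""Signup with a one-way password store, and why a fixed salt is weak.

Added example, not the shop's code. PBKDF2_ITERATIONS is kept low so the
demo runs quickly; production deployments use far more.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 100_000      # demo value (assumption); raise substantially in production
STATIC_SALT = "Ks@1nd"           # the fixed salt from the PHP snippet above

users: Dict[str, dict] = {}      # constructed in-memory stand-in for the user table


def legacy_hash(password: str) -> str:
    """sha1(password . salt) exactly as in the PHP snippet: one-way, but the
    salt is shared by every user, so equal passwords give equal digests."""
    return hashlib.sha1((password + STATIC_SALT).encode()).hexdigest()


def kdf_hash(password: str, salt: bytes) -> bytes:
    """Per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def signup(email: str, password: str) -> str:
    """Store only salt + hash and return the welcome mail text.

    The mail is composed from the plaintext that just arrived in the request,
    not from the database. That is why receiving your password in a welcome
    email tells you nothing about how it is stored.
    """
    salt = os.urandom(16)
    users[email] = {"salt": salt, "hash": kdf_hash(password, salt)}
    return f"Your password is {password}"    # the page's behaviour, kept on purpose


def login(email: str, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    rec = users.get(email)
    if rec is None:
        kdf_hash(password, bytes(16))        # spend the same time for unknown users
        return False
    return hmac.compare_digest(rec["hash"], kdf_hash(password, rec["salt"]))


def stored_plaintext_recoverable(email: str) -> bool:
    """A one-way store has no field from which the password can be read back."""
    return "password" in users[email]


def crack_legacy(digest: str, wordlist: List[str]) -> Optional[str]:
    """With a fixed, known salt one precomputed table breaks every account:
    the attacker hashes the wordlist once and looks every stolen digest up."""
    table = {legacy_hash(w): w for w in wordlist}
    return table.get(digest)
```

With a per-user salt the same attack needs a fresh table per account, and with a slow KDF each table entry costs PBKDF2_ITERATIONS hash calls instead of one, which is the whole point of "salted + hashed" as the minimum.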


BDFL - Memuneh
  Reply # 1240052 16-Feb-2015 14:21
Send private message

surfisup1000:
itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly which is different to not encrypting at all. 

They should be using one-way encryption. Obviously they are not, as they are able to email me the plaintext password.



And what itxtme said is that the password was copied into the email template BEFORE it was encrypted. You have no way to guarantee it's not encrypted just because you got it in the welcome email.

If you still get it on a password recovery email then yes, there's a point. But as it stands now your conclusion was premature.






  Reply # 1240053 16-Feb-2015 14:23

itxtme:
surfisup1000:
itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly which is different to not encrypting at all. 

They should be using one-way encryption. Obviously they are not, as they are able to email me the plaintext password.



Not sure how familiar you are with programming but here is an example


<?php

$password = 'abcd123'; // Randomly generated, for argument's sake

$pass_salted = $password . "Ks@1nd"; // Salt (a fixed one, in this example)

$pass_encrypted = sha1($pass_salted); // One-way hash ("encrypt" in the post's wording); cannot be reversed

$db->query("INSERT INTO user (password) VALUES ('{$pass_encrypted}')"); // Insert the hash, not the password, into the DB

$send->mail("email@example.com", "Your password is {$password}"); // The plaintext is still in memory here, so the mail can include it

?>


This is an example of how you can know a plain text password at the time of creation, which is then irreversibly encrypted.



Yep, thanks, the person earlier pretty much said the same thing. I was thinking they are taking it out of the database but that cannot really be certain. 

Maybe it is time for sites to publish some kind of security rating compared against current best practice. Although, maybe overkill and people don't really care about security anyway (given the prevalence of password as a password).





  Reply # 1240054 16-Feb-2015 14:23

freitasm:
surfisup1000:
itxtme: I don't think it's fair to conclude they haven't encrypted it just because they sent it to you at signup.


Your words, not mine.

I said they are not encrypting properly which is different to not encrypting at all. 

They should be using one-way encryption. Obviously they are not, as they are able to email me the plaintext password.



And what itxtme said is that the password was copied into the email template BEFORE it was encrypted. You have no way to guarantee it's not encrypted just because you got it in the welcome email.

If you still get it on a password recovery email then yes, there's a point. But as it stands now your conclusion was premature.


Yes, I agree. 

gzt

  Reply # 1240951 17-Feb-2015 15:53

surfisup1000: Got a reply (which is really good)  that they will stop emailing passwords and that their passwords are encrypted. 

But, they should be using one way encryption

The reply and change of behaviour is excellent. It shows tw has a procedure for evaluating security/technical feedback. Most times it does not get past CSR barrier.

One-way encryption should be mandatory.

  Reply # 1240958 17-Feb-2015 15:59

The test will be if you use the "forgot your password" option: if they send you back an email saying "this is your password" then you know it's in plain text.
If they send you a link to change it, or pose security questions that you put in at the setup of your account, it might mean they can't tell what your password is.

ACC can tell what passwords you have used the last 6 times but I don't know if they are comparing a hash or have them in the clear.
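
An added example (Python, not code from any of the posters, from Warehouse Stationery or from ACC) of the two things raised in this post: what a "forgot your password" flow can send back when the store is one-way (a single-use, time-limited reset link, never the password), and how a "not one of your last 6" rule can be enforced by hashing alone, without keeping the old passwords in the clear. The 6-deep, count-based history, the 15-minute token lifetime, the reset URL and the iteration count are assumptions made for the demo; how ACC actually does it is not known from the thread.

```python
"""Password reset and password-history checks on a one-way password store.

Added example. The history depth, token lifetime, reset URL and KDF cost
are assumptions; nothing here is taken from a real deployment.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 50_000   # demo value (assumption); production uses far more
HISTORY_DEPTH = 6            # assumption: "last 6 passwords" is a count, not a time window
RESET_TOKEN_TTL = 15 * 60    # seconds; assumption


def kdf(password: str, salt: bytes) -> bytes:
    """One-way, per-user salted, deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, email: str, password: str) -> None:
        self.email = email
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, hash), oldest first
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, kdf(password, salt)))
        del self.history[:-HISTORY_DEPTH]              # keep only the newest entries

    def verify(self, password: str) -> bool:
        salt, digest = self.history[-1]                # the current password is the last entry
        return hmac.compare_digest(digest, kdf(password, salt))

    def was_used_recently(self, password: str) -> bool:
        """Answer "was this one of your last 6?" without any plaintext on disk:
        re-derive the candidate under each historical salt and compare digests."""
        return any(hmac.compare_digest(d, kdf(password, s)) for s, d in self.history)

    def change_password(self, new_password: str) -> None:
        if self.was_used_recently(new_password):
            raise ValueError("password was used recently")
        self._store(new_password)


# token_hash -> (email, expiry). Only a hash of the token is kept, so a dump
# of this table does not hand an attacker live reset links.
reset_tokens: Dict[str, Tuple[str, float]] = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def forgot_password(account: Account, now: Optional[float] = None) -> str:
    """The only thing a one-way store can send back: a reset link, never the password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    reset_tokens[_token_key(token)] = (account.email, now + RESET_TOKEN_TTL)
    return f"https://shop.example/reset?token={token}"   # constructed URL


def redeem_reset(token: str, account: Account, new_password: str,
                 now: Optional[float] = None) -> bool:
    """Single use and time limited; False for unknown, expired or mismatched tokens.
    Raises ValueError (from change_password) if the new password is a recent one."""
    now = time.time() if now is None else now
    entry = reset_tokens.pop(_token_key(token), None)   # pop: a token works at most once
    if entry is None:
        return False
    email, expiry = entry
    if email != account.email or now > expiry:
        return False
    account.change_password(new_password)
    return True
```

The history check costs one KDF computation per stored entry, which is acceptable at password-change time but is also why HISTORY_DEPTH is kept small; a site that can tell you your old passwords verbatim, rather than just "that one was used recently", is the case where you would worry about plaintext storage.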
