

hatchi



#116721 7-May-2013 20:33

Just been browsing websites, like one does. I came across a company that records login details, including passwords, and uses the details to book taxis for you.

Digging a little I found that the company has a 'feature' that allows the user to retrieve the password of the account. All you have to supply is the user's email address and you get sent your password. Now if you happen to have taken over a person's email, even for five minutes, for example, you could get their password from this site and chances are they use that same password in loads of different websites too.

But this also means that anyone working in the company will be able to look up the password as well.


Should not happen

I'm not going to name, but will contact the company. They should have a system with encrypted passwords and a reset password option not retrieval...




Signed by Robbie,

 

* @hatchinz

 

* FaceTime at hatchinz@me.com

 

* iMessage at hatchnz@me.com

 

Computer Sales | Apple Sales

 

Dick Smith Riccarton, Westfield shopping town, Christchurch

 

Phone 03 343 0742

 


hairy1

  #813244 7-May-2013 20:35

They must have been using the Wheedle developers...




My views (except when I am looking out their windows) are not those of my employer.




SaltyNZ

  #813289 7-May-2013 21:24

Except most 'reset my password' systems fail too if you have control of the target's email account. So it's bad, yes; having control of someone else's email is bad.




iPad Pro 11" + iPhone 15 Pro Max + 2degrees 4tw!

 

These comments are my own and do not represent the opinions of 2degrees.


gzt

  #813306 7-May-2013 21:47

Yes, absolutely terrible. But very common. Good luck getting a sensible response. Rule of thumb for users - expect all passwords to be retrievable and do not use the same password for more than one service.



hatchi


#813382 7-May-2013 23:23

gzt: Yes, absolutely terrible. But very common. Good luck getting a sensible response. Rule of thumb for users - expect all passwords to be retrievable and do not use the same password for more than one service.


And how many 'end users' do you know that will use the same password for everything?

It's been suggested to use a system called 'LastPass', for things






mattwnz


  #813386 7-May-2013 23:29

But how can you get access to someone's email? The password feature is only as secure as that person's email address password. Many password retrieval systems work this way.

SaltyNZ

  #813422 8-May-2013 06:50

mattwnz: But how can you get access to someone's email? The password feature is only as secure as that person's email address password. Many password retrieval systems work this way.


Hey, can I use your computer for a sec to check my email?

Sure.

Checks the 'always log me in' box and logs into GMail.

TADA.

That's just one way. There are some very smart social engineers out there too.





gzt

  #813427 8-May-2013 07:16

mattwnz: But how can you get access to someone's email? The password feature is only as secure as that person's email address password.

No. The password is only one vector for access... the mail server... the communications channel... the list can go on...

Many password retrieval systems work this way.

Yes, many systems are less than optimal. But this does not mean it is good practice.

jarledb

  #813562 8-May-2013 10:42

One way to secure email is to use two-factor authentication. Google has that available for Gmail (and Google Mail for business), Facebook has it, Dropbox etc. It's not typically turned on by default, but anyone caring about their security should turn it on.

Read more about how Google does it here http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744




Jarle Dahl Bergersen | Referral Links: Want $50 off when you join Octopus Energy? Use this referral code


timmmay

  #813580 8-May-2013 11:01

Commonsense Organics used to do this. I asked them to remove all my information from their systems and pointed out the problem, hopefully they fixed it.

1080p


  #813601 8-May-2013 11:49

No one should be storing unencrypted passwords in this day and age. Literally no one. Even the worst CMS software encrypts passwords (often poorly, but still).

reven

  #813604 8-May-2013 11:53

What about the number of places that will just give you your password if you call up their help line and answer a simple question like your DOB?

Vodafone gave me my PIN number the other day after I answered my DOB. Couldn't believe it.


regarding stored passwords, just bcrypt everything.
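Added example, not code from any poster in this thread: the pattern the thread argues for, a one-way salted hash store (so neither a leaked table nor a staff member can hand back the password) with a time-limited, single-use reset token in place of a retrieval feature. Python's standard-library scrypt stands in for bcrypt, and the user table is an in-memory dict constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory "user table" for the demo; a real service would use a database.
USERS: dict = {}
RESET_TTL_SECONDS = 15 * 60


def _hash(password: str, salt: bytes) -> bytes:
    # scrypt (stdlib) stands in for bcrypt: slow, salted, one-way. Nothing
    # stored allows the original password to be reconstructed.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash(password, salt), "reset": None}


def verify(email: str, password: str) -> bool:
    u = USERS.get(email)
    if u is None:
        return False
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(u["hash"], _hash(password, u["salt"]))


def start_reset(email: str, now: float) -> Optional[str]:
    """Issue a random token to be emailed to the user. Only its SHA-256 is
    stored, so a leaked table does not contain usable tokens. Unknown email
    returns None; the caller should still show the same 'check your inbox'."""
    u = USERS.get(email)
    if u is None:
        return None
    token = secrets.token_urlsafe(32)
    u["reset"] = (hashlib.sha256(token.encode()).digest(), now + RESET_TTL_SECONDS)
    return token


def finish_reset(email: str, token: str, new_password: str, now: float) -> bool:
    u = USERS.get(email)
    if u is None or u["reset"] is None:
        return False
    digest, expires = u["reset"]
    u["reset"] = None  # single use: consumed whether or not it validates
    presented = hashlib.sha256(token.encode()).digest()
    if now > expires or not hmac.compare_digest(digest, presented):
        return False
    u["salt"] = os.urandom(16)
    u["hash"] = _hash(new_password, u["salt"])
    return True
```

Compare this with the retrieval feature in the opening post: here the service can prove a password correct but can never send it back, and a reset token expires and dies after one use.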
