Geekzone: technology news, blogs, forums


hatchi

62 posts

Master Geek


#116721 7-May-2013 20:33

Just been browsing websites, like one does. I came across a company that records login details, including passwords, and uses the details to book taxis for you.

Digging a little I found that the company has a 'feature' that allows the user to retrieve the password of the account. All you have to supply is the user's email address and you get sent your password. Now if you happen to have taken over a person's email, even for five minutes, for example, you could get their password from this site and chances are they use that same password in loads of different websites too.

But this also means that anyone working in the company will be able to look up the password as well.


Should not happen

I'm not going to name, but will contact the company. They should have a system with encrypted passwords and a reset password option not retrieval...

hairy1
2983 posts

Uber Geek

Trusted
Lifetime subscriber

  #813244 7-May-2013 20:35

They must have been using the Wheedle developers...




My views (except when I am looking out their windows) are not those of my employer.


SaltyNZ
5473 posts

Uber Geek

Trusted
Lifetime subscriber

  #813289 7-May-2013 21:24

Except, most 'reset my password' systems fail too, if you have control of the target's email account. So it's bad, yes, having control of someone else's email is bad.




iPad Pro 11" + iPhone XS + 2degrees 4tw!

 

These comments are my own and do not represent the opinions of 2degrees.




gzt
11670 posts

Uber Geek

Lifetime subscriber

  #813306 7-May-2013 21:47

Yes, absolutely terrible. But very common. Good luck getting a sensible response. Rule of thumb for users - expect all passwords to be retrievable and do not use the same password for more than one service.

hatchi

62 posts

Master Geek


#813382 7-May-2013 23:23

gzt: Yes, absolutely terrible. But very common. Good luck getting a sensible response. Rule of thumb for users - expect all passwords to be retrievable and do not use the same password for more than one service.


And how many 'end users' do you know that will use the same password for everything?

It's been suggested to use a system called 'LastPass' for things

mattwnz
16824 posts

Uber Geek


  #813386 7-May-2013 23:29

But how can you get access to someone's email? The password feature is only as secure as that person's email address password. Many password retrieval systems work this way.

SaltyNZ
5473 posts

Uber Geek

Trusted
Lifetime subscriber

  #813422 8-May-2013 06:50

mattwnz: But how can you get access to someone's email? The password feature is only as secure as that person's email address password. Many password retrieval systems work this way.


Hey, can I use your computer for a sec to check my email?

Sure.

Checks the 'always log me in' box and logs into GMail.

TADA.

That's just one way. There are some very smart social engineers out there too.






gzt
11670 posts

Uber Geek

Lifetime subscriber

  #813427 8-May-2013 07:16

mattwnz: But how can you get access to someone's email? The password feature is only as secure as that person's email address password.

No. The password is only one vector for access... the mail server... the communications channel... the list can go on...

Many password retrieval systems work this way.

Yes, many systems are less than optimal. But this does not mean it is good practice.



jarledb
Webhead
2554 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  #813562 8-May-2013 10:42

One way to secure email is to use two factor authentication. Google has that available for Gmail (and Google Mail for business), Facebook has it, Dropbox etc. It's not typically turned on by default, but anyone caring about their security should turn it on.

Read more about how Google does it here http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744

timmmay
16497 posts

Uber Geek

Trusted
Subscriber

  #813580 8-May-2013 11:01

Commonsense Organics used to do this. I asked them to remove all my information from their systems and pointed out the problem, hopefully they fixed it.

1080p
1332 posts

Uber Geek
Inactive user


  #813601 8-May-2013 11:49

No one should be storing unencrypted passwords in this day and age. Literally no one. Even the worst CMS software encrypts passwords (often poorly, but still)

reven
3469 posts

Uber Geek

Trusted

  #813604 8-May-2013 11:53

What about the number of places that will just give you your password if you call up their help line and answer a simple question like your DOB?

Vodafone gave me my PIN the other day after I answered my DOB. Couldn't believe it.


Regarding stored passwords, just bcrypt everything.
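Added example, not code from the thread or from any company discussed in it, showing the design the posters are asking for: passwords stored as a salted slow hash that neither staff nor a database thief can turn back into the password, and a reset flow that issues a random, time-limited, single-use token instead of mailing the password back. reven suggests bcrypt; this example substitutes the standard library's hashlib.scrypt so it runs with no third-party package, and the structure is the same. The in-memory USERS store, the function names and the parameters are hypothetical; the reset token is kept only as a SHA-256 digest so that an insider who reads the table still cannot complete a reset.

```python
"""Reset-not-retrieve password handling (illustrative, stdlib only)."""
import hashlib
import hmac
import os
import secrets
import time

# scrypt work factors; modest so the example runs quickly. Production
# would raise them to the CPU/memory budget of the login servers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
RESET_TOKEN_TTL = 15 * 60  # seconds a reset token remains valid

# Hypothetical in-memory user table: email -> record dict
USERS = {}


def _kdf(password, salt):
    """Derive a 32-byte verifier; this is the only thing ever stored."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def register(email, password):
    salt = os.urandom(16)                       # per-user random salt
    USERS[email] = {"salt": salt, "verifier": _kdf(password, salt),
                    "reset": None}


def verify_login(email, password):
    rec = USERS.get(email)
    if rec is None:
        _kdf(password, b"\x00" * 16)            # same cost for unknown users
        return False
    return hmac.compare_digest(_kdf(password, rec["salt"]), rec["verifier"])


def request_reset(email, now=None):
    """Return the token that would be e-mailed to the user, or None.

    The HTTP response to the requester should look identical either way,
    so that the form does not reveal which addresses have accounts."""
    rec = USERS.get(email)
    if rec is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 random bits
    rec["reset"] = {"digest": hashlib.sha256(token.encode("utf-8")).digest(),
                    "expires": now + RESET_TOKEN_TTL}
    return token                                 # only ever sent, never stored


def complete_reset(email, token, new_password, now=None):
    """Accept the e-mailed token once, within its lifetime, and re-hash."""
    rec = USERS.get(email)
    if rec is None or rec["reset"] is None:
        return False
    now = time.time() if now is None else now
    pending = rec["reset"]
    if now >= pending["expires"]:
        rec["reset"] = None                      # expired: user must ask again
        return False
    digest = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(digest, pending["digest"]):
        return False                             # wrong token; keep waiting for the real one
    rec["reset"] = None                          # single use
    salt = os.urandom(16)
    rec["salt"], rec["verifier"] = salt, _kdf(new_password, salt)
    return True


if __name__ == "__main__":
    register("alice@example.com", "correct horse")   # constructed sample user
    print("login ok:", verify_login("alice@example.com", "correct horse"))
    tok = request_reset("alice@example.com")
    print("stored for reset:", USERS["alice@example.com"]["reset"]["digest"].hex())
    print("reset ok:", complete_reset("alice@example.com", tok, "battery staple"))
    print("old password still works:", verify_login("alice@example.com", "correct horse"))
```

Note what this does and does not buy you. A retrieval feature like the one in the first post is impossible here by construction: the table holds a salt and a verifier, not the password. It does not, on its own, answer SaltyNZ's point that control of the mailbox still lets an attacker reset the account; the token only limits the damage to the window in which it is valid and stops a database read from being enough. Closing the mailbox vector is what the later suggestion of two factor authentication is about.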
