
Topic: Yay for not hashing your passwords and sending them via email!

legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
The worst part is that it's far from being just Au DoD...
legendary
Activity: 1358
Merit: 1002
I guess it's okay to do that, for a couple of weeks ago I opened an anonymous account at Amazon and received a similar email showing the name I had chosen and the password, instructing me to keep the login info confidential.

Just because they send you your password in plaintext doesn't mean it's stored in plaintext.
Wordpress does that. It sends the user a generated password when they register and it is mailed in plaintext, but stored hashed in the database.
legendary
Activity: 826
Merit: 1002
amarha
It's only the DoD. It's not like they care about keeping secrets or anything. /s
global moderator
Activity: 3766
Merit: 2610
In a world of peaches, don't ask for apple sauce
No, it is NOT ok to do that!


There is a website dedicated to that problem http://plaintextoffenders.com/about/
I always wondered whether this was a problem. Never thought there was someone running such a campaign.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
No, it is NOT ok to do that!


There is a website dedicated to that problem http://plaintextoffenders.com/about/
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
I guess it's okay to do that, for a couple of weeks ago I opened an anonymous account at Amazon and received a similar email showing the name I had chosen and the password, instructing me to keep the login info confidential.
vip
Activity: 1316
Merit: 1043
👻
I already knew that Australian government agencies don't hash passwords. I discovered that a few years ago when I changed my password to one of my old passwords but with part of it capitalised differently, and got an error message that the new password was the same as one that I had used previously, even though passwords are case sensitive. There's only one possible way the system could know that, and that's if they stored every password I've ever used in plain text. Shocked I tried complaining, but nobody knew what I was talking about and wouldn't even listen when I tried to explain it. I see nothing's changed.
LOL wow.
legendary
Activity: 4494
Merit: 3178
Vile Vixen and Miss Bitcointalk 2021-2023
maybe they used sha2(pass.tolower())
They don't. Passwords are case sensitive when determining whether your login password is correct, but not case sensitive when determining whether a new password is the same as one of your old passwords. I'm pretty sure they're not storing two different hashes of each password solely to produce inconsistent case sensitivity, because there's just no real reason to do that and it runs the risk of people like me noticing the inconsistency and complaining about it unnecessarily. No, it's far more likely that they're storing passwords in plain text, and the inconsistent behaviour is the result of the two password comparison functions being written by two different people, neither of whom thought it was strange that they were comparing actual passwords instead of hashes, or if they did, their boss angrily reminded them that "they don't get paid to think". Roll Eyes
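An added example (not code from WordPress, Amazon or any agency named in this thread) that illustrates the two points made above: the WordPress-style flow where the generated password is e-mailed once in plaintext but only a salted hash is stored, and the reasoning that a password-history check which catches a case variant of an old password needs the old plaintext. The in-memory store, the function names and the sample passwords are hypothetical; PBKDF2-SHA256 is used because it is in the Python standard library, not because any site discussed uses it.

```python
"""Registration that e-mails a one-time password but stores only a hash,
plus the reuse check such a system can (and cannot) perform.
Added example; not code from any of the sites discussed in the thread."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Hypothetical in-memory store: username -> list of password hashes, newest last.
USERS: dict = {}


def generate_password(nbytes: int = 12) -> str:
    """Random, URL-safe temporary password (about 16 characters)."""
    return secrets.token_urlsafe(nbytes)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted PBKDF2-SHA256, encoded as algo$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(username: str) -> str:
    """Create the account and return the welcome e-mail body.
    The plaintext exists only in the returned message; USERS holds the hash."""
    password = generate_password()
    USERS[username] = [hash_password(password)]
    return (f"Welcome {username}. Your temporary password is: {password}\n"
            "Please change it after your first login.")


def login(username: str, password: str) -> bool:
    """Case-sensitive: a different capitalisation is simply a different string."""
    return username in USERS and verify_password(password, USERS[username][-1])


def change_password(username: str, new_password: str) -> bool:
    """Reject reuse of any earlier password.  With only hashes on file, reuse is
    detectable solely as an exact match; a case variant of an old password is
    indistinguishable from a brand-new one."""
    history = USERS[username]
    if any(verify_password(new_password, h) for h in history):
        return False
    history.append(hash_password(new_password))
    return True


def plaintext_style_reuse_check(new_password: str, old_plaintexts: list) -> bool:
    """What a system must be doing if it flags 'Password1' as a reuse of
    'password1': it still has the old plaintexts to lowercase and compare."""
    return any(new_password.lower() == old.lower() for old in old_plaintexts)


if __name__ == "__main__":
    mail = register("alice")
    print(mail)
    print("stored record:", USERS["alice"][0])
```

The same hash function cannot serve both behaviours the poster observed: hashing `pass.lower()` would make the history check case-insensitive, but it would make login case-insensitive too.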
sr. member
Activity: 306
Merit: 257
maybe they used sha2(pass.tolower())
legendary
Activity: 1512
Merit: 1049
Death to enemies!
The same with SEB bank's Latvian branch. It is unlikely that the passwords will be leaked by a dumped database, but saving unhashed passwords is a retarded decision by those who made the system. This is a result of hiring old farts with 1990s security schooling versus new and smart boys who are hackers and know how to properly make a secure system.

Post this info to AnonOps. Might be useful next time the Aussies are hit by Anons for revoking Julian Assange's passport.
legendary
Activity: 4494
Merit: 3178
Vile Vixen and Miss Bitcointalk 2021-2023
I already knew that Australian government agencies don't hash passwords. I discovered that a few years ago when I changed my password to one of my old passwords but with part of it capitalised differently, and got an error message that the new password was the same as one that I had used previously, even though passwords are case sensitive. There's only one possible way the system could know that, and that's if they stored every password I've ever used in plain text. Shocked I tried complaining, but nobody knew what I was talking about and wouldn't even listen when I tried to explain it. I see nothing's changed.
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
What's the big deal? It's not like they've got something to hide.
lch
newbie
Activity: 28
Merit: 0
hero member
Activity: 952
Merit: 1009
In the same mail, even.  Cheesy
vip
Activity: 1316
Merit: 1043
👻