Author

Topic: Yay for not hashing your passwords and sending them via email! (Read 800 times)

legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
The worst part is that it's far from being just Au DoD...
legendary
Activity: 1358
Merit: 1002
I guess it's okay to do such, for a couple weeks ago I opened up an anonymous account at Amazon and received a similar email showing the name I chosen and the password, instructing me to keep the login info confidential.

Just because they send you your password in plaintext doesn't mean it's stored in plaintext.
Wordpress does that. It sends the user a generated password when they register and it is mailed in plaintext, but stored hashed in the database.
legendary
Activity: 826
Merit: 1002
amarha
It's only the DoD. It's not like they care about keeping secrets or anything. /s
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
No, it is NOT ok to do that!


There is a website dedicated to that problem http://plaintextoffenders.com/about/
I always though whether this is a problem. Never thought there was someone running such campaign.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
No, it is NOT ok to do that!


There is a website dedicated to that problem http://plaintextoffenders.com/about/
legendary
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
I guess it's okay to do such, for a couple weeks ago I opened up an anonymous account at Amazon and received a similar email showing the name I chosen and the password, instructing me to keep the login info confidential.
vip
Activity: 1316
Merit: 1043
👻
I already knew that Australian government agencies don't hash passwords. I discovered that a few years ago when I changed my password to one of my old passwords but with part of it capitalised differently, and got an error message that the new password was the same as one that I was used previously, even though passwords are case senstive. There's only possible way the system could know that, and that's if they stored every password I've ever used in plain text. Shocked I tried complaining, but nobody knew what I was talking about and wouldn't even listen when I tried to explain it. I see nothing's changed.
LOL wow.
legendary
Activity: 4542
Merit: 3393
Vile Vixen and Miss Bitcointalk 2021-2023
maybe they used sha2(pass.tolower())
They don't. Passwords are case sensitive when determining whether your login password is correct, but not case sensitive when determining whether a new password is the same as one of your old passwords. I'm pretty sure they're not storing two different hashes of each password solely to produce inconsistent case sensitivity, because there's just no real reason to do that and it runs the risk of people like me noticing the inconsistency and complaining about it unnecessarily. No, it's far more likely that they're storing passwords in plain text, and the inconsistent behaviour is the result of the two password comparison functions being written by two different people, neither of whom thought it was strange that they were comparing actual passwords instead of hashes, or if they did, their boss angrily reminded them that "they don't get paid to think". Roll Eyes
sr. member
Activity: 306
Merit: 257
maybe they used sha2(pass.tolower())
legendary
Activity: 1512
Merit: 1049
Death to enemies!
The same with SEB bank latvian branch. It is unlikely that the passwords will be leaked by dumped database but saving unhashed passwords - retarded decision by those who made the system. This is a result of hiring oldfarts with 1990-ties security school versus new and smart boys who are hackers and know how to properly make secure system.

Post this info to AnonOps. Might be useful next time ausies are hit by Anons for revoking Julian Assange's passport.
legendary
Activity: 4542
Merit: 3393
Vile Vixen and Miss Bitcointalk 2021-2023
I already knew that Australian government agencies don't hash passwords. I discovered that a few years ago when I changed my password to one of my old passwords but with part of it capitalised differently, and got an error message that the new password was the same as one that I was used previously, even though passwords are case senstive. There's only possible way the system could know that, and that's if they stored every password I've ever used in plain text. Shocked I tried complaining, but nobody knew what I was talking about and wouldn't even listen when I tried to explain it. I see nothing's changed.
hero member
Activity: 756
Merit: 501
There is more to Bitcoin than bitcoins.
What's the big deal? It's not like they've got something to hide.
lch
newbie
Activity: 28
Merit: 0
hero member
Activity: 952
Merit: 1009
In the same mail, even.  Cheesy
vip
Activity: 1316
Merit: 1043
👻
Jump to: