Caravel Forum : Caravel Boards : The Site : Passwords

Mouse
Level: Master Delver
Rank Points: 246
Registered: 04-21-2005
Passwords (+3)
Two things:
1. When you change your password, if the new one doesn't meet the requirements (which are not stated on the form), you are presented with an error message and nothing else. You have to use your browser's back button or equivalent to go back and have another go. I suggest either adding a clickable back link or, better yet, displaying the error at the top of the form.
2. If you ask for your password to be emailed to you, it is sent as plain text. Given there are fairly strict requirements for the password this seems illogical. Maybe a user should be given a "Reset your password" link with a limited availability instead?

[Last edited by Mouse at 04-27-2012 07:04 PM]
04-27-2012 at 07:03 PM
Schik
Level: Legendary Smitemaster
Rank Points: 5381
Registered: 02-04-2003
Re: Passwords (+1)
I agree on both counts. I've wanted for ages to stop storing the plaintext password at ALL. Just never got around to it. I'll mark this as todo so I remember it. :)

____________________________
The greatness of a nation and its moral progress can be judged by the way it treats its animals.
--Mahatma Gandhi
04-30-2012 at 02:20 PM
Syntax
Level: Smitemaster
Rank Points: 1218
Registered: 05-12-2005
Re: Passwords (+1)
You store passwords in plain text?
If anyone is ever offended by anything I post then I was hacked.
05-05-2012 at 04:02 PM
Dischorran
Level: Smitemaster
Rank Points: 3408
Registered: 09-10-2005
Re: Passwords (0)
Wait, but my password is "plaintext". Will I have to change it?

05-05-2012 at 09:42 PM
Schik
Level: Legendary Smitemaster
Rank Points: 5381
Registered: 02-04-2003
Re: Passwords (0)
Don't you worry, I'll change it for you. O:-

____________________________
The greatness of a nation and its moral progress can be judged by the way it treats its animals.
--Mahatma Gandhi
05-05-2012 at 09:51 PM
Briareos
Level: Smitemaster
Rank Points: 3516
Registered: 08-07-2005
Re: Passwords (0)
Schik wrote:
Don't you worry, I'll someone - like, anyone - will change it for you soon. O:-
Fixed.

____________________________
"I'm not anti-anything, I'm anti-everything, it fits better." - Sole
R.I.P. Robert Feldhoff (1962-2009) :(
05-05-2012 at 10:25 PM
Kwakstur
Level: Smiter
Rank Points: 385
Registered: 05-05-2006
Re: Passwords (0)
I've shopped at a site that not only stores passwords in plain text, but:

- Treats passwords as case insensitive
- Produced a 500 Error when I tried to register with a password that had a hyphen, and again when I tried a password that was 34 characters long.
- When confirming the data you've entered before finishing registration, it uses the column names directly from the site's database as the name of each field
- Sends out an "Automatic mail for order check" when you order something. Your password can be found conveniently under "Member Information" in this email.

And let me repeat: I shopped there. S'all good though. The site's sole proprietor* does all his business through PayPal, so my credit information never came within an inch of his database.


I guess the moral of the story is: There's always somebody who can do - and has done - it worse.


*suddenly things make sense

____________________________
Also known as ExpHP everywhere else.

[Last edited by Kwakstur at 05-05-2012 10:48 PM]
05-05-2012 at 10:45 PM
Banjooie
Level: Smitemaster
Rank Points: 1645
Registered: 12-12-2004
Re: Passwords (0)
I can think of a company with 10 million regular customers on just one of their products where the password is case insensitive.
05-07-2012 at 09:30 PM
Syntax
Level: Smitemaster
Rank Points: 1218
Registered: 05-12-2005
Re: Passwords (0)
I'm just baffled as to how he knows it's stored in plain text unless he wrote the software.

My anecdote, in any case, is that a previous company expected passwords to be unique.
05-08-2012 at 12:52 AM
Jatopian
Level: Smitemaster
Rank Points: 1842
Registered: 07-31-2005
Re: Passwords (0)
How unique are we talking here, Syntax?

____________________________
DROD has some really great music.
Make your pressure plates 3.0 style!
DROD architecture idea generator
05-08-2012 at 12:57 AM
Syntax
Level: Smitemaster
Rank Points: 1218
Registered: 05-12-2005
Re: Passwords (0)
Jatopian wrote:
How unique are we talking here, Syntax?
Ultra unique... Very secure. No-one could have the same password
05-08-2012 at 01:15 AM
Jatopian
Level: Smitemaster
Rank Points: 1842
Registered: 07-31-2005
Re: Passwords (0)
Well now I can see a potential security flaw there. Be informed your password isn't unique, then try to log into every other account with that password.

____________________________
DROD has some really great music.
Make your pressure plates 3.0 style!
DROD architecture idea generator
05-08-2012 at 01:17 AM
Syntax
Level: Smitemaster
Rank Points: 1218
Registered: 05-12-2005
Re: Passwords (+1)
Jatopian wrote:
Well now I can see a potential security flaw there. Be informed your password isn't unique, then try to log into every other account with that password.
The message would say "Invalid password - it is already in use by <insert username>"

Thank gosh all we did was store bank details
05-08-2012 at 10:06 AM
asmussen
Level: Master Delver
Rank Points: 188
Registered: 04-02-2004
Re: Passwords (0)
Syntax wrote:
I'm just baffled as to how he knows it's stored in plain text unless he wrote the software.

My anecdote in any case, is that a previous company expected passwords to be unique.

I think he knows that it's stored in plain text because the password reminder email actually sends the password instead of a link to reset it or something else along those lines. Technically this doesn't mean that the password HAS to be stored in plain text. It could be obfuscated in some way, but in a way that still allows the original password to be obtained. That's nearly as bad, though. Passwords should be stored as some sort of hash so that even with a list of the password database it would be impossible to get the original passwords without using a brute force dictionary attack or something similar.

____________________________
Shawn Asmussen
05-08-2012 at 06:48 PM
Keiya
Level: Delver
Rank Points: 73
Registered: 03-25-2012
Re: Passwords (0)
Ideally a salted hash, which makes lookup tables not work.

____________________________
636th Trapdoor Replacer
05-10-2012 at 01:43 AM
skell
Level: Legendary Smitemaster
Rank Points: 3734
Registered: 12-28-2004
Re: Passwords (0)
Keiya wrote:
Ideally a salted hash, which makes lookup tables not work.
Even more ideally, a salt that is different for each user using a modern hash algorithm (so md5 < sha1 < ?). Something like:
sha1(jenkins(USER_NAME) . password)


____________________________
My website | Facebook | Twitter
05-10-2012 at 07:18 AM
Syntax
Level: Smitemaster
Rank Points: 1218
Registered: 05-12-2005
Re: Passwords (0)
asmussen wrote:
Syntax wrote:
I'm just baffled as to how he knows it's stored in plain text unless he wrote the software.

My anecdote in any case, is that a previous company expected passwords to be unique.

I think he knows that it's stored in plain text because the password reminder email actually sends the password instead of a link to reset it or something else along those lines.
Point taken... I was presuming the password in the email was a temporary one though but agree with your suggestions.

We (not Caravel but personal job) use salted sha-512 but still need to store the temp passwords in plain text which are invalidated upon initial login (and password reset) or within 6 hours.
05-10-2012 at 12:30 PM
asmussen
Level: Master Delver
Rank Points: 188
Registered: 04-02-2004
Re: Passwords (0)
Syntax wrote:
asmussen wrote:
Syntax wrote:
I'm just baffled as to how he knows it's stored in plain text unless he wrote the software.

My anecdote in any case, is that a previous company expected passwords to be unique.

I think he knows that it's stored in plain text because the password reminder email actually sends the password instead of a link to reset it or something else along those lines.
Point taken... I was presuming the password in the email was a temporary one though but agree with your suggestions.

We (not Caravel but personal job) use salted sha-512 but still need to store the temp passwords in plain text which are invalidated upon initial login (and password reset) or within 6 hours.

Nope, no temporary password. It just emails your current password to the email on file for the account.

____________________________
Shawn Asmussen
05-10-2012 at 06:40 PM