EH-Net Forum Topic: Plaintext passwords emailed? For shame (Read 5889 times)
labrat
Newbie
Posts: 3
« on: July 03, 2012, 01:31:52 PM »

I had created an account here many years ago, but couldn't recall either the email address or username I had set it up under. I decided to create a new account, and it's great that you have minimum password specifications.

Then I get my confirmation email... including my password in plain text (to my great shock). I'm very disappointed to see such a boneheaded security move by a website devoted to the security profession. There is a lot of great content here and the monthly contests are a great encouragement for participation; however, I'd expect leaders in the community to practice what they preach.


GPEN, CISSP, other letters put together in semi coherent order
ziggy_567
Sr. Member
Posts: 361
« Reply #1 on: July 03, 2012, 08:30:12 PM »

We're not storing our gold bars here.

I agree that it's not security best practice to store passwords in plain text and send them through email, but I think it's perfectly acceptable for an Internet forum to do so. If my bank was doing it, I'd take my business elsewhere without blinking.
--
Ziggy
eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
DragonGorge
Jr. Member
Posts: 83
« Reply #2 on: July 05, 2012, 10:25:43 AM »

I gotta agree with labrat:

http://jamesmckay.net/2011/04/eight-wrong-reasons-why-you-are-storing-passwords-for-clear-text-recovery/

I was similarly surprised when CEH sent me my password in plaintext.
CrazyTalk
Newbie
Posts: 4
It's not paranoia if they're really out there!
« Reply #3 on: July 05, 2012, 06:47:47 PM »

I'm going to have to jump on board with Ziggy on this one. When you're putting together a security plan, one of the first things you do is determine how critical what you're protecting is, and the risk/reward involved in protecting it.

If the information we store here won't ruin our careers, reputations, or financial lives, then I don't need strong encryption and elaborate retrieval processes.
ajohnson
Recruiters
Hero Member
Posts: 1057
aka dynamik
« Reply #4 on: July 05, 2012, 07:02:05 PM »

This site is actually an elaborate hoax that exists solely to determine which security professionals will submit credentials over HTTP. Anyone who does will lose their CISSP.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
shadowzero
Full Member
Posts: 120
It's a UNIX system, I know this!
« Reply #5 on: July 05, 2012, 07:22:09 PM »

Well, I suppose we should all be using different passwords for each account anyway to begin with :)
ajohnson
Recruiters
Hero Member
Posts: 1057
aka dynamik
« Reply #6 on: July 05, 2012, 09:33:44 PM »

Well, I suppose we should all be using different passwords for each account anyway to begin with :)

Yea, that was the joke. If your EH account gets compromised and that causes problems for you elsewhere, you only have yourself to blame. Like Ziggy alluded to, what's the worst-case scenario of your EH account getting compromised?

Stuff like this should really be sent to Don in a PM or email. He's always been great about responding to these types of things, and there may be legitimate reasons why it can't be done now, or why the forums can't be migrated to a "more secure" solution.

WIP: GCFA | www.infosiege.net | @infosiege

The day you stop learning is the day you start becoming obsolete.
hayabusa
Hero Member
Posts: 1632
« Reply #7 on: July 05, 2012, 09:40:20 PM »

^ ++1

~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'
OSCE, OSCP , GPEN, C|EH
3xban
Hero Member
Posts: 608
« Reply #8 on: July 05, 2012, 10:40:32 PM »

Oh noooesss, I need to change my gmail password now :D Let me think... I shall make it poptarts1. Oh wait, used that already... poptartS2. There, complexity, and I can remember it :D But yeah, definitely shoot it to Don in a PM before posting. This is a fairly open forum. Much of what is posted here is public. In fact much of it comes right up in Google searches. So high end security is sort of a waste of time here. If you are smart you are not reusing the password on any other site.

Certs: GCWN
(@)Dewser
Cyber.spirit
Sr. Member
Posts: 351
The World is sick, Save your mind...
« Reply #9 on: July 06, 2012, 02:57:37 AM »

I agree it would have been better to write the password in another way, not plain text. But it's not insecure as long as you protect your mail by changing your password from time to time and avoiding key loggers (using a good AV. However, all AVs suck ;) ) and many other methods. But if your email is not protected then an attacker can reset your password using it (without knowing the plain text pass if you didn't choose a security question).

CyberSprite

ICS Academy Network Security Certified
DragonGorge
Jr. Member
Posts: 83
« Reply #10 on: July 09, 2012, 04:02:06 PM »

If the information we store here won't ruin our careers, reputations, or financial lives, then I don't need strong encryption and elaborate retrieval processes.

Headline: "hacking-ethically.org Hacked - Usernames & Passwords Posted On Pastebin"

Real damage? Minimal. Sniggering in the security community? Probably a bit more. When it happened to Reddit was it a catastrophe? No, more of a "Whoopsie" but still something I'll bet they wish they didn't have to deal with.

It's definitely not on the level of, say, an evangelical preacher being caught with a prostitute... maybe more like a politician who forgot to check if her housekeeper is in the country legally.

I think we all agree that plain text passwords are not a good idea. And while this is "just a forum", to me it's a matter of practicing what you preach. However, in saying that, I don't really know how much extra effort is required to go from plain text to hashed/encrypted so maybe this is a case where the cost isn't worth the benefit.
apollo
Full Member
Posts: 146
« Reply #11 on: July 09, 2012, 05:24:09 PM »

I think we all agree that plain text passwords are not a good idea. And while this is "just a forum", to me it's a matter of practicing what you preach. However, in saying that, I don't really know how much extra effort is required to go from plain text to hashed/encrypted so maybe this is a case where the cost isn't worth the benefit.

Agreed. The real question is, with Don's limited time, what is the level of importance? Between trying to make sure that the site stays up and dealing with getting contest rewards, publishing articles, deleting spam, updating the site, and everything else, what would it be best to let slip so that some serious time could be spent re-vamping the site to use hashed passwords?

I mean, as such, if we're going to do it right, using something simple and salted would be bad; SHA1 with a salt would be less optimal than something more sophisticated, with time built into cracking passwords as well as generating them, such as bcrypt.

There's tons of other things that should probably be done, ensuring that the linkages between the two systems are using SSL for instance. With that said, I think that if this is important to people, they should write up a synopsis of things that they think should be done to improve the security of the site, research what it would take, and propose doing a project with Don to get it done.

In the end, good resume builder, Don will owe you one, and people who help out with stuff on the site tend to get rewarded.

Just a thought.

CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
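
The scheme apollo describes (a salted hash with a tunable work factor instead of plain text or plain salted SHA1) together with the thread's original complaint (the password arriving by email), as an added example that is not code from this forum or from SMF: registration stores only a salt and a slow hash, login recomputes it, and "forgotten password" emails a short-lived random reset token rather than the password. It uses `hashlib.pbkdf2_hmac` from the Python standard library as a stand-in for the bcrypt the post names; the record layout, iteration count and token lifetime are this example's own choices.

```python
import hashlib
import hmac
import os
import secrets
import time

# Added example: stand-in for bcrypt using stdlib PBKDF2-HMAC-SHA256.
# The iteration count is the work factor; raise it as hardware gets faster.
ITERATIONS = 200_000


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """What the database stores: per-user salt, slow hash, cost. No plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": iterations}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def legacy_salted_sha1(password: str, salt: bytes) -> str:
    """The 'simple and salted' scheme the post calls less optimal: one cheap hash,
    so an offline guess costs a single SHA1 instead of ITERATIONS of HMAC."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def issue_reset_token(record: dict, ttl_seconds: int = 900) -> str:
    """What to email instead of the password: a random, short-lived token.
    Only its hash is stored, so a database leak does not leak usable tokens."""
    token = secrets.token_urlsafe(32)
    record["reset_hash"] = hashlib.sha256(token.encode()).hexdigest()
    record["reset_expires"] = time.time() + ttl_seconds
    return token


def redeem_reset_token(record: dict, token: str, new_password: str) -> bool:
    """Accept the token once, only before expiry, then store the new hash."""
    expected = record.get("reset_hash")
    if expected is None or time.time() > record.get("reset_expires", 0):
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), expected):
        return False
    record.update(make_record(new_password, record["iterations"]))
    del record["reset_hash"], record["reset_expires"]  # single use
    return True
```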
tmcalain
Newbie
Posts: 2
« Reply #12 on: August 06, 2012, 03:35:47 PM »

Just signed up and saw the clear text password. Hmmmmm, how do I pass this on to my company's users? We preach never sending passwords or any other information like this through unencrypted email, even when it is for non-sensitive information like this site. Basically I am going to hope that my users are actually listening to what I say, and this was a good reminder to change my password immediately! :)

Don't take this post as anything more than the ramblings of an internet monkey dancing on the keyboard :-)
Jamie.R
Sr. Member
Posts: 429
« Reply #13 on: August 07, 2012, 03:17:13 AM »

This is not as uncommon as it sounds; many sites are storing passwords in plain text or a non-encrypted format.

Last week a really big UK company was found to be using a plain text protocol, which is really shocking!

OSWP | Hackingdojo Nidan | eCPPT