Plaintext passwords emailed? For shame

[labrat]

I had created an account here many years ago, but couldn't recall either the email address or username I had set it up under. I decided to create a new account and, it's great that you have minimum password specifications.

Then I get my confirmation email... including my password in plain text (to my great shock). I'm very disappointed to see such a boneheaded security move by a website devoted to the security profession. There is a lot of great content here and the monthly contests are a great encouragement for participation, however I'd expect leaders in the community to practice what they preach.

[ziggy_567]

We're not storing our gold bars here.

I agree that it's not security best practice to store passwords in plain text and send them through email, but I think it's perfectly acceptable for an Internet forum to do so. If my bank was doing it, I'd take my business elsewhere without blinking.

[DragonGorge]

I gotta agree with labrat:

http://jamesmckay.net/2011/04/eight-wrong-reasons-why-you-are-storing-passwords-for-clear-text-recovery/

I was similarly surprised when CEH sent me my password in plaintext.

[CrazyTalk]

I'm  going to have to jump on board with Ziggy on this one.  When you're putting together a security plan, one of the first things you do is determine how critical what you're protecting is, and the risk/reward involved in protecting it.

If the information we store here won't ruin our careers, reputations, or financial lives, then I don't need strong encryption and elaborate retrieval processes.

[ajohnson]

This site is actually an elaborate hoax that exists solely to determine which security professionals will submit credentials over HTTP. Anyone who does will lose their CISSP.

[shadowzero]

Well I suppose we should all be using different passwords for each account anyway to begin with

[ajohnson]

Well I suppose we should all be using different passwords for each account anyway to begin with

Yea, that was the joke. If your EH account gets compromised and that causes problems for you elsewhere, you only have yourself to blame. Like Ziggy alluded to, what's the worst-case scenario of your EH account getting compromised?

Stuff like this should really be sent to Don in a PM or email. He's always been great about responding to these types of things, and there may be legitimate reasons why it can't be done now, or why the forums can't be migrated to a "more secure" solution.

[hayabusa]

^ ++1

[3xban]

Oh noooesss I need to change my gmail password now let me thing...  I shall make it poptarts1 oh wait used that already...  poptartS2 there complexity and I can remember it   but yeah definitely shoot it to Don in a PM before posting.  This is a fairly open forum.  Much of what is posted here is public.  In fact much of it comes right up in google searches.  So high end security is sort of a waste of time here.  If you are smart you are not reusing the password on any other site. 

[fred]

i agree it was better to write the password in other way not plain text. But its not insecure as long as u protect ur mail by changing ur password from time to time and avoiding key loggers (using a good av. However all AVs are sucks ) and many of other methods. But if ur email is not protected then an attacker can reset ur password using it (without knowing the plain text pass if u didnt choose security question)

CyberSprite

[DragonGorge]

If the information we store here won't ruin our careers, reputations, or financial lives, then I don't need strong encryption and elaborate retrieval processes.

Headline: "hacking-ethically.org Hacked - Usernames & Passwords Posted On Pastebin"

Real damage? Minimal. Sniggering in the security community? Probably a bit more. When it happened to Reddit was it a catastrophe? No, more of a "Whoopsie" but still something I'll bet they wish they didn't have to deal with.

It's definitely not on the level of say an evangelical preacher being caught with a prostitute...maybe more like a politician who forgot to check if her housekeeper is in the country legally.

I think we all agree that plain text passwords are not a good idea. And while this is "just a forum", to me it's a matter of practicing what you preach. However, in saying that, I don't really know how much extra effort is required to go from plain text to hashed/encrypted so maybe this is a case where the cost isn't worth the benefit.

[apollo]

I think we all agree that plain text passwords are not a good idea. And while this is "just a forum", to me it's a matter of practicing what you preach. However, in saying that, I don't really know how much extra effort is required to go from plain text to hashed/encrypted so maybe this is a case where the cost isn't worth the benefit.

Agreed.  The real question is, with Don's limited time, what is the level of importance. Between trying to make sure that the site stays up and dealing with getting contest rewards, publishing articles, deleting spam, updating the site, and everything else, what would it be best if it slipped so that some serious time could be spent re-vamping the site to use hashed passwords.

I mean as such, if we're going to do it right, using something simple and salted would be bad, so like SHA1 with a salt would be less optimal than something more sophisticated than that with time built into cracking passwords as well as generating them such as bcrypt.

There's tons of other things that should probably be done, ensure that the linkages between the two systems are using SSL for instance.  With that said, I think that if this is important to people, that they write up a synopsis of things that they think should be done to improve the security of the site, research what it would take, and propose doing a project with Don to get it done.

In the end, good resume builder, Don will owe you one, and people who help out with stuff on the site tend to get rewarded.

Just a thought.

[tmcalain]

Just signed up and saw the clear text Password.  Hmmmmm how do I pass this onto my companies users.  We preach never sending passwords or any other information like this through unencrypted email even when it is for non-sensitive information like this site.  Basically I am going to hope that my users are actually listening to what I say and this was a good reminder to change my password immediately! 

Don't take this post as anything more than the ramblings of an internet monkey dancing on the keyboard :-)

[Jamie.R]

This is not as uncommon as it sounds many sites are storing password in plain text or a non encrypted format.

Last week a really big uk company were found to using plain text protocol. What is really shocking!