
Plaintext passwords emailed? For shame

labrat
Newbie
Posts: 4
Joined: Tue Jul 03, 2012 1:14 pm
Post Tue Jul 03, 2012 1:31 pm

Plaintext passwords emailed? For shame

I had created an account here many years ago, but couldn't recall either the email address or username I had set it up under. I decided to create a new account, and it's great that you have minimum password specifications.

Then I get my confirmation email... including my password in plain text (to my great shock). I'm very disappointed to see such a boneheaded security move by a website devoted to the security profession. There is a lot of great content here and the monthly contests are a great encouragement for participation; however, I'd expect leaders in the community to practice what they preach.
GPEN, CISSP, other letters put together in semi coherent order
ziggy_567
Sr. Member
Posts: 378
Joined: Tue Dec 30, 2008 1:53 pm
Post Tue Jul 03, 2012 8:30 pm

Re: Plaintext passwords emailed? For shame

We're not storing our gold bars here.

I agree that it's not security best practice to store passwords in plain text and send them through email, but I think it's perfectly acceptable for an Internet forum to do so. If my bank was doing it, I'd take my business elsewhere without blinking.
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+
DragonGorge
Jr. Member
Posts: 86
Joined: Wed Feb 08, 2012 6:30 pm
Post Thu Jul 05, 2012 10:25 am

Re: Plaintext passwords emailed? For shame

I gotta agree with labrat:

http://jamesmckay.net/2011/04/eight-wro ... -recovery/

I was similarly surprised when CEH sent me my password in plaintext.
CrazyTalk
Newbie
Posts: 4
Joined: Thu Jun 07, 2012 12:43 pm
Location: Shreveport
Post Thu Jul 05, 2012 6:47 pm

Re: Plaintext passwords emailed? For shame

I'm going to have to jump on board with Ziggy on this one. When you're putting together a security plan, one of the first things you do is determine how critical what you're protecting is, and the risk/reward involved in protecting it.

If the information we store here won't ruin our careers, reputations, or financial lives, then I don't need strong encryption and elaborate retrieval processes.
dynamik
Recruiters
Posts: 1119
Joined: Sun Nov 09, 2008 11:00 am
Location: Mile High City
Post Thu Jul 05, 2012 7:02 pm

Re: Plaintext passwords emailed? For shame

This site is actually an elaborate hoax that exists solely to determine which security professionals will submit credentials over HTTP. Anyone who does will lose their CISSP.
The day you stop learning is the day you start becoming obsolete.
shadowzero
Full Member
Posts: 120
Joined: Sat Jun 02, 2012 10:03 pm
Post Thu Jul 05, 2012 7:22 pm

Re: Plaintext passwords emailed? For shame

Well I suppose we should all be using different passwords for each account anyway to begin with :)
dynamik
Recruiters
Posts: 1119
Joined: Sun Nov 09, 2008 11:00 am
Location: Mile High City
Post Thu Jul 05, 2012 9:33 pm

Re: Plaintext passwords emailed? For shame

shadowzero wrote: Well I suppose we should all be using different passwords for each account anyway to begin with :)

Yeah, that was the joke. If your EH account gets compromised and that causes problems for you elsewhere, you only have yourself to blame. Like Ziggy alluded to, what's the worst-case scenario of your EH account getting compromised?

Stuff like this should really be sent to Don in a PM or email. He's always been great about responding to these types of things, and there may be legitimate reasons why it can't be done now, or why the forums can't be migrated to a "more secure" solution.
The day you stop learning is the day you start becoming obsolete.
hayabusa
Hero Member
Posts: 1662
Joined: Mon Jan 29, 2007 2:59 pm
Post Thu Jul 05, 2012 9:40 pm

Re: Plaintext passwords emailed? For shame

^ ++1
~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
Triban
Hero Member
Posts: 620
Joined: Fri Feb 19, 2010 4:17 pm
Post Thu Jul 05, 2012 10:40 pm

Re: Plaintext passwords emailed? For shame

Oh noooesss, I need to change my gmail password now :D let me think... I shall make it poptarts1, oh wait, used that already... poptartS2, there, complexity, and I can remember it :D but yeah, definitely shoot it to Don in a PM before posting. This is a fairly open forum. Much of what is posted here is public. In fact much of it comes right up in google searches. So high end security is sort of a waste of time here. If you are smart you are not reusing the password on any other site.
Certs: GCWN
(@)Dewser
cyber.spirit
Sr. Member
Posts: 356
Joined: Sun Feb 26, 2012 8:07 am
Location: in your heart!
Post Fri Jul 06, 2012 2:57 am

Re: Plaintext passwords emailed? For shame

I agree it would have been better to send the password some other way, not in plain text. But it's not insecure as long as you protect your mail by changing your password from time to time and avoiding keyloggers (using a good AV; however, all AVs suck ;) ) and many other methods. But if your email is not protected, then an attacker can reset your password using it (without knowing the plain text password, if you didn't choose a security question).

CyberSprite
ICS Academy Network Security Certified
DragonGorge
Jr. Member
Posts: 86
Joined: Wed Feb 08, 2012 6:30 pm
Post Mon Jul 09, 2012 4:02 pm

Re: Plaintext passwords emailed? For shame

CrazyTalk wrote: If the information we store here won't ruin our careers, reputations, or financial lives, then I don't need strong encryption and elaborate retrieval processes.

Headline: "hacking-ethically.org Hacked - Usernames & Passwords Posted On Pastebin"

Real damage? Minimal. Sniggering in the security community? Probably a bit more. When it happened to Reddit was it a catastrophe? No, more of a "Whoopsie" but still something I'll bet they wish they didn't have to deal with.

It's definitely not on the level of say an evangelical preacher being caught with a prostitute...maybe more like a politician who forgot to check if her housekeeper is in the country legally.

I think we all agree that plain text passwords are not a good idea. And while this is "just a forum", to me it's a matter of practicing what you preach. However, in saying that, I don't really know how much extra effort is required to go from plain text to hashed/encrypted so maybe this is a case where the cost isn't worth the benefit.
apollo
Full Member
Posts: 146
Joined: Fri Apr 04, 2008 7:44 pm
Post Mon Jul 09, 2012 5:24 pm

Re: Plaintext passwords emailed? For shame

DragonGorge wrote: I think we all agree that plain text passwords are not a good idea. And while this is "just a forum", to me it's a matter of practicing what you preach. However, in saying that, I don't really know how much extra effort is required to go from plain text to hashed/encrypted so maybe this is a case where the cost isn't worth the benefit.

Agreed. The real question is, with Don's limited time, what is the level of importance. Between trying to make sure that the site stays up and dealing with getting contest rewards, publishing articles, deleting spam, updating the site, and everything else, what would it be best to let slip so that some serious time could be spent re-vamping the site to use hashed passwords?

I mean, as such, if we're going to do it right, using something simple and salted would be bad; SHA1 with a salt would be less optimal than something more sophisticated, with time built into cracking passwords as well as generating them, such as bcrypt.

There's tons of other things that should probably be done, ensure that the linkages between the two systems are using SSL for instance. With that said, I think that if this is important to people, that they write up a synopsis of things that they think should be done to improve the security of the site, research what it would take, and propose doing a project with Don to get it done.

In the end, good resume builder, Don will owe you one, and people who help out with stuff on the site tend to get rewarded.

Just a thought.
CISSP, CSSLP, MCSE+Security, MCTS, CCSP, GPEN, GWAPT, GCWN, NOP, OSCP, Security+
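To make apollo's point concrete, here is an added Python example (not code from the thread or from EH-Net's own phpBB install) contrasting the "simple and salted" SHA1 scheme with a slow, tunable-cost hash that can be raised over time and migrated on next login. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which is not in the stdlib; the record format and iteration count are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed (not from the thread): record format "pbkdf2_sha256$<iters>$<salt>$<hash>"
# and a cost of 600k iterations; PBKDF2 here plays the role bcrypt plays in the post.
ALGO = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000  # raise over time; needs_rehash() picks up old records


def salted_sha1(password: str, salt: bytes) -> str:
    """The 'simple and salted' scheme the post calls less optimal: a salt stops
    precomputed tables, but one fast hash per guess still lets an attacker try
    billions of candidates per second against a leaked database."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Slow, salted, tunable-cost hash. Each user gets a fresh random salt and the
    cost is stored with the record so it can be verified after the cost is raised."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time.
    Malformed records (e.g. leftovers from a plaintext-era table) never verify."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(hash_b64)
        iterations = int(iters)
    except ValueError:
        return False
    if algo != ALGO or iterations < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record is below the current cost (or not in this format), so a
    forum moving off plaintext, or raising its cost, can rehash on the next
    successful login instead of forcing every user through a reset."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < CURRENT_ITERATIONS
```

Because the plaintext password is available at login time, `needs_rehash` followed by `hash_password` lets the migration happen silently, user by user.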
tmcalain
Newbie
Posts: 2
Joined: Mon Aug 06, 2012 3:26 pm
Post Mon Aug 06, 2012 3:35 pm

Re: Plaintext passwords emailed? For shame

Just signed up and saw the clear text password. Hmmmmm, how do I pass this on to my company's users? We preach never sending passwords or any other information like this through unencrypted email, even when it is for non-sensitive information like this site. Basically I am going to hope that my users are actually listening to what I say, and this was a good reminder to change my password immediately! :)

Don't take this post as anything more than the ramblings of an internet monkey dancing on the keyboard :-)
Jamie.R
Sr. Member
Posts: 435
Joined: Mon Aug 06, 2012 9:57 am
Location: UK
Post Tue Aug 07, 2012 3:17 am

Re: Plaintext passwords emailed? For shame

This is not as uncommon as it sounds; many sites are storing passwords in plain text or in a non-encrypted format.

Last week a really big UK company was found to be using a plain text protocol, which is really shocking!
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
