Password in the mail



  • Some parts of the internetz are old. Very old. Really old.
    E.g. there are still "mailing lists" while there could be fora.
    Just subscribed to such a mailing list. I had to give them my email address (OK, that's appropriate) and a password.

    Then I received an email with a link for confirming my subscription, and eventually a confirmation mail.
    [image: password.png]

    Yes, they included my password in clear ASCII encryption in the email message!


  • Considered Harmful

    @BernieTheBernie said in Password in the mail:

    clear ASCII encryption

    :doing_it_wrong: We always use secure ROT-26 encryption!



  • @BernieTheBernie said in Password in the mail:

    Some parts of the internetz are old. Very old. Really old.
    E.g. there are still "mailing lists" while there could be fora.
    Just subscribed to such a mailing list. I had to give them my email address (OK, that's appropriate) and a password.

    Then I received an email with a link for confirming my subscription, and eventually a confirmation mail.
    [image: password.png]

    Yes, they included my password in clear ASCII encryption in the email message!

    Hmm... anyone feel like signing up and trying to set the entire text of the Encyclopaedia Britannica as their password? See if they have any limits to their password length? Because if they're that old they might not, and it would be hilarious to see what that did to their flat file database storing that in plain text.


  • BINNED

    @Vixen
    Sounds like you have done this before ...



  • @Vixen

    Hrm, I'll start with setting the 'Special Delivery' Classic WTF as my password on such a mailing list. 😈

    And see how far I can go from there...

    Also:
    KeePass just quietly truncates long passwords.



  • @Luhmann said in Password in the mail:

    @Vixen
    Sounds like you have done this before ...

    Not with the Encyclopaedia Britannica, no, I used the OED last time I did that.



  • @Vixen said in Password in the mail:

    @Luhmann said in Password in the mail:

    @Vixen
    Sounds like you have done this before ...

    Not with the Encyclopaedia Britannica, no, I used the OED last time I did that.

    That's good, it's important to avoid reusing passwords.



  • @Vixen said in Password in the mail:

    Hmm... anyone feel like signing up and trying to set the entire text of the Encyclopaedia Britannica as their password? See if they have any limits to their password length? Because if they're that old they might not, and it would be hilarious to see what that did to their flat file database storing that in plain text.

    It runs on GNU Mailman 2.1.26, released 2018-02-04. Though I didn’t check, that sounds recent enough that it’ll probably have a maximum password length.



  • @BernieTheBernie That's not news or surprising at all:


  • Fake News

    @hungrier said in Password in the mail:

    @Vixen said in Password in the mail:

    @Luhmann said in Password in the mail:

    @Vixen
    Sounds like you have done this before ...

    Not with the Encyclopaedia Britannica, no, I used the OED last time I did that.

    That's good, it's important to avoid reusing passwords.

    Trouble is, I always forget what site I used War and Peace on...



  • My mum asked my opinion on the website for her yoga classes. A friend of hers had forgotten her password and on requesting a reset had received an email from the yoga teacher with her password - apparently not even an automated email.

    Said friend was sufficiently educated to know that this was wrong, and complained.

    The yoga teacher's response was, reportedly, "well the password has to be stored somewhere and I'm the admin of the website so of course I can see it." I of course confirmed my mum and her friend's suspicions that that is in fact complete male bovine excrement, though I don't know whether the friend bothered to take it any further.

    (I'm certain that the yoga teacher believed what they were saying, probably having been told so by the idiot they engaged to build their website.)


  • BINNED

    @CarrieVS said in Password in the mail:

    The yoga teacher's response was, reportedly, "well the password has to be stored somewhere and I'm the admin of the website so of course I can see it." I of course confirmed my mum and her friend's suspicions that that is in fact complete male bovine excrement, though I don't know whether the friend bothered to take it any further.

    This is actually surprisingly logical if you have no clue about how security works. It's based on wrong assumptions / ignorance of the existence of hash functions, but a more thought-through response than simply :mlp_shrug:.



  • @topspin The problem is, it's an "unknown unknowns" thing. People who don't know about hashing passwords also don't know that they need to know about it. It's one of those "just enough knowledge to be dangerous" situations that make experienced developers cringe a little when they see marketing for products proclaiming that they will make it easier than ever to build a $software_product with no knowledge of coding required!
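
As an added illustration of the point made in the last two posts (this is not code from the thread, from Mailman, or from the yoga site), here is the "the admin can see it" plaintext design next to a salted-hash design in which the site can still verify a login and handle a reset, but has no password to mail back. The store names, the PBKDF2 parameters and the sample user are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for the "flat file" the thread
# jokes about; none of this is real mailing-list or Mailman code.
plaintext_db = {}   # the "admin can see it" design: password stored as typed
hashed_db = {}      # what the replies point at: store only a salted hash
reset_tokens = {}   # single-use tokens for the hashed design's reset mail

def register_plaintext(user, password):
    plaintext_db[user] = password

def reset_mail_plaintext(user):
    # The thread's failure mode: the reset mail contains the password itself.
    return f"Your password is: {plaintext_db[user]}"

def hash_password(password, salt=None):
    # PBKDF2-HMAC-SHA256 with a random 16-byte salt per user (assumed params).
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def register_hashed(user, password):
    hashed_db[user] = hash_password(password)

def verify_hashed(user, password):
    # The site can still check a login: recompute with the stored salt and
    # compare in constant time. The stored value never yields the password.
    rec = hashed_db.get(user)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

def reset_mail_hashed(user):
    # Nothing to mail back: issue a random single-use token instead.
    token = secrets.token_urlsafe(32)
    reset_tokens[user] = token
    return f"Use this token to choose a new password: {token}"

def redeem_reset_token(user, token, new_password):
    # Token is consumed on first use, whether or not it matches.
    expected = reset_tokens.pop(user, None)
    if expected is None or not hmac.compare_digest(expected, token):
        return False
    hashed_db[user] = hash_password(new_password)
    return True
```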

