GoHastings has a very interesting username/password system.



  • The other day I bought Ace Combat Zero from GoHastings through Amazon.com. I did not recall what type of shipping I had chosen (or if I was even given the option), so I went to their website at http://www.hastingsentertainment.com/catalog/ . Gamestop/EB Games allows you to check your order with just your order number, but on GoHastings you need an account. So I go about setting up my account and it claims my email address is in use. This is odd, as I've never been to their website. I go through the "forgot password" stuff and I get the password in my email, which is the same as the first part of my email address! Apparently GoHastings decided that it would do me a favor of creating an account without telling me and keeping my billing information (luckily they don't save the credit card number) in it. I tried to see if it's possible for somebody to order something and have it billed directly to my address, but pretty much every click gave a nice error message so I guess I'll never know.



  • Yeah, that sounds like a pretty good failure in security, but at least it doesn't appear that easily exploitable without some social engineering or outside information... because that makes it okay.



  • Odd... Most sites these days don't actually mail you your forgotten password... you know... security and all. Instead, they mail you a temporary replacement password. But not here, apparently. Security indeed.



  • @durnurd said:

    Odd... Most sites these days don't actually mail you your forgotten password... you know... security and all.

    That's because most sites encrypt your password when they store it, and there's no way to retrieve it.
    Or were you being sarcastic? It's hard to tell on a forum :P.
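As an added example (not code from the thread, nor from GoHastings' site), here is what the "no way to retrieve it" design described above looks like in Python: passwords are stored only as salted PBKDF2 hashes, login compares hashes in constant time, and a forgotten-password request issues a short-lived, single-use reset token instead of mailing anything back. The in-memory store, the function names and the 15-minute expiry are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory "database" for the example (assumption):
# email -> {"salt": bytes, "hash": bytes}. No plaintext password is ever stored.
USERS = {}
# sha256(token) -> (email, expiry). Only a hash of the token is kept, so a
# leaked table cannot be used to reset accounts.
RESET_TOKENS = {}

PBKDF2_ROUNDS = 200_000
RESET_TTL_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a one-way hash; a fresh random salt is used when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(email: str, password: str) -> None:
    """Store only salt + hash; the plaintext is discarded here."""
    salt, digest = hash_password(password)
    USERS[email.lower()] = {"salt": salt, "hash": digest}


def verify_login(email: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = USERS.get(email.lower())
    if rec is None:
        # Do the same work for unknown users so timing does not reveal
        # whether an email address has an account.
        hash_password(password, b"\x00" * 16)
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])


def can_recover_password(email: str) -> bool:
    """There is nothing to mail back: the site never kept the plaintext."""
    return False


def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a random, single-use token that would be emailed as a reset link.

    Returns None for unknown addresses; the caller should show the same
    'if an account exists, we sent a link' message in both cases.
    """
    now = time.time() if now is None else now
    key = email.lower()
    if key not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = (key, now + RESET_TTL_SECONDS)
    return token


def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (single use), reject if expired, then set a new hash."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    register(email, new_password)
    return True


if __name__ == "__main__":
    register("alice@example.com", "correct horse")  # constructed sample account
    print("login ok:", verify_login("alice@example.com", "correct horse"))
    print("recoverable:", can_recover_password("alice@example.com"))
    tok = request_reset("alice@example.com")
    print("reset ok:", complete_reset(tok, "new passphrase"))
    print("old password still works:", verify_login("alice@example.com", "correct horse"))
```

The point of the flow is that a "forgot password" request can only ever hand out a fresh token; the original password is unrecoverable by design, which is exactly why a site that mails it back must be keeping it in the clear.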