Be careful when changing your password



  • I just started a new job as a developer. I swear I think I've seen the system I am tasked with maintaining on this site. The time tracking system was developed in house. I go to log in one day only to be prompted to change my password. Alright, no big deal. 3 text fields labeled old password, new password, confirm new password. When I went to type my old password it came out as plain text. I figured this was a simple overlooked mistake and would be a quick fix by changing a property from true to false. I sent an IM to the developer who maintains the system.


    Me: the change your password page has the old

    password field as clear text

    Him: yes

    Me: shouldn't it be ****

    Him: that's how they want it

    Me: ..... why

    Him: they don't want the user to use the same password

    Me: but the user is typing both old and new in....

    Him: yes. when they type the new one the old one is just a reference
    showing that not to use the same one. You are thinking at our level of mind.
    You have to think that most of the users need baby steps.

    Me: ... our users can't remember what they just typed in 3 seconds
    ago? I mean if that's how they want it... fine. I'm just saying it seems kinda insecure

    Him: how is it insecure

    Me: since most users use the same password for many things....
    let's say someone looking over my shoulder sees the password I used... other systems may be compromised

    Him: I would say don't change your password when someone is looking


    I was in complete awe after this conversation.




  • Sounds like your mentor there has been in that job long enough to just not care.

    /me could totally see some user saying "oh noes! my old password was *******, and my new password is also *******.  And why does every key on my keyboard make a *?"





  • @Cap'n Steve said:

    [url]http://bash.org/?244321[/url]


    I confused a co-worker of mine for a day...

    We got a DB from a client with unobfuscated data in it. With all fields intact. All customer information there, etc... Also the passwords were stored as plain text...

    I found this bad, since I see passwords as some really personal information... So I went ahead and "secured" the DB... Later my co-worker asked me how I managed to secure the password field in the DB. He wanted to look up the password for some use and he was only getting '******' for all users he queried. He tried to figure out how this was done (On SQL Server 7 or 2000 I think... At least not SQL 2005, which supports field-level data encryption)

    When I got back to the office next day, he quizzed me how I managed to do it...

    I showed him the script, and we both had a good laugh ;)

     UPDATE users SET password = '******';

     :D

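The two posts above describe the same underlying mistake from two sides: a change-password form that echoes the old password in clear text so the user can "see" not to reuse it, and a database where the passwords sat in plain text and were "secured" by overwriting them with a literal. The following is an added example, not code from any poster's system, showing how the server side can enforce both rules (old password must verify, new password must differ) against salted hashes, so nothing ever needs to be displayed or stored in clear. It uses only the Python standard library; the in-memory `USERS` table, the iteration count and the minimum length are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. 600,000 iterations is a reasonable
# present-day setting; treat it as an assumption and tune to your hardware.
ITERATIONS = 600_000
MIN_LENGTH = 12  # minimum new-password length enforced here (assumption)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing salted hash: algo$iterations$salt$digest."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Constructed in-memory stand-in for the `users` table (username -> stored hash).
# The form only ever submits the three masked fields; at no point does the
# server need to show the old password back to the user.
USERS: Dict[str, str] = {"alice": hash_password("correct horse battery")}


def change_password(username: str, old: str, new: str, confirm: str) -> str:
    """Server-side handling of the old/new/confirm form. Returns a status string."""
    stored = USERS.get(username)
    if stored is None:
        # Burn roughly the same time as a real verification so an unknown
        # username is not distinguishable from a wrong password by timing.
        hash_password(old)
        return "old password incorrect"
    if not verify_password(old, stored):
        return "old password incorrect"
    if new != confirm:
        return "new passwords do not match"
    if len(new) < MIN_LENGTH:
        return "new password too short"
    # "Don't reuse the old one" is enforced here, against the stored hash,
    # rather than by displaying the old password in clear text.
    if verify_password(new, stored):
        return "new password must differ from old"
    USERS[username] = hash_password(new)
    return "ok"


def migrate_plaintext(rows: Dict[str, str]) -> Dict[str, str]:
    """One-off migration for a table that still holds plain-text passwords:
    hash every value so logins keep working, instead of blanking the column."""
    return {user: hash_password(pw) for user, pw in rows.items()}


if __name__ == "__main__":
    print(change_password("alice", "correct horse battery", "correct horse battery",
                          "correct horse battery"))   # new password must differ from old
    print(change_password("alice", "correct horse battery", "new-secret-pw-1",
                          "new-secret-pw-1"))         # ok
    print(migrate_plaintext({"bob": "hunter2"})["bob"][:14])  # pbkdf2_sha256$
```

The reuse check costs one extra PBKDF2 run per change request, which is what makes it safe to keep the old-password field masked: the comparison happens against the hash on the server, and the user gets a plain "must differ" message instead of a visible copy of their current password. The migration helper is the defensible version of the `UPDATE users SET password = '******'` script: every row ends up verifiable, not blanked.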


  • install black curtains around all PCs and require users to close them when dealing with sensitive information...

