TDWTF WTF2



  • Skybert,

    You have created a new account at The Daily WTF, and may login.

    Your username is:

    Username: Skybert
    Password: [deleted]

    Publishing encryption algorithms: good

    Publishing passwords: bad 




  • @Skybert said:

    Skybert,

    You have created a new account at The Daily WTF, and may login.

    Your username is:

    Username: Skybert
    Password: [deleted]

    Publishing encryption algorithms: good

    Publishing passwords: bad 


    So many sites do that, email passwords in plaintext. It's INCREDIBLY ANNOYING! If it's a password you entered, THERE'S NO NEED TO EMAIL IT TO YOU.

    It should only be possible to get a new, random password emailed in the event you forget yours too. Not your current one because that might be used elsewhere, and anyway, unhashed passwords shouldn't be stored anywhere for security reasons; only the hash, preferably salted.



  • I agree, I find it annoying when I sign up for a site and I get an email with my password in plain text.

    This can also indicate that the password is stored in plain text somewhere, which is not great for security.

    But people shouldn't have full trust in any site. So, it's best to use a separate password for forums and such that is different from the password you use to store personal data like emails.



  • I wrote a JavaScript that hashes the password I enter with the site name, making it possible to use the same password on all sites while keeping the password unique on each site.



  • @m0ffx said:

    ...

     
    So many sites do that, email passwords in plaintext. It's INCREDIBLY ANNOYING! If it's a password you entered, THERE'S NO NEED TO EMAIL IT TO YOU.

    It should only be possible to get a new, random password emailed in the event you forget yours too. Not your current one because that might be used elsewhere, and anyway, unhashed passwords shouldn't be stored anywhere for security reasons; only the hash, preferably salted.

     I personally find most hash to be too salty anyway.  Especially corned beef.  Don't you? :-)

     
    And if you use the same salt for every account / password, that doesn't count...
     



  • @poochner said:

    And if you use the same salt for every account / password, that doesn't count...

    Using unique salts for every password is better than 

    using the same salt for every password is better than

    not using salts at all.

     

    At least, if you use a single salt, that still breaks most pre-generated rainbow tables.  Any potential attacker would have to generate a whole rainbow table based on your salt.   Which takes *many* orders of magnitude more time than simply using a pre-generated rainbow table.

     

    Using unique salts just multiplies that time by the number of users you have. 



  • Skybert you're absolutely right. Every single website in the world should cater to your security expectations, regardless of whether or not you pay for their services. And God forbid someone should discover your coveted password to TheDailyWTF. Imagine the havoc that could ensue when someone posts a comment PRETENDING TO BE YOU!!

     

    Seriously dude, if your nit-picky problems were on the website for your bank or your company's homepage, then your complaints are warranted. But you're getting the privilege of visiting this site for free, and since there's no threat of having your identity stolen because of email password thieves then I say let it go. If I were Alex, I wouldn't give a second thought to these complaints considering he foots a hefty bill for our reading enjoyment.

    Don't like how the site is being run? Then go away and stop annoying us with these pointless sidebar posts.



  • @Manni said:

    Skybert you're absolutely right. Every single website in the world should cater to your security expectations, regardless of whether or not you pay for their services. And God forbid someone should discover your coveted password to TheDailyWTF. Imagine the havoc that could ensue when someone posts a comment PRETENDING TO BE YOU!!

    ???

    Skybert didn't insist on TDWTF storing passwords as quadruple-salted, twisted-five-times, MD5 hashed, bury-it-with-a-shovel-and-then-bury-the-shovel security... I think it's pretty reasonable to ask that passwords *not* be sent by email except when you ask for it to be reset.  It took effort by somebody to put that password in the email.  A rather misguided effort....



  • If he really thinks it presents a security issue, then email Alex about it. Posting it on the sidebar is just soapbox where he can point out problems rather than actually trying to fix anything. Notice he created his account and, with his only two posts so far, made two separate sidebar threads complaining about the very site he just signed up for.

    "Look at me look at me, I can find horrible atrocities EVEN ON THIS SITE LOLOL".

    The bigger the irritation, the stronger my response.



  • I side with Manni on this one...

    Maybe not as strongly... but this is a pretty non issue, and not the right way to express it...

    Not a wtf.. just another OP who thinks they are clever...



  • I agree with Manni. E-mailing out the password after registration is scripted, I'm sure, so there's no extra effort involved.

    I personally don't find this to be a problem on sites where security doesn't matter much (like this one). Getting the email actually can be a good thing for sites you visit infrequently, as you can go back to the email in case you forget the password. 



  • @KenW said:

    I agree with Manni. E-mailing out the password after registration is scripted, I'm sure, so there's no extra effort involved.

    [snip]

    I agree with Manni that security concerns about TDWTF ought to be addressed to Alex.  The "effort" I originally referred to was the effort to write the code to send the password, which is still a WTF in my opinion.  Not something I'm going to get rabid about (and the OP didn't either, quite frankly), but still a WTF.

