Be careful when changing your password
I just started a new job as a developer. I swear I think I've seen the system I am tasked with maintaining on this site. The time tracking system was developed in house. I go to log in one day only to be prompted to change my password. Alright, no big deal. 3 text fields labeled old password, new password, confirm new password. When I went to type my old password it came out as plain text. I figured this was a simple overlooked mistake and would be a quick fix by changing a property from true to false. I send an IM to the developer who maintains the system:
password field as clear text
Me: shouldn't it be ****
Him: that's how they want it
Me: ..... why
Him: they don't want the user to use the same password
Me: but the user is typing both old and new in....
Him: yes. when they type the new one the old one is just a reference showing them not to use the same one. You are thinking at our level of mind. You have to think that most of the users need baby steps.
Me: ... our users can't remember what they just typed in 3 seconds ago? I mean if that's how they want it... fine. I'm just saying it seems kinda insecure
Him: how is it insecure
Me: since most users use the same password for many things.... let's say someone looking over my shoulder sees the password I used... other systems may be compromised
Him: I would say don't change your password when someone is looking
I was in complete awe after this conversation.
Sounds like your mentor there has been in that job long enough to just not care.
/me could totally see some user saying "oh noes! my old password was *******, and my new password is also *******. And why does every key on my keyboard make a *?"
@Cap'n Steve said:
I confused a co-worker of mine for a day...
We got a DB from a client with unobfuscated data in it. With all fields intact. All customer information there etc... Also the passwords were stored as plain text...
I found this bad, since I see passwords as some really personal information... So I went ahead and "secured" the DB... Later my co-worker asked me how I managed to secure the password field in the DB. He wanted to look up the password for some use and he was only getting '******' for all users he queried. He tried to figure out how this was done (On SQL Server 7 or 2000 I think... At least not SQL 2005 which supports field level data encryption)
When I got back to the office next day, he quizzed me how I managed to do it...
I showed him the script, and we both had a good laugh
Update users set password = '******'
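Both stories above come down to the same two mistakes: showing or storing a password in clear text because it is the easiest way to compare it with something. As an added example (not code from the thread, the in-house time tracking system, or the client's database), here is how a password change can enforce "the new one must differ from the old one" with every field masked in the UI and only salted PBKDF2 hashes kept on the server. The function names, the PBKDF2 iteration count and the in-memory user table are assumptions made for the example.

```python
"""Password change that rejects reuse of the old password without ever
echoing it in clear text, storing only salted PBKDF2 hashes.
Added example; the names and parameters below are assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor (assumption; tune for your hardware)


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' for storage."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed user table for the example: username -> stored hash string.
# A real system would keep this column in the database, never the clear text.
USERS = {"alice": hash_password("correct horse")}


class PasswordChangeError(ValueError):
    """Raised with a message safe to show the user; no password is echoed."""


def change_password(username: str, old: str, new: str, confirm: str) -> bool:
    """Server-side handler for the three masked fields: old, new, confirm.

    The "don't reuse your old password" rule is enforced here by checking
    the new password against the stored hash, so the UI never needs to
    display the old one.
    """
    stored = USERS.get(username)
    # Verify the old password first (constant-time compare inside).
    if stored is None or not verify_password(old, stored):
        raise PasswordChangeError("old password incorrect")
    if new != confirm:
        raise PasswordChangeError("new passwords do not match")
    # Reuse check: does the candidate hash to the same value as the old one?
    if verify_password(new, stored):
        raise PasswordChangeError("new password must differ from the old one")
    USERS[username] = hash_password(new)  # new salt, new hash
    return True


if __name__ == "__main__":
    print(change_password("alice", "correct horse", "battery staple", "battery staple"))
    try:
        change_password("alice", "battery staple", "battery staple", "battery staple")
    except PasswordChangeError as exc:
        print("rejected:", exc)
```

On the form side all three inputs are ordinary masked password fields; the reuse rule lives in `change_password`, so nothing the user already knows has to be put on screen for a shoulder surfer, and a DB dump contains only salted hashes rather than a column that needs an `Update users set password = '******'` to hide.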
install black curtains around all PC's and require users to close them when dealing with sensitive information...