Be careful when changing your password



  • I just started a new job as a developer. I swear I think I've seen the system I am tasked with maintaining on this site. The time tracking system was developed in house. I go to log in one day only to be prompted to change my password. Alright, no big deal. 3 text fields labeled old password, new password, confirm new password. When I went to type my old password it came out as plain text. I figured this was a simple overlooked mistake and would be a quick fix by changing a property from true to false. I sent an IM to the developer who maintains the system.

     

    Me: the change your password page has the old password field as clear text

    Him: yes

    Me: shouldn't it be ****

    Him: that's how they want it

    Me: .....  why

    Him: they don't want the user to use the same password

    Me: but the user is typing both old and new in....

    Him: yes. when they type the new one the old one is just a reference
    showing them not to use the same one. You are thinking at our level of mind.
    You have to think that most of the users need baby steps.

    Me: ... our users can't remember what they just typed in 3 seconds
    ago? I mean if that's how they want it...fine. I'm just saying it seems kinda insecure

    Him: how is it insecure

    Me: since most users use the same password for many things....
    let's say someone looking over my shoulder sees the password I used... other systems may be compromised

    Him: I would say don't change your password when someone is looking

     

    I was in complete awe after this conversation.  

     



  • Sounds like your mentor there has been in that job long enough to just not care.

    /me could totally see some user saying "oh noes! my old password was *******, and my new password is also *******.  And why does every key on my keyboard make a *?"
     





  • @Cap'n Steve said:

    http://bash.org/?244321

     

     

    I confused a co-worker of mine for a day...

     

    We got a DB from a client with unobfuscated data in it, with all fields intact: all customer information there, etc. Also the passwords were stored as plain text...

    I found this bad, since I see passwords as some really personal information... So I went ahead and "secured" the DB... Later my co-worker asked me how I managed to secure the password field in the DB. He wanted to look up the password for some use and was only getting '******' for all users he queried. He tried to figure out how this was done (on SQL Server 7 or 2000 I think... at least not SQL 2005, which supports field-level data encryption).

    When I got back to the office the next day, he quizzed me how I managed to do it...

    I showed him the script, and we both had a good laugh 😉

    Update users set password = '******'

    😃
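
The two problems in this thread (a change-password page that shows the old password so users won't pick the same one again, and a users table that holds passwords in clear text) have the same fix: store only a salted hash and do the reuse check on the server against that hash, so the old password never has to appear on screen and a SELECT on the table never yields a password. The following is an added example, not code from the original posts or from the systems they describe; the UserStore class, its method names, the status strings and the scrypt parameters are assumptions, and the users are constructed. It goes slightly beyond the thread by also rejecting the last few previous passwords, not just the current one.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factor; these values are an assumption for the example and should
# be tuned to the target hardware in a real deployment.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
HISTORY_DEPTH = 3   # previous hashes kept for the reuse check
MIN_LENGTH = 12


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte scrypt hash; this is all that ever gets stored."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt), expected)


class UserStore:
    """Hypothetical in-memory stand-in for the users table in the thread.

    Each record holds the current (salt, hash) pair plus a short history of
    previous pairs. The clear-text password is never written anywhere, so
    a query such as SELECT password FROM users returns nothing useful.
    """

    def __init__(self) -> None:
        self._users: dict = {}

    def create_user(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._users[username] = {
            "current": (salt, hash_password(password, salt)),
            "history": [],
        }

    def change_password(self, username: str, old_password: str,
                        new_password: str, confirm_new_password: str) -> str:
        """Server-side handler for the three-field change-password form.

        Returns a status string for the UI; none of the branches ever need
        the old password to be shown on screen.
        """
        rec = self._users.get(username)
        # 1. The old password authenticates the request; an unknown user gets
        #    the same answer as a wrong password so usernames are not enumerable.
        if rec is None or not verify_password(old_password, *rec["current"]):
            return "old-password-incorrect"
        # 2. The confirmation field catches typos, which is the only reason the
        #    form needs the new password twice.
        if new_password != confirm_new_password:
            return "confirmation-mismatch"
        if len(new_password) < MIN_LENGTH:
            return "too-short"
        # 3. Reuse check: compare the candidate against the current hash and the
        #    retained history instead of letting the user eyeball the old value.
        for salt, digest in [rec["current"], *rec["history"]]:
            if verify_password(new_password, salt, digest):
                return "password-reused"
        # 4. Fresh salt for the new hash; rotate the old pair into the history.
        salt = os.urandom(SALT_BYTES)
        rec["history"] = [rec["current"], *rec["history"]][:HISTORY_DEPTH]
        rec["current"] = (salt, hash_password(new_password, salt))
        return "ok"

    def stored_record(self, username: str) -> Optional[dict]:
        """Expose the stored bytes so a caller can confirm no plaintext is kept."""
        return self._users.get(username)


if __name__ == "__main__":
    store = UserStore()
    store.create_user("alice", "correct horse battery staple")   # constructed user
    print(store.change_password("alice", "correct horse battery staple",
                                "correct horse battery staple",
                                "correct horse battery staple"))  # password-reused
    print(store.change_password("alice", "correct horse battery staple",
                                "a brand new passphrase",
                                "a brand new passphrase"))        # ok
```

With this in place, all three form fields can be ordinary masked password inputs (`<input type="password">` in HTML; the "true to false" property mentioned in the first post is the same idea in whatever framework the form used), the shoulder-surfing concern from the IM exchange goes away, and the co-worker in the third post cannot look up anybody's password because the table simply does not contain one.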



  • install black curtains around all PC's and require users to close them when dealing with sensitive information...

