Wors Than Failure WTF #999



  • When you register to these forums, the system sends you an email with your password in plain text.



  • Really?

    I got mine in that email, and it was all ******.

    Totally secure. 



  • @dhromed said:

    Really?

    I got mine in that email, and it was all ******.

    Totally secure. 

    Did you choose hunter2 as a password?



  • @Latexxx said:

    When you register to these forums, the system sends you an email with your password in plain text.

    I don't understand why people consider this insecure. Setting aside the fact that it's just a message board account, if someone has access to your email account, then they can just as easily request a "password reset" link.



  • @PJH said:

    Did you choose hunter2 as a password?

     

    you can go hunter2 my hunter2-ing hunter2 


  • @Latexxx said:

    When you register to these forums, the system sends you an email with your password in plain text.

     

    But in the spirit of Worse Than Failure, you try and post a sidebar WTF, and you leave a typo in the subject.

     

    YOU_AM_FAIL



  • @Alex Papadimoulis said:

    @Latexxx said:

    When you register to these forums, the system sends you an email with your password in plain text.

    I don't understand why people consider this insecure. Setting aside the fact that it's just a message board account, if someone has access to your email account, then they can just as easily request a "password reset" link.

    Well, some people are stupid enough to use the same password for "just a message board account" and "just a remote access to launch nuclear missiles". Such people should be banned from the internet, though. Anyway, such people would expose the secret password (to launch the nukes) by the mail, while the password reset link just allows the attackers to access the message board.
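The disagreement above (whether mailing the password is any worse than mailing a reset link) comes down to what the secret in the email can be used for. The following is an added example, not code from this thread or from the forum software: a reset flow that mails a random single-use token, stores only the token's SHA-256 digest, and lets it expire. The `ResetTokenStore` class, the 15-minute lifetime, the in-memory dictionary and the `forum.example` URL are assumptions made for the example. Whoever reads the mail learns nothing about the user's real password, so a password reused elsewhere is not exposed, and a copy of the database contains no usable tokens either.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import quote

# Added example (not the forum software's code). The 15 minute lifetime and
# the in-memory store are assumptions chosen for illustration.
TOKEN_TTL_SECONDS = 15 * 60


def _digest(token: str) -> str:
    # Only this digest is stored, so a database dump does not contain live tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetTokenStore:
    """Issues and redeems single-use, time-limited password reset tokens."""

    def __init__(self) -> None:
        # user -> (sha256 hex digest of the token, expiry as a unix timestamp)
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Return the raw token: the only secret that goes into the email.

        Issuing again for the same user replaces any earlier token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[user] = (_digest(token), now + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, user: str, token: str, now: Optional[float] = None) -> bool:
        """True exactly once: right user, right token, before expiry."""
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        stored, expiry = entry
        # Constant-time comparison so timing does not leak how much of the digest matched.
        if not hmac.compare_digest(stored, _digest(token)):
            return False
        # A matching token is consumed whether or not it is still within its lifetime.
        del self._pending[user]
        return now <= expiry


def reset_email_body(user: str, token: str) -> str:
    """What the mail contains: a link carrying the token, never the password.
    The host name is a placeholder assumed for the example."""
    link = f"https://forum.example/reset?user={quote(user)}&token={token}"
    return (f"Hello {user},\n"
            f"To choose a new password open {link}\n"
            f"The link stops working after {TOKEN_TTL_SECONDS // 60} minutes or once used.")


if __name__ == "__main__":
    store = ResetTokenStore()
    t = store.issue("alice")
    print(reset_email_body("alice", t))
    print("first redeem:", store.redeem("alice", t))   # True
    print("second redeem:", store.redeem("alice", t))  # False
```

The token is generated with `secrets`, not `random`, and is compared with `hmac.compare_digest`; both details matter more than the TTL, which is a policy choice.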



  • @ammoQ said:

    Well, some people are stupid enough to use the same password for "just a message board account" and "just a remote access to launch nuclear missiles". Such people should be banned from the internet, though. Anyway, such people would expose the secret password (to launch the nukes) by the mail, while the password reset link just allows the attackers to access the message board.

    It's a good habit, until you get 10 email, 100 Bugzilla and 1000 forum accounts. I've tried using md5(my password salted with login URL) until someone changed the login URL and I lost the account. There's seriously no way to remember all of them / make them unique - that's just a waste of time / life...

    So please, please! use openid logins, when you create a new portal/forum/bug-whatever. PLEASE!!!
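The scheme in the post above, a hash of the master password and the login URL, breaks exactly when the URL changes because the whole URL is the salt. Below is an added example, not the poster's own code, that reconstructs that scheme as described (`md5_scheme`, assuming master followed by URL) and contrasts it with a derivation keyed on the site's host name plus a rotation counter, run through a slow KDF. The function names, the PBKDF2 parameters and the 20-character output length are assumptions for illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Added example reconstructing the scheme described in the post; not the poster's code.


def md5_scheme(master: str, login_url: str) -> str:
    """md5(master password salted with the login URL), as the post describes it
    (the concatenation order is an assumption). Any change to the URL, even the
    path, changes the output."""
    return hashlib.md5((master + login_url).encode("utf-8")).hexdigest()


def canonical_site(url: str) -> str:
    """Reduce a URL to its host name so moving the login page does not change the salt."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    if not host:
        raise ValueError("URL has no host: " + url)
    return host


def derived_password(master: str, url: str, generation: int = 0, length: int = 20) -> str:
    """Deterministic per-site password from the master secret.

    generation lets one site's password be rotated without changing the master.
    PBKDF2-HMAC-SHA256 with 200k rounds is assumed here; it slows an offline guess
    at the master by someone who has obtained one site's derived password."""
    salt = f"{canonical_site(url)}|{generation}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, 200_000, dklen=32)
    return base64.urlsafe_b64encode(raw).decode("ascii")[:length]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample, not a real secret
    old, new = "http://forum.example/login.php", "https://www.forum.example/user/login"
    print("md5 scheme survives URL move:",
          md5_scheme(master, old) == md5_scheme(master, new))            # False
    print("host-keyed scheme survives:",
          derived_password(master, old) == derived_password(master, new))  # True
    print("rotated:", derived_password(master, old, generation=1))
```

Two caveats stay even with the host-keyed version: one leaked site password plus knowledge of the scheme is enough to start an offline attack on the master, which is why the slow KDF is there and not MD5; and without the counter there is no way to change a single site's password after a breach, which is the practical reason the later posts reach for a stored vault instead.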



  • @Alex Papadimoulis said:

    @Latexxx said:

    When you register to these forums, the system sends you an email with your password in plain text.

    I don't understand why people consider this insecure. Setting aside the fact that it's just a message board account, if someone has access to your email account, then they can just as easily request a "password reset" link.

    But you don't need access to the email account; sniffing the network is enough.



  • @purge said:

    @PJH said:

    Did you choose hunter2 as a password?

     

    you can go hunter2 my hunter2-ing hunter2 

    That shows up as "you can go ******* my *******-ing *******" here :D


    @viraptor said:

    @ammoQ said:

    Well, some people are stupid enough to use the same password for "just a message board account" and "just a remote access to launch nuclear missiles". Such people should be banned from the internet, though. Anyway, such people would expose the secret password (to launch the nukes) by the mail, while the password reset link just allows the attackers to access the message board.

    It's a good habit, until you get 10 email, 100 Bugzilla and 1000 forum accounts. I've tried using md5(my password salted with login URL) until someone changed the login URL and I lost the account. There's seriously no way to remember all of them / make them unique - that's just a waste of time / life...

    So please, please! use openid logins, when you create a new portal/forum/bug-whatever. PLEASE!!!

    What's openid?


    @luke727 said:

    @Alex Papadimoulis said:

    @Latexxx said:

    When you register to these forums, the system sends you an email with your password in plain text.

    I don't understand why people consider this insecure. Setting aside the fact that it's just a message board account, if someone has access to your email account, then they can just as easily request a "password reset" link.

    But you don't need access to the email account; sniffing the network is enough.

    But then you could just as easily sniff the network when the person is logging in, since the password is sent in plain text through an unencrypted HTTP connection.



  • @viraptor said:

    @ammoQ said:

    Well, some people are stupid enough to use the same password for "just a message board account" and "just a remote access to launch nuclear missiles". Such people should be banned from the internet, though. Anyway, such people would expose the secret password (to launch the nukes) by the mail, while the password reset link just allows the attackers to access the message board.

    It's a good habit, until you get 10 email, 100 Bugzilla and 1000 forum accounts. I've tried using md5(my password salted with login URL) until someone changed the login URL and I lost the account. There's seriously no way to remember all of them / make them unique - that's just a waste of time / life...

    So please, please! use openid logins, when you create a new portal/forum/bug-whatever. PLEASE!!!

    True, but you can at least have one password for all the less-important forums etc., and different password(s) for more important stuff.



  • But then you'll sign up for websites with various password requirements (must contain a number, certain number of characters, etc.) and mess up the system.  I try to use the same password for everything, but for sites I don't use regularly it usually takes me 2-3 tries to figure out my password.



  • I just write them down. I have bigger problems if they have access to my files on my computer.



  • @viraptor said:

    It's a good habit, until you get 10 email, 100 Bugzilla and 1000 forum accounts. I've tried using md5(my password salted with login URL) until someone changed the login URL and I lost the account. There's seriously no way to remember all of them / make them unique - that's just a waste of time / life...

    Why haven't you made a script to keep track of them for you (and optionally generate them as well) yet? Really now.



  • I agree completely with what you said about the "too many accounts" mess. After a hundred passwords and throwaway email addresses, it just doesn't seem worth bothering with registering on forums.

    @viraptor said:

    So please, please! use openid logins, when you create a new portal/forum/bug-whatever. PLEASE!!!


    If I remember correctly, it either didn't work for me, or felt too enterprisey. (too many redirections back and forth, broken unless you enable everything in the browser, etc) But I could be wrong.

    Which is why I prefer anonymous Futaba channel / 2channel style forums nowadays. Everyone with half a reason seems to have a pointless phpBB install though.



  • On this subject, does anybody know of a password storage/generation program that meets the following requirements:

    • Must sync with a central server (with client-side encryption, so the server admin can't read my passwords)
      • Even better if it could use an FTP server of my choice
    • Must be cross-platform (Win, Linux, Mac), preferably available as both a Firefox extension and a stand-alone app
    • Must be runnable without installation (i.e. from USB), without admin rights (at least on Windows and Mac)
    • Must have a version runnable from a cellphone (Java/Symbian S60)
    • Must be able to generate passwords to site-specific requirements (length, allowable characters, etc)

    At the moment, I use the same password for everything (except the really important things). But if there is an app that meets all of those specs then I would be glad to change my ways. Anyone heard of anything? Maybe I'll end up writing something...
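The last bullet in the list above, generating to site-specific rules, is the part that is easy to get subtly wrong: the common "pick one character from each required class, fill the rest, shuffle" approach is not uniform over conforming passwords, and drawing from `random` instead of the OS CSPRNG makes the output predictable. As an added example (not part of the thread, and not StorWords, RoboForm or KeePass code), here is a generator that samples from the site's allowed alphabet with `secrets` and keeps only candidates that satisfy every required class, which is uniform over the conforming passwords. The `Policy` class and the two sample policies are assumptions made for the example.

```python
import secrets
import string
from typing import Sequence

# Added example; the Policy class and the sample policies are assumed for illustration.


class Policy:
    """A site's password rules: exact length, permitted alphabet and character
    classes that must each appear at least once."""

    def __init__(self, length: int, allowed: str, required: Sequence[str] = ()) -> None:
        self.length = length
        self.allowed = allowed
        self.required = tuple(required)
        # Reject unsatisfiable policies up front instead of looping forever later.
        for cls in self.required:
            if not set(cls) <= set(allowed):
                raise ValueError("required class contains characters the site forbids")
        if len(self.required) > length:
            raise ValueError("more required classes than characters")


def conforms(password: str, policy: Policy) -> bool:
    """Check a password against the policy (also usable to vet an existing one)."""
    return (len(password) == policy.length
            and all(c in policy.allowed for c in password)
            and all(any(c in cls for c in password) for cls in policy.required))


def generate(policy: Policy, max_attempts: int = 10_000) -> str:
    """Uniformly random password satisfying the policy, by rejection sampling:
    draw each character uniformly from the allowed alphabet with the OS CSPRNG
    and retry until every required class is present."""
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(policy.allowed) for _ in range(policy.length))
        if conforms(candidate, policy):
            return candidate
    raise RuntimeError("policy is too restrictive to satisfy by sampling")


SYMBOLS = "!@#$%^&*"
# Constructed sample policies, not any real site's rules.
FORUM_POLICY = Policy(16, string.ascii_letters + string.digits + SYMBOLS,
                      [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS])
LEGACY_POLICY = Policy(8, string.ascii_letters + string.digits,
                       [string.ascii_letters, string.digits])

if __name__ == "__main__":
    for name, policy in (("forum", FORUM_POLICY), ("legacy", LEGACY_POLICY)):
        pw = generate(policy)
        print(name, pw, conforms(pw, policy))
```

Rejection sampling costs a few extra draws for short policies with many required classes, which is cheap; the alternative constructions either bias the result or need care to stay uniform, and the bias is exactly what a password-cracking mask attack exploits.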
     



  • Mmm ... doesn't meet some (or even most) of your requirements, but I use KeePass Password Safe. Does a good job for my personal passwords, though it's more a storage app than anything else.

     



  • @mallard said:

    On this subject, does anybody know of a password storage/generation program that meets the following requirements:

    I've started using RoboForm (normal and 2Go variants), but it only meets some of your requirements. It's for Windows only (with cut-down versions available for Palm/Symbian/Windows Mobile), not Mac/Linux.

    - All versions can generate passwords to site-specific requirements. 

    - RoboForm 2Go (portable version) runs from a USB drive without installation.

    - Integrates with IE and has Firefox plugin (works well on both).

    - All information is encrypted (your choice of AES, Blowfish, RC6, 3DES or DES)
     

    Login information is stored as individual files, each encrypted. You could probably set it up to look for the data files on a network share but I haven't tried it; don't think it would handle UNC names though and definitely can't pull from an FTP site.

    It doesn't have inbuilt synchronisation, but you could find other programs to do that (I found a free app to synchronise between my desktop and USB versions) or pull from FTP. The same vendor has a synchronisation app but I haven't looked at it.

    I've now switched to using different unguessable passwords for nearly everything, including this forum - and it's no harder than when I was using one or two simple passwords for all the non-financial stuff.

    Whether Roboform or Keepass is better for you probably depends on which of your stated requirements are most important. There are some other similar apps around, but I don't remember their names.
     



  • @Alex Papadimoulis said:

    @Latexxx said:

    When you register to these forums, the system sends you an email with your password in plain text.

    I don't understand why people consider this insecure. Setting aside the fact that it's just a message board account, if someone has access to your email account, then they can just as easily request a "password reset" link.

    It's a problem because most people re-use passwords over and over again.  Your forum password has a high probability of being identical to your password at your bank's web site or your domain login at work.


  • @luke727 said:

    @Alex Papadimoulis said:

    @Latexxx said:

    When you register to these forums, the system sends you an email with your password in plain text.

    I don't understand why people consider this insecure. Setting aside the fact that it's just a message board account, if someone has access to your email account, then they can just as easily request a "password reset" link.

    But you don't need access to the email account; sniffing the network is enough.

    Well, yes, you could do that, if you knew exactly when the email was going to be sent, and then sent the information back in time to yourself a couple of years earlier, went and applied for a job at the target's ISP, worked your way up through the ranks long enough until you were trusted to be left on your own in the data center with their core routers, hacked the root password, and installed a sniffer.

    Of course if you can do that, you're probably Galactus, so we're all screwed anyway.  Regardless of passwords.

     



  • @DaveK said:

    @luke727 said:
    @Alex Papadimoulis said:

    @Latexxx said:

    When you register to these forums, the system sends you an email with your password in plain text.

    I don't understand why people consider this insecure. Setting aside the fact that it's just a message board account, if someone has access to your email account, then they can just as easily request a "password reset" link.

    But you don't need access to the email account; sniffing the network is enough.

    Well, yes, you could do that, if you knew exactly when the email was going to be sent, and then sent the information back in time to yourself a couple of years earlier, went and applied for a job at the target's ISP, worked your way up through the ranks long enough until you were trusted to be left on your own in the data center with their core routers, hacked the root password, and installed a sniffer.

    Or you could just use the standard cache poisoning tricks, because your target (like pretty damn near everybody else in the world) is using an ISP who doesn't bother to secure their systems against them. 



  • @PJH said:

    @dhromed said:

    Really?

    I got mine in that email, and it was all ******.

    Totally secure. 

    Did you choose hunter2 as a password?

     

    yeah, and now it's hunter3 



  • I agree that this is just a message board and it is not important.  I mean you are signing in and doing all your traffic over an insecure connection anyway.  I would argue it would be easier to steal your password by sniffing traffic when you log in than it would be to steal from your email.

     

    On that note, a couple of years ago I signed up for online payment with Verizon.  Two weeks later I got a letter in the mail (snail mail) from them with the password I used for my new online account.  Not only did they MAIL me my password in plain text, but next time I logged in I noticed it had saved my credit card info.  I was mad.  I called customer service and bitched at them and asked to speak to their CIO or whoever would be in charge of information security.  They forwarded me to someone where I got voicemail.  I left a reasonable message stating I was concerned that they might not be taking security very seriously.  I never got a response.  This is an instance where sending someone their password could cause problems. 



  • @roto said:

    I agree that this is just a message board and it is not important.  I mean you are signing in and doing all your traffic over an insecure connection anyway.  I would argue it would be easier to steal your password by sniffing traffic when you log in than it would be to steal from your email.

     

    On that note, a couple of years ago I signed up for online payment with Verizon.  Two weeks later I got a letter in the mail (snail mail) from them with the password I used for my new online account.  Not only did they MAIL me my password in plain text, but next time I logged in I noticed it had saved my credit card info.  I was mad.  I called customer service and bitched at them and asked to speak to their CIO or whoever would be in charge of information security.  They forwarded me to someone where I got voicemail.  I left a reasonable message stating I was concerned that they might not be taking security very seriously.  I never got a response.  This is an instance where sending someone their password could cause problems. 

    Only a WTF if the letter also included the online username. When I signed up for online banking, my username was emailed to me, while my initial password was snail mailed. That way any crook trying to sign up for someone else's online banking has to be able to intercept the snail mail, but someone intercepting the snail mail anyway merely gets a password without a username.



  • @mallard said:

    On this subject, does anybody know of a password storage/generation program that meets the following requirements:

    • Must sync with a central server (with client-side encryption, so the server admin can't read my passwords)
      • Even better if it could use an FTP server of my choice
    • Must be cross-platform (Win, Linux, Mac), preferably available as both a Firefox extension and a stand-alone app
    • Must be runnable without installation (i.e. from USB), without admin rights (at least on Windows and Mac)
    • Must have a version runnable from a cellphone (Java/Symbian S60)
    • Must be able to generate passwords to site-specific requirements (length, allowable characters, etc)

    At the moment, I use the same password for everything (except the really important things). But if there is an app that meets all of those specs then I would be glad to change my ways. Anyone heard of anything? Maybe I'll end up writing something...
     

    Looks like I've ended up writing something...

    I've begun developing a program to meet my needs as specified above. It's called "StorWords" and is on Google Code here.
    Not much more than the beginnings of a UI so far. Written in C++ using GTKmm (for cross-platform compatibility). Will write a Java version for phones at a later stage. The Google Code repository has a win32 binary for anybody who wants to take a look. (And I'm sure WTF hunters could have a field day with my code!).



  • @mallard said:

    @mallard said:

    On this subject, does anybody know of a password storage/generation program that meets the following requirements:

    • Must sync with a central server (with client-side encryption, so the server admin can't read my passwords)
      • Even better if it could use an FTP server of my choice
    • Must be cross-platform (Win, Linux, Mac), preferably available as both a Firefox extension and a stand-alone app
    • Must be runnable without installation (i.e. from USB), without admin rights (at least on Windows and Mac)
    • Must have a version runnable from a cellphone (Java/Symbian S60)
    • Must be able to generate passwords to site-specific requirements (length, allowable characters, etc)

    At the moment, I use the same password for everything (except the really important things). But if there is an app that meets all of those specs then I would be glad to change my ways. Anyone heard of anything? Maybe I'll end up writing something...
     

    Looks like I've ended up writing something...

    I've begun developing a program to meet my needs as specified above. It's called "StorWords" and is on Google Code here.
    Not much more than the beginnings of a UI so far. Written in C++ using GTKmm (for cross-platform compatibility). Will write a Java version for phones at a later stage. The Google Code repository has a win32 binary for anybody who wants to take a look. (And I'm sure WTF hunters could have a field day with my code!).

     

    Doesn't use server storage, but seems to generate reasonable passwords that can be duplicated on other machines and/or with any OS that will run Firefox.

    https://addons.mozilla.org/en-US/firefox/addon/874 

