plain text passwords…

OK, it happened again. I registered at some website and they sent me my password in plain text. Yes, this post was really written in 2015.

I won’t tell you which website it was. That is not the point of this post; the problem itself is. And I want to give the developers of the website, whom I informed about the problem via my standard procedure, some time to fix it.

I just want to rant it out once more. How can a website with 100k+ users make such a fundamental mistake? How can anyone, when every educated 12-year-old knows better?

Some developers tell me in response: “Yeah, but the data is secure with us.”

Sony said the same before the PlayStation Network got hacked. But luckily, as a matter of prudence, they actually hashed user passwords. Apparently, most websites don’t, even though every professional web developer knows how to do better. At least they should.
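What “hashing user passwords” means in practice, as an added example that is not part of the original post: the site never stores the password, only a salted, slow key-derivation hash of it, and login works by recomputing and comparing. The scrypt parameters, the record format and the in-memory user table below are my own assumptions for illustration, not anything from the website in question; the code uses only the Python standard library (`hashlib.scrypt` needs Python 3.6+ built against OpenSSL 1.1+).

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters. These are assumed, illustrative values; tune them so a
# single hash takes a noticeable fraction of a second on your login servers.
SCRYPT_N = 2 ** 14   # CPU/memory cost (uses 128 * N * r bytes = 16 MiB here)
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16        # bytes of random salt per password
DKLEN = 32           # bytes of derived key to store

# Constructed, in-memory "user table" standing in for a real database.
# It maps username -> stored record; it never holds a password.
USERS: dict[str, str] = {}


def hash_password(password: str) -> str:
    """Return a self-describing record "scrypt$N$r$p$salt$hash".

    A fresh random salt per password means two users with the same password
    get different records, and an attacker cannot precompute a single table
    for the whole dump.
    """
    salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return "$".join([
        "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare.

    The parameters travel with the record, so cost can be raised later for
    new passwords without breaking existing ones. The compare is constant
    time so timing does not leak how many leading bytes matched.
    """
    try:
        algo, n, r, p, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt, n=int(n), r=int(r), p=int(p), dklen=len(expected),
    )
    return hmac.compare_digest(candidate, expected)


def register(username: str, password: str) -> str:
    """Store only the hash record and return what a welcome mail may contain:
    the username, never the password (the server has no way to recover it)."""
    USERS[username] = hash_password(password)
    return f"Welcome, {username}! Your account is ready."


def login(username: str, password: str) -> bool:
    """True only if the user exists and the password hashes to the stored record."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so a missing user takes as long as a wrong password.
        hash_password(password)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    print(register("alice", "pineapple123"))
    print(register("bob", "pineapple123"))
    print("alice record:", USERS["alice"])
    print("bob record:  ", USERS["bob"])          # same password, different record
    print("alice correct:", login("alice", "pineapple123"))
    print("alice wrong:  ", login("alice", "pineapple124"))
    print("no such user: ", login("carol", "pineapple123"))
```

Because only the record is stored, the site cannot email a password back even if it wanted to; “forgot password” has to mean a reset, which is exactly the property a plain-text site lacks.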

Even if they don’t get hacked, “it’s secure” is a plain lie. A site that can mail you your password has it in plain text on its side, and once sent, that mail travels through and sits on mail servers and inboxes that neither of you controls. Sending the unencrypted plain-text password out from their servers is like printing your username and password on leaflets and throwing them out of a plane over Shanghai.

Even worse, nobody seems to care. Said website was featured on major news networks around the world.

Since I’m aware of this issue, I always use a throwaway password when registering anywhere. Just as a reminder for everyone: don’t ever register anywhere with your “standard password” or a derivative of it.

It will ultimately end up in the dictionaries (wordlists) used for password-guessing attacks.

And of course, generally use secure passwords. No, “banana” is not secure. Neither is “pineapple123”. “EeF1rJ7YiyrZazC09myJ” is not secure either, since, by the very fact that I posted it here, it has most likely become part of a hacker’s password dictionary already.

Thank you developers! Thank you, security aware internet users.
