Topic: Concern about password security

dimonic

Jul 31, 2012, 03:03 pm Last Edit: Jul 31, 2012, 03:50 pm by dimonic Reason: 1
I was extremely disturbed to have my password e-mailed back to me after signing up for this community. This indicates to me that the password is transmitted and stored in plain text, and therefore has no barrier whatsoever against hacker discovery.

Unfortunately, this lack of security is so serious to me that I do not know if I can remain a member of this community, since it cares so little for my identity.

I must change my password immediately to one that no longer uses the pattern I normally use for such membership websites.

By way of adding something advisory - I would be happy with OAuth 1.0 (use my Google, Twitter or other OAuth source to login).

WizenedEE


Quote
I was extremely disturbed to have my password e-mailed back to me after signing up for this community. This indicates to me that the password is transmitted and stored in plain text,

I'm not sure about the security of email, but I'm pretty sure it's very secure -- it's used for things like bank transactions.

Also, I'd be willing to bet that immediately after they email you your password, it gets hashed with a salt. Why do you think that because it was in plain text for long enough to send it, it has been kept in plain text for the rest of eternity?

dxw00d

If your email is being intercepted, you probably have bigger problems than your identity here being stolen.

Quote
I must change my password immediately to one that no longer uses the pattern I normally use for such membership websites.

That's a good thing. Using the same patterns for all your passwords is poor security anyway.

AWOL

If it is any consolation, I can ban your account, but not delete it, but I cannot see your password.
"Pete, it's a fool looks for logic in the chambers of the human heart." Ulysses Everett McGill.
Do not send technical questions via personal messaging - they will be ignored.

jointtech

Strange that he got nothing but asshat answers. It's a valid question.
Email is never secure. Period. Why would a password EVER be sent via email? You just told Arduino what you want your PW to be. Why do they need to send it back to you? If you lose your PW you should get a reset link. There's never any reason for a PW to be emailed.
It's 1990 web site thinking. Get with the times.

Now since Arduino doesn't sell anything on this forum it's highly unlikely they have any credit card info, address or even your name unless you gave it in your profile. So what any hacker could actually get by getting your PW is debatable.

Still, with the bunch of nerds trolling this site, it's surprising that nobody sees this as an issue even if it's just for the principle.

Quote
I'm not sure about the security of email, but I'm pretty sure it's very secure -- it's used for things like bank transactions.

No.

Who uses email for banking? Nobody... Email is not secure, far from it. It goes in plain text across the interwebs hopping across multiple routers and servers. At any of those hops it can be sniffed, saved, read or whatever.

dxw00d

Aug 09, 2012, 08:46 am Last Edit: Aug 09, 2012, 08:49 am by dxw00d Reason: 1
Quote
it goes in plain text across the interwebs

Yours might. Don't assume that everyone's does. You can also embed secure elements inside the wrapper, just as you can with web pages.

Quote
Who uses email for banking?  Nobody...

Now you don't really believe that, do you?

jointtech

Oh really? Arduino uses PGP encryption and a digital certificate in the confirmation email containing your PW?
I suppose I could check my server logs and see if it even uses TLS. Doubtful.
Just because you have the knowledge and the ability to encrypt your OUTBOUND mail doesn't mean that everybody does. And it certainly doesn't mean that a forum will.

jointtech

I don't have any clients left that do any day-to-day type bank business via email. They all make you go download the doc or whatever from a secure server, sort of like YouSendIt but more secure (supposedly). Maybe they do it the old way somewhere still. I haven't seen it in years.

ribbery45

Once my mail was hacked by a hacker; after that I am really concerned about my email. Because sometimes when I open my mail it shows me that my password security is not sufficiently secure. So I am really concerned about my password security. How can I increase my password security?

PaulS

Quote
How can i increase my password security?

Post it here on the forum. We'll tell you how secure it is.

Jack Christensen

Aug 11, 2012, 08:41 pm Last Edit: Aug 11, 2012, 08:43 pm by Jack Christensen Reason: 1
Agree with the OP 110%. Any system that stores or mails passwords in cleartext is not secure. They should be stored encrypted, with a one-way algorithm so that the cleartext is never recoverable. If a password is forgotten, the only option should be to set a new one.

@AWOL, no consolation, but it's not so much about the moderators.
MCP79411/12 RTC ... "One Million Ohms" ATtiny kit ... available at http://www.tindie.com/stores/JChristensen/

James C4S

The concern is not that the password was transmitted via email. The concern is that being able to include the password in an email means it is not stored securely.

If the passwords are salted but not hashed, it is effectively the same as storing them in plaintext.
Capacitor Expert By Day, Enginerd by night.  ||  Personal Blog: www.baldengineer.com  || Electronics Tutorials for Beginners:  www.addohms.com
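Jack Christensen's post above (store the password with a one-way algorithm, and on a forgotten password only allow setting a new one) and James C4S's remark that a salted-but-unhashed password is as good as plaintext both describe the same storage design. The following is an added example, not code from the forum or from Arduino, showing that design end to end: a salted PBKDF2-HMAC hash record, constant-time verification, a single-use expiring reset token in place of mailing the password back, and the "salt plus cleartext" anti-pattern beside it so the difference is concrete. The in-memory UserStore, the iteration count and the 15-minute token lifetime are assumptions chosen for illustration; only the Python standard library is used.

```python
"""Salted one-way password storage plus a reset-token flow.

Added example; not the forum's or Arduino's own code. Everything here is
standard library. ITERATIONS and RESET_TTL_SECONDS are illustrative
assumptions, not recommendations for a production deployment.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

ITERATIONS = 100_000           # assumption: PBKDF2 work factor for the demo
SALT_BYTES = 16
RESET_TTL_SECONDS = 15 * 60    # assumption: a reset link is valid for 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a record of salt + one-way digest. The cleartext is never kept,
    so nothing in this record can be mailed back to the user."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


class UserStore:
    """Toy in-memory user table (assumption: a real forum would use a DB)."""

    def __init__(self) -> None:
        self.users = {}          # username -> hash record
        self.reset_tokens = {}   # token -> (username, expiry timestamp)

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            # Burn the same work for unknown users so timing does not reveal
            # whether the account exists.
            hash_password(password)
            return False
        return verify_password(record, password)

    def issue_reset_token(self, username: str, now: Optional[float] = None) -> str:
        """What the 'forgot password' e-mail should carry: a random, expiring,
        single-use token, never the password itself."""
        if username not in self.users:
            raise KeyError("unknown user")
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + RESET_TTL_SECONDS
        self.reset_tokens[token] = (username, expiry)
        return token

    def redeem_reset_token(self, token: str, new_password: str,
                           now: Optional[float] = None) -> bool:
        """Set a new password. The old one is gone; it cannot be recovered."""
        entry = self.reset_tokens.pop(token, None)   # pop makes it single-use
        if entry is None:
            return False
        username, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False
        self.users[username] = hash_password(new_password)
        return True


def salted_but_not_hashed(password: str, salt: bytes) -> bytes:
    """The anti-pattern from the thread: salt prepended to the cleartext.
    It looks random in a DB dump but is trivially reversible."""
    return salt + password.encode()


def recover_from_unhashed(record: bytes) -> str:
    """Anyone holding the record just strips the salt and reads the password."""
    return record[SALT_BYTES:].decode()


if __name__ == "__main__":
    store = UserStore()
    store.register("dimonic", "correct horse")
    print("login ok:", store.login("dimonic", "correct horse"))
    token = store.issue_reset_token("dimonic")
    print("reset ok:", store.redeem_reset_token(token, "new password"))
    print("old password still works:", store.login("dimonic", "correct horse"))
```

The hash record holds only a salt, a digest and the work factor, so the site has nothing it could put in a welcome e-mail; a reset request mints a random token that is consumed on first use and refused after its lifetime, which is the "set a new one" behaviour dxw00d describes for the forgot-password link.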

Jack Christensen


Quote
The concern is not that the password was transmitted via email. The concern is that being able to include the password in an email means it is not stored securely.

Actually, I have an issue with both.
MCP79411/12 RTC ... "One Million Ohms" ATtiny kit ... available at http://www.tindie.com/stores/JChristensen/

dxw00d

Quote
being able to include the password in an email means it is not stored securely.


That assumes the email is sent after being stored, which is not necessarily the case, it may be sent prior to storage. If you click the 'forgot password' link on the sign in screen, you are sent a link to reset your password, you are not re-sent the original.

AWOL

(I'm still wondering what "asshat" means. Isn't he the president of Syria?)
"Pete, it's a fool looks for logic in the chambers of the human heart." Ulysses Everett McGill.
Do not send technical questions via personal messaging - they will be ignored.
