Author Topic: Concern about password security  (Read 1756 times)
Toronto, Canada
Newbie
Karma: 0
Posts: 1
Raspberry Pi with a side of Arduino for the win!

I was extremely disturbed to have my password e-mailed back to me after signing up for this community. This indicates to me that the password is transmitted and stored in plain text, and therefore has no barrier whatsoever against hacker discovery.

Unfortunately, this lack of security is so serious to me that I do not know if I can remain a member of this community, since it cares so little for my identity.

I must change my password immediately to one that no longer uses the pattern I normally use for such membership websites.

By way of adding something advisory - I would be happy with OAuth 1.0 (use my Google, Twitter or other OAuth source to login).
« Last Edit: July 31, 2012, 08:50:05 am by dimonic » Logged

Edison Member
Karma: 19
Posts: 1041
Arduino rocks

Quote
I was extremely disturbed to have my password e-mailed back to me after signing up for this community. This indicates to me that the password is transmitted and stored in plain text,

I'm not sure about the security of email, but I'm pretty sure it's very secure -- it's used for things like bank transactions.

Also, I'd be willing to bet that immediately after they email you your password, it gets hashed with a salt. Why do you think that because it was in plain text for long enough to send it, it has been kept in plain text for the rest of eternity?
Logged

Gosport, UK
Faraday Member
Karma: 21
Posts: 3113

If your email is being intercepted, you probably have bigger problems than your identity here being stolen.

Quote
I must change my password immediately to one that no longer uses the pattern I normally use for such membership websites.
That's a good thing. Using the same patterns for all your passwords is poor security anyway.
Logged

Global Moderator
UK
Brattain Member
Karma: 308
Posts: 26469
I don't think you connected the grounds, Dave.

If it is any consolation, I can ban your account but not delete it, and I cannot see your password.
Logged

"Pete, it's a fool looks for logic in the chambers of the human heart." Ulysses Everett McGill.
Do not send technical questions via personal messaging - they will be ignored.

Sr. Member
Karma: 0
Posts: 291
Arduino rocks

Strange that he got nothing but asshat answers. It's a valid question.
Email is never secure. Period. Why would a password EVER be sent via email? You just told Arduino what you want your PW to be. Why do they need to send it back to you? If you lose your PW you should get a reset link. There's never any reason for a PW to be emailed.
It's 1990 web site thinking. Get with the times.

Now, since Arduino doesn't sell anything on this forum, it's highly unlikely they have any credit card info, address or even your name unless you gave it in your profile. So what any hacker could actually get by getting your PW is debatable.


Still, with the bunch of nerds trolling this site, it's surprising that nobody sees this as an issue, even if it's just for the principle.

Quote
I'm not sure about the security of email, but I'm pretty sure it's very secure -- it's used for things like bank transactions.
No.

Who uses email for banking? Nobody... Email is not secure, far from it. It goes in plain text across the interwebs, hopping across multiple routers and servers. At any of those hops it can be sniffed, saved, read or whatever.
Logged

Gosport, UK
Faraday Member
Karma: 21
Posts: 3113

Quote
it goes in plain text across the interwebs
Yours might. Don't assume that everyone's does. You can also embed secure elements inside the wrapper, just as you can with web pages.

Quote
Who uses email for banking?  Nobody...
Now you don't really believe that, do you?
« Last Edit: August 09, 2012, 01:49:46 am by dxw00d » Logged

Sr. Member
Karma: 0
Posts: 291
Arduino rocks

Oh really? Arduino uses PGP encryption and a digital certificate in the confirmation email containing your PW?
I suppose I could check my server logs and see if it even uses TLS. Doubtful.
Just because you have the knowledge and the ability to encrypt your OUTBOUND mail doesn't mean that everybody does. And it certainly doesn't mean that a forum will.
Logged

Sr. Member
Karma: 0
Posts: 291
Arduino rocks

I don't have any clients left that do any day-to-day type bank business via email. They all make you go download the doc or whatever from a secure server, sort of like YouSendIt but more secure (supposedly). Maybe they do it the old way somewhere still. I haven't seen it in years.
Logged

Newbie
Karma: 0
Posts: 33

Once my mail was hacked by a hacker; after that I am really concerned about my email. Because sometimes when I open my mail it shows me that my password security is not sufficiently secure. So I am really concerned about my password security. How can I increase my password security?
Logged

Seattle, WA USA
Brattain Member
Karma: 631
Posts: 50046

Quote
How can i increase my password security?
Post it here on the forum. We'll tell you how secure it is.
Logged

Grand Blanc, MI, USA
Faraday Member
Karma: 95
Posts: 4089
CODE is a mass noun and should not be used in the plural or with an indefinite article.

Agree with the OP 110%. Any system that stores or mails passwords in cleartext is not secure. They should be stored encrypted, with a one-way algorithm so that the cleartext is never recoverable. If a password is forgotten, the only option should be to set a new one.

@AWOL, no consolation, but it's not so much about the moderators.
« Last Edit: August 11, 2012, 01:43:00 pm by Jack Christensen » Logged

MCP79411/12 RTC ... "One Million Ohms" ATtiny kit ... available at http://www.tindie.com/stores/JChristensen/

Fort Lauderdale, FL
Faraday Member
Karma: 71
Posts: 6144
Baldengineer

The concern is not that the password was transmitted via email. The concern is that being able to include the password in an email means it is not stored securely.

If the passwords are salted but not hashed, it is effectively the same as storing them in plaintext.
Logged

Capacitor Expert By Day, Enginerd by night.  ||  Personal Blog: www.baldengineer.com  || Electronics Tutorials for Beginners:  www.addohms.c
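The storage model Jack Christensen and Baldengineer describe above (a one-way salted hash, and a reset link instead of mailing the password back), as an added illustration that is not code from this forum or from Arduino's site software; the in-memory tables, the PBKDF2 work factor and the 15-minute token lifetime are assumptions:

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for the forum's database (assumption).
USERS = {}          # username -> {"salt": bytes, "digest": bytes}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry_time)
ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, tune to your hardware

def _derive(password: str, salt: bytes) -> bytes:
    # One-way KDF: the cleartext cannot be recovered from salt + digest.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def register(username: str, password: str) -> None:
    """Keep only a random per-user salt and the derived digest; the cleartext is dropped."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "digest": _derive(password, salt)}

def verify(username: str, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        _derive(password, b"\x00" * 16)  # same cost for unknown users (timing)
        return False
    return hmac.compare_digest(_derive(password, rec["salt"]), rec["digest"])

def request_reset(username: str, ttl_seconds: int = 900) -> Optional[str]:
    """'Forgot password' path: a single-use, expiring random token to mail as a link.
    Only the token's hash is stored, so a leaked table cannot be used to reset accounts."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (username, time.time() + ttl_seconds)
    return token

def complete_reset(token: str, new_password: str) -> bool:
    """Consume the token and set a new password; the old one was never recoverable."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None:
        return False
    username, expires = entry
    if time.time() > expires:
        return False
    register(username, new_password)
    return True
```

Nothing in USERS lets the server reproduce the original password, which is exactly why a site that can mail it back must be holding it in a reversible form.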

Grand Blanc, MI, USA
Faraday Member
Karma: 95
Posts: 4089
CODE is a mass noun and should not be used in the plural or with an indefinite article.

Quote
The concern is not that the password was transmitted via email. The concern is that being able to include the password in an email means it is not stored securely.

Actually, I have an issue with both.
Logged

MCP79411/12 RTC ... "One Million Ohms" ATtiny kit ... available at http://www.tindie.com/stores/JChristensen/

Gosport, UK
Faraday Member
Karma: 21
Posts: 3113

Quote
being able to include the password in an email means it is not stored securely.

That assumes the email is sent after being stored, which is not necessarily the case; it may be sent prior to storage. If you click the 'forgot password' link on the sign-in screen, you are sent a link to reset your password; you are not re-sent the original.
Logged

Global Moderator
UK
Brattain Member
Karma: 308
Posts: 26469
I don't think you connected the grounds, Dave.

(I'm still wondering what "asshat" means. Isn't he the president of Syria?)
Logged

"Pete, it's a fool looks for logic in the chambers of the human heart." Ulysses Everett McGill.
Do not send technical questions via personal messaging - they will be ignored.
