I was extremely disturbed to have my password e-mailed back to me after signing up for this community. This indicates to me that the password is transmitted and stored in plain text, and therefore has no barrier whatsoever against hacker discovery.
Unfortunately, this lack of security is so serious to me that I do not know if I can remain a member of this community, since it cares so little for my identity.
I must change my password immediately to one that no longer uses the pattern I normally use for such membership websites.
By way of adding something advisory - I would be happy with OAuth 1.0 (use my Google, Twitter or other OAuth source to login).
dimonic:
I was extremely disturbed to have my password e-mailed back to me after signing up for this community. This indicates to me that the password is transmitted and stored in plain text,
I'm not sure about the security of email, but I'm pretty sure it's very secure -- it's used for things like bank transactions.
Also, I'd be willing to bet that immediately after they email you your password, it gets hashed with a salt. Why do you think that because it was in plain text for long enough to send it, it has been kept in plain text for the rest of eternity?
strange that he got nothing but asshat answers. Its a valid question.
Email is never secure. period. Why would a password EVER be sent via email? You just told arduino what you want your PW to be. Why do they need to send it back to you>? If you lose your PW you should get a reset link. theres never any reason for a PW to be emailed.
Its 1990 web site thinking. get with the times.
Now since arduino doesnt sell anything on this forum its highly unlikely they have any credit card info, address or even your name unless you gave it in your profile. So what any hacker could actually get by getting your PW is debatable.
Still with the bunch of nerds trolling this site its surprising that nobody sees this as an issue even if its just for the principle.
I'm not sure about the security of email, but I'm pretty sure it's very secure -- it's used for things like bank transactions.
no.
Who uses email for banking? Nobody... Email is not secure, far from it. it goes in plain text across the interwebs hopping across multiple routers and servers. Any of those hops it can be sniffed,saved, read or whatever.
oh really? Arduino uses PGP encryption and a digital certificate in the confirmation email containing your PW?
I suppose I could check my server logs and see if it uses TLS even. Doubtful.
Just because you have the knowledge and the ability to encrypt your OUTBOUND mail doesnt mean that everybody does. And it certainly doesnt mean that a forum will.
i dont have any clients left that do any day to day type bank business via email. They all make you go download the doc or whatever from a secure server sortof like yousendit but more secure (supposedly). Maybe they do it the old way somewhere still. I havent seen it in years.
Once my mail was hacked by a hacker after that i am really concern about my email.Cause sometime when i open my mail it show me that my password security is not sufficient secure.So that i am really about my password security.How can i increase my password security?
Agree with the OP 110%. Any system that stores or mails passwords in cleartext is not secure. They should be stored encrypted, with a one-way algorithm so that the cleartext is never recoverable. If a password is forgotten, the only option should be to set a new one.
@AWOL, no consolation, but it's not so much about the moderators.
The concern is not that the password was transmitted via email. The concern is that by being able to include the password in an email means it is not stored securely.
If the passwords are salted but not hashed, it is effecrively the same as storing them in plaintext.
being able to include the password in an email means it is not stored securely.
That assumes the email is sent after being stored, which is not necessarily the case, it may be sent prior to storage. If you click the 'forgot password' link on the sign in screen, you are sent a link to reset your password, you are not re-sent the original.