Bitcoin Forum

Other => Off-topic => Topic started by: 🏰 TradeFortress 🏰 on June 07, 2013, 04:21:47 PM



Title: Yay for not hashing your passwords and sending them via email!
Post by: 🏰 TradeFortress 🏰 on June 07, 2013, 04:21:47 PM
https://i.imgur.com/3MH6cMV.png


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: greyhawk on June 07, 2013, 04:24:18 PM
In the same mail, even.  :D


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: lch on June 07, 2013, 04:43:13 PM
lol  ;D


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: niko on June 07, 2013, 06:54:31 PM
What's the big deal? It's not like they've got something to hide.


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: Foxpup on June 08, 2013, 03:18:29 AM
I already knew that Australian government agencies don't hash passwords. I discovered that a few years ago when I changed my password to one of my old passwords but with part of it capitalised differently, and got an error message that the new password was the same as one that I had used previously, even though passwords are case sensitive. There's only one possible way the system could know that, and that's if they stored every password I've ever used in plain text. :o I tried complaining, but nobody knew what I was talking about and wouldn't even listen when I tried to explain it. I see nothing's changed.


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: MysteryMiner on June 08, 2013, 03:31:02 AM
The same with SEB bank's Latvian branch. It is unlikely that the passwords will be leaked by a dumped database but saving unhashed passwords - retarded decision by those who made the system. This is a result of hiring old farts with 1990s security school versus new and smart boys who are hackers and know how to properly make a secure system.

Post this info to AnonOps. Might be useful next time Aussies are hit by Anons for revoking Julian Assange's passport.


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: enquirer on June 08, 2013, 03:35:25 AM
maybe they used sha2(pass.tolower())


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: Foxpup on June 08, 2013, 04:10:29 AM
Quote from: enquirer
> maybe they used sha2(pass.tolower())
They don't. Passwords are case sensitive when determining whether your login password is correct, but not case sensitive when determining whether a new password is the same as one of your old passwords. I'm pretty sure they're not storing two different hashes of each password solely to produce inconsistent case sensitivity, because there's just no real reason to do that and it runs the risk of people like me noticing the inconsistency and complaining about it unnecessarily. No, it's far more likely that they're storing passwords in plain text, and the inconsistent behaviour is the result of the two password comparison functions being written by two different people, neither of whom thought it was strange that they were comparing actual passwords instead of hashes, or if they did, their boss angrily reminded them that "they don't get paid to think". ::)
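
The inference in the post above, as an added example that is not part of the original thread: it runs the same experiment (a wrong-case login, then reuse of an old password with different capitalisation) against three hypothetical stores. The class names, the constructed sample passwords and the PBKDF2 parameters are assumptions made for illustration; only the plaintext store reproduces the reported combination of a case-sensitive login with a case-insensitive history check.

```python
import hashlib
import hmac
import os

class HashedStore:
    """Keeps one salted hash per password ever set, newest last."""
    def __init__(self, fold_case=False):
        self.fold_case = fold_case  # True models sha2(pass.tolower())
        self.history = []

    def _kdf(self, pw, salt):
        pw = pw.lower() if self.fold_case else pw
        # PBKDF2-HMAC-SHA256; the low iteration count only keeps the demo fast.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)

    def _matches(self, pw):
        return [hmac.compare_digest(self._kdf(pw, s), d) for s, d in self.history]

    def set_password(self, pw):
        if any(self._matches(pw)):
            return False  # rejected as a reused password
        salt = os.urandom(16)
        self.history.append((salt, self._kdf(pw, salt)))
        return True

    def login(self, pw):
        return any(self._matches(pw)[-1:])  # compare with the newest entry only

class PlaintextStore:
    """Keeps the passwords themselves; the two checks compare differently."""
    def __init__(self):
        self.history = []

    def set_password(self, pw):
        if any(pw.lower() == old.lower() for old in self.history):
            return False  # history check ignores case
        self.history.append(pw)
        return True

    def login(self, pw):
        return bool(self.history) and pw == self.history[-1]  # exact match

def observe(store):
    """Return (wrong-case login accepted, case-variant reuse rejected)."""
    store.set_password("Correct-Horse-1")  # constructed sample passwords
    store.set_password("Other-Pass-2")
    wrong_case_login = store.login("other-pass-2")
    variant_rejected = not store.set_password("correct-horse-1")
    return wrong_case_login, variant_rejected
```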


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: 🏰 TradeFortress 🏰 on June 09, 2013, 04:45:53 PM
Quote from: Foxpup
> I already knew that Australian government agencies don't hash passwords. I discovered that a few years ago when I changed my password to one of my old passwords but with part of it capitalised differently, and got an error message that the new password was the same as one that I had used previously, even though passwords are case sensitive. There's only one possible way the system could know that, and that's if they stored every password I've ever used in plain text. :o I tried complaining, but nobody knew what I was talking about and wouldn't even listen when I tried to explain it. I see nothing's changed.
LOL wow.


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: Phinnaeus Gage on June 09, 2013, 04:51:10 PM
I guess it's okay to do such, for a couple weeks ago I opened up an anonymous account at Amazon and received a similar email showing the name I had chosen and the password, instructing me to keep the login info confidential.


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: Gabi on June 09, 2013, 04:55:46 PM
No, it is NOT ok to do that!


There is a website dedicated to that problem http://plaintextoffenders.com/about/


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: mprep on June 09, 2013, 04:58:50 PM
Quote from: Gabi
> No, it is NOT ok to do that!
>
> There is a website dedicated to that problem http://plaintextoffenders.com/about/

I always thought whether this is a problem. Never thought there was someone running such a campaign.


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: Este Nuno on June 09, 2013, 05:02:47 PM
It's only the DoD. It's not like they care about keeping secrets or anything. /s


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: Raoul Duke on June 09, 2013, 05:06:52 PM
Quote from: Phinnaeus Gage
> I guess it's okay to do such, for a couple weeks ago I opened up an anonymous account at Amazon and received a similar email showing the name I had chosen and the password, instructing me to keep the login info confidential.

Just because they send you your password in plaintext doesn't mean it's stored in plaintext.
WordPress does that. It sends the user a generated password when they register and it is mailed in plaintext, but stored hashed in the database.


Title: Re: Yay for not hashing your passwords and sending them via email!
Post by: jackjack on June 09, 2013, 05:09:06 PM
The worst part is that it's far from being just Au DoD...