🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
 Offline
Activity: 1316
Merit: 1043
👻
|
 |
June 07, 2013, 04:21:47 PM |
|
|
|
|
|
|
|
greyhawk
|
|
June 07, 2013, 04:24:18 PM |
|
In the same mail, even.  |
|
|
|
|
lch
Newbie
Offline
Activity: 28
Merit: 0
|
|
June 07, 2013, 04:43:13 PM |
|
lol  |
|
|
|
|
|
niko
|
|
June 07, 2013, 06:54:31 PM |
|
What's the big deal? It's not like they've got something to hide.
|
They're there, in their room.
Your mining rig is on fire, yet you're very calm.
|
|
|
Foxpup
Legendary
Offline
Activity: 4396
Merit: 3062
Vile Vixen and Miss Bitcointalk 2021-2023
|
|
June 08, 2013, 03:18:29 AM |
|
I already knew that Australian government agencies don't hash passwords. I discovered that a few years ago when I changed my password to one of my old passwords but with part of it capitalised differently, and got an error message that the new password was the same as one that I was used previously, even though passwords are case senstive. There's only possible way the system could know that, and that's if they stored every password I've ever used in plain text.  I tried complaining, but nobody knew what I was talking about and wouldn't even listen when I tried to explain it. I see nothing's changed. |
Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions! |
|
|
MysteryMiner
Legendary
Offline
Activity: 1498
Merit: 1042
Death to enemies!
|
|
June 08, 2013, 03:31:02 AM |
|
The same with SEB bank latvian branch. It is unlikely that the passwords will be leaked by dumped database but saving unhashed passwords - retarded decision by those who made the system. This is a result of hiring oldfarts with 1990-ties security school versus new and smart boys who are hackers and know how to properly make secure system.
Post this info to AnonOps. Might be useful next time ausies are hit by Anons for revoking Julian Assange's passport.
|
bc1q59y5jp2rrwgxuekc8kjk6s8k2es73uawprre4j
|
|
|
|
enquirer
|
|
June 08, 2013, 03:35:25 AM |
|
maybe they used sha2(pass.tolower())
|
|
|
|
|
Foxpup
Legendary
Offline
Activity: 4396
Merit: 3062
Vile Vixen and Miss Bitcointalk 2021-2023
|
|
June 08, 2013, 04:10:29 AM |
|
maybe they used sha2(pass.tolower())
They don't. Passwords are case sensitive when determining whether your login password is correct, but not case sensitive when determining whether a new password is the same as one of your old passwords. I'm pretty sure they're not storing two different hashes of each password solely to produce inconsistent case sensitivity, because there's just no real reason to do that and it runs the risk of people like me noticing the inconsistency and complaining about it unnecessarily. No, it's far more likely that they're storing passwords in plain text, and the inconsistent behaviour is the result of the two password comparison functions being written by two different people, neither of whom thought it was strange that they were comparing actual passwords instead of hashes, or if they did, their boss angrily reminded them that "they don't get paid to think".  |
Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions! |
|
|
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
|
|
June 09, 2013, 04:45:53 PM |
|
I already knew that Australian government agencies don't hash passwords. I discovered that a few years ago when I changed my password to one of my old passwords but with part of it capitalised differently, and got an error message that the new password was the same as one that I was used previously, even though passwords are case senstive. There's only possible way the system could know that, and that's if they stored every password I've ever used in plain text. I tried complaining, but nobody knew what I was talking about and wouldn't even listen when I tried to explain it. I see nothing's changed. LOL wow. |
|
|
|
|
Phinnaeus Gage
Legendary
Offline
Activity: 1918
Merit: 1570
Bitcoin: An Idea Worth Spending
|
|
June 09, 2013, 04:51:10 PM |
|
I guess it's okay to do such, for a couple weeks ago I opened up an anonymous account at Amazon and received a similar email showing the name I chosen and the password, instructing me to keep the login info confidential.
|
|
|
|
|
Gabi
Legendary
Offline
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
|
|
June 09, 2013, 04:55:46 PM |
|
No, it is NOT ok to do that! There is a website dedicated to that problem http://plaintextoffenders.com/about/ |
|
|
|
mprep
Global Moderator
Legendary
Offline
Activity: 3766
Merit: 2610
In a world of peaches, don't ask for apple sauce
|
|
June 09, 2013, 04:58:50 PM |
|
I always though whether this is a problem. Never thought there was someone running such campaign. |
|
|
|
Este Nuno
Legendary
Offline
Activity: 826
Merit: 1000
amarha
|
|
June 09, 2013, 05:02:47 PM |
|
It's only the DoD. It's not like they care about keeping secrets or anything. /s
|
|
|
|
|
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
|
|
June 09, 2013, 05:06:52 PM |
|
I guess it's okay to do such, for a couple weeks ago I opened up an anonymous account at Amazon and received a similar email showing the name I chosen and the password, instructing me to keep the login info confidential.
Just because they send you your password in plaintext doesn't mean it's stored in plaintext. Wordpress does that. It sends the user a generated password when they register and it is mailed in plaintext, but stored hashed in the database. |
|
|
|
|
jackjack
Legendary
Offline
Activity: 1176
Merit: 1255
May Bitcoin be touched by his Noodly Appendage
|
|
June 09, 2013, 05:09:06 PM |
|
The worst part is that it's far from being just Au DoD...
|
Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2 Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc. |
|
|
|
