Some miscreant could send any known Mensa member (if they know their e-mail) a constant stream of e-mails.
As a developer who works for a company that sends out plain text logins and passwords in both emails and mailings, I'd like to defend the intelligence of at least some portion of the developers who are doing this…
It's not our choice. Really.
Sometimes, in spite of our best arguments and all evidence to the contrary, we are forced to do really dumb things by the powers that be. Usually this is done in a misguided attempt to provide more customer friendly solutions to a problem. And we hate every minute of it.
Sometimes we even go to extraordinary lengths to do the smart thing while making it appear that we are doing the dumb thing mandated by the powers. If they notice that we aren't doing what they ask, we argue that it is a limitation of the technology. Or we log it as a bug in a long list of low priority bugs that will never see the light of day. Or we make the smart thing smarter so it can appear dumber.
And sometimes we are forced to do the dumb thing anyway. Then we can only make a note of our protests, reiterate them every chance we get, make snarky remarks in code comments, and - when it comes around and bites them in the posterior - gently remind the powers: We told you so.
So, please, take a moment and reserve judgment on the myriad of dumb programmers in the trenches - at least until you see their snarky comments in the code.
Aside from the obvious privacy and security problems that everyone's already mentioned…
- ColdFusion.
- <!-- Source Code Copyright 2001 Active Matter, Inc. www.activematter.com -->
- Above domain is dead.
- Occasionally, it's 2003
- Name-based browser checks.
- 200 lines of hardcoded switch-case lists for simple image swap code.
- Spacer GIFs.
- Can't make up their mind whether they want www. prefixes in their subdomains or not.
- <!-- saved from url=(0022)http://internet.e-mail -->
@Ilia Jerebtsov
I think you are making your point more than clear enough.
Does this site have a virus? I can see telling people not to register with a site, but usually you tell others not to visit a site because it runs some type of exploit.
…and the function _CF_checkCFForm_1() always returns true.
…and the function:
function exeMailTo(thisUser, thisServer, thisExt)
{
    var sLink = "ma" + "il" + "to" + ":" + thisUser + "@" + thisServer + "." + thisExt;
    // Check for a 4th, optional argument for default email subject
    if (arguments.length > 3)
    {
        sLink += "?subject=" + arguments[3];
    }
    window.location = sLink;
}
just to hide the email address from spammers.
For Mensa, it should suffice to have "Forgot password? Click here", without an input field. Anyone who cannot memorize the automatically generated GUID-like password clearly has no business signing in there anyway.
@Ilia Jerebtsov
Yes. Every single web developer with an IQ > 0 should know that they can swap images in CSS.
If you are using JavaScript for that, you are out of business (and certainly out of your mind).
…and don't throw tables at me.
It doesn't matter that they store the passwords in plaintext… every member has the same password: imagenius_notu
-m
Maybe they just send the hash - you're in MENSA, figure it out from that.
Are they supposed to forget passwords?
There is one good cause for storing plain-text passwords, and that is that it allows for more secure authentication methods.
If the attacker can listen on the wire but can't get access to the password storage, storing hashed passwords will allow the attacker to read the passwords on the wire, because storing hashed (and optionally salted) passwords means you also have to send a plaintext password, or a hash of it. Both are open to replay attacks.
Now, if you store the plaintext password you can use replay-safe authentication methods by having server and client agree on a one-time salt for sending a hashed password over the wire.
Most protocols (including e-mail submission and retrieval, and HTTP) support both paradigms of authentication in one or more ways.
But as long as you're on an unencrypted connection, you can't have it both ways.
If you want both, use some public key crypto for the connection itself, establishing the crypto before authenticating the client. That way you can store a hashed and salted password and still be secure on the wire.
So if eavesdropping is a risk and SSL/TLS isn't an option, storing plaintext passwords might not be that bad an option.
"Send me my password" doesn't imply "send me my old password"; they can just generate a new one on the fly and send it to you.
I don't see anything wrong with it. What I found most curious about this post is the "maybe I'm not smart enough to be in Mensa but…" Looks like jealousy or something…
Intelligence and knowledge are two different things. The most intelligent people on the planet may not have that particular knowledge about building web sites, so they hired someone who did the site the way it looks. Saying that Mensa people are dumb because you geeks found some mistakes in their site is weird and you people make fools of yourselves.
Mensa site:
I am a member of British Mensa.
I wouldn't worry in the slightest if someone got hold of my password.
There's damn all of any use to anyone on their website.
If American Mensa is like UK Mensa, there won't be any need to hide your password there either!
Err… They blather on and on. Why not just have a "forgot my password" button? Oh, all the other stuff too.