Smart Enough Not To Build This Website

Oops, looks like I was sorely mistaken. The attacks on SHA-1 are a bit better than I had indicated – Wikipedia says 2^63 ops for a collision, which is actually a bit troubling. There also seem to be a couple other interesting attacks on it.

Still, I’d feel safe enough if my passwords were stored as a salted SHA-1 hash in remote databases, as none but the most determined attackers will go though the trouble to break that.

I just wanted to comment on hashing passwords. When I first started in Web Development, when someone told me we don’t hash passwords, I would jump out of my seat and have a massive cry, but since then, I have changed my stance on the subject. People say if someone gets a dump of your db, they know your password!!. There are a few things wrong with this statement:

1: Why the hell do they have a dump of the database! If they can get access to your db, you already have a serious issue. A plain text password would be the last thing you need to worry about.
2: Why the hell do they have a dump of the database! Yes I know this was point 1, but still…
3: Now that they have said database, wouldn’t the other information be more valuable to them, not just their passwords? Depending on the site, wouldn’t someones email be more valuable (as a spammer) that someones password?

Don’t get me wrong, in some situations, hashing a password needs to happen. But by reading some of the posts above, some of you are insinuating that it is something set in stone and you shouldn’t otherwise.

Keith

@Steve
If so, encrypting the passwords might be overkill for this appication, assuming budget limitations.

WHAT? I don’t even know where to begin with this one.

All I’m going to say is that if you’re spending a significant amount of money on your hash algorithms, you’re doing it wrong. Really, really wrong.

Send me my password doesn’t imply send me my old password they
can just generate a new one on the fly and send it to you.

How about: If the email address you submit matches the email address in our system, you will receive an email that contains your current password. What does that imply?

I understand normal users forgetting their passwords, but shouldn’t MENSA members compitent enough to remember their passwords? This page is totally unnessassary!

I was about to add password retrieval functionality to my app. Is it normal practice to use an extra password field to store the temporary password. I don’t want to destroy their original password because then someone could keep screwing them over by resetting the password constantly.

You’ve got it all wrong. MENSA folks are supposed to be really smart.

This insecure password recover system is how they punish the more mentally challenged members that managed to sneak in :stuck_out_tongue:

Why do so many people mention the fact that you can spam any Mensa user if you know their email? Yes, you can. You can also use SmtpMail.Send() - it’s much more efficient. :slight_smile:

@Eam

As you probably know, encrypting the passwords means more than just implementing a hash algorithm. You can no longer simply send the existing password to the user, there must be additional functionality to create a temporary password, send the new password, allow the user to reset the password, etc. Mensa does not have any of that built currently, to my knowledge.

By the way, your arrogance is ugly.

Yeah, without bringing the security of email into this, you’re basically saying, hey… if you can code something that brute forces the server with random combinations of email addresses (*.gmail.com, *.yahoo.com) you can find out which ones are mensa members.

Of course you know, though, Mensa is a pay membership organization so they didn’t do it themselves… they probably contracted it out to a web design company and were advised to go with ease of use over security. At least they aren’t storing the un/pwd in a text file. :slight_smile:

That reminds me of the time I tried to sign up for ACM’s Student Membership. Ugh.

Pardon the self-linking, but the story’s a bit too long to write in a comment box: http://www.skrud.net/articles/2008/03/05/acm-and-the-canadian-province-of-alabama/

@Steve

Budget or no budget, properly protecting passwords is essential as this same password could be used for other services e.g. paypal, e-mail, banking, etc…

It is completely irresponsible to run a website that stores passwords insecurely and I think that anyone responsible for a security leak with plain-text passwords stored in the database should be liable for every penny of damage done.

  1. No CAPTCHA
  2. No user set question to verify the authenticity of the user.

from a standpoint of taking over somebody’s identity by simply gaining access to their email…,

this makes it that much easier to have access to their other websites they visit and be hidden, simply send the email get their password, delete traces of it and enjoy their account while they remain completely oblivious to the fact you have taken over their internet identity. Unless of course they are smart enough to forward all their inbox to a redundant Gmail to watch for stuff like that ( I wonder if there are people out there that do that? )

Then again knowing how good people are at security and passwords, most likely if you have their email password you have all of their passwords.

@ian williams: if there is no content of any use, why password it at all then?

  1. No CAPTCHA
  2. No user set question to verify the authenticity of the user.
  3. At no match, it gives Sorry, we don’t recognize that email address.
    almost instantly.

one can easily sniff out valid email addresses by using automation(bots)
= SPAMM!!!

Um. Spambot anyone?

Mensa is full of idiots. Loathsome, arrogant, condescending, zero-people-skills idiots. Just because you’re intelligent doesn’t mean you’re smart.

I’m with Dave: the system should never tell you whether the email you entered was a valid user.

Not just for privacy… if you go to the user login page, you’ll see that it accepts EITHER the username or the email address, along with the password.

It’s been a long time since I’ve seen a system that differentiated between failed login due to invalid username and username valid, but you failed because of the password. That’s a way-back no-no.

Why? Well, they either have a lockout after some # of failures, or they don’t.

If they do, you could abuse this by brute-forcing the send me my password thing until finding a bunch of valid emails, then you could lock them all out of the system by trying to log in as them too many times.

If they DON’T have a lockout, then you could brute force their passwords and log in as them and learn the secrets of the mental universe.

Then, of course, you would check to see if they used that password for their actual email account, or that email/pwd for any number of other sites.

The first mistake I noticed was that they left the hyphen out of e-mail. Six times.

…doug