Oops, looks like I was sorely mistaken. The attacks on SHA-1 are a bit better than I had indicated – Wikipedia says 2^63 ops for a collision, which is actually a bit troubling. There also seem to be a couple other interesting attacks on it.
Still, I’d feel safe enough if my passwords were stored as a salted SHA-1 hash in remote databases, as none but the most determined attackers will go though the trouble to break that.
I just wanted to comment on hashing passwords. When I first started in Web Development, when someone told me we don’t hash passwords, I would jump out of my seat and have a massive cry, but since then, I have changed my stance on the subject. People say if someone gets a dump of your db, they know your password!!. There are a few things wrong with this statement:
1: Why the hell do they have a dump of the database! If they can get access to your db, you already have a serious issue. A plain text password would be the last thing you need to worry about.
2: Why the hell do they have a dump of the database! Yes I know this was point 1, but still…
3: Now that they have said database, wouldn’t the other information be more valuable to them, not just their passwords? Depending on the site, wouldn’t someones email be more valuable (as a spammer) that someones password?
Don’t get me wrong, in some situations, hashing a password needs to happen. But by reading some of the posts above, some of you are insinuating that it is something set in stone and you shouldn’t otherwise.
Send me my password doesn’t imply send me my old password they
can just generate a new one on the fly and send it to you.
How about: If the email address you submit matches the email address in our system, you will receive an email that contains your current password. What does that imply?
I understand normal users forgetting their passwords, but shouldn’t MENSA members compitent enough to remember their passwords? This page is totally unnessassary!
I was about to add password retrieval functionality to my app. Is it normal practice to use an extra password field to store the temporary password. I don’t want to destroy their original password because then someone could keep screwing them over by resetting the password constantly.
Why do so many people mention the fact that you can spam any Mensa user if you know their email? Yes, you can. You can also use SmtpMail.Send() - it’s much more efficient.
As you probably know, encrypting the passwords means more than just implementing a hash algorithm. You can no longer simply send the existing password to the user, there must be additional functionality to create a temporary password, send the new password, allow the user to reset the password, etc. Mensa does not have any of that built currently, to my knowledge.
Yeah, without bringing the security of email into this, you’re basically saying, hey… if you can code something that brute forces the server with random combinations of email addresses (*.gmail.com, *.yahoo.com) you can find out which ones are mensa members.
Of course you know, though, Mensa is a pay membership organization so they didn’t do it themselves… they probably contracted it out to a web design company and were advised to go with ease of use over security. At least they aren’t storing the un/pwd in a text file.
Budget or no budget, properly protecting passwords is essential as this same password could be used for other services e.g. paypal, e-mail, banking, etc…
It is completely irresponsible to run a website that stores passwords insecurely and I think that anyone responsible for a security leak with plain-text passwords stored in the database should be liable for every penny of damage done.
from a standpoint of taking over somebody’s identity by simply gaining access to their email…,
this makes it that much easier to have access to their other websites they visit and be hidden, simply send the email get their password, delete traces of it and enjoy their account while they remain completely oblivious to the fact you have taken over their internet identity. Unless of course they are smart enough to forward all their inbox to a redundant Gmail to watch for stuff like that ( I wonder if there are people out there that do that? )
Then again knowing how good people are at security and passwords, most likely if you have their email password you have all of their passwords.
I’m with Dave: the system should never tell you whether the email you entered was a valid user.
Not just for privacy… if you go to the user login page, you’ll see that it accepts EITHER the username or the email address, along with the password.
It’s been a long time since I’ve seen a system that differentiated between failed login due to invalid username and username valid, but you failed because of the password. That’s a way-back no-no.
Why? Well, they either have a lockout after some # of failures, or they don’t.
If they do, you could abuse this by brute-forcing the send me my password thing until finding a bunch of valid emails, then you could lock them all out of the system by trying to log in as them too many times.
If they DON’T have a lockout, then you could brute force their passwords and log in as them and learn the secrets of the mental universe.
Then, of course, you would check to see if they used that password for their actual email account, or that email/pwd for any number of other sites.