|
I just had to login to a website and my password expired (password expiry is bad practice, according to the pros).
When I tried to reset my password I got an error that my new password looked too much like the previous.
To my knowledge, they can't possibly know that unless they store it as plain text, as even a single-letter difference should generate a completely different hash.
Am I right to not trust these guys with my password?
Not that I really have a choice in the matter, but I'd at least give them a call about their (mal)practices...
<Realization>
I'm giving these guys my old password as part of the password renewing process...
Must be a Monday
</Realization>
|
Did they not ask you to enter the previous password before setting the new password?
If you're entering the old and new password at the same time, then it's trivial to check.
If you've entered the old one and been told that it has expired, they may be storing the old password that you entered in memory to compare to the new one. It wouldn't be great, but it doesn't necessarily mean they're storing your password insecurely.
Alternatively, they may store the salt and hash for one or more previous passwords, apply simple variations to your new password, and see if the modified password produces the same hash as a previous password.
Without seeing their code, you can't be certain that they're not doing the wrong thing; but you can't be certain that they are doing the wrong thing either.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
Have +5 for Monday!
For the kind of LOB apps I write, it is mandatory that the system is able to recall passwords for end users. The passwords are simply encrypted in the database. I don't believe this practice to be a security risk... besides, we aren't protecting sensitive data.
"Go forth into the source" - Neal Morse
"Hope is contagious"
|
If you can decrypt the passwords, so can the hackers. It is safer to store the hash.
If you think 'goto' is evil, try writing an Assembly program without JMP.
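As an added example (not code from the thread or from any poster), here is how the two points made above could look in Python: previous passwords are kept only as salted PBKDF2 hashes rather than as something decryptable, and the renewal check from the earlier reply hashes a small set of cheap variants of the new password (case changes, a trailing number bumped up or down, an appended digit or symbol) and compares each one against the stored history. For the case where the old and new passwords are submitted together, a plain edit-distance check is included as well. The variant list, the PBKDF2 iteration count, the helper names and the sample passwords are all assumptions of this example.

```python
"""Password-history similarity check against salted hashes (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# Work factor for the example only; OWASP currently recommends far more
# iterations for PBKDF2-HMAC-SHA256 in production.
HASH_ITERATIONS = 100_000
TRAILING_SYMBOLS = "!?.@#$%^&*_-"


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HASH_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salt+digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def variants(candidate: str) -> set[str]:
    """Cheap transformations a user might apply to 'renew' an old password.

    This is a fixed, heuristic list (assumed for the example), not a real
    similarity measure: anything outside it will not be detected.
    """
    out = {candidate}
    for f in (str.lower, str.upper, str.capitalize, str.swapcase):
        out.add(f(candidate))
    # Split "Spring2023" into stem "Spring" and trailing digits "2023".
    stem = candidate.rstrip("0123456789")
    digits = candidate[len(stem):]
    out.add(stem)  # user may have dropped the number entirely
    if digits:
        n, width = int(digits), len(digits)
        for delta in (-2, -1, 1, 2):  # e.g. Spring2023 -> Spring2022 / Spring2024
            if n + delta >= 0:
                out.add(f"{stem}{n + delta:0{width}d}")
    else:
        for d in "0123456789":  # user appended a digit to the old one
            out.add(candidate + d)
    for s in TRAILING_SYMBOLS[:3]:  # or appended a common symbol
        out.add(candidate + s)
    if candidate and candidate[-1] in TRAILING_SYMBOLS:
        out.add(candidate[:-1])  # or removed one
    return {v for v in out if v}


def too_similar_to_history(candidate: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if any cheap variant of `candidate` hashes to a stored previous password.

    Cost is len(variants) * len(history) PBKDF2 runs, so the history and the
    variant list both have to stay small for this to be usable at login time.
    """
    vs = variants(candidate)
    return any(verify(v, salt, digest) for salt, digest in history for v in vs)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (two-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar_plaintext(old: str, new: str, max_distance: int = 2) -> bool:
    """The trivial check, available only when old and new are submitted together."""
    return edit_distance(old.lower(), new.lower()) <= max_distance


if __name__ == "__main__":
    # Constructed sample history: two earlier passwords stored only as salt+hash.
    history = [hash_password("Spring2022"), hash_password("hello world")]
    print(too_similar_to_history("Spring2023", history))       # True: trailing number +1
    print(too_similar_to_history("HELLO WORLD", history))      # True: case change
    print(too_similar_to_history("correct horse battery", history))  # False
    print(too_similar_plaintext("hello world", "hello world1"))  # True
```

The hashed-history check can only ever catch the transformations listed in `variants`; a site that rejects "looks too much like the previous one" for arbitrary edits either has the old plaintext in hand (as the original poster realised, the user supplies it during renewal) or is storing something reversible, which is exactly the point of the reply above.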
|
kmoorevs wrote: I don't believe this practice to be a security risk
Well, maybe not in terms of your app, but considering people aren't always careful about using different passwords across different platforms, it might be an external security risk. I.e., if user jdoe42 has password "hello world" in your app, chances are it's "hello world" for his gmail, facebook, twitter, bank, yadda yadda yadda ...
Keep Calm and Carry On
|
I think recalling passwords for users is simply wrong.
It exposes a vector of attack, and if attacked, their passwords are then known.
I cannot think of a good reason to store someone's password. If they need a new one, let them generate it via an email link, etc.
But the number of times a site has emailed me "Thanks for signing up... Remember your password is: abc123", and I am thinking to myself... WHY? I usually go and delete the account...
Super Long passwords, and a password manager. Done.
|
Net engendered gentleman's affairs (13)
|
YAUT
|
Why affairs, Greg?
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well-preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming “Wow! What a Ride!" - Hunter S Thompson - RIP
|
An entanglement can refer to a romantic affair.
|
Ok
You're not going to sell many books at this price
Robust Communications Software
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well-preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming “Wow! What a Ride!" - Hunter S Thompson - RIP
modified 5-Apr-22 6:01am.
|
Are we on midday CCC ?
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well-preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming “Wow! What a Ride!" - Hunter S Thompson - RIP
|
The North American colony is rebelling once again. Looks like the Canadian loyalists have captured the flag.
|
I'll take that as a yes
"Life should not be a journey to the grave with the intention of arriving safely in a pretty and well-preserved body, but rather to skid in broadside in a cloud of smoke, thoroughly used up, totally worn out, and loudly proclaiming “Wow! What a Ride!" - Hunter S Thompson - RIP
|
Stars are still out and no coffee yet. Who could be in a puzzle solving frame of mind?
|
What does the stars' visibility have to do with it?
No coffee; however...
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
|
Canadia doesn't work to human schedules ...
@GregUtas
Where's the CCC?
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
|
What does CCC stand for? Codeproject Comment Committee?
|
I believe it stands for: Cryptic Crossword Clue
It's a cryptic crossword solving game played by some CP members on weekdays. I think the "official" full name of the game is: WSO CCC OTD, which stands for "Winner Stays On Cryptic Crossword Clue Of The Day".
The rules of the game can be found near the bottom of OriginalGriff's CP profile.
|
I had some help, but I got the Arduino Framework running under PlatformIO with the ESP32-S3 that's still not in mass production yet, meaning I can adopt it early and start writing code for it.
I've been waiting for this. I've had an S3 collecting dust on the shelf since last December or so. I'm thrilled to be able to unbox it finally.
To err is human. Fortune favors the monsters.
|
Wordle 289 5/6
⬜⬜⬜⬜⬜
⬜🟨⬜⬜⬜
🟩🟨⬜🟨⬜
🟩🟩🟩⬜🟩
🟩🟩🟩🟩🟩
|
Was a close call today.
Wordle 289 6/6
🟨⬜⬜⬜⬜
⬜⬜⬜🟨⬜
⬜🟨⬜⬜⬜
⬜🟨🟩⬜⬜
🟩🟩🟩⬜🟩
🟩🟩🟩🟩🟩
|
Wordle 289 5/6
⬜⬜🟩⬜⬜
⬜🟨🟩🟨⬜
⬜⬜🟩🟨🟨
🟩🟨🟩⬜⬜
🟩🟩🟩🟩🟩
|