31 comments

[ 4.4 ms ] story [ 88.8 ms ] thread
I realize this site is referring to password storage but it is itself a plaintext offender in that it doesn't support https.
All of the areas where you can actually submit data or login (comments, submit a site) are in https iframes. I'd agree that there are benefits for read-only sites using https, but it's not quite as serious.
it's mostly pointless to have an https iframe on an http site, as you won't know if the page is intercepted and the iframe is replaced
That's a good point. I only really deal with https-enabled sites any more - hadn't even thought of that.
Why does everything need to be https? Are you worried someone might find out what kinda lols your into?
https://https.cio.gov/everything/

Privacy is beneficial in itself, but also: > protecting less sensitive sites strengthens the protections of more sensitive sites

Any site that can be MITMed is a site that can be used to gather personal information and escalate from there. Especially seeing as most people reuse passwords like crazy.

Yes, everything does need to be HTTPS. If not for user privacy then for response integrity - to be sure the response hasn't been MITMed.

You might think most sites are innocuous, but it depends on where you live. I could see this site getting classified as "hacking/encryption-related" by something like sonicwall's firewall (HN too). What if your government tasks your ISP to round up all those trying to bypass state firewalls? Heck I live in a western country where our government is misguidedly angling to ban encryption. For the minimal effort involved, I believe all sites should be https.

The same reason the pharmacy puts your order into a brown paper bag even though you only bought some cough drops: That it provides cover for the next customer, who's buying hemorrhoid cream or whatever. If you only encrypt the sensitive stuff then encryption flags your stuff as sensitive.
I spent night and day wasting my time away trying to make sure my apps are secure enough. I am never satisfied and it wears me down.

"I need to change my random token generator to use the one that comes with openssl, but then I'll have to rework a huge part of my application. Eff it, I'm doing it. "

Mean while Duolingo just saves the password in the database and gets on with it.

Something new to add to your checklist: “I need extra logic that prevents people from accidentally entering their passwords into every other profile field, otherwise it’ll show up in emails and I’ll get accused of saving plaintext passwords in a widely distributed blog post.”
Question: Is it possible she simply typed her password into the wrong field when registering for the account? It seems like all of the fields would be an appropriate place for the name of, for example, an organization.
Yes, it is possible, the complete silence from Duolingo is as much a frustration as anything.
If you think this is bad... here are the emails I got from Robinhood after I had to contact them for my statements (since the app wasn't loading them):

> Robinhood: For security purposes, we'll need you to verify the following: Your username, the last 4 digits of your SSN, and your DOB.

> Me: (reluctantly sent them the info, because what else could I do)

> Robinhood: Attached is your requested document. For security purposes, we've encrypted it and set the password to the last 7 digits of your SSN.

(In case you don't know, SSNs are only 9 digits, and the first 3 digits are known based on the location of either where you were born, or where you got the number -- I forget which. I recall the following 2 are also predictable, though I forget exactly how. In other words: they are not hard to guess. And don't forget the whole thing is 9 digits. Meaning it'd take less than a minute [if even a second] for anyone with a copy of my statement to crack it AND extract my SSN from it.)

> Me: (Sends them an email lecture telling them exactly why everything so far has been extremely alarming.)

> Robinhood: Robinhood Financial is a member of the Financial Industry Regulatory Authority (FINRA) and the Securities Investor Protection Corporation (SIPC). We take the security of our members' private information very seriously. Robinhood uses bank-level security measures to protect your personal information. Your password, social security number, and other sensitive data are encrypted. Our mobile and web applications communicate securely using SSL and 256-bit encryption.

(emphasis mine)

Oh, and to top it off, it turned out they had forgotten to actually encrypt the document with my SSN like they had claimed to. In other words they aren't even following their own security policies. Which I'm not sure whether to classify as a good thing or a bad thing given what their policies were.

And dont forget, robinhood is a b$ company now...
I'm inclined to trust in the intentions and competence of the people at Duolingo because I've worked with them before, so with that disclaimer:

Is it possible that this person accidentally mixed up the username and password fields when editing their own account? Or, some type of browser auto-fill mixup put the password in the username field when editing the account?

It feels like in both places that's the location of the username. Forget having passwords in plain text, for what reason would passwords be prominently displayed?
This does seem to be very likely, I've spent too much time to count trying to investigate bugs that should not exist only to discover that the issue is of PEBKAC nature.
I don't mean to imply that it's necessarily the fault of the individual. Even it the password did get entered into the username field (for example), it could be that an autofill bug, or just bad UI was the cause.

If this was the case, though, it means that there's there may not be reason to assume that passwords are not stored safely.

Hi there, I'm an engineer on the Schools team at Duolingo and I remember looking into this a while back.

A couple of important things to note here:

1. We do store all passwords hashed. We do not store plaintext passwords

2. That spot in the subject line for the update is for the name of a classroom in the Schools product. When we investigated we realized this was just a case of user-error where they must have typed their password in as a classroom name when they created a class.

3. I'm not positive if we ever responded to the report... I'm trying to find the thread. If we didn't respond, that's my fault and I'm very sorry. Not a great user experience to think your password is stored in plaintext!

I'm trying to find the email thread where I first encountered this so that I can understand more thoroughly what's going on.

UPDATE: The discussion we had internally was a slack conversation, not an email. I verified that one of the user's classroom names appears to be something someone would use for a password. Once we determined there wasn't a security issue, I didn't ask for the reporter's contact info or anything like that. I'm really sorry to Arron and his wife for the poor service & bad customer experience.

From the author's article:

"It is completely possible that my wife entered her password as the organization name when signing up. In which case—that's not Duolingo's fault. Thanks Hacker News for staying sharp."

To the author - please delete, or refactor your slanderous article if your claims are unfounded then.

EDIT: Author updated= https://news.ycombinator.com/item?id=15679191

Good to hear, and we know stuff happens and falls through the cracks.

Upon discussing it with my wife, user error did come up—should have had that discussion again before writing the post (adding an update, now).

wipes egg off face

Yes - thoroughly researching the issue is extremely important before accusations, even a 'refactored' one like yours has a lasting impact on organisations.

If you go to the Duolingo Schools website or account profile, you will notice the classroom name at the top, clearly listed - this should have quelled any plaintext suspicions.

https://schools.duolingo.com

FWIW This is yet _another_ reason, albeit probably not even in the top 100, for why we need to get rid of passwords.

It's essentially inconceivable that somehow your 512-bit TLS session key, or an RSA signature, or even the seed of your one time password system would get pasted into some random field in error. But a password you're constantly typing into boxes all day to make anything work is obviously sooner or later going to get typed in somewhere it shouldn't.

How many people reading this have typed their screen unlock password in, only to realise that it wasn't locked after all? Where did that end up - in a Slack chat? A Google search? Email to your best friend? Did you the rest of the day changing all your passwords? Or did you just shrug it off and get on with your life.

Anyway, that's my thought on the matter, hunter2

Thanks, glad to hear that.
(comment deleted)
Citicem journalism at its best: making false accusations and finding a way to still blame it on the victim.