However they should be storing hashed passwords instead of plaintext. If they are not, I dread to think what the underlying account codebase is like.
2FA is nice for extra account protection but this site doesn’t jump out to me as something that _needs_ it.
Not a fan of recovery questions personally. Recovery questions are just an extra step to password recovery. The thing is, they are generally either answers that are publicly a available if you know who the account belongs to or they are filled with red-hearings which often just gets forgotten by your “average jo/e” because they are rarely used.
However I wouldn’t say this website is very friend to data security. It’s well know that your average joe will reuse passwords. It only takes one DB dump to now have email/passwords which can be spammed into other more sensitive sites.
Here’s a radical idea: don’t use passwords for logging in. Since the concept of privacy has been compromised everywhere, let’s just evolve to the next phase of existence where it isn’t needed
Suggestions on what that next phase should be? WebAuthn and U2F are great for us geeks, but can be a growing pain for the non-techies and they still need recovery methods incase you lose/damage your key.
Built in password managers have helped but a lot of my non-techie friends think I'm weird for using a password manager. They still don't understand the fundamental risk that comes with password re-use, they believe that the sites they use the password on just won't be breached so there is no problem. The problem with built-in password managers is they can be used as another form of lock in. Try using icloud passwords on firefox for an example (granted they did release a chrome extenstion so windows users are not completely SOL).
The issue (imo) is not only do we have to create a way to auth that us geeks can easily do, but also create a create a way that still allows your ave joe on the street to securely auth and not have a massive headache when they lose their device.
Lets say we wire WebAuthn into all devices and browsers and every website starts using it, the keys are stored online so you can pick up a new device and import your keys and get on with life. How do you secure that inital key import? Chances are we are still going to need a password / passphase of some kinnd to secure that inital root of all knowledge.
If you read the question it isn't clear that they actually store passwords in plaintext, they might of sent it along with the welcome email prior to hashing it.
The person said they did a "forgotten password" route and got part of their password as a hint. Even if they are hashing the full password, they still have part of the password stored somewhere for that to happen.
> I immediately tried to change my password while logged in, but found that I could not even change the password I initially created. I logged out, and chose the "Forgot Password" option, hoping my password would reset and allow me to set a different one. Instead, the "Forgot Password" option only showed me a password hint (i.e. the last 4 characters of my actual password). The site said that if I needed any other password help to please send them an email.
Someone had the fun idea of googling the owner info, tapping the info into the site[0] and well breaking the Computer Misuse Act to show them how much of a bad idea it is.
8 comments
[ 4.8 ms ] story [ 32.7 ms ] threadHowever they should be storing hashed passwords instead of plaintext. If they are not, I dread to think what the underlying account codebase is like.
2FA is nice for extra account protection but this site doesn’t jump out to me as something that _needs_ it.
Not a fan of recovery questions personally. Recovery questions are just an extra step to password recovery. The thing is, they are generally either answers that are publicly a available if you know who the account belongs to or they are filled with red-hearings which often just gets forgotten by your “average jo/e” because they are rarely used.
However I wouldn’t say this website is very friend to data security. It’s well know that your average joe will reuse passwords. It only takes one DB dump to now have email/passwords which can be spammed into other more sensitive sites.
Built in password managers have helped but a lot of my non-techie friends think I'm weird for using a password manager. They still don't understand the fundamental risk that comes with password re-use, they believe that the sites they use the password on just won't be breached so there is no problem. The problem with built-in password managers is they can be used as another form of lock in. Try using icloud passwords on firefox for an example (granted they did release a chrome extenstion so windows users are not completely SOL).
The issue (imo) is not only do we have to create a way to auth that us geeks can easily do, but also create a create a way that still allows your ave joe on the street to securely auth and not have a massive headache when they lose their device.
Lets say we wire WebAuthn into all devices and browsers and every website starts using it, the keys are stored online so you can pick up a new device and import your keys and get on with life. How do you secure that inital key import? Chances are we are still going to need a password / passphase of some kinnd to secure that inital root of all knowledge.
> I immediately tried to change my password while logged in, but found that I could not even change the password I initially created. I logged out, and chose the "Forgot Password" option, hoping my password would reset and allow me to set a different one. Instead, the "Forgot Password" option only showed me a password hint (i.e. the last 4 characters of my actual password). The site said that if I needed any other password help to please send them an email.
Someone had the fun idea of googling the owner info, tapping the info into the site[0] and well breaking the Computer Misuse Act to show them how much of a bad idea it is.
[0] https://i.imgur.com/WzKLH8C.png