Jump to content

Recommended Posts

I've noticed that some websites send you your own actual password with email once you clicked on recover or the known "Forgot Password?" link.

 

Other websites simply send you a newly generated password which you can use to log in and then once you're logged in you can change the password again.

 

 

I'm asking myself since you can not decrypt a password that has been inserted encrypted (with the sha1 function) into the database, how are they able to send you your actual password? I hope the passwords are not inserted un-encrypted into the database?

Because SHA1, MD5, et. al. are not encryption methods, they are hashing algorithms. If a site is sending the actual password back when you request a forgotten password, they are either actually storing it encrypted, not hashed, or they're storing it in plain text.

Because SHA1, MD5, et. al. are not encryption methods, they are hashing algorithms. If a site is sending the actual password back when you request a forgotten password, they are either actually storing it encrypted, not hashed, or they're storing it in plain text.

Oh that makes sense, thanks for clarifying. So that means instead of using the hashing method they rather use the encryption method and with that method they simply can decrypt the code before sending the actual password to the user, right? But that would also mean that the encryption method is not as secure because if they can decrypt it others can too, right?

 

And plain text is of course even more insecure.

I have yet to find a script that sends out e-mail plaintext but takes the time to implement two-way encryption in the database, so you can probably assume that they're saved plaintext. 

 

It's usually safe to say that when you find one huge security hole (sending plaintext passwords over totally insecure protocols would fall under this category), there's a lot more best practices that are being ignored.

xylex,

 

that's something I always was suspicious of every time I got my password sent into my inbox in plain text, but I thought to myself why would somebody put their own business (their own baby) so insecure out there into the wild wild web?

 

Is it because business people just don't know better and have no clue what's going on under the hood of their websites? But at the same time why do the programmers let this insecurity happen? Is it laziness or what is it? If I would program per hire for somebody I'd want my work to be as solid as possible.

 

I think it's just one more example how the business world DOESN'T work how it's taught in the books. 

Well, really you have to consider the data that's being stored. If it's just a username/password pair to a site that doesn't store other personal data, if someone gets the uname/pw combination, what do they really have? Pretty much nothing. A site that stores personal and/or financial inormation on the other hand, would need more security.

You're right about that, but that's not the actual problem though.

 

The actual problem is, that many users use the same passwords for multiple websites.

 

Imagine this scenario, you hacked yourself into the database of Twitter and you got this:

 

User:emailpassword

konopkovkonopkov@gmail.comw1ll3t

 

 

Do you notice something? Now, you don't just have the user's password for his Twitter account, you may also have it for his Gmail account.

 

Amazon asks only for a email/password combination, you may go ahead and give it a try, the chance of hitting the jackpot is not that low.

 

Not every user uses difficult passwords for important websites and less difficult passwords for less important sites like internet savvy users as us may do. So you may give it a try and go ahead to see if the user uses the email address for his PayPal account with the same password.

 

 

And with one catch you got like 5-6 flies lol. It's a chain reaction.

 

But if you hack yourself into Twitter's database and all you get is this:

 

 

User:emailpassword

konopkovkonopkov@gmail.com34n0vn58043hbn3453nb5743805bn

 

Which is a hashed password, then there's not much you can do.

 

 

It's a simple step to implement a sha1 function, and at the same time it's a surprise to me that many don't do it.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.