Forgot password

>forgot password
>click on password recovery
>enter email
>it sends me my actual password in clear text

WHAT THE FUCK!? What kind of level 99 pajeet makes a login system that actually stores passwords on their servers in plain text? This should be illegal.

Yeah, they should have sent you the password encrypted so you'd have to figure out how to decrypt it yourself.

The typical approach to password recovery is to email me a link with a unique key which allows me to enter a new password. This has been the way big websites like ebay, Amazon, Hotmail, Yahoo, etc. have been working since the beginning.

Even when I was 16 and I was coding a shitty CMS in my room that would never be used by anyone, as a mere hobby, it was common sense to me to encrypt the users' passwords because it felt completely wrong that I would be able to read people's passwords by taking a look at my database.

THIS SHOULD NOT BE A MYSTERY TO ANYONE DELVING IN WEB DEVELOPMENT.

>had to do a site with user login while interning
>boss was upset that I didn't store passwords in plaintext in the database
>forced me to store passwords in plaintext
>important files stored publicly on the site
>passwords for lots of critical things were animal names
Literally everything about that job had the sloppiest security I've ever seen. At least I got a reference out of it.

is the wire good??

In the town I used to live in, the account you can have online for auto bill pay provides your password in plaintext after you register and when you forget your password.

I emailed them and argued that their system was flawed if I could get my plaintext password back and they weren't handling their hashing properly, and that they therefore weren't PCI compliant and shouldn't be handling payment information at all, but they got back to me and mentioned that "everything was safe and encrypted".

The truth is these local governments, and likely the service you were using, are either very incompetent, very poor or most often both.

To follow up on this, if anyone knows of a way to report PCI-DSS violations I'm all ears.

Encrypt is not the right word for the procedure those sites are doing.

This

I'm working on a project for a client at the moment and all the passwords are encrypted before being saved to the database.

Have you heard of Aleksander Krustev?

This sounds like limbo. I would hate to have to work on a project that seems so flawed.

Okay. What is it? Hashing?

>Okay. What is it? Hashing?
Must you really ask? You've been doing this since you've been 16 years old.

>The truth is these local governments, and likely the service you were using, are either very incompetent, very poor or most often both.
Governments often get screwed by IT consulting companies. Baby boomers with vague demands and a virtually bottomless bank account to satisfy millennial electors whose needs they're completely disconnected from? It's a fucking cash cow. Absolutely no one involved in the process has a genuine interest in the results, so yeah...

Yes. Don't be a cunt.

>encrypting it
lrn2 pbkdf2 before all those accounts get compromised
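As an added example (not code from any site discussed in this thread) tying together the reset-link flow described earlier in the thread and the PBKDF2 advice above: passwords are stored as salted PBKDF2-HMAC-SHA256 digests, and "forgot password" emails a random single-use, expiring token instead of the password. The in-memory dicts, iteration count and 15-minute expiry are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Constructed in-memory stand-ins for database tables (assumption).
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry timestamp)

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your hardware budget

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The plaintext password is never stored anywhere."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}

def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])  # constant-time comparison

def issue_reset_token(username: str, ttl_seconds: int = 900) -> str:
    """What the site should email: a random one-time link token, not the password."""
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token so a leaked table yields no usable reset links.
    key = hashlib.sha256(token.encode()).digest()
    RESET_TOKENS[key] = (username, time.time() + ttl_seconds)
    return token

def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (single use), reject if expired, then set a fresh salted hash."""
    key = hashlib.sha256(token.encode()).digest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None:
        return False
    username, expires = entry
    if (now if now is not None else time.time()) > expires:
        return False
    register(username, new_password)  # re-hash with a new random salt
    return True
```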

you are retsrded. congrats

PCI is a standard, not a law. The 'enforcing body' will be whoever a company's eventual credit card processor and bank is. So you'll have to do some phishing to figure that out, then reach out to those companies directly.

>Yes. Don't be a cunt.
Your original message was pretty cunty, user.
Yes, it's hashing, more precisely cryptographic hashing because there can be non-cryptographic hashes.

That's nothing. I worked at a small site once that wrote all of their pages in php but instead of having a proper login system they had all employees share one credential for a single account that was hard coded at the top of each page's source code.

Even worse was the fact that while they were working on pages they often copied the old version to ".bak" or ".orig" thus preventing the browser from interpreting the file as php and displaying the source in plaintext, along with the static credentials. Apache/htaccess could have probably been configured to avoid this but that was just another problem on the pile.

>Your original message was pretty cunty, user.
Fuck off my thread pussy kthx.

>doing a crime to prove that a company is vulnerable to crime

this can literally not go wrong

The latest version of ASP.NET Identity uses PBKDF2 by default, so it looks like I'm good :-)

email them about the problem or publicly shitpost about them here
plaintextoffenders.com/

I will.

And it's my ISP. I was already considering switching to a different ISP for speed/price reasons, but I'm gonna tell them it's because of their plain text bullshit so that they get the message.

Their user space website is fucking messed up anyway. Clearly coded by completely incompetent people who can't even code something functional in PHP. Can you imagine? How much of a hack do you have to be to not be able to make a bug-free user panel in PHP. Augh.

On second thought, I'll wait until I've confirmed that the payments have stopped before I post that on plaintextoffenders. I don't want them to figure out I did this and pull an "Oh we forgot to cancel your account lol well you'll still be charged for the month soz ^____^"

>and its my isp

kek

Thank you for this.