created by spez on 14/12/2006 at 19:05 UTC
558 upvotes, 42 top-level comments (showing 25)
Comment by bobcat at 14/12/2006 at 19:16 UTC
173 upvotes, 7 direct replies
Let me get this straight: you keep passwords stored in cleartext, not a hash?
I would like a refund of my subscription fee, please.
Comment by [deleted] at 14/12/2006 at 20:49 UTC
35 upvotes, 0 direct replies
So you guys got drunk and did *what* last night?
Comment by jimmyr at 14/12/2006 at 19:55 UTC
33 upvotes, 2 direct replies
It was probably kevin rose
Comment by [deleted] at 14/12/2006 at 22:47 UTC
24 upvotes, 1 direct replies
[deleted]
Comment by altheahouse at 14/12/2006 at 20:48 UTC
22 upvotes, 1 direct replies
Thank you for being upfront about the status of the passwords.
Comment by mlgoss at 14/12/2006 at 19:47 UTC
20 upvotes, 1 direct replies
Little reddit alien is slacking off again, isn't he?? He could have blasted the thieves with his secret laser eyes!
Comment by milkk at 14/12/2006 at 19:35 UTC
49 upvotes, 0 direct replies
Enough with the bad news already, you karma-whore.
Comment by psykotic at 15/12/2006 at 01:04 UTC
11 upvotes, 0 direct replies
I appreciate the warning. I'm pretty pissed, though: Storing passwords in the clear gives new meaning to "irresponsible".
You emphasize that you respect our privacy. Well, respecting privacy goes beyond keeping personal information out of the hands of third parties. It also means spending effort on planning for contingencies; database theft is among the most obvious contingencies, and password hashing is among the most obvious countermeasures.
You fucked up. Blaming it on bad luck just makes you look worse.
Comment by praetorian42 at 14/12/2006 at 20:58 UTC
30 upvotes, 2 direct replies
I thought hashing passwords was a standard security practice?
I'm really disappointed in you guys. God knows how many passwords I have to change now. (Probably my own fault for duplicating the same username/password combination so many times... But habits are hard to break.)
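The countermeasure that psykotic and praetorian42 are both pointing at, salted slow hashing instead of cleartext storage, as an added example that is not part of the original thread and not reddit's own code. The user table and the attacker's wordlist are constructed for the example; the PBKDF2 iteration count is an illustrative value, not a recommendation. It also shows the limit of the countermeasure: an attacker holding the stolen table can still guess offline, one full KDF run per guess per user, so weak passwords on the wordlist are recovered while the rest are not.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample table: what a cleartext password column looks like
# on stolen media. Users and passwords are made up for this example.
CLEARTEXT_DB: Dict[str, str] = {
    "bobcat": "hunter2",
    "psykotic": "correct horse battery staple",
}

# Illustrative KDF parameters (assumed, not a recommendation): production
# code should use the current OWASP PBKDF2 count or a memory-hard KDF.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different records and a precomputed table covers nobody.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported hash format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def migrate_to_hashed(cleartext_db: Dict[str, str]) -> Dict[str, str]:
    """One-off migration: replace every cleartext value with its KDF record."""
    return {user: hash_password(pw) for user, pw in cleartext_db.items()}


def offline_guess(hashed_db: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """What an attacker holding the stolen hashed table can still do.

    Each guess costs one full KDF run, and the per-user salt means the work
    cannot be shared across users. Returns {user: recovered_password} for
    every account whose password is on the wordlist.
    """
    cracked: Dict[str, str] = {}
    for user, stored in hashed_db.items():
        for guess in wordlist:
            if verify_password(guess, stored):
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    hashed = migrate_to_hashed(CLEARTEXT_DB)
    for user, record in hashed.items():
        print(user, record[:40] + "...")
    # Constructed wordlist: the attacker's first few guesses.
    print("recovered:", offline_guess(hashed, ["password", "hunter2", "letmein"]))
```

With the cleartext table the thief reads every password off the disk; with the hashed table only the account whose password is on the wordlist falls, and each guess costs a full KDF run. Hashing is the floor, not the ceiling: it turns "stolen media" from "every password" into "the weak ones, slowly".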
Comment by jetsetter at 14/12/2006 at 19:50 UTC
9 upvotes, 1 direct replies
Uh. That sucks. How was it stolen? Why are you not sure whether or not passwords / emails were on the media or not?
Comment by [deleted] at 15/12/2006 at 03:10 UTC
7 upvotes, 0 direct replies
Leaving the passwords unencrypted was definitely a lapse in judgement. That the password database was stored on media that could be easily stolen is unfortunate and shows that the reddit admins need to do a better job keeping sensitive information protected. The site going down because of a predictable DNS mis-configuration means that good change management planning isn't being practiced.
I don't see how any of this is bad luck. It's bad systems management. Get it together, guys!
Comment by braclayrab at 14/12/2006 at 20:47 UTC
25 upvotes, 0 direct replies
Oh no!!! Someone has my hotmail address!!! *slits wrists*
Comment by [deleted] at 14/12/2006 at 20:28 UTC
16 upvotes, 0 direct replies
This title should have been something like "YOUR REDDIT PASSWORD MAY HAVE BEEN STOLEN" -- letting this story sit for an hour or so w/out reading it may mean the difference for some people between avoiding identity theft or not.
Thanks for the honesty, though.
Comment by robin22 at 14/12/2006 at 23:13 UTC
6 upvotes, 0 direct replies
I should be angry about that, but I'm too damn glad reddit is finally back!
It's like that kid who comes back after going missing for some time, and confesses he's crashed the car, but his parents are so happy he's back they won't even punish him.
Comment by [deleted] at 14/12/2006 at 21:36 UTC
15 upvotes, 2 direct replies
[removed]
Comment by 7wheels at 15/12/2006 at 01:46 UTC
4 upvotes, 0 direct replies
What about users of Infogami? I thought some(?) users are not on a separate database.
I'm going to change mine nonetheless.
Comment by lazyout at 14/12/2006 at 21:25 UTC
7 upvotes, 0 direct replies
Reddit team, thanks for heads up. Data theft happens, and I'm grateful that you're open about it and quick to inform us.
Comment by degustibus at 15/12/2006 at 00:26 UTC
10 upvotes, 0 direct replies
Incompetence is not really bad luck.
Comment by anupamkapoor at 15/12/2006 at 07:29 UTC
3 upvotes, 0 direct replies
do you *really* believe that *luck* has anything to do with this ? hm.
Comment by [deleted] at 14/12/2006 at 20:41 UTC
13 upvotes, 1 direct replies
[deleted]
Comment by n8dog at 15/12/2006 at 18:56 UTC
5 upvotes, 0 direct replies
It's not incompetence but a common design decision of 95% of the "fun" sites everyone here uses every day. Go look at YouTube and MySpace, no SSL and they both send back the original passwords in email. 37Signals sends back forgotten passwords in email. Everyone here then should spread this outrage around with all those sites too.
If the site isn't using SSL for logins, then it doesn't really matter if these passwords are cleartext in the database. And if you move to SSL logins, then that makes logging in one extra click for everyone. (since the login form can't be embedded right on the page anymore, or your form is prone to a 'man in the middle' attack)
I expect my Mom maybe to use the same password here and at her bank, but the people here!? Why would you trust any site with the same password that you might use somewhere that's important?
I like these Reddit guys a lot, but Aaron is one shady looking mofo. :) I just assume that he'd try to use my password at every bank site he could find to funnel money into his porno slush fund.
Comment by jotaroh at 15/12/2006 at 00:25 UTC
4 upvotes, 0 direct replies
wow that was disgraceful
Comment by [deleted] at 15/12/2006 at 10:39 UTC
2 upvotes, 0 direct replies
s/Bad Luck/Incompetence/
Comment by balinx at 14/12/2006 at 22:39 UTC
3 upvotes, 0 direct replies
A few more details about what happened, and what will change and why this is not going to happen again, would be in order.
Comment by toxic at 14/12/2006 at 23:00 UTC
5 upvotes, 0 direct replies
Cleartext password storage passed Wired's due diligence process? Things sure have changed since the hotwired days.
For as awesome as reddit and other young companies are, this is one of the big reasons why startups need at least one grey ponytailed engineer overseeing things -- they've already learned from the mistakes that you haven't made yet.