Comment by bobcat on 14/12/2006 at 19:16 UTC

173 upvotes, 7 direct replies (showing 7)

View submission: Reddit's Streak of Bad Luck Continues...

Let me get this straight: you keep passwords stored in cleartext, not a hash?

I would like a refund of my subscription fee, please.

Replies

Comment by duketime at 14/12/2006 at 19:38 UTC

34 upvotes, 2 direct replies

You can often tell by the "forgotten password" process.

If they email your credentials then (obviously) the password is cleartext (for the record, reddit appears to do this).

If they offer a password reset, or some link verification to enable you to set your password again, you can be confident that passwords are hashed.

Edit: Reset link: http://reddit.com/password[1], and reddit *should* hash their passwords pronto. It's not too hard to implement hashing with backwards compatibility such that upon next login the password is hashed (I've done it before, though, granted, on a smaller scale).

1: http://reddit.com/password

Additional edit: Although I tried that password link and I couldn't for the life of me get the email thing to work (none of my email addresses seemed to be registered). And then I note that you don't need an email address to register (to my chagrin, due to spammers and such). So if you've forgotten your login/pass you seem to be sunk. Which surprises me.

Comment by uedauhes at 14/12/2006 at 21:04 UTC

60 upvotes, 2 direct replies

That is completely irresponsible. Hashing passwords is a joke to implement.
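The scheme duketime describes above (keep the old store working and hash each password on the user's next successful login) and the point that hashing is simple to implement, as an added example in Python. This is not code from the thread or from reddit; it assumes an in-memory dict standing in for the user table, a constructed pair of legacy cleartext rows, and PBKDF2-HMAC-SHA256 from the standard library as the hash (a memory-hard function such as scrypt or Argon2 is the better choice where a library for it is available). Because the legacy rows are cleartext, the whole table can also be hashed at once without waiting for logins; the lazy path still matters for any rows missed and for later increases of the work factor.

```python
import hashlib
import hmac
import os

# Constructed sample user table (stands in for the database). Legacy rows hold the
# cleartext password, which is the situation the thread is about.
USERS = {
    "bobcat": {"password": "hunter2"},
    "duketime": {"password": "correct horse battery staple"},
}

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise it over time, needs_rehash() picks up the change
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing salted hash: algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(SALT_BYTES)            # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def is_hashed(stored: str) -> bool:
    """Hashed rows carry the 'algo$' prefix; legacy cleartext rows do not.
    (A real migration would track this in a separate column so that a cleartext
    password that happens to start with the prefix cannot be misread as a hash.)"""
    return stored.startswith(ALGO + "$")


def verify_hash(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$", 3)
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(stored: str) -> bool:
    """True for cleartext rows and for hashes made with a lower work factor than today's."""
    if not is_hashed(stored):
        return True
    return int(stored.split("$", 3)[1]) < ITERATIONS


def login(username: str, candidate: str) -> bool:
    """Check a login attempt; on success, upgrade a legacy or under-iterated row in place."""
    row = USERS.get(username)
    if row is None:
        hash_password(candidate)   # spend comparable time for unknown users (timing-based enumeration)
        return False
    stored = row["password"]
    if is_hashed(stored):
        ok = verify_hash(stored, candidate)
    else:
        # Legacy cleartext row: compare in constant time, never log or echo the stored value.
        ok = hmac.compare_digest(stored.encode("utf-8"), candidate.encode("utf-8"))
    if ok and needs_rehash(stored):
        row["password"] = hash_password(candidate)   # the only moment the plaintext is available
    return ok


def migrate_cleartext_rows() -> int:
    """Hash every remaining cleartext row now (possible only because the old store is cleartext).
    Returns the number of rows converted."""
    converted = 0
    for row in USERS.values():
        if not is_hashed(row["password"]):
            row["password"] = hash_password(row["password"])
            converted += 1
    return converted


if __name__ == "__main__":
    print("bobcat wrong password:", login("bobcat", "wrong"))
    print("bobcat correct password:", login("bobcat", "hunter2"), "-> row now hashed:", is_hashed(USERS["bobcat"]["password"]))
    print("bulk migrated rows:", migrate_cleartext_rows())
    print("duketime after migration:", login("duketime", "correct horse battery staple"))
```

Once every row is hashed, the "forgotten password" flow can only offer a reset (a short-lived random token mailed to the user), since the site no longer holds anything it could mail back; that is exactly the tell duketime describes.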

Comment by grzelakc at 14/12/2006 at 21:09 UTC

16 upvotes, 2 direct replies

Not only should the passwords have been hashed but emails should have been encrypted with some standard two way encryption like RSA or AES (with keys securely kept on a separate physical device, preferably a real keystore). I was trusting enough to register for reddit with my real account instead of trashmail, so I expect the volume of spam to triple in the next few days from the couple of hundred I get every day to the levels that will render my long held gmail account completely useless. Damn!

Comment by [deleted] at 14/12/2006 at 22:56 UTC

16 upvotes, 1 direct reply

[deleted]

Comment by lemmikins at 14/12/2006 at 19:49 UTC

8 upvotes, 1 direct reply

I'll redo Reddit in Django. It hashes and salts passwords by default.

I'll also make it support <

< <

< code blocks don't parse less-than correctly

Comment by elusive at 15/12/2006 at 07:43 UTC

2 upvotes, 0 direct replies

> Let me get this straight: you keep passwords stored in cleartext, not a hash?

Where did anybody say that? If the bad guys have the database they can brute-force anyone's password. Let's not get all crazy and start wildly jumping to conclusions.

[edit] fuck, nevermind. spez said they didn't hash. shame on reddit.

Comment by philh at 14/12/2006 at 22:31 UTC

-2 upvotes, 1 direct reply

From the response it sounds like this is true, but how did you infer it? It's not like hashing makes your password impregnable, just more time-consuming to crack - and dictionary attacks are most effective when you have a long list to check against.

What would be really worrying is if they hashed, and then decided that that made it okay not to inform us.