32 upvotes, 2 direct replies (showing 2)
View submission: Reddit's Streak of Bad Luck Continues...
You can often tell by the "forgotten password" process.
If they email your credentials then (obviously) the password is cleartext (for the record, reddit appears to do this).
If they offer a password reset, or some link verification to enable you to set your password again, you can be confident that passwords are hashed.
Edit: Reset link: http://reddit.com/password, and reddit *should* hash their passwords pronto. It's not too hard to implement hashing with backwards compatibility such that upon next login the password is hashed (I've done it before, though, granted, on a smaller scale).
Additional edit: Although I tried that password link and I couldn't for the life of me get the email thing to work (none of my email addresses seemed to be registered). And then I note that you don't need an email address to register (to my chagrin, due to spammers and such). So if you've forgotten your login/pass you seem to be sunk. Which surprises me.
Comment by rnicoll at 14/12/2006 at 21:22 UTC
12 upvotes, 0 direct replies
It's trivial to hash all the passwords, as they have them in cleartext already! It's only changing hash type that gets tricky.
Still, what's even better than places that e-mail your password to you when you lose it, is the ones that have you log in via HTTPS, then e-mail your password to you when you create the account.
Personally, feeling quite lucky, reddit.com purely coincidentally has a nearly throw-away password, which I use on first registration, and then change on any site with enough sense not to e-mail it back to me with my username.
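The two migration paths discussed in the comments above (hashing on next login, and bulk-hashing a store that still holds cleartext), as an added example that is not code from the thread or from reddit. The record layout, the function names and the choice of PBKDF2-HMAC-SHA256 with this iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def hash_password(password, iters=ITERATIONS):
    """Return a salted PBKDF2 record; the cleartext is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return {"iters": iters, "salt": salt, "hash": digest}

def migrate_all(store):
    """Bulk path: hash every legacy cleartext record in place."""
    migrated = 0
    for user, rec in list(store.items()):
        if "cleartext" in rec:
            store[user] = hash_password(rec["cleartext"])
            migrated += 1
    return migrated

def login(store, user, password):
    """Verify a login and upgrade the stored record when possible."""
    rec = store.get(user)
    if rec is None:
        return False
    if "cleartext" in rec:  # legacy record: constant-time compare
        ok = hmac.compare_digest(rec["cleartext"].encode(), password.encode())
    else:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), rec["salt"], rec["iters"])
        ok = hmac.compare_digest(candidate, rec["hash"])
    # Once records are hashed, the cleartext is only in hand during a
    # successful login, so that is when a legacy or weaker-parameter
    # record can be re-hashed.
    if ok and ("cleartext" in rec or rec["iters"] < ITERATIONS):
        store[user] = hash_password(password)
    return ok

if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    store = {"alice": {"cleartext": "correct horse"},
             "bob": {"cleartext": "hunter2"}}
    print("alice login:", login(store, "alice", "correct horse"))
    print("alice still cleartext:", "cleartext" in store["alice"])
    print("bulk migrated:", migrate_all(store))
```

The `rec["iters"] < ITERATIONS` branch covers the harder case of changing hash parameters after the cleartext is gone: those records can only be upgraded one user at a time, as each one logs in.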
Comment by milkk at 14/12/2006 at 19:41 UTC
-9 upvotes, 2 direct replies
Maybe they encrypt the passwords.