30 upvotes, 7 direct replies (showing 7)
View submission: Reddit's Streak of Bad Luck Continues...
It is [easy to implement], and I'll go ahead and do it now that everyone has decided to weigh in.
Personally, I prefer the convenience of being having my passwords emailed to me when I forget, which happens from time to time since I use difference passwords everywhere.
Not hashing was a design decision we made in the beginning, and it didn't stem from irresponsibility-- it stemmed from a decision to provide functionality that I liked.
It bit us in the ass this time, and we are truly sorry for it. The irresponsibility (and there is some) was allowing our data to get nabbed.
Comment by esh at 15/12/2006 at 01:59 UTC
45 upvotes, 2 direct replies
It is just bad practice to store passwords in cleartext & especially email that password. Simply generate a new random password and email that to them. The user can always change the password to whatever they want after that!
Comment by neoform at 15/12/2006 at 15:19 UTC
15 upvotes, 0 direct replies
I've never heard of any responsible site using no encryption of any type to store passwords.
That *is* irresponsible.
You don't have to go with 1-way encryption like many sites do, but you must have some form of encryption if only to respect the security of your users when things like this happen.
I've made several sites that make use of user management systems and i've always used either md5 or sha1 with salt to store passwords and have never had a problem with the *resetting* not *retrieving* of passwords.
There's no real reason why a user should be sent their password via email, this just allows potential hackers to acquire a password that might be used on other sites if they gain access to that user's email account..
Comment by jgfoot at 15/12/2006 at 22:47 UTC
18 upvotes, 2 direct replies
"Not hashing was a design decision we made in the beginning, and it didn't stem from irresponsibility-- it stemmed from a decision to provide functionality that I liked."
Then it *did* stem from irresponsibility. You prioritized convenience over security.
Comment by tmoertel at 15/12/2006 at 03:08 UTC
31 upvotes, 0 direct replies
[Password hashing] is [easy to implement], and I'll go ahead and do it now...
Please don't just hash the passwords, *salt[1] and hash* the passwords. (It's easy.[2]) If you don't, script kiddies can trivially recover a large portion of unsalted-yet-hashed passwords from a compromised user database with readily available tools (e.g., RainbowCrack).
1: http://en.wikipedia.org/wiki/Password_cracking#Salting
2: http://fora.pragprog.com/rails-recipes/discuss-the-book/post/5
The irresponsibility (and there is some) was allowing our data to get nabbed.
No, the irresponsibility was in assuming that "we won't allow our data to get nabbed" is a reasonable security strategy. Given how frequently databases fall into the wrong hands these days, what made you think your strategy was a sensible way to protect your users' secrets?
Comment by [deleted] at 15/12/2006 at 03:40 UTC
16 upvotes, 1 direct replies
Maybe you should have told us that when we registered? I prefer to have my passwords reset when I can't remember them.
Comment by peyton at 16/12/2006 at 03:34 UTC
6 upvotes, 0 direct replies
First of all, thanks for letting us know right away.
I'm going to disagree with those who say that storing unencrypted passwords was a bad design decision. Access credentials are a mutual decision (I pick my username/password, you store them), so it is up to both of us to decide how important it is that someone can't pose as me or access my data on this particular website. If I'm particularly worried about these things, I'll pick a password that is hard to break, and ask you about how you store passwords. If I'm not particularly worried, I'll just use a different password than the sites I *am* worried about people breaking into.
Your part of the bargain is that you store passwords as securely as you deem necessary to keep people from breaking in, weighing against that the convenience of other features such as password-emailing. You've done that. I would argue, however, that it would be nice to let us know somehow how seriously you weighed our account security in your design. While it could be argued that revealing the fact that passwords are unencrypted provides a bigger target, that's really only a security-through-obscurity model (at least for the password data), and not very convincing.
Comment by uedauhes at 17/12/2006 at 21:41 UTC
5 upvotes, 0 direct replies
It is really easy to generate a link and email it. When the user clicks on the link, they are logged in and presented with an option to set their password. Very easy and convenient.