k0pernikus

6y

I forgot my password to my mindfactory account, one of Germany's biggest online vendor for computer components. So I go through the resetting process, which is:

- apply for password reset
- get a mail
- confirm the mail
(So far, so good)

- get a mail with a new CLEAR TEXT PASSWORD

Is this the stone age!?

You never send an email containing the cleartext! You never even store the password as is!
You, as the provider, should never be able to know what the actual password was.

All you are supposed to do is to generate a random salt, and hash the user's password with the salt, and then you only store the salt and the hash. And whenever a user inputs their password, all you do is to check if the you can recreate the hash with the help of the salt and your hash algorithm. (There are libraries for that!)

If a user wants to reset their password? Send them to a mail with link on where they can assign a new password.

At no point should the password ever be stored or transmitted in any other medium.

rant

mindfactory

is it that hard

password

security

Ranter

Comments

1

feroza

977

6y

Just because they are sending you the password in plaintext, does not necessarily mean that they are storing it as plaintext.
2

djlazz3

1376

6y

@feroza although they might not be storing it in plaintext, that doesn't mean that the email client isn't storing it in plaintext...
0

h3kt1c0

1444

6y

Are you talking about xda developers?
0

anonymus19941

147

6y

@djlazz3
Well, the first thing to do is changing it again, so that's not really a problem. Only those who have access to your email account will see the password, and they can click the link as well.
0

david-hil

750

6y

@feroza how would that be possible?

Related Rants

devRant © 2021 Hexical Labs LLC
Privacy Policy | Terms of Service