Comments
-
Update on the same site-
So I changed my password (dad was using a weak password), it was a randomly generated 30 char string. I enter it and the reset is successful. I try to log back in, doesn’t work. It’s a password manager, absolutely no chance of an error. So I click reset password.
In a minute or so, I get an email with my username and password as plaintext in the body. And the password is the first 15 characters of my 30 char password. Apparently the site takes only the first 15 chars and mind you this was not mentioned anywhere. This is just wrong on so many levels. -
@bizAnalyst That last bit about taking only so many characters, not too surprising.
And old national big bank of mine did that for a LONG time. -
neeno31464y @bizAnalyst "I get an email with my username and password as plaintext" What the fuck. They have absolutely no idea what they're doing, pure incompetence.
-
@N00bPancakes a lazy way to prevent SQL injection and negate risk at the expense of the user
-
Also maybe to make sure passwords can be emailed while avoiding potential unicode issues in email clients
-
I mean that’s a weird requirement but doesn’t affect security too much. Password security grows geometrically with the size of the character set but exponentially with respect to length, so you could have a pretty strong password even with just lowercase letters provided it’s long enough
-
Fractal failure:
When you can zoom in to any level and all you see is pure incompetence and sprawling bugs.
So bad that it becomes art...
Did you find the one leftover Flash widget yet? -
hjk10156964y It's all the same reason. If they store plain text they have to have a character limit as the database field will have one. To prevent readability issues they only allow certain characters.
Security is not the goal of this authentication system. At least they should have truncated the input string to match the db field length. So incompetent at so many levels. GDPR purge your data from them is my advice. -
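The silent truncation described in the rant, beside a hashed store that never needs a length limit, as an added Python example; it is not code from this thread or from the site being discussed, and the class names, the 15-char field limit, the iteration count and the sample password are constructed assumptions. The `entropy_bits` helper is there for the earlier point about length versus character set: 15 chars of a full printable set carry fewer bits than 30 lowercase letters.

```python
import hashlib, hmac, math, os

DB_FIELD_LEN = 15  # constructed: the 15-char column limit the rant describes


# --- Behaviour as described in the rant: plaintext column, silent truncation ---
class PlaintextStore:
    def __init__(self):
        self.rows = {}

    def set_password(self, user, password):
        # The column silently keeps only the first 15 chars; the user is never told.
        self.rows[user] = password[:DB_FIELD_LEN]

    def login(self, user, password):
        # The full 30-char string is compared against the truncated row -> fails.
        return self.rows.get(user) == password

    def reset_email_body(self, user):
        # What the "reset" mail carries: the stored (truncated) plaintext.
        return f"username: {user}\npassword: {self.rows[user]}"


# --- Defender's version: explicit length policy, salted slow hash, constant-time compare ---
class HashedStore:
    MAX_LEN = 1024      # generous cap to bound hashing cost; reject, never truncate
    ITERATIONS = 600_000  # assumption: a current PBKDF2-HMAC-SHA256 work factor

    def __init__(self):
        self.rows = {}

    def set_password(self, user, password):
        if len(password) > self.MAX_LEN:
            raise ValueError("password too long")  # loud failure, not silent truncation
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self.rows[user] = (salt, digest)  # fixed 48 bytes whatever the password length

    def login(self, user, password):
        if user not in self.rows:
            return False
        salt, digest = self.rows[user]
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        return hmac.compare_digest(cand, digest)


def entropy_bits(length, charset_size):
    """Entropy of a uniformly random password: log2(N^L) = L * log2(N)."""
    return length * math.log2(charset_size)
```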
This reminds me of a case I encountered, when a guy, who has a similar name to me and regularly gives my gmail address to providers because he's an idiot, contracted an insurance company and I received a PDF with sensitive data inside (like all personal details that exist, also health info, etc). The pdf was password protected. And the email said that the password is his birth date in YYYY-MM-DD form... That's not a lot of possibilities. I emailed the ciso of the insurance company and he reassured me that they are in the process of transitioning to another system, where the password will be the healthcare id number. Which is 9 digits. And the last 2 digits are calculated from the first 7. Well, it IS an improvement, but I seriously don't understand why they bothered implementing it...
-
@demoralizeddev trimming a password in the age of password managers? Sending password in an email (and possibly storing it in plain text)? These guys need a breach.
-
@KatatonDzsentri don’t most modern password managers support different character set requirements? And how do we know it’s being sent via email? I agree that would be bad and maybe I missed something but I didn’t think this was anything but a strange character set requirement
-
@demoralizeddev why trim? That is the worst, laziest, etc solution to anything. You save the untrimmed one to your password manager, and cannot login afterwards.
What kind of a fucking idiot are you?
rant