
I was thinking of creating a list like this of all the sites that (most likely) store passwords as plain text. I'd get the list by doing a password reminder and seeing if they email me my password.

Would be cool if that was added as a column here. I'd submit some sites.



I'd get the list by doing a password reminder and seeing if they email me my password.

That will tell you whether they send the password in clear, not whether they encrypt it. The only information you'll have is:

IF (they send you the password in clear) THEN (they don't use a one-way hash)

There is no other information to be derived from this method of checking.


But if they use a two way hash and the server is compromised one would presume the mechanism for un-hashing the passwords would also be compromised meaning it is almost as bad?

(? as my knowledge on security is somewhat limited)


The word here is "encrypt" or "cipher" not "hash":

> But if they use a two way cipher and the server is compromised one would presume the mechanism for un-encrypting [decrypting] the passwords would also be compromised meaning it is almost as bad?

It might be. It is conceivable that a site may use public key cryptography and store encrypted passwords, but have password recovery done on an independent system which has the decryption key.

(For our purposes, a "reset question" might also be considered a password because it is still something "you know" and to be differentiated from an email address which would be something "you have")


I'd give an admonishment to anyone who uses a password question from the standard set (mother's maiden name, etc.), even if it is hashed, because the data is so easily discoverable.

Nevertheless, the idea of a password question is so useful that I still support it on my sites. But our implementation is open-ended: you define your own question as well as its answer. I think this is better for anyone who is security conscious, but unfortunately it still allows the lazy or ignorant to be insecure.


I prefer defining my own question and answer.

However, a mechanism for sites that use the standard questions is to manufacture a set of fictitious names and use those everywhere. e.g. Father's name - "Keyser Soze". First car make and model, "Millennium Falcon", etc.

There is the overhead of remembering these but that is not too hard with some thought and repeated use.


My point was, you know nothing about how they store their passwords if they send you a reset link.
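To make the distinction drawn in the IF/THEN comment above and restated here concrete (a "reminder" that echoes your password back rules out a one-way hash; a reset link tells you nothing either way), here is an added Python example that is not part of the thread and not the code of any site it mentions. It keeps two toy user stores side by side: one that keeps passwords as given and can therefore mail them back, and one that keeps only salted PBKDF2-HMAC-SHA256 hashes and can at best mail a reset link. The PBKDF2 work factor and the placeholder host `example.invalid` are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 work factor. Assumption for this example: kept modest so the
# demo runs quickly; production deployments should use a much higher setting.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """One-way: returns 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    Nothing in the returned record lets the site reconstruct the password.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class PlaintextStore:
    """Keeps passwords as given, so a 'reminder' can simply echo them back."""

    def __init__(self) -> None:
        self.rows: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.rows[user] = password

    def login(self, user: str, password: str) -> bool:
        stored = self.rows.get(user)
        return stored is not None and hmac.compare_digest(
            stored.encode("utf-8"), password.encode("utf-8"))

    def reminder_email(self, user: str) -> str:
        return f"Your password is: {self.rows[user]}"


class HashedStore:
    """Keeps only one-way hashes; the best it can send is a reset link."""

    def __init__(self) -> None:
        self.rows: Dict[str, str] = {}
        # Reset tokens are stored hashed too, so a leaked table does not
        # hand an attacker live reset links.
        self.reset_tokens: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.rows[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self.rows.get(user)
        if record is None:
            hash_password(password)  # burn similar CPU so unknown users are not timing-visible
            return False
        return verify_password(password, record)

    def reminder_email(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.reset_tokens[hashlib.sha256(token.encode("utf-8")).hexdigest()] = user
        # example.invalid is a reserved name, used here only as a placeholder host.
        return f"Reset your password: https://example.invalid/reset?token={token}"

    def redeem_reset(self, token: str, new_password: str) -> bool:
        """Single-use: the token's hash is removed as soon as it is redeemed."""
        user = self.reset_tokens.pop(hashlib.sha256(token.encode("utf-8")).hexdigest(), None)
        if user is None:
            return False
        self.rows[user] = hash_password(new_password)
        return True
```

Note what the example does and does not let you infer, matching the thread: `PlaintextStore.reminder_email` contains the password, which is the signal the proposed list relies on, while `HashedStore.reminder_email` cannot, because the stored record has no inverse. A site that keeps passwords under a reversible cipher with the key on another system (the case raised earlier in the thread) could also produce the first kind of message, so a password arriving in clear only tells you the site is not using a one-way hash, and a reset link tells you nothing about storage at all.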


That's a very good idea. This is something that bothers me a lot. It would also be a good place to educate people about the need to use a different password on each site.



