
Or the website hashes the password, and then stores a plaintext (or weakly encrypted) copy in the database as well so they can make sure you don't use a "similar" password on the next change. And in fact keep like 30 passwords in the database so hackers can get a good sense of how you construct your passwords. All for better security of course.



If they can send it to you in email it means they are storing it as plain text. That means that if their database gets breached all the passwords are exposed. They should be storing a salted hash of the password.

Also, I don't agree that everyone uses the same password over and over. There are nice bookmarklets that can generate per-site passwords. I actually generate a new password for every site in my head.


Doesn't that imply that they are saving your previous passwords in plain text somewhere instead of saving hashes of them? How is this more secure?

I don't get it. Is there a reason for some sites to actually do that? (considering that they don't store your password as plaintext)

I guess if someone stole their database it would be impossible to know your real password, but still...

Or am I missing something here?


Most websites with any sense don't store actual passwords; they usually store salted PBKDF hashes that are compared in constant time.

That doesn't necessarily mean that it stores the password in plaintext. It can mail you the plaintext password based on your own input upon sign-up before storing a salted hash in the database.

Yep. I just noticed this as I logged in to update my email address. I saw that the password field was actually populated with something so I checked the markup. Sure enough, there was my [fortunately unique and randomly-generated] password in plain text. That means whoever coded their shopping Web site is most likely storing passwords in plain text in a database. I've sent them two messages about this.

That does not mean they store plaintext passwords. When you login to most any website you have to submit your whole password. It is usually hashed and the hash is compared to the stored hashed password.

Who said they're storing passwords in plain text? They could be paranoid enough to remove hashed passwords. If you know what makes the hash you can reproduce it. If it's a database with financial information, I can see crackers devoting time to do this, making their rainbow tables and botnets or whatever to guess the passwords.

Many of these are the sites sending users generated passwords which doesn't necessarily indicate that the passwords are stored in the database as plain text. It's reasonable that the passwords are generated, the email is sent with the password, then the password is hashed and stored in the database, and the plain text version deleted.

Unless they're storing hashes of every combination of characters in your password... seems pretty indicative of them storing the password in plain text.

The people that run the sites you use could easily know your passwords. Even if they do store them hashed they may see them in POST debugging logs or something.

It's more likely that they coerce to lowercase the first letter of the password you put in and then store/compare the hash of that resulting plaintext. They could even transparently upgrade passwords created before they started doing this by using the plaintext from the next time you login successfully to regenerate the hash.
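The transparent-upgrade trick this comment describes is also the standard way to migrate away from a weak legacy scheme such as the unsalted MD5 mentioned later in the thread, without ever storing plaintext. The following is an added example, not code from the thread or from Drupal or any other product named in it; the record format, the `md5$` legacy tag and the user table are assumptions for the example. The plaintext is only ever in hand during the login request itself, and that is the moment the record is rewritten.

```python
import hashlib
import hmac
import os
from typing import Dict

ITERATIONS = 100_000  # assumed for this example
DUMMY_SALT = b"\x00" * 16


def pbkdf2_record(password: str) -> str:
    """Current scheme: salted PBKDF2-HMAC-SHA256, self-describing record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def legacy_md5_record(password: str) -> str:
    """Constructed stand-in for rows written by an old unsalted-MD5 store.

    Only used here to seed sample data; new records must never use it.
    """
    return "md5$" + hashlib.md5(password.encode("utf-8")).hexdigest()


def check(password: str, record: str) -> bool:
    """Verify against whichever scheme the stored record declares."""
    scheme, rest = record.split("$", 1)
    if scheme == "md5":
        expected = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(expected, rest)
    if scheme == "pbkdf2_sha256":
        iters, salt_hex, hash_hex = rest.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(digest.hex(), hash_hex)
    return False


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate and, on success, upgrade a legacy record in place."""
    record = users.get(username)
    if record is None:
        # Spend roughly the same work for unknown users so response time
        # does not reveal whether the username exists.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), DUMMY_SALT, ITERATIONS)
        return False
    if not check(password, record):
        return False
    if not record.startswith("pbkdf2_sha256$"):
        # The plaintext is available right now, so re-hash under the new
        # scheme; the weak record is gone after the first successful login.
        users[username] = pbkdf2_record(password)
    return True


def legacy_count(users: Dict[str, str]) -> int:
    """How many rows still carry a non-PBKDF2 record (useful for a migration dashboard)."""
    return sum(1 for r in users.values() if not r.startswith("pbkdf2_sha256$"))
```

Users who never log in again keep their legacy record, so a migration also needs a deadline after which remaining legacy rows are invalidated and those users are forced through a password reset; the `legacy_count` helper is the metric you would watch to decide when.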

This site, while clever, is spreading potentially bad information. For instance, I've worked for plenty of companies that send out site-generated passwords. The password is stored encrypted and sent out once to the user. While not the most secure, an attacker still won't be able to get to all of the plaintext passwords if they cracked into the database.

They don't necessarily store your password in plain text; they could (and probably do) store each character of your password in a salted hash.

There is a difference between the plaintext password being stored in memory and in a database. One is just how things work (the client browser needs the password in plaintext as well), and another is a security breach waiting to happen.

They probably keep the password in an 8-char record that used to store something else.

That's what I'm guessing too. Magento and WordPress both store only the hashed passwords in the database; however, a screenshot from the article shows that the hosting company had stored plain-text passwords for an admin user, which were likely generated automatically, and stored in a separate (and publicly accessible) database.

I'd like to believe that. However, I was recently asked to test a new website for an organization I volunteer for, and discovered their "forgot password" flow emailed me my plaintext password. I wrote an explanation of why this was bad, and how it could be fixed, to a non-technical friend of mine who works there; he passed my email to the (Bay Area based!) consulting shop that did their website. The shop sent this response:

"We do not store passwords as plain text in the database. We have functionality which encrypts and decrypts passwords. We have only encrypted passwords in the database.

Almost all other servers use one-way encryption. In this case, passwords cannot be decrypted from hashing."

Again, this is a Bay Area based shop. For code written in 2016.

I was shocked to receive this, but it (among other things) leads me to suspect that there are a lot of people out there, in positions of power, who aren't just ignorant, but who actively cling to password-storage anti-patterns.

I'm at a loss for how to fix this.


We're using Drupal, and from what I understand the password is md5 encrypted before it is saved into the database. However it sends you a one time email of the password before encryption. This is so that you have a local copy of your password.
