An open letter to websites that require your registration, then email you your details, including the password, in cleartext.
Dear cleartext-email password people,
You've got to be fucking kidding me.
Firstly, let's pretend you have some kind of technology that allows you to safely store passwords in cleartext. Let's further pretend that there's a way to safely transmit and store those password through email. Pretending that, why are you sending people the password they just set 30 seconds ago? Do you think they've forgotten already? Do you think they blindly mash the keyboard, in order to keep their password SO SECRET that not even THEY know it? Did you not bother to code a "I forgot my password" function?
Secondly, let's merely pretend you have the magic Safe Storage of Cleartext Passwords technology. Why are you sending cleartext passwords through email? Suppose a Bad Guy gets into the user's email account, whether it's the user's fault [poor password, unattended session, insecure environment] or not [server hack, vulnerable authentication method, session hijacking]. Thanks to the miracle of YOUR technology, all the Bad Guy needs to do is search for "Password:" and now he has your user's account details, along with the details for any other crappy sites just like yours. If the user doesn't choose a different password for every account (and who does? I don't even do that, and here I am writing obscene security rants), the Bad Guy now has a nice user/pass pair to try for more significant services than your crappy site [banks, paypal, etc.]. Thanks for doing your part to deploy Vulnerability In Depth!
Thirdly, let's abandon all pretense and face it: there's no reason for you to store cleartext passwords in your crappy database. I'll let you in on a secret: thanks to time travel, I've come up with a more secure way to do things! I've traveled back in time to the 1970s and brought back a magical pile of voodoo called password hashing. If you want to go nuts, you might even consider salt! [Haha, I do not refer to food in the previous sentence. An explanation of "salt" is here, and an explanation of "nuts" is that you're retarded.]
Fourthly, go to hell. If you actually wrote that code, fuck you. Put some forethought into it. If you merely use that code, fuck you. Don't make your users pay for someone else's stupid mistake.
Love,
Me
Tuesday, January 13, 2009
Dear cleartext-email password people,
Posted by hogg at 4:21 PM
Labels: get off my lawn
Subscribe to:
Post Comments (Atom)
0 comments:
Post a Comment