I read a terrifying article today about the unethical storage of user passwords. It is a common practice that user passwords are stored unencrypted in a database. But this case is even more dreadful. It is about a piece of software, G-Archiver, that is available to everyone. If you have ever used this software, you should change your Gmail password right now.
So what is the problem?
- G-Archiver has a built-in user name and password for a Gmail account.
- Whenever someone uses G-Archiver and provides their Gmail credentials, the user name and password are sent to the author of this software.
- Additionally, anyone who finds out the user name and password stored in G-Archiver can get the passwords of thousands of previous users.
But big corporations do not care enough about security either. It is common practice that a user's password is stored internally as plain text. This can easily be checked by using the "I forgot my password" feature: if in return you get an email with your original password, then it is a crappy web site, and you should never reuse a password given to such a web site, as this is a big risk for you. Take a look at Password Security: It's Not That Hard (But You Still Can't Get It Right) for further explanation and examples.
Cheers, Paweł