plaintext passwords are Really Bad. i'm not crazy am i?

Submitted by twovests in just_post

I sign up for a conference that uses software that stores and transmits passwords in plaintext and will happily email it to you if you forget it.

In my mind, this screams incompetence and destroys my trust in the vendor and in the conference that uses their software.

It makes me think that whatever is going on in their backend is probably similarly insecure throughout, and that it'd probably be Super Easy To Hack if I didn't care about breaking Laws.

Am I wrong here? This is a big engineering conference too, shame on them for fucking up so badly, right??

Comments

Dogmantra wrote

doing passwords right is really hard from what I understand but I think if you're not even going to bother that says a lot about your business

cute_spider_ni_srsly wrote

Doing passwords right is very very hard, and that's why they have published libraries and frameworks which do passwords right for you.

emma wrote (edited )

i only trust vendors who've taken the enlightened, moderate approach of hashing half the password, and letting the other half remain in plain text.

but yeah, it's bad

jaidedctrl wrote (edited )

"the enlightened, moderate approach"

I can't tell if that's sarcasm or not, jajaja.
is it better to hash only half than to hash the whole password?

EDIT: okok it was obviously a good gag. :P

musou wrote

yeah that's really bad. there are solid password handling libraries for pretty much every popular language out there by now. many of them aren't perfect by any means, but anything is better than doing absolutely nothing. i wouldn't trust that vendor either.