24

Biggest GTFO moment of the year;

While applying for colleges, I created an account with a username and variant of my usual password (I know, bad move, sorry). I came back to finish the application but had forgotten what variant I had used. So I clicked the forgot password button and got an email with...

MY PASSWORD IN IT!!!!

Plain text password! Just as part of the email! WTF do these people think they are doing?!?!

I immediately changed my password to a random string and deleted my account, so hopefully when someone gets into this database my stuff with be overwritten... stupid programmers...

Comments
  • 6
    My old job my boss refused to hash the user password even after I pleaded with him about the security risks....
  • 5
    Starting from 2018 in EU and for companies handling data of EU folk this level of stupid will be penalized with a hefty fine of 20 million euros or 4% of annual turnover, whichever is higher, in case of a breach.
  • 1
    I just looked at maxons (the creator of cinema4d) student website (reg.maxon-campus.net/login/) they dont hash the passwords either !
  • 1
    Looked through the DB at the last place I was at and some customers thought the first and last name fields were the password fields, so their passwords are stored in plain text next to the hashed pw...

    Hackers Delight since theyll know the password and hashed version...
  • 0
    Love getting emails containing my password over an insecure dinosaur of a system.

    Makes me have confidence in the world.
  • 1
    I had a (recent!) client that was all single vendor for their dev tools (e.g. Git) with single sign on. I got my account sent to my email.. went to log in and felt stupid for not finding the "change password" from the simple one that was obviously a temp password. Ohh, but it wasn't temporary.

    They used the same password across almost 100+ developers. You weren't allowed to change it 'in case they needed to access your account' (my jaw hit the floor when the project manager said this).

    I asked a friend I had there in IT Sec and he looked up, laughed, and said "told you it was bad". I tried to get them to change it since we had remote access, but convenience won over security : /
  • 1
    I can top this.. recently was redoing a web app for user account access.. the sql database had everything from SSN to place of birth.. the original web app was also vulnerable to super simple sql injections.. I ended up deleting the complete database and started fresh.

    Boss:why did you do that? No one knows how to see this stuff.. #facepalm
  • 0
    @invoke-coffee +1 for getting them to change!
Add Comment