54
kheftel
8y

A website just emailed me my forgotten password in PLAINTEXT.

I'm out of breath from running for the hills so fast.

Comments
  • 3
    Ruuuuuuuuunnnnnnnnnnnnnnnn
  • 1
    Can't they have unhashed it and then emailed it? Or am I missing something?
  • 14
    @craig939393 hashing is a one-way function by design
  • 3
    @craig939393 The point is passwords should be encrypted one way so they can't be decrypted.
  • 3
    Ahhh. Thanks for the helpful answer.

    What confuses me then is, if you use random number generation to hash a password, surely you need to unhash it to log in and check that password against the database?

    sorry for hijacking this xD
  • 10
    @craig939393 No, no problem, happy to help!

    Here's how it works: when you type in a password on a website, the server hashes it with the same algorithm and compares it to the hashed password in their database. If the hashes match, you're allowed in. They never have to touch the plaintext password after signup. AND if (when) they get breached and the hackers get a database dump, they can't just grab all the passwords at once.
  • 4
    Hopefully they use a salt and an expensive (i.e. slow) hashing function like bcrypt, and even if the hackers have the database, they have to brute-force each password individually, which is a slow process requiring lots of hardware.
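The signup-then-compare flow described in the two comments above (hash at signup, re-hash and compare at login, with a per-user salt and a deliberately slow function), as an added example that is not code from the thread or from any of its participants. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt, since bcrypt is not in the stdlib; the iteration count, the `algo$iterations$salt$hash` record format, and the in-memory `USERS` table are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this illustration (not from the thread).
# A high iteration count is what makes each guess expensive for an attacker
# who has stolen the database; tune it to your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'algo$iterations$salt_b64$hash_b64'.

    A fresh random salt per user means two users with the same password
    get different records, and a precomputed table is useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password, record):
    """Re-hash the candidate with the stored salt and parameters and compare.

    Nothing is ever 'unhashed': the stored digest is only ever compared
    against a freshly computed one, in constant time.
    """
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# Constructed in-memory "database": username -> record. The plaintext
# password is never written anywhere, so there is nothing to email back.
USERS = {}


def signup(username, password):
    USERS[username] = hash_password(password)


def login(username, password):
    record = USERS.get(username)
    if record is None:
        # Hash anyway so response time does not reveal whether the user exists.
        hash_password(password)
        return False
    return verify_password(password, record)


def demo():
    """Exercise the flow and return the observable results."""
    USERS.clear()
    signup("alice", "correct horse battery staple")
    signup("bob", "correct horse battery staple")
    return {
        "correct_password_accepted": login("alice", "correct horse battery staple"),
        "wrong_password_rejected": login("alice", "Correct horse battery staple"),
        "unknown_user_rejected": login("carol", "anything"),
        "same_password_different_records": USERS["alice"] != USERS["bob"],
        "plaintext_not_stored": "correct horse" not in USERS["alice"],
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The record stores the parameters alongside the digest, so the iteration count can be raised later and old records still verify; a real deployment would re-hash with the new parameters on the next successful login.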
  • 1
    I understand now. By touching the password in the database you invite trouble. Thanks man.
  • 0
    @craig939393 anytime!
  • 10
  • 1
    @Bastian oh didn't know! Will do!!
  • 2
    @Bastian haha it was already on there
  • 2
    @kheftel
    Great tool, some guy in here told me about it, can't remember who, but it is nice! I think it has some plugin that checks the site you visit against the registry of offenders as well 😃
  • 1
    That is sooooo bad 😩
  • 2
    @Bastian I knew there was a site like that! *off to report some websites* Thx!
  • 1
    naaaaaame and shaaaaaame....
  • 1
    It was referralkey.com. Avoid.
  • 0
    What if the hash just looks like plain text? =)
    Besides, secure servers. No breach possible. Lol.