18

Signed up for a driving class...
This is what I get in the mail shortly after.

Fucking fantastic guys! Saving passwords plaintext. Is it because of the government?

Comments
  • 3
    Report them to plain text offenders!
  • 1
    Don't wanna interfere here, and I know it's bad practice... but how in the world do you _know_ it's saved in plain text?
  • 4
    @sideways Because they sent it to him

    If they saved passwords properly (hash + unique salt) then they wouldn't know your actual password
  • 1
    Then again, how do you know they saved it in plain text... maybe they got the baddest-ass bcrypter blowfish with hashes of 12512 bits and saved it in the db like that and sent the mail with a former variable :₱
  • 2
    What @sideways is asking is that they could always auto-generate a password, email it, hash it and finally store it in the db
  • 0
    @sideways @ObiSwagKenobi Hmm true true. That's a good point.
    I hope that they at least force you to change the password then
  • 2
    @ObiSwagKenobi the password wasn't auto generated. It was the password I entered at sign up.
  • 0
    @iSwimInTheC i had the same idea as @ObiSwagKenobi but in that case well... It's shit.
  • 0
    Ha! I know your pw starts with “my”. That makes it so much easier to hack your devRant account and post an embarrassing rant muhahahahaha
  • 1
    @zshh lol, sorry, the password is some long unintelligible word from KeePass. Good luck.
  • 0
    I'm quite sure they sent the credentials in plaintext because they want you to be able to read them 😇
  • 0
    Maybe, just maybe, they sent your password so you wouldn't forget it, before hashing & saving it in the db
  • 3
    That kind of feature is quite common and actually more user friendly for people with low IT knowledge and a habit of forgetting passwords. I don't think that is the case here though.
  • 0
    I don't consider sending the password by email or SMS really secure, but I had to implement a feature like that in the last project I worked on. It is a system mostly used by people with little to no technical knowledge, who need to register their clients. Most of the time, their clients have the same technical level as them. So I had to choose between every user having 123456 as their password or auto-generating the password and sending it by SMS before hashing it into the DB. I'm sure that's not the case here, but I'd really like to hear some thoughts on the matter ☺️
  • 1
    The only way to figure out if they store passwords in plaintext, or with easy encryption, is to use "forgot password" (if they even have one). If they send your entered password again, then it's safe to say they store *asswords in some kind of plaintext. (See what I did there?)
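To make concrete what the "hash + unique salt" comment and the "forgot password" test above are getting at, here is an added example (not code from the original rant or from the driving school's system). It assumes a hypothetical in-memory user store and uses PBKDF2-HMAC-SHA256 from the Python standard library: once a password is stored this way, the service has nothing it could mail back to you, and all a reset flow can do is hand out a one-time token.

```python
import hashlib
import hmac
import secrets

# Constructed example: a minimal user store that keeps only a per-user random
# salt and a PBKDF2-HMAC-SHA256 hash. Function names are hypothetical.
ITERATIONS = 200_000  # work factor; raise it for production use


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(store: dict, username: str, password: str) -> None:
    # Fresh random salt per user: two users with the same password end up
    # with different hashes, so records cannot even be compared to each other.
    salt = secrets.token_bytes(16)
    store[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    if record is None:
        return False
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def forgot_password(store: dict, username: str) -> str:
    # A service that hashes cannot send the old password back: it does not
    # have it. The only thing it can issue is a one-time reset token.
    if username not in store:
        return ""
    return secrets.token_urlsafe(32)


def record_contains_password(store: dict, username: str, password: str) -> bool:
    # The check the thread describes: does the stored record reveal the password?
    record = store[username]
    pw = password.encode("utf-8")
    return pw in record["salt"] or pw in record["hash"]


if __name__ == "__main__":
    users = {}
    register(users, "alice", "my-long-keepass-word")   # constructed sample password
    register(users, "bob", "my-long-keepass-word")
    print(verify(users, "alice", "my-long-keepass-word"))
    print(users["alice"]["hash"] != users["bob"]["hash"])
    print(record_contains_password(users, "alice", "my-long-keepass-word"))
```

Running it prints True, True, False: login still works, equal passwords produce different records, and the plaintext appears nowhere in storage.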