T-Nation Tech Support
 
Password Reset Question (In Progress)
 

toddthebod
Level 3

Join date: Jan 2008
Posts: 93

I am disappointed to realize that our account passwords are stored as plain text in the database. Come on guys, that security problem has been solved a million times over many years ago. Encrypt the damn things, and when someone loses their password, email them a link to reset it instead of the actual password.

 

LowfatMatt
Moderator, Admin, Designer

Join date: Dec 2000
Posts: 4030

I assure you, all passwords ARE encrypted in our database.

As far as the password retrieval / reset process, that is changing soon.

 

toddthebod
Level 3

Join date: Jan 2008
Posts: 93

LowfatMatt wrote:
I assure you, all passwords ARE encrypted in our database.

As far as the password retrieval / reset process, that is changing soon.


Good to hear (the second part). As far as whether or not they are "encrypted", if the system can email me my password in plain text, a hacker (or disgruntled employee!) can get it as well.

Why does this matter?

1. Many people use the same password for multiple accounts, even though they shouldn't. A hacker steals username/email/password combos from your database and tries them on various bank websites.

2. The fact that you don't salt & hash passwords is a poor security practice. If there's one security hole (especially such an obvious one), should we trust you with our credit card info?

So thank you for the response to my original inquiry. Please do what you (as a company, not you Matt) can to accelerate a change in the password reset process, and please, please, please salt & hash passwords such that the plain text is unrecoverable.

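The two things toddthebod asks for above, salted one-way hashing so the plain text is unrecoverable and a reset link instead of an emailed password, as an added example that is not code from the site or from either poster. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt, a one-hour token lifetime, and an in-memory dict standing in for the database; the iteration count and lifetime are illustrative values.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Work factor and token lifetime are assumed values for this example.
ITERATIONS = 200_000
TOKEN_TTL_SECONDS = 3600


def hash_password(password: str) -> str:
    """Return 'iterations$salt_hex$hash_hex' using a fresh random per-user salt.

    Nothing stored here can be turned back into the password; a leaked table
    only yields hashes that must be brute-forced one salt at a time."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def create_reset_token(store: dict, user: str, now: Optional[float] = None) -> str:
    """Generate a random single-use token; only its hash and expiry are kept server-side.
    The returned token goes into the emailed link, so the email never carries a password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store[user] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(store: dict, user: str, token: str, now: Optional[float] = None) -> bool:
    """Accept a token once, and only before it expires; any attempt consumes it."""
    now = time.time() if now is None else now
    entry = store.pop(user, None)  # single use: removed whether or not it matches
    if entry is None:
        return False
    token_hash, expires = entry
    if now > expires:
        return False
    return hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), token_hash)
```

After a successful redeem the application should set the new password with `hash_password` and invalidate existing sessions for that user.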
 

LowfatMatt
Moderator, Admin, Designer

Join date: Dec 2000
Posts: 4030

I assure you that we also take the utmost care with payment info, and any info that is stored for payment methods is 100% encrypted. We do not decrypt or display CC numbers anywhere within our applications.

We'll have a change in the password reset policy released very soon.
