Astraweb Storing Your Passwords As Plaintext



piercerseth
05-07-2013, 06:06 AM
Caught this on /r/usenet: http://tinyurl.com/d375yfj It's a laughable practice; subscribers would be wise to contact AW immediately and submit a ticket. At the very, very least, make sure your AW password is unique and segregated from all other logins.

chakara
05-09-2013, 09:06 AM
I don't understand. We should avoid all sites that send us passwords in emails?
Except my bank, all sites I use do that.

Thecubenet and tweaknews being among those btw.

piercerseth
05-09-2013, 10:17 AM
I don't understand. We should avoid all sites that send us passwords in emails?
Except my bank, all sites I use do that.

Thecubenet and tweaknews being among those btw.
A temp password they set is one thing, or directing you to a reset prompt--what Astraweb is doing is sending your specific password as plaintext. They absolutely shouldn't be able to do this if they're hashing and salting the passwords, which they aren't. Which means your credentials are potentially ripe for the picking.

LinkedIn had an issue like this about a year ago when like 6.5M user SHA1 unsalted pwd hashes were posted to an .ru hacker site. Astraweb isn't even hashing theirs. If their db gets hacked, you're fucked. Maybe someone with more knowledge on the matter can chime in.
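As an added illustration of the point above (this is example code, not anything from Astraweb or the thread): a store that keeps the password itself can always put it in a "forgot password" email, while a store that keeps only a salted, iterated hash can verify a login but has nothing to mail back, so its recovery flow has to hand out a single-use reset token instead. The user records, the work factor, and the reset URL are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Assumption: illustrative work factor; production deployments tune this to
# their hardware and use a memory-hard function where available.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a record holding only salt, iteration count and derived key.

    The password itself is not kept anywhere; a fresh random salt per user
    means two users with the same password get different records."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_password(record, candidate):
    """Recompute the derivation and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


class PlaintextStore:
    """The practice criticised in the thread: the table holds the password,
    so whatever reads the table (a mail-out script, or an intruder who dumps
    the database) has every credential in usable form."""

    def __init__(self):
        self._users = {}  # constructed in-memory table: user -> password

    def register(self, user, password):
        self._users[user] = password

    def login(self, user, password):
        return self._users.get(user) == password

    def forgot_password_email_body(self, user):
        # The only way this email can be written is if the password is stored.
        return "Your username is %s and your password is %s" % (user, self._users[user])


class HashedStore:
    """Salted, iterated hashing: the table holds a verifier, not a password.
    The 'forgot password' flow therefore issues a random single-use token;
    only a hash of the token is stored, so a database read yields neither
    passwords nor live reset tokens."""

    def __init__(self):
        self._users = {}         # user -> hash_password() record
        self._reset_tokens = {}  # sha256(token) -> user

    def register(self, user, password):
        self._users[user] = hash_password(password)

    def login(self, user, password):
        rec = self._users.get(user)
        return rec is not None and verify_password(rec, password)

    def forgot_password_email_body(self, user):
        token = secrets.token_urlsafe(32)
        self._reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = user
        # Assumption: example.invalid is a placeholder host, not a real service.
        return "Reset link: https://example.invalid/reset?token=" + token

    def reset_with_token(self, token, new_password):
        """Consume the token (pop) so it cannot be replayed, then set a new verifier."""
        user = self._reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if user is None:
            return False
        self._users[user] = hash_password(new_password)
        return True

    def dump_table(self):
        """What an attacker who reads the database would see: salts and hashes only."""
        return dict(self._users)


if __name__ == "__main__":
    p = PlaintextStore()
    p.register("alice", "correct horse")
    print(p.forgot_password_email_body("alice"))   # password appears verbatim

    h = HashedStore()
    h.register("alice", "correct horse")
    print(h.forgot_password_email_body("alice"))   # a token, no password
    print(h.dump_table()["alice"]["hash"].hex())   # what a breach exposes
```

Note that the salted hash store still lets the site confirm "you typed the right password" (the `login` path recomputes the derivation), which is all a login ever needs; recovering the original string is exactly the capability a correctly designed store gives up.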

kanine
05-11-2013, 01:11 AM
This is exactly the reason why I now use a password locker, together with randomly generated passwords for every site that needs one. So many people (like I used to) have the same password across dozens of sites; then you're exposed to the weakest link.

Astraweb should have a better system in place.

Hurda
05-11-2013, 09:09 AM
Well, AW aren't exactly hiding the fact that they're storing that info in plaintext:
http://www.news.astraweb.com/forgotpass.html

Our server will send you an email with your username and password.

And to make things worse:
http://helpdesk.astraweb.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=22

To avoid your account from being hacked, please ensure that you use a secure password, and do not reveal it to anyone.

Hilarious. :D

Snee
05-11-2013, 11:15 AM
I don't understand. We should avoid all sites that send us passwords in emails?
Except my bank, all sites I use do that.

Thecubenet and tweaknews being among those btw.
A temp password they set is one thing, or directing you to a reset prompt--what Astraweb is doing is sending your specific password as plaintext. They absolutely shouldn't be able to do this if they're hashing and salting the passwords, which they aren't. Which means your credentials are potentially ripe for the picking.

LinkedIn had an issue like this about a year ago when like 6.5M user SHA1 unsalted pwd hashes were posted to an .ru hacker site. Astraweb isn't even hashing theirs. If their db gets hacked, you're fucked. Maybe someone with more knowledge on the matter can chime in.

Actually, they could be using their own custom encryption/encoding, and they could even be keying it with, say, your email address combined with your join date, or something else entirely, using that as a decryption key, as well as when encrypting it.

Getting your password back through mail may indicate that they store it as plaintext, but you can't use that alone as evidence that they're storing plaintext passwords. Hell, I'm sure it'd be possible they encrypt everything that goes into their db and decrypt information on access, though it wouldn't be very fast.


I've been coding in projects that use both types of solutions (storing hashes or encrypted recoverable passwords), and they both have their advantages and disadvantages. Depending on how elaborate you make it, it may be more difficult to crack recoverable passwords (without access to the source code), if you make it good enough to require the exact right password, as opposed to something more lossy that stores a hash that may, at least in theory, be generated from more than one combination of characters and salt.

In short, I'm not saying they absolutely don't have security issues, but without poking around in their code I couldn't say for certain.

piercerseth
05-11-2013, 12:29 PM
Interesting, that hadn't occurred to me. My understanding on the subject is admittedly cursory.

wintressdude
05-11-2013, 01:08 PM
This is exactly the reason why I now use a password locker, together with randomly generated passwords for every site that needs one. So many people (like I used to) have the same password across dozens of sites; then you're exposed to the weakest link.

Astraweb should have a better system in place.

Any recommendations on a good password locker like the one you use? Freeware preferred.

DmzHwsfjiO
05-25-2013, 12:38 AM
This is exactly the reason why I now use a password locker, together with randomly generated passwords for every site that needs one. So many people (like I used to) have the same password across dozens of sites; then you're exposed to the weakest link.

Astraweb should have a better system in place.

Any recommendations on a good password locker like the one you use? Freeware preferred.

KeePass is good and free

delboy13
05-25-2013, 04:19 PM
I use LastPass

nzbanon
05-30-2013, 05:59 PM
I like KeePass2