Thread: Astraweb Storing Your Passwords As Plaintext

  1. #1
    Caught this on /r/usenet: http://tinyurl.com/d375yfj It's a laughable practice; subscribers would be wise to contact AW immediately and submit a ticket. At the very, very least, make sure your AW password is unique and segregated from all other logins.

  2. Newsgroups   -   #2
    I don't understand. We should avoid all sites that send us passwords in emails?
    Except my bank, all sites I use do that.

    Thecubenet and tweaknews being among those btw.

  3. Newsgroups   -   #3
    Quote Originally Posted by chakara View Post
    I don't understand. We should avoid all sites that send us passwords in emails?
    Except my bank, all sites I use do that.

    Thecubenet and tweaknews being among those btw.
    A temp password they set is one thing, or directing you to a reset prompt. What Astraweb is doing is sending your specific password as plaintext. They absolutely shouldn't be able to do this if they're hashing and salting the passwords, which they aren't. Which means your credentials are potentially ripe for the picking.

    LinkedIn had an issue like this about a year ago when like 6.5M user SHA1 unsalted pwd hashes were posted to an .ru hacker site. Astraweb isn't even hashing theirs. If their DB gets hacked, you're fucked. Maybe someone with more knowledge on the matter can chime in.
    Last edited by piercerseth; 05-09-2013 at 10:32 AM.

  4. Newsgroups   -   #4
    This is exactly the reason why I now use a password locker, together with randomly generated passwords for every site that needs one. So many people (like I used to) have the same password across dozens of sites, and then you're exposed to the weakest link.

    Astraweb should have a better system in place.

  5. Newsgroups   -   #5
    Well, AW aren't exactly hiding the fact that they're storing that info in plaintext:
    http://www.news.astraweb.com/forgotpass.html
    Our server will send you an email with your username and password.
    And to make things worse:
    http://helpdesk.astraweb.com/index.p...kbarticleid=22
    To avoid your account from being hacked, please ensure that you use a secure password, and do not reveal it to anyone.
    Hilarious.

  6. Newsgroups   -   #6
    Quote Originally Posted by piercerseth View Post (post #3 above, quoting chakara)
    Actually, they could be using their own custom encryption/encoding, and they could even be keying it with, say, your email address combined with your join date, or something else entirely, using that as a decryption key, as well as when encrypting it.

    Getting your password back through mail may indicate that they store it as plaintext, but you can't use that alone as evidence that they're storing plaintext passwords. Hell, I'm sure it'd be possible they encrypt everything that goes into their db and decrypt information on access, though it wouldn't be very fast.


    I've been coding in projects that use both types of solutions (storing hashes or encrypted recoverable passwords), and they both have their advantages and disadvantages. Depending on how elaborate you make it, it may be more difficult to crack recoverable passwords (without access to the source code), if you make it good enough to require the exact right password, as opposed to something more lossy that stores a hash that may, at least in theory, be generated from more than one combination of characters and salt.

    In short, I'm not saying they absolutely don't have security issues, but without poking around in their code I couldn't say for certain.
    Last edited by Snee; 05-11-2013 at 11:16 AM.
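    The two storage models argued over in posts #3 and #6, as an added worked example (editor's code, not Astraweb's and not any poster's): an unsalted SHA-1 table of the LinkedIn kind, a per-user salted slow hash, and a reversible scheme keyed on the row's own email address and join date, each followed by what an attacker who dumps the user table gets back. The user rows, the wordlist, the PBKDF2 iteration count and the toy XOR stream cipher standing in for "custom encryption" are all assumptions made for the example; only the reversibility matters, not the cipher.

```python
"""Added example (editor's, not Astraweb's or any poster's code): three ways a
service might keep what it checks your password against, and what an attacker
who dumps the user table learns under each.  Rows, passwords and the wordlist
are constructed for this example."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: a plausible work factor for PBKDF2-SHA256


# --- model 1: unsalted SHA-1 (the LinkedIn 2012 situation) -----------------------
def store_sha1_unsalted(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(digests: dict, wordlist) -> dict:
    """One precomputed table serves every user at once: that is what 'unsalted' costs."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[d] for user, d in digests.items() if d in table}


# --- model 2: per-user random salt + slow hash -----------------------------------
def store_salted_slow(password: str, salt: bytes = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted_slow(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(stored: dict, wordlist) -> dict:
    """No shared table is possible; each guess costs PBKDF2_ITERATIONS hashes per user.
    Weak passwords still fall, strong ones do not, and the work never amortises."""
    return {user: w for user, s in stored.items()
            for w in wordlist if verify_salted_slow(w, s)}


# --- model 3: reversible "encryption" keyed on the row's own email + join date ----
# Toy XOR stream cipher (assumption; a stand-in, not AES) keyed from data that
# sits in the same table.  The point is reversibility, not cipher strength.
def _keystream(email: str, joined: str, length: int) -> bytes:
    key = hashlib.sha256(f"{email}|{joined}".encode()).digest()
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def store_recoverable(password: str, email: str, joined: str) -> str:
    pw = password.encode()
    return bytes(a ^ b for a, b in zip(pw, _keystream(email, joined, len(pw)))).hex()


def recover(ciphertext_hex: str, email: str, joined: str) -> str:
    """What a 'forgot password' mailer does, and what anyone holding the row
    plus the scheme does: the exact password comes back."""
    ct = bytes.fromhex(ciphertext_hex)
    return bytes(a ^ b for a, b in zip(ct, _keystream(email, joined, len(ct)))).decode()


# --- constructed breach dump and what each model hands the attacker --------------
USERS = {  # constructed: user -> (email, join date, password)
    "alice": ("alice@example.net", "2009-03-14", "password1"),
    "bob":   ("bob@example.net",   "2011-07-02", "letmein"),
    "carol": ("carol@example.net", "2013-05-09", "x7!Qp#vL2mZ"),
}
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]  # constructed


def breach_outcome(users=USERS, wordlist=WORDLIST) -> dict:
    """Return, per model, which users' passwords an attacker with the dump recovers."""
    unsalted = {u: store_sha1_unsalted(pw) for u, (_, _, pw) in users.items()}
    salted = {u: store_salted_slow(pw) for u, (_, _, pw) in users.items()}
    recoverable = {u: (store_recoverable(pw, e, j), e, j) for u, (e, j, pw) in users.items()}
    return {
        "unsalted_sha1": crack_unsalted(unsalted, wordlist),
        "salted_pbkdf2": crack_salted(salted, wordlist),
        # email and join date are columns of the same table, so the "key" ships with the dump
        "recoverable": {u: recover(ct, e, j) for u, (ct, e, j) in recoverable.items()},
    }


if __name__ == "__main__":
    for model, found in breach_outcome().items():
        print(f"{model:15s} -> {found}")
```

    Running it shows the difference the thread is circling: the unsalted and the salted models both give up alice and bob, whose passwords are in the wordlist, but only the salted one makes every guess a fresh, slow computation per user and leaves carol's strong password standing; the recoverable model returns all three verbatim, because whatever keys the decryption has to be available to the password-mailer, and here it is sitting in the same rows the attacker copied.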

  7. Newsgroups   -   #7
    Quote Originally Posted by Snee View Post
    Interesting, that hadn't occurred to me. My understanding on the subject is admittedly cursory.
    Last edited by piercerseth; 05-11-2013 at 12:29 PM.

  8. Newsgroups   -   #8
    Quote Originally Posted by kanine View Post
    This is exactly the reason why I now use a password locker, together with randomly generated passwords for every site that needs one. So many people (like I used to) have the same password across dozens of sites, and then you're exposed to the weakest link.

    Astraweb should have a better system in place.
    Any recommendations on a good password locker like the one you use? Freeware preferable.

  9. Newsgroups   -   #9
    Quote Originally Posted by wintressdude View Post (post #8 above, quoting kanine)
    KeePass is good and free.

  10. Newsgroups   -   #10
    I use LastPass.
