
Originally Posted by chakara
I don't understand. We should avoid all sites that send us passwords in emails?
Except my bank, all sites I use do that.
Thecubenet and tweaknews being among those btw.
A temp password they set is one thing, or directing you to a reset prompt--what Astraweb is doing is sending your specific password as plaintext. They absolutely shouldn't be able to do this if they're hashing and salting the passwords, which they aren't. Which means your credentials are potentially ripe for the picking.
LinkedIn had an issue like this about a year ago when like 6.5M user SHA1 unsalted pwd hashes were posted to a .ru hacker site. Astraweb isn't even hashing theirs. If their db gets hacked, you're fucked. Maybe someone with more knowledge on the matter can chime in.
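To make the point in the reply concrete, here is an added example (not code from the thread or from any of the sites named in it) contrasting the two storage schemes it mentions: a bare unsalted SHA-1 over the password, as in the LinkedIn leak, and a salted, iterated hash from which the plaintext cannot be read back or mailed out. The user names, passwords and the in-memory `db` dict are constructed for the demonstration; the migrate-on-login helper is my own illustration of how a site already holding unsalted hashes can move to salted ones without ever knowing the passwords.

```python
import hashlib
import hmac
import os


def unsalted_sha1(password: str) -> str:
    """The weak legacy scheme: a single SHA-1 over the bare password.
    Two users with the same password get the same hex string, so one
    precomputed table breaks every account sharing that password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = 600_000) -> dict:
    """Salted, iterated hash using stdlib PBKDF2-HMAC-SHA256.
    The stored record holds the salt and parameters, never the password,
    so a site using it has nothing it could e-mail back to the user."""
    salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {
        "alg": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def login_and_upgrade(db: dict, username: str, candidate: str) -> bool:
    """Check a login against whatever the database holds for the user.
    A legacy entry is a bare hex SHA-1 string; on a successful login it is
    replaced with a salted record, since that is the one moment the server
    legitimately sees the plaintext. Failed logins leave the entry untouched."""
    entry = db[username]
    if isinstance(entry, str):  # legacy unsalted SHA-1
        if not hmac.compare_digest(entry, unsalted_sha1(candidate)):
            return False
        db[username] = make_record(candidate)
        return True
    return verify(entry, candidate)


if __name__ == "__main__":
    # Constructed sample accounts: two users who chose the same password.
    legacy_db = {"alice": unsalted_sha1("correct horse"), "bob": unsalted_sha1("correct horse")}
    print("legacy hashes identical:", legacy_db["alice"] == legacy_db["bob"])  # True
    salted_a, salted_b = make_record("correct horse"), make_record("correct horse")
    print("salted hashes identical:", salted_a["hash"] == salted_b["hash"])  # False
    print("alice logs in, record upgraded:", login_and_upgrade(legacy_db, "alice", "correct horse"))
    print("alice's entry is now a salted record:", isinstance(legacy_db["alice"], dict))
```

The difference that matters for the thread is in what the server can do with the stored value: with `unsalted_sha1` the stored string is the same for every user who picked that password, and with `make_record` there is no stored value from which the password could be sent back in an e-mail at all, which is why a site that mails you your own password is telling you it keeps the plaintext.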