Retired
Caught this on /r/usenet: http://tinyurl.com/d375yfj It's a laughable practice, subscribers would be wise to contact AW immediately, and submit a ticket. At the very very least, make sure your aw password is unique and segregated from all other logins.
I don't understand. We should avoid all sites that send us passwords in emails ?
Except my bank, all sites I use do that.
Thecubenet and tweaknews being among those btw.
Retired
A temp password they set is one thing, or directing you to a reset prompt--what Astraweb is doing is sending your specific password as plaintext. They absolutely shouldn't be able to do this if they're hashing and salting the passwords, which they aren't. Which means your credentials are potentially ripe for the picking.Originally Posted by chakara
Linkedin had an issue like this about a year ago when like 6.5M user SHA1 unsalted pwd hashes were posted to an .ru hacker site. Astraweb isn't even hashing theirs. If their db gets hacked, you're fucked. Maybe someone with more knowledge on the matter can chime in.
Last edited by piercerseth; 05-09-2013 at 10:32 AM.
This is exactly the reason why I now use a password locker, together randomly generated passwords for every site that needs one. So many people (like I used to) have the same password across dozens of sites, then your exposed to the weakest link.
Astraweb should have a better system in place.
Well, AW aren't exactly hiding the fact that they're storing that info in plaintext:
http://www.news.astraweb.com/forgotpass.html
And to make things worse:Our server will send you an email with your username and password.
http://helpdesk.astraweb.com/index.p...kbarticleid=22
Hilarious.To avoid your account from being hacked, please ensure that you use a secure password, and do not reveal it to anyone.
Error xɐʇuʎs
BT Rep: +1
Actually, they could be using their own custom encryption/encoding, and they could even be keying it with, say, your email address combined with your join date, or something else entirely, using that as a decryption key, as well as when encrypting it.A temp password they set is one thing, or directing you to a reset prompt--what Astraweb is doing is sending your specific password as plaintext. They absolutely shouldn't be able to do this if they're hashing and salting the passwords, which they aren't. Which means your credentials are potentially ripe for the picking.
Linkedin had an issue like this about a year ago when like 6.5M user SHA1 unsalted pwd hashes were posted to an .ru hacker site. Astraweb isn't even hashing theirs. If their db gets hacked, you're fucked. Maybe someone with more knowledge on the matter can chime in.
Getting your password back through mail may indicate that they store it as plaintext, but you can't use that alone as evidence that they're storing plaintext passwords. Hell, I'm sure it'd be possible they encrypt everything that goes into their db and decrypt information on access, though it wouldn't be very fast.
I've been coding in projects that use both types of solutions (storing hashes or encrypted recoverable passwords), and they both have their advantages and disadvantages. Depending on how elaborate you make it, it may be more difficult to crack recoverable passwords (without access to the source code), if you make it good enough to require the exact right password, as opposed to something more lossy that stores a hash that may, at least in theory be generated from more than one combination of characters and salt.
In short, I'm not saying they absolutely don't have security issues, but without poking around in their code I couldn't say for certain.
Last edited by Snee; 05-11-2013 at 11:16 AM.
Retired
Interesting, that hadn't occurred to me. My understanding on the subject is admittedly cursory.
Last edited by piercerseth; 05-11-2013 at 12:29 PM.
Any recommendations on a good password locker like the one you use? Freeware preferable.
keypass is good and freeAny recommendations on a good password locker like the one you use? Freeware preferable.
i use lastpass
Posting Permissions
Reply With Quote
Bookmarks