Sony needs to employ some cryptographers



Chippiewill
03-06-2011, 12:57 AM
One would expect that they'd at least have started hashing passwords rather than leaving them as plain text...


In a statement on Thursday, Lulz Security said it had hacked into a database that included unencrypted passwords as well as names, addresses and dates of birth of Sony customers.

"From a single injection, we accessed EVERYTHING," it said. "Why do you put such faith in a company that allows itself to become open to these simple attacks?"

"What's worse is that every bit of data we took wasn't encrypted. Sony stored over 1,000,000 passwords of its customers in plain text, which means it's just a matter of taking it."
http://www.bbc.co.uk/news/business-13636704

Sony have lost my faith entirely just now. I can understand that they may have slacked before, but if you're trying to improve your security and you're a massive walking target, then why would you be dumb enough to keep passwords in plain text? Any person who's worked with a database knows that one of the first things you do with a password is hash it.

Also BBC need to hire some journalists who know the difference between hashing and encrypting because encrypting the password isn't really solving the problem.
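The "first thing you do with a password is hash it" point, as an added illustration that is not code from the thread, from Sony or from the BBC: a salted, slow hash is stored instead of the password, verification recomputes it, and a dumped table yields only the hash records. The record format and the user table are my own constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed illustration of hashed password storage (not any real site's code).
ITERATIONS = 100_000   # PBKDF2 work factor: deliberately slow to frustrate guessing
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh per user, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), hash_hex)


def register(users: dict, email: str, password: str) -> None:
    """The row holds only the hash record; the password itself is never stored,
    which is also why a site using this cannot 'email you your password' later."""
    users[email] = hash_password(password)


if __name__ == "__main__":
    db = {}                              # constructed stand-in for the user table
    register(db, "alice@example.com", "correct horse")
    register(db, "bob@example.com", "correct horse")
    print(db)                            # a dump shows hashes, no plaintext
    print(db["alice@example.com"] != db["bob@example.com"])           # salts differ
    print(verify_password("correct horse", db["alice@example.com"]))  # True
    print(verify_password("wrong guess", db["alice@example.com"]))    # False
```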

Recursion
03-06-2011, 09:53 AM
One would expect that they'd at least have started hashing passwords rather than leaving them as plain text...


http://www.bbc.co.uk/news/business-13636704

Sony have lost my faith entirely just now. I can understand that they may have slacked before, but if you're trying to improve your security and you're a massive walking target, then why would you be dumb enough to keep passwords in plain text? Any person who's worked with a database knows that one of the first things you do with a password is hash it.

Also BBC need to hire some journalists who know the difference between hashing and encrypting because encrypting the password isn't really solving the problem.

Welcome to the world. http://plaintextoffenders.com/

HotelUser
03-06-2011, 01:58 PM
Poor Sony, is this the eleventh time?

N!ck
03-06-2011, 03:12 PM
Really bad that large organisations use plaintext.

It really annoys me when a website emails me the password I created.

Trinity
03-06-2011, 05:01 PM
Really bad that large organisations use plaintext.

It really annoys me when a website emails me the password I created.

Am I the only one that likes being emailed my password when I register on websites? Obviously I always hope that they're emailing it to me, then encrypting/hashing it and storing it in the database. I just like being able to search my emails when I forget a password, rather than having to go through the process of resetting it.

Recursion
03-06-2011, 05:53 PM
Am I the only one that likes being emailed my password when I register on websites? Obviously I always hope that they're emailing it to me, then encrypting/hashing it and storing it in the database. I just like being able to search my emails when I forget a password, rather than having to go through the process of resetting it.

If they're sending you your password in an email, then you can pretty much assume they're either using plaintext or easily reversible encryption :P

Trinity
03-06-2011, 06:02 PM
If they're sending you your password in an email, then you can pretty much assume they're either using plaintext or easily reversible encryption :P

Not necessarily. In some of the sites I've made, I set it up to do exactly what I said: user hits register, details get emailed, then encrypted, then stored. I don't do it on every site though; it can cause problems when the email gets sent out but an error stops the info being written to the database. I've just had an awesome idea for how to deal with that though, yay.
This thread has made me a bit nervous, I might email some of the sites that do send out plain text passwords and ask if they encrypt them afterwards.

Recursion
03-06-2011, 10:53 PM
Not necessarily. In some of the sites I've made, I set it up to do exactly what I said: user hits register, details get emailed, then encrypted, then stored. I don't do it on every site though; it can cause problems when the email gets sent out but an error stops the info being written to the database. I've just had an awesome idea for how to deal with that though, yay.
This thread has made me a bit nervous, I might email some of the sites that do send out plain text passwords and ask if they encrypt them afterwards.

I meant if you're requesting your password and they send it in plaintext.

Also, I like the way you do it, but what if someone has a typo in their address and it goes to the wrong person? Their password is then out in the open, which is especially true for people who use the same one for everything.

GommeInc
03-06-2011, 11:35 PM
I don't get the point of these people and their attacks:

"From a single injection, we accessed EVERYTHING," it said. "Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Isn't that the same as stabbing someone in the face hundreds of times saying "Why did they not put up a fight? Someone else could have done this too and they'll be evil!"

N!ck
04-06-2011, 01:21 AM
Am I the only one that likes being emailed my password when I register on websites? Obviously I always hope that they're emailing it to me, then encrypting/hashing it and storing it in the database. I just like being able to search my emails when I forget a password, rather than having to go through the process of resetting it.

If they're emailing it to you they have a blatant disregard for security. The only time a password for any worth-while service should traverse the internet in a non-hashed fashion is when you're either logging in or creating the password. Both of which should be done over SSL.

Although clearly most online banking passwords aren't hashed as they ask for specific letters :S.

Trinity
04-06-2011, 02:28 AM
I meant if you're requesting your password and they send it in plaintext.

Also, I like the way you do it, but what if someone has a typo in their address and it goes to the wrong person? Their password is then out in the open, which is especially true for people who use the same one for everything.

That's a brilliant point. Websites always ask me to confirm my password when I'm signing up, but they very rarely ask me to confirm my email address.
(I just checked over some of my old work, I wasn't sure) I usually get my users to confirm their email address, but I can list at least 10 well known sites right now that send out passwords in plain text without confirming the email address.


If they're emailing it to you they have a blatant disregard for security. The only time a password for any worth-while service should traverse the internet in a non-hashed fashion is when you're either logging in or creating the password. Both of which should be done over SSL.

Although clearly most online banking passwords aren't hashed as they ask for specific letters :S.

I'm talking about the password creation anyway, so boom, but I know what you mean. I still like being emailed my plain text password though.
I was thinking about the banking thing the other day when I saw my mum log in to online banking by using the third, fifth and seventh letter of her password, but that can still be secured just like a standard password by splitting it up into separate letters before it's encrypted, or possibly some super geeky way that I don't understand because I don't work for a bank.