TGT Posted April 24, 2011 Share Posted April 24, 2011 Went to try and purchase the Battlefield Bad Company 2: Vietnam expansion that was on sale today from Direct 2 Drive. For whatever reason, they weren't able to process my order, so my friend decided to gift it to me instead. When I got the e-mail, imagine my surprise when I saw this: They E-Mailed me my account password in paintext! What does this mean? My username, password and any related information to that account are all stored in a database - unencrypted. :angry: Shocking, especially given the amount of news compromised databases this year. Link to comment Share on other sites More sharing options...
The_Observer Posted April 24, 2011 Share Posted April 24, 2011 hahahah thats the funnest one i have seen! Link to comment Share on other sites More sharing options...
Alladaskill17 Posted April 24, 2011 Share Posted April 24, 2011 That, my friend is ridiculous. I never really checked out D2D as I was never a huge PC gamer, but is there a reason you do not use Steam? I doubt Valve would allow this type of behavior. Link to comment Share on other sites More sharing options...
TGT Posted April 24, 2011 Author Share Posted April 24, 2011 That, my friend is ridiculous. I never really checked out D2D as I was never a huge PC gamer, but is there a reason you do not use Steam? I doubt Valve would allow this type of behavior. I use and adore Steam. The expansion was on sale though, and I'm cheap (I bought BFBC2 when it was on sale through the EA store). D2D being a store that deals with financial transactions, I had assumed that they'd be a little more responsible with my data though. Link to comment Share on other sites More sharing options...
+Majesticmerc MVC Posted April 24, 2011 MVC Share Posted April 24, 2011 I would still say that the data will be encrypted, but it will be 2-way encryption, instead of doing what everyone else does and use a hash. Still, that's pretty apalling to email you your password. I have had websites do that to me as a "forgot your password" reminder, and it still makes me uneasy. Link to comment Share on other sites More sharing options...
TGT Posted April 24, 2011 Author Share Posted April 24, 2011 I would still say that the data will be encrypted, but it will be 2-way encryption, instead of doing what everyone else does and use a hash. Still, that's pretty apalling to email you your password. I have had websites do that to me as a "forgot your password" reminder, and it still makes me uneasy. Well then, maybe I've over-reacted. However, given that the e-mail was automated, wouldn't that suggest that the pass-phrase / function used to encrypt the password would be found somewhere in the source code? If an attacker were to gain access to the database, then they could also gain access to the back-end code as well. Link to comment Share on other sites More sharing options...
+Majesticmerc MVC Posted April 24, 2011 MVC Share Posted April 24, 2011 Well then, maybe I've over-reacted. However, given that the e-mail was automated, wouldn't that suggest that the pass-phrase / function used to encrypt the password would be found somewhere in the source code? If an attacker were to gain access to the database, then they could also gain access to the back-end code as well. Actually I don't think you did. When the email was sent, it was still sent (most likely) over an insecure path, free for anyone to intercept along the way. Link to comment Share on other sites More sharing options...
Tharp Daddy Posted April 24, 2011 Share Posted April 24, 2011 You should email / call about this. It may not make a difference, but still bring it to their attention. Link to comment Share on other sites More sharing options...
Anibal P Posted April 24, 2011 Share Posted April 24, 2011 How do you know the email was sent in plain text? Link to comment Share on other sites More sharing options...
Pupik Posted April 24, 2011 Share Posted April 24, 2011 Man, that's some short password you got there. Link to comment Share on other sites More sharing options...
TGT Posted April 24, 2011 Author Share Posted April 24, 2011 You should email / call about this. It may not make a difference, but still bring it to their attention. Yup, opened a support ticket with them to let them know. Hopefully they'll be able to change this behavior. Man, that's some short password you got there. It's actually larger than that, I just botched up while doing the redaction. (Note the white space to the right of "You") ;) Link to comment Share on other sites More sharing options...
Yusuf M. Veteran Posted April 24, 2011 Veteran Share Posted April 24, 2011 It's odd that they'd send you your actual password like that. I wouldn't be too worried though. A lot of services send you a randomly generated password after requesting a new password. I don't think it's any different in terms of security. Link to comment Share on other sites More sharing options...
Samn9 Posted April 25, 2011 Share Posted April 25, 2011 It's odd that they'd send you your actual password like that. I wouldn't be too worried though. A lot of services send you a randomly generated password after requesting a new password. I don't think it's any different in terms of security. They generate the random password, send it to you in an email, then hash it before it is put in the database. It's not retrievable in plain text after this point. Link to comment Share on other sites More sharing options...
Chosen One Posted April 25, 2011 Share Posted April 25, 2011 I Think that is suppose to be a temp password, it auto created an account for you so u can login. Whom ever sent you a gift, sent it to a email address that did not have an account. Link to comment Share on other sites More sharing options...
TGT Posted April 26, 2011 Author Share Posted April 26, 2011 I Think that is suppose to be a temp password, it auto created an account for you so u can login. Whom ever sent you a gift, sent it to a email address that did not have an account. Sadly, this isn't the case - it was actually my password that I had personally set for that account. Link to comment Share on other sites More sharing options...
Chosen One Posted April 26, 2011 Share Posted April 26, 2011 Sadly, this isn't the case - it was actually my password that I had personally set for that account. Well then, that is some serious f'd up shiz Link to comment Share on other sites More sharing options...
+LogicalApex MVC Posted April 26, 2011 MVC Share Posted April 26, 2011 I would bet that more sites that not still haven't learned the benefits of hashing passwords sadly. I wonder too how many of those that have take the time to also salt the password hash. Link to comment Share on other sites More sharing options...
+Warwagon MVC Posted April 26, 2011 MVC Share Posted April 26, 2011 I hate companies like that, when they send you emails with your ****ing password clear as day in the email. They say **** like ... Login now with your password and the proceed to tell you in plain text what your ****ing password is. Idiots Plenty of fish does the same thing https://www.neowin.net/forum/topic/944688-online-security-at-its-best/ Link to comment Share on other sites More sharing options...
Argi Posted April 26, 2011 Share Posted April 26, 2011 We store some passwords in cleartext for our clients at work too. When I brought my concern up with the lead dev, he said that it's actually one of the requirements of the client's because the they'd like to be able to retrieve them if they forget. :pinch: Link to comment Share on other sites More sharing options...
LiquidSolstice Posted April 26, 2011 Share Posted April 26, 2011 :p I think you meant "plaintext", not "plantext" or "paintext" But yeah, I agree, that's a tad bit worrying. I feel like they shouldn't be emailing that unless its a password reset, and even then, most sites NEVER ever send you your password in plain text. Link to comment Share on other sites More sharing options...
Recommended Posts