Online Security at it's best

By +Warwagon
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

So I recently signed up for the dating website Plentyoffish.com, ya I know but for them most part all of it is free, so that's cool.

Well once a week (I probably should unsubscribe) they send me an email saying New matches for October 10. That's not so bad. What is included in the email is disturbing.

Below is a copy of the email.

First they say Hello ____________, telling my username which isn't so bad most sites do. But then it goes on to say

Thank you for signing up for Plentyoffish.com

Remember your password is ____________.

It then proceeds to give out your password for plentyoffish.com.

I know this email should be private being it's getting sent to the persons email, but what if someone logs into your email account. Long story short websites should not be including the ****ing password in an email PERIOD!.

post-4927-12867760498524.jpg

Link to comment
https://www.neowin.net/forum/topic/944688-online-security-at-its-best/
Share on other sites
Proficient

JoeyF

Posted
Posted

I know this email should be private being it's getting sent to the persons email, but what if someone logs into your email account.

Um........ I think they'd already know your password if that was the situation......

And don't forget, there's always the "forgot password" button, which would give them your pass anyway if they got into your email.....

Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

Um........ I think they'd already know your password if that was the situation......

And don't forget, there's always the "forgot password" button, which would give them your pass anyway if they got into your email.....

You are correct, but what if someone just access my email when I have it open on my computer.

  • 6 months later...
Grand Master

+LogicalApex MVC

Posted
  • MVC
Posted

The problem isn't someone hacking into your email and finding out the password by looking in the box...

When sent via regular, non-encrypted email, it can easily be sniffed out on the wire at ANY point between the original server and the destination box. It can also be stored in log files on any of those servers along the way...

Meaning the hacking could be done without the user EVER being directly touched and knowing!

Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

The problem isn't someone hacking into your email and finding out the password by looking in the box...

When sent via regular, non-encrypted email, it can easily be sniffed out on the wire at ANY point between the original server and the destination box. It can also be stored in log files on any of those servers along the way...

Meaning the hacking could be done without the user EVER being directly touched and knowing!

You would think after the Sony tabockle, companies would be more careful with people's data. Lesson learned? Apparently not.

Grand Master

Miuku.

Posted
Posted
When sent via regular, non-encrypted email, it can easily be sniffed out on the wire at ANY point between the original server and the destination box. It can also be stored in log files on any of those servers along the way...

True but then it would have to be someone from the ISP or backbone.

The only way someone could sniff it would be if you accessed your mail from say an IMAP server with no TLS/SSL in an untrusted LAN (University/College network or public unencrypted WLAN in which case you deserve to be haxed :p)

Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

True but then it would have to be someone from the ISP or backbone.

The only way someone could sniff it would be if you accessed your mail from say an IMAP server with no TLS/SSL in an untrusted LAN (University/College network or public unencrypted WLAN in which case you deserve to be haxed :p)

Still the principle of the thing. Plus they are apparently storing passwords and not hashes.

Grand Master

+LogicalApex MVC

Posted
  • MVC
Posted

True but then it would have to be someone from the ISP or backbone.

The only way someone could sniff it would be if you accessed your mail from say an IMAP server with no TLS/SSL in an untrusted LAN (University/College network or public unencrypted WLAN in which case you deserve to be haxed :p)

You have no idea of the network topology between the origin and the destination. A sniffer at ANY point on that path could wreak for you by sniffing out the data.

For instance, there could a sniffer sharing a LAN segment with the application's mailbox server (MTA) on the same hosting subnet that sniffs it out very close to the point of origin...

Or

When the mail is being received by your MTA the link between the perimeter MTA and the next hop from the origin MTA could be sniffed out...

Packet sniffing isn't as hard as you think it is...

The only way to be safe is to treat email as being 100% open and as such sensitive information should never be transmitted via it. The only time you can reasonably trust the security of the message is when it is either sent in an encrypted form or when it is sent via two users on the same domain AND you have 100% control over the MTA and can ensure that information on it is secure and safe... The latter is not possible with ANY email transmitted online, especially transactional mail such as has been posted here by Warwagon.

Grand Master

+LogicalApex MVC

Posted
  • MVC
Posted

Most likely they are, or rather they are encrypting it at both ends.

Not possible...

1. HASH is ONE WAY (i.e. not reversible)

2. Sending it in plain text voids ANY security you had on it if you did use something like SSL level reversible encryption.

Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

Not possible...

1. HASH is ONE WAY (i.e. not reversible)

2. Sending it in plain text voids ANY security you had on it if you did use something like SSL level reversible encryption.

Exactly. Plus they wouldn't store the password, just the hash, which is why sites that hash have no password character limit. The fact they can provide me with my original password makes it obvious no hashing is taking place. If they were hashing they wouldn't have my password.

At least that's what I've gathered from the security now podcast.

Grand Master

dragon2611

Posted
Posted

BkKv9.png - Accidently entered an old password into facebook and was more than a little suprised to see this error message.

Yes that's really great isn't it?

Also if you try to login with someones email address enough times facebook will eventually disclose who that user is, not everyone has their name in their email address so facebook are essentialy then linking a internet alias with a real person.

Grand Master

+Xinok Subscriber²

Posted
  • Subscriber²
Posted

Accidently entered an old password into facebook and was more than a little suprised to see this error message.

Yes that's really great isn't it?

Also if you try to login with someones email address enough times facebook will eventually disclose who that user is, not everyone has their name in their email address so facebook are essentialy then linking a internet alias with a real person.

I don't even give Facebook my real email address. I created a random email address just for them, for this exact reason.

Grand Master

HawkMan

Posted
Posted

Not possible...

1. HASH is ONE WAY (i.e. not reversible)

2. Sending it in plain text voids ANY security you had on it if you did use something like SSL level reversible encryption.

Hence why I said they didn't hash i, but just plain encrypted it, a lot of sites and services do this. they encrypt it during transmission, and encrypt it in their database, that way they can decrypt it and send it to the user on request, instead of all those ass backwards annoying, secret question and all the other idiotic password reset functions.

though this method is at least as secure as Hash, sending the password in the mail without the user requesting it is rather stupid of them.

Grand Master

+LogicalApex MVC

Posted
  • MVC
Posted

Hence why I said they didn't hash i, but just plain encrypted it, a lot of sites and services do this. they encrypt it during transmission, and encrypt it in their database, that way they can decrypt it and send it to the user on request, instead of all those ass backwards annoying, secret question and all the other idiotic password reset functions.

though this method is at least as secure as Hash, sending the password in the mail without the user requesting it is rather stupid of them.

I would disagree. Encrypting it in transmission only makes you secure against having the password sniffed out on the wire. It doesn't protect you against having you database server hacked into and the unencrypted data being stolen or your application server being hacked and the decryption keys being siphoned off to make wire sniffing possible again.

I would wager that protecting against the data itself being stolen is far more important (in a website login scenario) than protecting against wire snooping (between the application and its back-end data store, communication between the site and end user should always be HTTPS for login)

Grand Master

HawkMan

Posted
Posted

I would disagree. Encrypting it in transmission only makes you secure against having the password sniffed out on the wire. It doesn't protect you against having you database server hacked into and the unencrypted data being stolen or your application server being hacked and the decryption keys being siphoned off to make wire sniffing possible again.

I would wager that protecting against the data itself being stolen is far more important (in a website login scenario) than protecting against wire snooping (between the application and its back-end data store, communication between the site and end user should always be HTTPS for login)

Hence why I said it was kept encrypted in their database, this is what most sites who don't run simple public scripts today operate, an encrypted DB, with password stored, and passwords encrypted in transfer, unless you request it in mail, naturally. Being stored in a databse so the password can be read/recovered does not naturally means it's stored in plaintext.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Microsoft releases major feature updates for stock Windows 11 apps

      By PurSpyk · Posted

      Anyway to download these versions without being on the Experimental builds?
    • Microsoft about to radically change how often your Edge browser updates

      By testman · Posted

      Nothing is stopping you from continuing with your testing cadence. If updates are released every 2 weeks instead of 4, and you test once every 4 weeks, the exact same amount of patches will still be available for you in those 4 weeks. For example: Before 4th week - patch 1, 2, 3, 4 After 2nd week - patch 1 and 2 4th week - patch 3 and 4 Still the same amount after 4.
    • Microsoft about to radically change how often your Edge browser updates

      By testman · Posted

      Everyone else has said it. I'm gonna say it - you don't know what you're talking about. I do. I have two laptops. One work, one personal. I have access to two more laptops - both personal. At home I manually update my personal laptop when I see on Neowin that there is an update - I carry on and only apply the updates when I am ready. My work one only updates when my workplace decides to send it - I carry on and only apply the updates (when they actually arrive, which is usually days after the release) when I switch off the laptop at the end of the day as usual. The two other personal laptops only get updated when I get to it which is rarely - the people who own them carry on using them until I get to it and update them. All of the browsers on all laptops are configured to restore the tabs when launched. Google and Microsoft have changed from 6 weeks to 4, and it looks like it's going to move to 2. None of these changes affect how any of these browsers on the laptops are used. Not one jot. My advice to you is stop panicking whenever you see an update. Just carry on with what you're doing. This even benefits you in a way - from your comment you sound like you don't like the changes or the frivolous new features - great - then carry on as before!
    • Lethal fake phone chargers are still being sold on Amazon and eBay, UK watchdog warns

      By Brian Miller · Posted

      AMAZON needs to take total accountability for this.
    • Windows Server gets DNS over HTTPS (DoH) support

      By binaryzero · Posted

      Server Summit had a heap of announcements, ADCS changes are baller.

  • Recent Achievements

    • Week One Done
      Jeroen Wilms earned a badge
      Week One Done
    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      509
    2. 2
      +Edouard
      198
    3. 3
      PsYcHoKiLLa
      138
    4. 4
      ATLien_0
      90
    5. 5
      Steven P.
      81
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!