Wednesday, September 23, 2009

crappy security policy

We're in 2009 and we still have web merchants able to resend you your exact password if you have forgotten it. I just tested this with a UK sells-it-all web site (no link to them, sorry. Bad boys!) which I just used to purchase "Amazing Grace" (nice movie BTW).

Hey guys, if you don't fix this, I won't place an order again with you.

Because if you treat my password like the other data I gave you (in particular my credit card details), I can't give you my money.

Can't you do the right thing? Some tips (at a minimum):

  • store the hash of the password, not the password itself
  • salt it
  • compare salted password hashes!
  • if the user has lost his password, generate a new one randomly instead of sending the old one
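The four tips above, worked through as an added example (my code, not anything from the merchant's site): a tiny in-memory customer table that stores only a per-user salt and a salted hash, a verification routine that compares hashes rather than passwords, and a "forgot my password" path that cannot send the old password back because it was never stored. It goes one step beyond the list by using an iterated hash (PBKDF2-HMAC-SHA256 from the standard library) rather than a single hash round, so a stolen table is also slow to brute-force; the table, the user names and the iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "customer table": username -> (salt, salted hash).
# In a real shop this is the database column that replaces the plaintext
# password field; the plaintext is never written anywhere.
USERS = {}

ITERATIONS = 200_000  # PBKDF2 work factor (constructed value; raise over time)
SALT_BYTES = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Tip 1 and 2: store only a fresh random salt and the salted hash."""
    salt = os.urandom(SALT_BYTES)
    USERS[username] = (salt, hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    """Tip 3: re-hash the offered password with the stored salt and compare
    the two hashes in constant time. The stored password itself does not exist."""
    record = USERS.get(username)
    if record is None:
        # Do the same work for unknown users so timing does not leak which
        # usernames exist.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(password, salt))


def reset_password(username: str, length: int = 12) -> str:
    """Tip 4: the old password cannot be recovered from its hash, so issue a
    new random one, store its hash (with a new salt) and return the plaintext
    once so it can be handed to the user."""
    if username not in USERS:
        raise KeyError(username)
    # Alphabet without easily confused characters (0/O, 1/l/I); constructed choice.
    alphabet = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    new_password = "".join(secrets.choice(alphabet) for _ in range(length))
    register(username, new_password)
    return new_password


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(verify("alice", "correct horse battery staple"))  # True
    print(verify("alice", "wrong password"))                # False
    temporary = reset_password("alice")
    print(verify("alice", temporary))                        # True
    print(verify("alice", "correct horse battery staple"))  # False: old one is gone
```

Because the salt is random per user, two customers who chose the same password end up with different hashes, so a thief who obtains the table cannot spot shared passwords or attack them all with one precomputed table.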

Why? Because someone (a cracker or a disgruntled employee) could fetch the customer / password list and, as most people don't use a new password per site, use it not only to make purchases but to access all their other accounts, up to probably the customer's mail box, and from there every account they own.

Note to self: always test the "send me my password" function on any new web site I use.

Update: at least some other sites know what they are doing
