Author: kyanha
Subject: Is my password *really* encrypted?
Posted: 11 May 2014 at 2:47am
"Please do not forget your password as it has been encrypted in our database and we cannot retrieve it for you. However, should you forget your password you can request a new one sent to your email address."
But you just sent it in the clear via SMTP a few lines above. Why would I need to request a new one to be sent?
I'm sure you think this is an appropriate response, but this violates so many web security guidelines it's not even funny. The most notable are:
0) Never assume your user is smart enough to use different passwords for different sites.
1) Never send the password via an alternate route.
2) Never trust the user's email to be secure.
and
3) Send a password reset link, not a new password.
Yes, I know that this isn't supposed to be a "high security" system, but this reflects poorly on Microsoft (which owns Sysinternals). It's too bad it dropped Passport; you could have used it to integrate Microsoft account authentication.
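The reset-link flow the post recommends in point 3, as an added Python example that is not part of the original post or of the forum software it criticises. The in-memory store, the user names and the 15-minute lifetime are constructed assumptions; the point is that the site stores only a hash of a random, short-lived, single-use token and never has to know or transmit the password itself.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 15 * 60  # assumed lifetime of a reset link, in seconds


class ResetTokenStore:
    """Issues and redeems password-reset tokens (constructed in-memory store;
    a real deployment would back this with the user database)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # user -> (sha256 hex of token, expires_at)

    def issue(self, user):
        # 256-bit random token. Only its hash is stored, so a copy of the
        # database does not yield usable reset links.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[user] = (digest, self._now() + RESET_TTL)
        return token  # this goes into the emailed link, not the password

    def reset_link(self, base_url, user):
        # The email carries a link to the reset form, never a new password.
        return f"{base_url}/reset?user={user}&token={self.issue(user)}"

    def redeem(self, user, token):
        """True exactly once for the live token; False if unknown, expired,
        wrong or already used."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[user]
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):  # constant-time compare
            return False
        del self._pending[user]  # single use: the link is dead after success
        return True
```

After a successful `redeem` the application lets the user choose a new password and stores it with a slow password hash; nothing reversible is ever kept or mailed.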