Coding Horror
programming and human factors
by Jeff Atwood

Jun 25, 2008

Smart Enough Not To Build This Website

I may not be smart enough to join Mensa, but I am smart enough not to build websites like the American Mensa website.

[Screenshot: Mensa forgot password form]

Do you see the mistake? If so, can you explain why this is a mistake, and why you'd desperately want to avoid visiting websites that make this mistake?

(hat tip to Bob Kaufman for pointing this out)

Comments

Forget MENSA, *MySpace* does the same thing!

Xianhang Zhang on June 26, 2008 2:01 AM

To Mark Tiefenbruck:

...
3. Generate a link containing the hash and some other information needed to log in. DO NOT generate a new password; otherwise, knowledge of a user's account name and e-mail address can be used by others to harass the user (or even deny him service if he's lost control of or access to his registered e-mail account).

I would only send a link containing a randomly generated GUID. Only when this link is clicked could a new password be created on the landing page.
The link is only allowed to work once.
And such a mail could only be generated once in 24 hours.

ps: I feel Jeff doesn't have a clue what's wrong there, but he wants us to give him ideas for his latest project for cheap :-)

titrat on June 26, 2008 2:04 AM
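The reset flow sketched in the comment above (a random single-use token mailed as a link, a new password set only on the landing page, at most one mail per address per 24 hours), written out as an added Python example. This is not the Mensa site's code or titrat's; the in-memory dicts stand in for database tables, the one-hour token lifetime and the example.invalid link are assumptions, and the clock is injectable so expiry can be exercised.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 60 * 60              # assumed policy: a link works for one hour
REQUEST_INTERVAL = 24 * 60 * 60  # from the comment: one reset mail per address per 24 h


class PasswordResetService:
    """Issues and consumes single-use reset tokens. The dicts below stand in for
    database tables; `clock` is injectable so expiry can be tested."""

    def __init__(self, registered_emails, clock=time.time):
        self.registered = set(registered_emails)
        self.clock = clock
        self.tokens = {}        # sha256(token) -> (email, issued_at)
        self.last_request = {}  # email -> time the last reset mail went out
        self.outbox = []        # (email, link) pairs the mailer would send

    @staticmethod
    def _key(token):
        # Only a hash of the token is kept: someone who reads the table cannot
        # build a working link from it.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, email):
        """Creates a link for a registered address, at most once per 24 h.
        Returns True if a mail was queued. Callers must not echo this value to
        the browser, or the form reveals which addresses are registered."""
        now = self.clock()
        if email not in self.registered:
            return False
        last = self.last_request.get(email)
        if last is not None and now - last < REQUEST_INTERVAL:
            return False
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.tokens[self._key(token)] = (email, now)
        self.last_request[email] = now
        self.outbox.append((email, "https://example.invalid/reset?token=" + token))
        return True

    def redeem(self, token):
        """Called by the landing page. Returns the account whose password may now
        be set, or None. The token is removed on first use, so it works once."""
        record = self.tokens.pop(self._key(token), None)
        if record is None:
            return None
        email, issued_at = record
        if self.clock() - issued_at > TOKEN_TTL:
            return None  # expired; the entry is already gone
        return email


def token_from_link(link):
    """Extract the token query value from a mailed link (used by the demo)."""
    return link.split("token=", 1)[1]


if __name__ == "__main__":
    svc = PasswordResetService(["alice@example.invalid"])
    svc.request_reset("alice@example.invalid")
    email, link = svc.outbox[0]
    print("would mail", email, link)
    print("first redeem:", svc.redeem(token_from_link(link)))
    print("second redeem:", svc.redeem(token_from_link(link)))
```

The landing page is what actually changes the password, so the mail never carries a credential; a token that has been redeemed or has aged past its lifetime is simply gone from the table, which is what makes "works once" and "expires" cheap to enforce.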

Haven't posted here in a while, but...

Isn't it possible that they email some random 'new' password?

Well, I guess you tested for that. Either way, that isn't so obvious based on the screen shot. It could be that they just have the wrong verbiage on the button.

CptBongue on June 26, 2008 2:06 AM

I am going to create a site that requires a username and password - and I will not only store that info in clear text, I will make all passwords accessible to everyone. I am going to use ColdFusion. I will use a hash on user profile create/update for the view.

You've all made me very angry pretending that these things matter so much. When in reality - anyone using the same password for such things as their financial matters, personal email, as they do on facebook - in my opinion, deserves to be shamed.

Take the advice of our host and use passphrases instead - and if you have an account on Mensa - I would suggest using the following phrase: User Not Found.

Kwan on June 26, 2008 2:16 AM

I don't see any mistake. I think the mistake is this post.

Nikos on June 26, 2008 2:25 AM

Even the smart people of MENSA will take advantage of CardSpace... it's not only for mere mortals.

Nikes on June 26, 2008 2:37 AM

You can get to the page in Jeff's screenshot by going to:
http://www.us.mensa.org//AM/Template.cfm?Section=Home
click Events
click Calendar
click the click here to log in (since it asks for log-in)
click forgot password on the login page.

see that the Event tab is highlighted? And in the sidebar Event and Calendar are bolded, just like in his screenshot.

As to what is wrong with this page. All assumptions about unencrypted passwords are not supported by concrete evidence. Unless you can show an email from them with a plain text password, you don't really know. You can't prove it. So let's not go down that path.

I am very curious to know what is wrong with this page. Sometimes, it's better to admit we don't know if we can't support our answer with absolute concrete evidence.

ns on June 26, 2008 2:38 AM

@df5, the grammar policeman. I think your time is better spent tracking down Bob Kaufman. He must be somewhere with Carmen Diego.

BugFree on June 26, 2008 2:50 AM

SO what is the answer?

TOM CRUISE on June 26, 2008 2:55 AM

American MENSA
Oxymoron ?

james on June 26, 2008 3:01 AM

@Jeff Atwood,

I am not quite sure why you picked this particular topic today. If it is really because of how Mensa goes about treating its members' passwords.... well, it is not that interesting. However, if you posted this blog to get a bunch of your readers to poke fun at Mensa, then, my friend, you have done well.

A society of people who can do well at certain kind of standardized tests .... yes, they are asking to be ridiculed. On top of it all, there is actually a membership fee. What? Being a brilliant test taker is not enough? I say Roland Berrill and Dr. Lancelot Ware were a couple of hustlers.

@Luke

Making fools of ourselves by making fun of an organization rather a society of brilliant test takers? No.

Igore on June 26, 2008 3:02 AM

Apparently there are a lot of people here who are bitter about not being able to get into Mensa :P

Mattkins on June 26, 2008 3:10 AM

@james

Hey now, there are plenty of brilliant test takers in America.

Igore on June 26, 2008 3:11 AM

What if you're an American Mensa member and you have changed your mail provider since you registered with them 6 years ago? No way to get your password!

Hey, I was billx@bigcorp.com and I'm now billx@hotmail.com, don't you remember me ?? I scored 212 back then... Hey ? Help !

They should provide a Forgot your email ? button, I think.

Sylvain Rodrigue on June 26, 2008 3:12 AM

@Mattkins

Yes, lots of bitter people!

This blog entry can't be serious. Being a member of Mensa doesn't mean you excel in everything. OMG, there are some Mensa members out there who can't code a website! Who knows if the person who made the website is a Mensa member? I'll shut up know and get a life.

justbrowsing on June 26, 2008 3:17 AM

know-now.
As you can see, I'm not a member of Mensa either. But I'm not bitter!

justbrowsing on June 26, 2008 3:18 AM

Jeff,

a) Nowadays it is common usage to strongly encrypt passwords and optionally email addresses in the database.

b) For password recovery processes it is common usage (also nowadays) to check a security question, then send a temporary link for password resetting.

c) This kind of architecture seems not to use sessions in user validation. Instead it seems to use some kind of Template/Section combination:
http://www.us.mensa.org/AM/Template.cfm?Section=Events&Template=Calendar.cfm

d) Just checked gmail.com and they say they will send me instructions to my secondary email (which I never provided to them). Now it seems I have to wait 24h! to have a security question available to me!!
http://mail.google.com/support/bin/answer.py?answer=46346

Teixi

Jaume Teixi on June 26, 2008 3:34 AM

Everyone seems to be missing what was blindingly obvious to me...

Know someones email address? Find out if they are in mensa....

Not particularly...... private.

So many websites are culprits of this.
Adam

Err... the email only goes to the address, and we don't know enough to assume that the send password button gives any indication of success or not.

As for the encryption thing, I don't get it. To send the password you just decrypt it, being able to send it doesn't prove it isn't encrypted.


I don't see the problem here...

Telos on June 26, 2008 3:38 AM

The design of the site is not co-MENSA-rate with the nature of the organization.

jmags on June 26, 2008 4:11 AM

@Xianhang Zhang you beat me to it. I couldn't believe it when MySpace sent me my password when I went to recover it. I can't believe anybody is stupid enough to do that.

Eric Haskins on June 26, 2008 4:27 AM

Obviously we're all a bunch of stooopid high-IQ'd geeks, and no one has got a clue of what Jeff is trying to point out.

So, Jeff, could you please enlighten your follower's brains and tell us?

Thanks.
Rod.

Rod Perry on June 26, 2008 5:13 AM

I guess the one you were thinking of is that they would have to keep the raw password somewhere, instead of only keeping a hash.

The other problem is that anyone could cause someone's password (or the means to reset the password) to be sent out in an unencrypted email, but an awful lot of websites do exactly that.

Roll on open-id.

Bill P. Godfrey on June 26, 2008 5:26 AM

I don't know if this is related. But check out this article:
TypeKey stores your passwords in plaintext
http://www.diovo.com/?p=55

Niyaz PK on June 26, 2008 5:27 AM

The mistake I see is that the password seems not to be hashed.
The password should be hashed using SHA or MD5 and salted.
Else once a hacker manages to dump the database he has everyone's passwords.

It should be enter your email and you will be sent a new temporary password

Vince on June 26, 2008 5:27 AM

I used to belong to MENSA. As far as I could see, they're all idiots. The password snafu on the website is just another indication of that.

David A. Lessnau on June 26, 2008 5:32 AM

Any developer worth his salt wouldn't make such a hash of authentication - DailyWTF comment

Rob on June 26, 2008 5:32 AM

Maybe I'm missing the point, but does MENSA hold your credit card details on file? Risk management:

- What personal information, valuable information, or otherwise does the MENSA site provide access to?
- Was the password provided by the member?

If the answers were none and no, then resending the old password isn't as big an issue as made out here.

And no, OpenID is not some silver bullet. It has a whole set of new problems that as of today are still unsolved (see various articles at links.org for more information).

Blindly following The Security Book often results in usability nightmares (logging onto $MostOnlineBankingSystems, anyone?) and may exacerbate real problems by diverting the already overloaded programmer's attention.

Personally, even if the MENSA site has a forums facility, I wouldn't be using it to pass confidential information to my extra-marital lover, nor really care if someone sends a few spoof posts from my account (a quick email to the admins would sort that out).

But since I'm not smart enough to be a member of MENSA either, I guess I don't know. :)

David W on June 26, 2008 5:32 AM

The problem is that they send out the old password rather than generating a new or providing a link to do so. If they can send out the original password, by inference they must be storing it without hashing it first.

Casper on June 26, 2008 5:34 AM

On a lesser note:
They also claim to have mailed the login info on printed cards, and then admit that losing the cards is highly possible.

Thus, any one finding the cards would have access to the account.

hobbylobby on June 26, 2008 5:38 AM

Actually, they're only storing a salted hash. But due to their vastly superior intellect they're able to figure out the original password on the fly anyway.

So there.

Konrad on June 26, 2008 5:38 AM

Many sites send the password in unencrypted emails, even just to confirm that you have registered. It always makes me scream.
I don't understand why people do that: they are supposed to be programmers, and know about this kind of problem. At school we have all launched Wireshark and sent an email, haven't we?

Raphaël Lemaire on June 26, 2008 5:38 AM

The plaintext passwords are bad enough, but I think the biggest WTF here is that they give you the Sorry, we don't recognize that email address. error if you enter an address not in their database.

I hit it about 20 times and it doesn't lock you out or add a delay. It would be trivial to write something to datamine valid addresses. Seems like a valuable mailing list to build!

Dave on June 26, 2008 5:40 AM

Although I know that it's one of the dumbest things to store passwords in plaintext.
But I actually worked on a project where a requirement was that the password should not be changed when forgotten. This was because our users weren't tech savvy and had problems with everything that exceeded writing mails.
So we decided to store the passwords in plaintext but generating the passwords for the users. We didn't include any possibility of changing the password. In that way we at least managed to prevent loss of valuable passwords.
Anyway, if I were to implement that particular project again, I'd surely stick with encrypted passwords, no matter what management thinks.

MyKey_ on June 26, 2008 5:40 AM

If the password issue is supposed to be The Real WTF (tm), of course there's no need for a retrievable password to be stored in plaintext. Encryption is a wonderful 2-way system that doesn't require the intermediate result to be readable.

Of course the method of decrypting the password also has to be stored *somewhere* but again, there's no need for that to be nearby the database with the encrypted passwords.

Remember that security is all about layers; the existence of any particular layer doesn't necessarily tie to any other layer. We can get your password back is not indicative of we store plaintext passwords.

Gareth on June 26, 2008 5:42 AM

Is it lacking a captcha like orange :) ?

Sarath on June 26, 2008 5:44 AM

Why does Mensa even need to password protect their site? Couldn't they just use a ridiculously hard IQ test to see if people were worthy of access?

Anders Nors on June 26, 2008 5:45 AM

Sending a password means they store it as has been mentioned already.

And yeah, not the first time you mention this ;)

Shoo!

Carra on June 26, 2008 5:49 AM

For those people who are oblivious to the fact that people re-use their passwords (and LeftHere, 23 posts above, indicates that MENSA passwords are user-changeable and, thus, re-usable), I recommend the following article:

http://technet.microsoft.com/en-us/magazine/cc626076(TechNet.10).aspx

The whole article is interesting, but the part about different passwords for every site is somewhere around the middle.

David A. Lessnau on June 26, 2008 5:49 AM

One quote that always sticks in my mind:

Mensa is full of people that like to THINK they're clever, not those that actually are.

Paul on June 26, 2008 5:51 AM

How do you know that send me my password doesn't in fact send a temporary password, with instructions to reset the password?

You cannot assume from this screen that the password isn't encrypted/salted. You cannot assume that the email to the user isn't encrypted either.

Jo on June 26, 2008 5:52 AM

this captcha is always orange, and here we are bashing something else

AT on June 26, 2008 5:52 AM

The mistake is that the Events tab is chosen when you're on a forgot password form. It means they are not using any cool framework for development, or at least misusing some framework.

I wouldn't work for them either.

OS on June 26, 2008 5:55 AM

#Jo

If the email address you submit matches the email address in our system, you will receive an email that contains your current password.

YOUR CURRENT PASSWORD

what's not so clear, you dumb mensite.

AT on June 26, 2008 5:55 AM

It pays to consider the level of security in the context of what's being protected. Quite frankly, I could care less if any of many of the web sites I have accounts on were compromised. The password more often protects their interests, not mine. Of course, if the account is at all sensitive with membership information (as is likely the case here), there may be a problem.

Since you've sent readers on a wild goose chase by not explaining the problem that we should be discussing, I'll withhold any further comment. Depending on which can of worms you actually open on us in a later post, I'll be able to better elucidate in context.

Ben Garreros on June 26, 2008 5:59 AM

if you know an existing mensa member's email address it might be kind of fun to spam them by hitting the 'Send me my password' button a couple hundred times ...

Matt Berseth on June 26, 2008 6:05 AM

I've always found it funny that Mensa means stupid in Spanish.

FakeOpenID on June 26, 2008 6:05 AM

*yawn* who cares? I'd have preferred to have you mention the WTF and then perhaps expound on a few alternatives.

JohnM on June 26, 2008 6:06 AM

Well, it's Mensa which means many, many smart people. Maybe their coders were able to break SHA, MD5 or whatever hash alg they are using... The only question is why they keep it secret?

Ondra on June 26, 2008 6:09 AM

Everyone seems to be missing what was blindingly obvious to me...

Know someones email address? Find out if they are in mensa....

Not particularly...... private.

So many websites are culprits of this.

Adam on June 26, 2008 6:10 AM

It's not a good idea to tell we don't have the entered email address in our system, easier and safer to give the same response whether we sent an email or not.

snomag on June 26, 2008 6:13 AM
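The enumeration point raised by Dave (the form answers "we don't recognize that email address", with no lock-out or delay after twenty tries) and by snomag (give the same response whether a mail went out or not), as an added Python example that is not the Mensa site's code or either commenter's. Shown side by side: a handler that behaves the way the comments describe, a fixed handler that gives one reply and caps requests per client in a sliding window, and a small check over constructed log lines that flags a client submitting many distinct addresses. The member list, log lines, client ids and thresholds are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed member list for the example.
MEMBERS = {"alice@example.invalid", "bob@example.invalid"}


def leaky_forgot_password(email):
    """The behaviour the comments describe: the reply itself says whether the
    address is on file, so the form doubles as a membership lookup."""
    if email in MEMBERS:
        return "Your password has been sent to you via email."
    return "Sorry, we don't recognize that email address."


class ForgotPasswordHandler:
    """Same reply for every address, plus a sliding-window cap per client
    (assumed default: 5 requests per 10 minutes) so the form cannot be hammered."""

    REPLY = "If that address is registered, instructions have been sent to it."

    def __init__(self, limit=5, window=600):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)  # client id -> recent request times
        self.queued = []                   # addresses a mailer would process

    def handle(self, client_id, email, now):
        recent = self.history[client_id]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return 429, "Too many requests from this client; try again later."
        recent.append(now)
        if email in MEMBERS:
            self.queued.append(email)  # mail goes out, but the reply does not say so
        return 200, self.REPLY


# Constructed log lines: client, unix time, endpoint, submitted address.
SAMPLE_LOG = """\
10.0.0.5 1214457600 forgot_password a1@example.invalid
10.0.0.5 1214457601 forgot_password a2@example.invalid
10.0.0.5 1214457602 forgot_password a3@example.invalid
10.0.0.5 1214457603 forgot_password a4@example.invalid
10.0.0.5 1214457604 forgot_password a5@example.invalid
10.0.0.5 1214457605 forgot_password a6@example.invalid
10.0.0.9 1214457610 forgot_password bob@example.invalid
10.0.0.9 1214457650 forgot_password bob@example.invalid
"""


def flag_enumerators(log_text, threshold=5, window=60):
    """Returns the clients that submitted at least `threshold` distinct
    addresses within one `window`-second bucket: one person retrying their own
    address does not trip it, a scripted sweep of addresses does."""
    seen = defaultdict(set)  # (client, bucket) -> distinct addresses
    for line in log_text.splitlines():
        client, ts, endpoint, email = line.split()
        if endpoint == "forgot_password":
            seen[(client, int(ts) // window)].add(email)
    return {client for (client, _), emails in seen.items() if len(emails) >= threshold}
```

The 429 reply is the same whatever address was submitted, so throttling does not reopen the oracle. One residual channel remains in the fixed handler: it only queues a mail for registered addresses, so if queuing were slow the response time could differ; doing the mail work asynchronously after the reply is the usual way to close that.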

Silly people, the real issue is that you don't put the word Colloquium on a website. I mean, what the heck does that mean... stupid fancy Latin word users! ;-)


Never liked the password being sent to me. Better to have a reset password link, I think.

Hefty Smurf on June 26, 2008 6:14 AM

It isn't some hidden password trick, it's that they are on the events tab (look on the side bar) and up pops the password retrieval page.

Cybercat on June 26, 2008 6:16 AM

I didn't get the whole idea of the post. I am in a puzzle.

Startlogic Review on June 26, 2008 6:18 AM

Oh, I know, the web colours are mismatched!

MENSU on June 26, 2008 6:19 AM

So which one were you thinking of? Not storing the password as a hash, or sending the email through an insecure communications method?

Bjarne Stroustrup on June 26, 2008 6:20 AM

@Startlogic Review
Nobody got the idea of this post. We are just pretending.

Niyaz PK on June 26, 2008 6:20 AM

... and it doesn't take too much googling to figure out the email addresses of some mensa people.

'Your password has been sent to you via email.'

Matt Berseth on June 26, 2008 6:21 AM

colloquiUm?
I'm not native english, but in latin IIRC it was spelled another way...

LucianoMollea on June 26, 2008 6:29 AM

Some miscreant could send any known Mensa member (if they know their e-mail) a constant stream of e-mails.

Paul on June 26, 2008 6:30 AM

As a developer who works for a company that sends out plain text logins and passwords in both emails and mailings, I'd like to defend the intelligence of at least some portion of the developers who are doing this...

It's not our choice. Really.

Sometimes, in spite of our best arguments and all evidence to the contrary, we are forced to do really dumb things by the powers that be. Usually this is done in a misguided attempt to provide more customer friendly solutions to a problem. And we hate every minute of it.

Sometimes we even go to extra-ordinary lengths to do the smart thing while making it *appear* that we are doing the dumb thing mandated by the powers. If they notice that we aren't doing what they ask, we argue that it is a limitation of the technology. Or we log it as a bug in a long list of low priority bugs that will never see the light of day. Or we make the smart thing smarter so it can appear dumber.

And sometimes we are forced to do the dumb thing anyway. Then we can only make a note of our protests, reiterate them every chance we get, make snarky remarks in code comments, and - when it comes around and bites them in the posterior - gently remind the powers: We told you so.

So, please, take a moment and reserve judgment on the myriad of dumb programmers in the trenches - at least until you see their snarky comments in the code.

RS Reitz on June 26, 2008 6:31 AM

Aside from the obvious privacy and security problems that everyone's already mentioned...

- ColdFusion.
- <!-- Source Code Copyright 2001 Active Matter, Inc. www.activematter.com -->
- Above domain is dead.
- Occasionally, it's 2003
- Name-based browser checks.
- 200 lines of hardcoded switch-case lists for simple image swap code.
- Spacer GIFs.
- Can't make up their mind whether they want www. prefixes in their subdomains or not.
- <!-- saved from url=(0022)http://internet.e-mail -->

Ilia Jerebtsov on June 26, 2008 6:31 AM

@Ilia Jerebtsov
I think you are making your point clear more than enough.

Niyaz PK on June 26, 2008 6:34 AM

Does this site have a virus? I can see telling people not to register with a site, but usually you tell others not to visit a site because it runs some type of exploit.

Joseph on June 26, 2008 6:37 AM

...and the function _CF_checkCFForm_1() always returns true.

Niyaz PK on June 26, 2008 6:39 AM

...and the function:

function exeMailTo(thisUser, thisServer, thisExt)
{
    // The "mailto:" prefix is split into pieces so the literal string
    // does not appear in the page source.
    var sLink = "ma" + "il" + "to" + ":" + thisUser + "@" + thisServer + "." + thisExt;
    // Check for a 4th, optional argument for default email subject
    if (arguments.length > 3)
    {
        sLink += "?subject=" + arguments[3];
    }
    window.location = sLink;
}

just to hide the email address from spammers.

Niyaz PK on June 26, 2008 6:41 AM

For Mensa, it should suffice to have Forgot password? Click here, without an input field. Anyone who can not memorize the automatically generated GUID-like password clearly has no business signing in there anyways.

danijels on June 26, 2008 6:41 AM

@Ilia Jerebtsov

Yes. Every single web developer with an IQ > 0 should know that they can swap images in CSS.
If you are using JavaScript for that, you are out of business(and certainly out of your mind).

Niyaz PK on June 26, 2008 6:43 AM

...and don't throw tables at me.

Niyaz PK on June 26, 2008 6:47 AM

It doesn't matter that they store the passwords in plaintext... every member has the same password: imagenius_notu

-m

fogus on June 26, 2008 6:47 AM

Maybe they just send the hash - you're in MENSA, figure it out from that.

chris on June 26, 2008 6:48 AM

Are they supposed to forget passwords?

Niyaz PK on June 26, 2008 6:48 AM

@chris
That is clever.

Niyaz PK on June 26, 2008 6:49 AM

There is one good cause for storing plain-text passwords, and that is that it allows for more secure authentication methods.

If the attacker can listen on the wire but can't get access to the password storage, storing hashed passwords will allow the attacker to read the passwords on the wire, because storing hashed (and optionally salted) passwords means you also have to send a plaintext password, or a hash of it. Both are open to replay attacks.

Now, if you store the plaintext password you can use replay-safe authentication methods by having server and client agree on a one-time salt for sending a hashed password over the wire.

Most protocols (including e-mail submittal and retrieval, and HTTP) support both paradigms of authentication in one or more ways.

But as long as you're on an unencrypted connection, you can't have it both ways.
If you want both, use some public key crypto for the connection itself, establishing the crypto before authenticating the client. That way you can store a hashed and salted password and still be secure on the wire.

So if eavesdropping is a risk and SSL/TLS isn't an option, storing plaintext passwords might not be that bad an option.

Niels on June 26, 2008 6:50 AM

Submitted to: http://www.plaintextshame.com/

7753590 on June 26, 2008 6:50 AM

Send me my password doesn't imply send me my old password they can just generate a new one on the fly and send it to you.

I don't see anything wrong with it. What I found most curious about this post is the maybe I'm not smart enough to be in Mensa but... Looks like jealousy or something...

Jorge on June 26, 2008 6:51 AM

Intelligence and knowledge are two different things. The most intelligent people on the planet may not have that particular knowledge about building web sites, so they hired someone who did the site the way it looks. Saying that Mensa people are dumb because you geeks found some mistakes in their site is weird, and you people make fools of yourselves.

Luke on June 26, 2008 6:54 AM

Mensa site:
I am a member of British Mensa.
I wouldn't worry in the slightest if someone got hold of my password.
There's damn all of any use to anyone on their website.
If American Mensa is like UK Mensa, there won't be any need to hide your password there either!

Ian Williams on June 26, 2008 6:57 AM

Err.. They blather on and on. Why not just have a 'forgot my password' button? Oh, all the other stuff too.

Steve on June 26, 2008 6:57 AM

@Niels: Even with agreement on a one-time salt, that doesn't mean they have to store it in plain text. They could apply the same technique to a hash.

Dave Aronson on June 26, 2008 6:58 AM

I think the biggest issue is that if you didn't get your card yet, how do they have your e-mail address registered? Does that mean that if you never get your card you will just never be able to log in? It's not like there is a contact us link that you can explain your situation with.

ChrisK on June 26, 2008 6:59 AM

They should never store passwords in plain text, or in any other way that makes it possible to be read in plain text (e.g. encrypting). The password should be hashed (using salt) and stored in a database. To be able to access your account even though you forgot the password, they should create a new password on the fly (e.g. 1n23asds), send that in the email, hash it and store it as the new password in the database.

ninuhadida on June 26, 2008 6:59 AM
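The storage scheme ninuhadida describes above (and Vince and Casper earlier: salted hash in the table, new temporary password generated on the fly), as an added Python example that is none of the commenters' code and not the Mensa site's. It shows why a "send me my current password" button cannot be implemented against such a table, and what the replacement operation looks like. The dict-backed store, the 12-character temporary password, and the PBKDF2 work factor are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import string

ITERATIONS = 100_000  # assumed work factor for PBKDF2


def hash_password(password, salt=None):
    """Returns (salt, digest). A fresh 16-byte salt per user means two users with
    the same password get different digests, and precomputed tables don't apply."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class UserStore:
    def __init__(self):
        self.rows = {}  # email -> {"salt", "digest", "must_change"}; no password column

    def register(self, email, password):
        salt, digest = hash_password(password)
        self.rows[email] = {"salt": salt, "digest": digest, "must_change": False}

    def verify(self, email, password):
        row = self.rows.get(email)
        if row is None:
            return False
        _, digest = hash_password(password, row["salt"])
        # constant-time comparison so the check does not leak how many bytes matched
        return hmac.compare_digest(digest, row["digest"])

    def send_me_my_password(self, email):
        """What the Mensa form promises cannot be done from this table: the row
        holds no password, only salt and digest."""
        raise NotImplementedError("password is not recoverable from a salted hash")

    def issue_temporary_password(self, email):
        """What the comment proposes instead: generate a new random password, store
        only its hash, and hand the plaintext to the mailer exactly once."""
        if email not in self.rows:
            return None
        alphabet = string.ascii_letters + string.digits
        temp = "".join(secrets.choice(alphabet) for _ in range(12))
        salt, digest = hash_password(temp)
        self.rows[email].update(salt=salt, digest=digest, must_change=True)
        return temp


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.invalid", "correct horse")
    print("login with right password:", store.verify("alice@example.invalid", "correct horse"))
    temp = store.issue_temporary_password("alice@example.invalid")
    print("temporary password to mail (seen once):", temp)
    print("old password still works:", store.verify("alice@example.invalid", "correct horse"))
```

Vince's comment mentions SHA or MD5 with a salt; the example uses PBKDF2, a deliberately slow iterated construction, because a plain fast hash of a short password can be brute-forced quickly once the table leaks. The `must_change` flag is there so the mailed temporary password is only ever a bridge to one the user picks themselves.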

The web site, like everything else in the national office of American Mensa, Limited, is operated by paid staff who are not members.

Mind you, many of them could be members, were it not for a rule disallowing it. But they operate mostly with off-the-shelf software and limited staff and funding. Just like a lot of you.

A.Member on June 26, 2008 6:59 AM

@Niels
Whatever you can do with plaintext password you can do the same with hashed versions also. right? Tell me if I am missing something.

in the case of hashed passwords, even if someone is eavesdropping only one password is lost. But if the database is in plaintext and the database is lost, everything is lost. Right?

Niyaz PK on June 26, 2008 7:00 AM
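The exchange between Niels, Dave Aronson and Niyaz PK above is a question about whether challenge-response login requires a plaintext password on the server. This added Python example (not any commenter's code, and not a real protocol such as CRAM or SCRAM, though built on the same idea) shows both sides' messages with a server that stores only a salted PBKDF2 verifier: the client keyed-hashes a fresh nonce with the verifier it rebuilds from the typed password, so neither the password nor a replayable value crosses the wire. It also shows the limit Niyaz PK points at: the stored verifier is password-equivalent for this protocol, so the table still has to be protected. The `Server` class, `make_verifier`, the nonce size and the work factor are assumptions for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor


def make_verifier(password, salt):
    """Stored at enrolment instead of the password (assumed construction)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Server:
    def __init__(self):
        self.accounts = {}  # user -> (salt, verifier); no plaintext anywhere
        self.pending = {}   # user -> nonce outstanding for this login attempt

    def enrol(self, user, password):
        salt = secrets.token_bytes(16)
        self.accounts[user] = (salt, make_verifier(password, salt))

    def challenge(self, user):
        """First message to the client: the user's salt and a fresh nonce."""
        salt, _ = self.accounts[user]
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return salt, nonce

    def check(self, user, response):
        """Second message, from the client: accepted only against the nonce that
        is outstanding, and each nonce is consumed whether or not it matches."""
        nonce = self.pending.pop(user, None)
        if nonce is None:
            return False
        _, verifier = self.accounts[user]
        expected = hmac.new(verifier, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)


def client_response(password, salt, nonce):
    """Client side: rebuild the verifier from the typed password and keyed-hash
    the nonce with it. The password itself never crosses the wire."""
    return hmac.new(make_verifier(password, salt), nonce, "sha256").digest()


def verifier_is_password_equivalent(server, user):
    """The caveat from the thread: a copy of the stored row is enough to answer a
    challenge, so a leaked table still gives up every account for this protocol."""
    salt, nonce = server.challenge(user)
    _, stored = server.accounts[user]
    return server.check(user, hmac.new(stored, nonce, "sha256").digest())
```

The consequence for the thread's argument: Dave Aronson is right that the same one-time-nonce trick works with a hash in the table, and Niyaz PK is right that a stolen table is still a full compromise, because the verifier, not the password, is what the protocol actually proves possession of. That is why Niels's own last suggestion, encrypting the connection first and then checking a salted hash, is the usual answer.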

I would never join an institution that would have me as a member. ;-)

Brian on June 26, 2008 7:02 AM

@Luke

I think the point is that they should have the intelligence to become knowledgeable about the correct way of making a secure website.

Nate on June 26, 2008 7:03 AM

@Luke
They (Mensa) must be intelligent enough to hire the RIGHT people to do their website.

Niyaz PK on June 26, 2008 7:04 AM

@Ian: Excellent point, and one I was refraining from making to Niels. There are tons of far more secure solutions... but which of them are trivial enough to be worth bothering with, to protect the particular asset in question? Even the already-mentioned no-no of sending plain text passwords via email, often along with the corresponding user ID, is perfectly tolerable for some sites. How much do you want to invest in the site's security, and how many hoops do you want to make the user jump through?

Seems to me there are (at least) three stages of security awareness:

1) Ignorance: I don't have anything to protect! Nobody would bother to attack me!
2) Paranoia: OMG, there are h4x0rz! Lock everything down tight!
3) Rationality: Don't invest in a $100 lock to protect a $10 bike.

-Dave, life member, American Mensa

Dave Aronson on June 26, 2008 7:05 AM

You're all only half right. Not only is there a blatant security issue, they used TABLES in their markup.

TABLES! Burn them with fire!

Which is what I'll have to do to Jeff, judging by his latest twitter!

Ben on June 26, 2008 7:10 AM

The problem is hard to see until you go to the actual website, they used Cold Fusion!

Kearns on June 26, 2008 7:14 AM

Dave, about your point 3: You underestimate the value the passwords themselves have. Few people use different passwords for all their online accounts. I don't believe for one second that Mensa members are any different. The lock might not be worth protecting a $10 bike but on the other hand don't hand out the key if it also opens your high-security vault.

So, yes, storing passwords in plain text is *always* a problem, even if it's only used to secure trivial content.

Konrad on June 26, 2008 7:14 AM

@OS / @Cybercat - You guys have it right.

Everyone: Look at what is highlighted on the top tabs and sidebar.
Events - Calendar

But you're on the password reset page?

The funny part is that this is the Mensa website, so they're supposed to be sooper smarrt.

I love this quote: I thought you were a member of MENSA, until you spelled it wrong.

But I actually disagree with that. There was a guy here at work who was actually a member, but he was the weirdest guy. Very quirky, very annoying, very bad speller.

Dave on June 26, 2008 7:14 AM

This is *not the real* Mensa site, just a clever deceit to delude us into thinking that this Mensa thing is nothing but some kind of chess club for dorks. The actual Mensa site is rigorously secured, runs on UFO technology and is their discussion platform for the secret world government.

Mac on June 26, 2008 7:14 AM

The message should say, check under your keyboard first. lol

Saleem on June 26, 2008 7:15 AM

NO CAPTCA

k_der on June 26, 2008 7:16 AM

I think the first error is in spelling out to the user (or potential hacker) that the password was written out on a plain sheet of paper and mailed.

Some cheap social engineering could have them mail the password out to a new address. 'I just moved. I work at this other institution now. etc.'

Or you could just dumpster dive.

The second error is saying that the stored password will be emailed to the stored address. If the email is compromised, that's an issue. Another vector would be to sniff the traffic.

Lastly, sending the password. They should send a confirmation link which the user then clicks on. The page should log the time, their IP, and have them create a new password.

baboalex on June 26, 2008 7:19 AM

@Gareth
You honestly think that if someone can get a copy of your database, they won't also get the key? It would be especially easy in this case since the password recovery page needs access to the key somehow.

@Aaron G:
Unless I'm sorely mistaken, the best attack on SHA-1 is 2^69 ops to find a collision. Seems just a bit safer to me than storing in plain text. Still, your point is well-taken -- there's no good reason not to use a hashing algorithm that is currently considered more secure.

Eam on June 26, 2008 7:29 AM

I seriously think that high IQ programs ruin people. Suddenly they think they deserve everything and shouldn't have to work and study anymore because they were gifted with high intelligence.

Yes, I was in one, and I have had to spend a large portion of my life learning that you still have to stick your nose in the dirt and work to get ahead (Of course, we all have to learn that).

I would have been better off without it. However, at the same time, it would have been nice if we had more accelerated regular classes. But those classes would simply reward those who moved quickly. They could get their by talent, or by studying hard, or by asking the right questions—it doesn't really matter. Then I would have learned that working hard got me ahead, rather than thinking it was some kind of birthright.

Not everyone in such programs has this problem. Some of them are actually smart enough to realize early on that they aren't actually that smart and not get all caught up in their own intelligence.

Anyway, that's why those people are so quirky and weird and don't bother doing anything the way they should—they believe they don't have to, they are entitled to do as they please.

Jeff Davis on June 26, 2008 7:30 AM

The decision to store raw passwords would typically be based on requirements for privacy. For instance, is there information associated with the user account that would be considered sensitive? Without knowing the properties associated with each account, it is difficult to say if this is a mistake. Does my online Mensa account exist only to manage my public user profile? If so, encrypting the passwords might be overkill for this application, assuming budget limitations.

Adam hits the nail on the head in his comment above. This system is essentially a lookup tool to determine Mensa membership, with no CAPTCHA.


Steve on June 26, 2008 7:32 AM

Oops, looks like I was sorely mistaken. The attacks on SHA-1 are a bit better than I had indicated -- Wikipedia says 2^63 ops for a collision, which is actually a bit troubling. There also seem to be a couple other interesting attacks on it.

Still, I'd feel safe enough if my passwords were stored as a salted SHA-1 hash in remote databases, as none but the most determined attackers will go through the trouble to break that.

Eam on June 26, 2008 7:33 AM


Content (c) 2009 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved.