June 25, 2008
I may not be smart enough to join Mensa, but I am smart enough not to build websites like the American Mensa website.
Do you see the mistake? If so, can you explain why this is a mistake, and why you'd desperately want to avoid visiting websites that make this mistake?
(hat tip to Bob Kaufman for pointing this out)
Posted by Jeff Atwood
Forget MENSA, *MySpace* does the same thing!
To Mark Tiefenbruck:
3. Generate a link containing the hash and some other information needed to log in. DO NOT generate a new password; otherwise, knowledge of a user's account name and e-mail address can be used by others to harass the user (or even deny him service if he's lost control of or access to his registered e-mail account).
I would only send a link with a generated random GUID. Only when this link is clicked could a new password be created on the landing page.
The link is only allowed to work once.
And such a mail could be generated only once in 24 hours.
PS: I feel Jeff doesn't have a clue what's wrong there, but he wants us to give him ideas for his latest project for cheap :-)
Haven't posted here in a while, but...
Isn't it possible that they email some random 'new' password?
Well, I guess you tested for that. Either way, that isn't so obvious based on the screenshot. It could be that they just have the wrong verbiage on the button.
I am going to create a site that requires a username and password - and I will not only store that info in clear text, I will make all passwords accessible to everyone. I am going to use ColdFusion. I will use a hash on user profile create/update for the view.
You've all made me very angry pretending that these things matter so much. When in reality - anyone using the same password for such things as their financial matters, personal email, as they do on facebook - in my opinion, deserves to be shamed.
Take the advice of our host and use passphrases instead - and if you have an account on Mensa - I would suggest using the following phrase: User Not Found.
I don't see any mistake. I think the mistake is this post.
Even the smart people of MENSA will take advantage of CardSpace... it's not only for mere mortals.
You can get to the page in Jeff's screenshot by going to:
click the 'click here to log in' link (since it asks for a login)
click forgot password on the login page.
see that the Event tab is highlighted? And in the sidebar Event and Calendar are bolded, just like in his screenshot.
As to what is wrong with this page. All assumptions about unencrypted passwords are not supported by concrete evidence. Unless you can show an email from them with a plaintext password, you don't really know. You can't prove it. So let's not go down that path.
I am very curious to know what is wrong with this page. Sometimes, it's better to admit we don't know if we can't support our answer with absolute concrete evidence.
@df5, the grammar policeman. I think your time is better spent tracking down Bob Kaufman. He must be somewhere with Carmen Diego.
I am not quite sure why you picked this particular topic today. If it is really because of how Mensa goes about treating its members' passwords.... well, it is not that interesting. However, if you posted this blog to get a bunch of your readers to poke fun at Mensa, then, my friend, you have done well.
A society of people who can do well at certain kind of standardized tests .... yes, they are asking to be ridiculed. On top of it all, there is actually a membership fee. What? Being a brilliant test taker is not enough? I say Roland Berrill and Dr. Lancelot Ware were a couple of hustlers.
Making fools of ourselves by making fun of an organization, or rather a society, of brilliant test takers? No.
Apparently there are a lot of people here who are bitter about not being able to get into Mensa :P
Hey now, there are plenty of brilliant test takers in America.
What if you're an American Mensa member and you have changed your mail provider since you registered with them 6 years ago? No way to get your password!
Hey, I was email@example.com and I'm now firstname.lastname@example.org, don't you remember me?? I scored 212 back then... Hey? Help!
They should provide a 'Forgot your email?' button, I think.
Yes, lots of bitter people!
This blog entry can't be serious. Being a member of Mensa doesn't mean you excel in everything. OMG, there are some Mensa members out there who can't code a website! Who knows if the person who made the website is a Mensa member? I'll shut up now and get a life.
As you can see, I'm not a member of Mensa either. But I'm not bitter!
a) Nowadays it is common practice to strongly encrypt passwords and optionally email addresses in the database.
b) For password recovery processes it is common practice (also nowadays) to check a security question, then send a temporary link for password resetting.
c) This kind of architecture seems not to use sessions for user validation; instead it seems to use some kind of Template/Section combination.
d) Just checked gmail.com and they say they will send me instructions to my secondary email (which I never provided to them). Now it seems I have to wait 24h! to have a security question made available to me!!
Everyone seems to be missing what was blindingly obvious to me...
Know someone's email address? Find out if they are in Mensa....
Not particularly...... private.
So many websites are culprits of this.
Err... the email only goes to the address, and we don't know enough to assume that the send password button gives any indication of success or not.
As for the encryption thing, I don't get it. To send the password you just decrypt it, being able to send it doesn't prove it isn't encrypted.
I don't see the problem here...
The design of the site is not co-MENSA-rate with the nature of the organization.
@Xianhang Zhang you beat me to it. I couldn't believe it when MySpace sent me my password when I went to recover it. I can't believe anybody is stupid enough to do that.
Obviously we're all a bunch of stooopid high-IQ'd geeks, and no one has got a clue of what Jeff is trying to point out.
So, Jeff, could you please enlighten your follower's brains and tell us?
I guess the one you were thinking of is that they would have to keep the raw password somewhere, instead of only keeping a hash.
The other problem is that anyone could cause someone's password (or the means to reset the password) to be sent out in an unencrypted email, but an awful lot of websites do exactly that.
Roll on open-id.
I don't know if this is related. But check out this article:
TypeKey stores your passwords in plaintext
The mistake I see is that the password seems not to be hashed.
The password should be hashed using SHA or MD5 and salted.
Else once a hacker manages to dump the database he has everyone's passwords.
It should be 'enter your email and you will be sent a new temporary password'.
I used to belong to MENSA. As far as I could see, they're all idiots. The password snafu on the website is just another indication of that.
Any developer worth his salt wouldn't make such a hash of authentication - DailyWTF comment
Maybe I'm missing the point, but does MENSA hold your credit card details on file? Risk management:
- What personal information, valuable information, or otherwise does the MENSA site provide access to?
- Was the password provided by the member?
If the answers were none and no, then resending the old password isn't as big an issue as made out here.
And no, OpenID is not some silver bullet. It has a whole set of new problems that as of today are still unsolved (see various articles at links.org for more information).
Blindly following The Security Book often results in usability nightmares (logging onto $MostOnlineBankingSystems, anyone?) and may exacerbate real problems by diverting the already overloaded programmer's attention.
Personally, even if the MENSA site has a forums facility, I wouldn't be using it to pass confidential information to my extra-marital lover, nor really care if someone sends a few spoof posts from my account (a quick email to the admins would sort that out).
But since I'm not smart enough to be a member of MENSA either, I guess I don't know. :)
The problem is that they send out the old password rather than generating a new or providing a link to do so. If they can send out the original password, by inference they must be storing it without hashing it first.
On a lesser note:
They also claim to have mailed the login info on printed cards, and then admit that losing the cards is highly possible.
Thus, any one finding the cards would have access to the account.
Actually, they're only storing a salted hash. But due to their vastly superior intellect they're able to figure out the original password on the fly anyway.
Many sites send the password in unencrypted emails, even just to confirm that you have registered. It always makes me scream.
I don't understand why people do that: they are supposed to be programmers, and know about this kind of problem. At school we all launched Wireshark and sent an email, didn't we?
The plaintext passwords are bad enough, but I think the biggest WTF here is that they give you the Sorry, we don't recognize that email address. error if you enter an address not in their database.
I hit it about 20 times and it doesn't lock you out or add a delay. It would be trivial to write something to datamine valid addresses. Seems like a valuable mailing list to build!
Although I know that it's one of the dumbest things to store passwords in plaintext.
But I actually worked on a project where a requirement was that the password should not be changed when forgotten. This was because our users weren't tech savvy and had problems with everything that exceeded writing mails.
So we decided to store the passwords in plaintext but generate the passwords for the users. We didn't include any possibility of changing the password. In that way we at least managed to prevent loss of valuable passwords.
Anyway, if I were to implement that particular project again, I'd surely stick with encrypted passwords, no matter what management thinks.
If the password issue is supposed to be The Real WTF (tm), of course there's no need for a retrievable password to be stored in plaintext. Encryption is a wonderful 2-way system that doesn't require the intermediate result to be readable.
Of course the method of decrypting the password also has to be stored *somewhere* but again, there's no need for that to be nearby the database with the encrypted passwords.
Remember that security is all about layers; the existence of any particular layer doesn't necessarily tie to any other layer. 'We can get your password back' is not indicative of 'we store plaintext passwords'.
Is it lacking a captcha like orange :) ?
Why does Mensa even need to password protect their site? Couldn't they just use a ridiculously hard IQ test to see if people were worthy of access?
Sending a password means they store it as has been mentioned already.
And yeah, not the first time you mention this ;)
For those people who are oblivious to the fact that people re-use their passwords (and LeftHere, 23 posts above, indicates that MENSA passwords are user-changeable and, thus, re-usable), I recommend the following article:
The whole article is interesting, but the part about different passwords for every site is somewhere around the middle.
One quote that always sticks in my mind:
Mensa is full of people that like to THINK they're clever, not those that actually are.
How do you know that send me my password doesn't in fact send a temporary password, with instructions to reset the password?
You cannot assume from this screen that the password isn't encrypted/salted. You cannot assume that the email to the user isn't encrypted either.
this captcha is always orange, and here we are bashing something else
The mistake is that the Events tab is chosen when you're on a forgot password form. It means they are not using any cool framework for development, or at least misusing some framework.
I wouldn't work for them either.
If the email address you submit matches the email address in our system, you will receive an email that contains your current password.
YOUR CURRENT PASSWORD
What's not so clear, you dumb Mensite?
It pays to consider the level of security in the context of what's being protected. Quite frankly, I could care less if any of many of the web sites I have accounts on were compromised. The password more often protects their interests, not mine. Of course, if the account is at all sensitive with membership information (as is likely the case here), there may be a problem.
Since you've sent readers on a wild goose chase by not explaining the problem that we should be discussing, I'll withhold any further comment. Depending on which can of worms you actually open on us in a later post, I'll be able to better elucidate in context.
if you know an existing mensa member's email address it might be kind of fun to spam them by hitting the 'Send me my password' button a couple hundred times ...
I've always found it funny that Mensa means stupid in Spanish.
*yawn* who cares? I'd have preferred to have you mention the WTF and then perhaps expound on a few alternatives.
Well, it's Mensa which means many, many smart people. Maybe their coders were able to break SHA, MD5 or whatever hash alg they are using... The only question is why they keep it secret?
It's not a good idea to tell 'we don't have the entered email address in our system'; it is easier and safer to give the same response whether we sent an email or not.
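Putting the reset-link flow sketched earlier in the thread (a random, one-time link; at most one mail per address per 24 hours) together with the point just above about returning the same response whether or not the address exists, here is an added Python example. It is not code from the Mensa site or from anyone in the thread; the in-memory USERS, RESET_TOKENS and LAST_REQUEST tables, the member address, the mailer callback and the reset URL are all constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed stand-ins for database tables; nothing here is the Mensa site's code.
USERS = {"member@example.org": {"password_hash": None}}
RESET_TOKENS = {}   # sha256(token) -> {"email", "expires", "used"}
LAST_REQUEST = {}   # email -> time of the last reset mail we sent

TOKEN_TTL = 60 * 60          # a reset link should die quickly
RATE_LIMIT = 24 * 60 * 60    # at most one reset mail per address per day
GENERIC_REPLY = "If that address is registered, a reset link is on its way."


def _hash_token(token):
    # Store only a hash of the token so a dump of RESET_TOKENS cannot be redeemed.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None, send_mail=None):
    """Handle the 'forgot password' form.

    Returns (reply, token). The reply is the same string on every path, so the
    form reveals neither whether the address belongs to a member nor whether
    the rate limit fired; the token is returned only so a test can redeem it.
    """
    now = time.time() if now is None else now
    send_mail = send_mail or (lambda to, link: None)   # hypothetical mailer hook
    if email not in USERS:
        return GENERIC_REPLY, None            # unknown address: same words, no mail
    last = LAST_REQUEST.get(email)
    if last is not None and now - last < RATE_LIMIT:
        return GENERIC_REPLY, None            # no flood of mails to a known member
    token = secrets.token_urlsafe(32)         # unguessable, unlike a sequential id
    RESET_TOKENS[_hash_token(token)] = {"email": email, "expires": now + TOKEN_TTL, "used": False}
    LAST_REQUEST[email] = now
    send_mail(email, "https://example.org/reset?token=" + token)   # hypothetical URL
    return GENERIC_REPLY, token


def consume_reset(token, new_password_hash, now=None):
    """Redeem a link exactly once, while it is still fresh; True if the password changed.

    new_password_hash is whatever the site's password hashing routine produced
    for the password the member typed on the landing page (not shown here).
    """
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(_hash_token(token))
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True                        # single use, so a leaked mail cannot be replayed
    USERS[rec["email"]]["password_hash"] = new_password_hash
    return True
```

The token itself exists only in the mail; the database holds its SHA-256, so a dump of the reset table is as useless as a dump of properly hashed passwords. The reply stays identical on every path; in a real deployment the mail should also be sent asynchronously so that response time does not reveal which branch was taken.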
I was in MENSA once. I got tired of hanging out with those people. I was stunned at how many of these supposedly brilliant people either held down the lamest jobs you could imagine (one guy was the nighttime cleanup guy at a dive bar). And those were the ones that could hold down a steady job! Most of them dressed like a bunch of slobs and smelled like they never showered.
Silly people, the real issue is that you don't put the word Colloquium on a website. I mean, what the heck does that mean... stupid fancy Latin word users! ;-)
Never liked the password being sent to me. Better to have a reset password link, I think.
It isn't some hidden password trick, it's that they are on the events tab (look on the side bar) and up pops the password retrieval page.
I didn't get the whole idea of the post. I am in a puzzle.
Oh, I know, the web colours are mismatched!
So which one were you thinking of? Not storing the password as a hash, or sending the email through an insecure communications method?
Nobody got the idea of this post. We are just pretending.
... and it doesn't take too much googling to figure out the email addresses of some Mensa people.
'Your password has been sent to you via email.'
I'm not a native English speaker, but in Latin IIRC it was spelled another way...
Some miscreant could send any known Mensa member (if they know their e-mail) a constant stream of e-mails.
As a developer who works for a company that sends out plain text logins and passwords in both emails and mailings, I'd like to defend the intelligence of at least some portion of the developers who are doing this...
It's not our choice. Really.
Sometimes, in spite of our best arguments and all evidence to the contrary, we are forced to do really dumb things by the powers that be. Usually this is done in a misguided attempt to provide more customer friendly solutions to a problem. And we hate every minute of it.
Sometimes we even go to extra-ordinary lengths to do the smart thing while making it *appear* that we are doing the dumb thing mandated by the powers. If they notice that we aren't doing what they ask, we argue that it is a limitation of the technology. Or we log it as a bug in a long list of low priority bugs that will never see the light of day. Or we make the smart thing smarter so it can appear dumber.
And sometimes we are forced to do the dumb thing anyway. Then we can only make a note of our protests, reiterate them every chance we get, make snarky remarks in code comments, and - when it comes around and bites them in the posterior - gently remind the powers: We told you so.
So, please, take a moment and reserve judgment on the myriad of dumb programmers in the trenches - at least until you see their snarky comments in the code.
Aside from the obvious privacy and security problems that everyone's already mentioned...
- <!-- Source Code Copyright 2001 Active Matter, Inc. www.activematter.com -->
- Above domain is dead.
- Occasionally, it's 2003
- Name-based browser checks.
- 200 lines of hardcoded switch-case lists for simple image swap code.
- Spacer GIFs.
- Can't make up their mind whether they want www. prefixes in their subdomains or not.
- <!-- saved from url=(0022)http://internet.e-mail -->
I think you are making your point clear more than enough.
Does this site have a virus? I can see telling people not to register with a site, but usually you tell others not to visit a site because it runs some type of exploit.
...and the function _CF_checkCFForm_1() always returns true.
...and the function:
function exeMailTo(thisUser, thisServer, thisExt) {
    var sLink = "ma" + "il" + "to" + ":" + thisUser + "@" + thisServer + "." + thisExt;
    // Check for a 4th, optional argument for default email subject
    if (arguments.length > 3) sLink += "?subject=" + arguments[3];
    window.location = sLink;
}
just to hide the email address from spammers.
For Mensa, it should suffice to have Forgot password? Click here, without an input field. Anyone who can not memorize the automatically generated GUID-like password clearly has no business signing in there anyways.
Yes. Every single web developer with an IQ > 0 should know that they can swap images in CSS.
...and don't throw tables at me.
It doesn't matter that they store the passwords in plaintext... every member has the same password: imagenius_notu
Maybe they just send the hash - you're in MENSA, figure it out from that.
Are they supposed to forget passwords?
There is one good cause for storing plain-text passwords, and that is that it allows for more secure authentication methods.
If the attacker can listen on the wire but can't get access to the password storage, storing hashed passwords will allow the attacker to read the passwords on the wire, because storing hashed (and optionally salted) passwords means you also have to send a plaintext password, or a hash of it. Both are open to replay attacks.
Now, if you store the plaintext password you can use replay-safe authentication methods by having server and client agree on a one-time salt for sending a hashed password over the wire.
Most protocols (including e-mail submittal and retrieval, and HTTP) support both paradigms of authentication in one or more ways.
But as long as you're on an unencrypted connection, you can't have it both ways.
If you want both, use some public key crypto for the connection itself, establishing the crypto before authenticating the client. That way you can store a hashed and salted password and still be secure on the wire.
So if eavesdropping is a risk and SSL/TLS isn't an option, storing plaintext passwords might not be that bad an option.
Send me my password doesn't imply send me my old password they can just generate a new one on the fly and send it to you.
I don't see anything wrong with it. What I found most curious about this post is the maybe I'm not smart enough to be in Mensa but... Looks like jealousy or something...
Intelligence and knowledge are two different things. The most intelligent people on the planet may not have that particular knowledge about building web sites, so they hired someone who did the site the way it looks. Saying that Mensa people are dumb because you geeks found some mistakes in their site is weird and you people make fools of yourselves.
I am a member of British Mensa.
I wouldn't worry in the slightest if someone got hold of my password.
There's damn all of any use to anyone on their website.
If American Mensa is like UK Mensa, there won't be any need to hide your password there either!
Err.. They blather on and on. Why not just have a 'forgot my password' button? Oh, all the other stuff too.
@Niels: Even with agreement on a one-time salt, that doesn't mean they have to store it in plain text. They could apply the same technique to a hash.
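The replay-safe exchange Ian describes, with the server holding only a salted verifier rather than the plaintext password, as an added Python example that is not from the thread or the Mensa site. The Server class, derive_verifier, the KDF parameters and the user 'alice' are all made up for it; the shape of the exchange (server sends salt and a fresh nonce, client answers with an HMAC keyed by the verifier) is the point.

```python
import hashlib
import hmac
import secrets


def derive_verifier(password, salt):
    # What the server stores instead of the password: a slow, salted derivation.
    # Parameters are illustrative; tune the round count to your hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Server:
    def __init__(self):
        self.accounts = {}   # username -> (salt, verifier); no plaintext anywhere
        self.pending = {}    # username -> nonce issued for the current attempt

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.accounts[username] = (salt, derive_verifier(password, salt))

    def challenge(self, username):
        # A fresh nonce per attempt is what defeats replay: a recorded response
        # only ever answers a nonce that will never be issued again.
        salt, _ = self.accounts[username]
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username, response):
        salt, verifier = self.accounts[username]
        nonce = self.pending.pop(username, None)   # consume it whether or not it matches
        if nonce is None:
            return False
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, salt, nonce):
    # The client rebuilds the same verifier from the password and the salt it was
    # sent, then proves knowledge of it without putting password or verifier on the wire.
    return hmac.new(derive_verifier(password, salt), nonce, hashlib.sha256).digest()
```

Two caveats a practitioner would want: the stored verifier is password-equivalent for this server, so someone who steals the table can log in here without cracking anything (though not at other sites, and without learning the password; SCRAM's StoredKey/ServerKey split exists to close that gap), and without TLS an eavesdropper who records salt, nonce and response can still run an offline dictionary attack, so a slow KDF and a decent password remain necessary.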
I think the biggest issue is that if you didn't get your card yet, how do they have your e-mail address registered? Does that mean that if you never get your card you will just never be able to log in? It's not like there is a contact us link that you can explain your situation with.
They should never store passwords in plain text, or in any other way that makes it possible to read them in plain text (e.g., encrypting). The password should be hashed (using a salt) and stored in a database. To be able to access your account even though you forgot the password, they should create a new password on the fly (e.g. 1n23asds), send that in the email, hash it and store it as the new password in the database.
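What 'hash with a salt, then mint a new password instead of sending back the old one' looks like in code, as an added Python example rather than anything from the thread or the Mensa site. The member address, the sample password, the PBKDF2 parameters and the 'rounds$salt$hash' storage format are all constructed for the example. Note that, exactly as proposed above, anyone who knows a member's address can trigger a new password and lock the member out until the mail arrives (the harassment risk raised earlier in the thread), so the minted password should be forced to change at first login and the request rate limited.

```python
import hashlib
import hmac
import secrets
import string

PBKDF2_ROUNDS = 200_000   # work factor; raise it as hardware gets faster


def hash_password(password, salt=None):
    """Return 'rounds$salt$hash'. The password itself is never stored, so a
    'send me my current password' feature is impossible by construction."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password, stored):
    rounds, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed member table: only the hash is kept.
USERS = {"member@example.org": hash_password("correct horse battery staple")}


def issue_temporary_password(email, length=12):
    """'Forgot password' the way the comment describes it: mint a random
    password, store only its hash, and hand back the plaintext exactly once
    so it can be mailed. Returns None for unknown addresses (the caller should
    still answer the user identically in both cases)."""
    if email not in USERS:
        return None
    alphabet = string.ascii_letters + string.digits
    temp = "".join(secrets.choice(alphabet) for _ in range(length))
    USERS[email] = hash_password(temp)   # old hash gone; old password no longer works
    return temp
```

Because the salt is random per record, two members with the same password get different hashes, and a table dump has to be attacked one record at a time at PBKDF2 cost rather than with a single precomputed table.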
The web site, like everything else in the national office of American Mensa, Limited, is operated by paid staff who are not members.
Mind you, many of them could be members, were it not for a rule disallowing it. But they operate mostly with off-the-shelf software and limited staff and funding. Just like a lot of you.
Whatever you can do with plaintext password you can do the same with hashed versions also. right? Tell me if I am missing something.
in the case of hashed passwords, even if someone is eavesdropping only one password is lost. But if the database is in plaintext and the database is lost, everything is lost. Right?
I would never join an institution that would have me as a member. ;-)
I think the point is that they should have the intelligence to become knowledgeable about the correct way of making a secure website.
They (Mensa) must be intelligent enough to hire the RIGHT people to do their website.
@Ian: Excellent point, and one I was refraining from making to Niels. There are tons of far more secure solutions... but which of them are trivial enough to be worth bothering with, to protect the particular asset in question? Even the already-mentioned no-no of sending plain text passwords via email, often along with the corresponding user ID, is perfectly tolerable for some sites. How much do you want to invest in the site's security, and how many hoops do you want to make the user jump through?
Seems to me there are (at least) three stages of security awareness:
1) Ignorance: I don't have anything to protect! Nobody would bother to attack me!
2) Paranoia: OMG, there are h4x0rz! Lock everything down tight!
3) Rationality: Don't invest in a $100 lock to protect a $10 bike.
-Dave, life member, American Mensa
You're all only half right. Not only is there a blatant security issue, they used TABLES in their markup.
TABLES! Burn them with fire!
Which is what I'll have to do to Jeff, judging by his latest twitter!
The problem is hard to see until you go to the actual website, they used Cold Fusion!
Dave, about your point 3: You underestimate the value the passwords themselves have. Few people use different passwords for all their online accounts. I don't believe for one second that Mensa members are any different. The lock might not be worth protecting a $10 bike but on the other hand don't hand out the key if it also opens your high-security vault.
So, yes, storing passwords in plain text is *always* a problem, even if it's only used to secure trivial content.
@OS / @Cybercat - You guys have it right.
Everyone: Look at what is highlighted on the top tabs and sidebar.
Events - Calendar
But you're on the password reset page?
The funny part is that this is the Mensa website, so they're supposed to be sooper smarrt.
I love this quote: I thought you were a member of MENSA, until you spelled it wrong.
But I actually disagree with that. There was a guy here at work who was actually a member, but he was the weirdest guy. Very quirky, very annoying, very bad speller.
This is *not the real* Mensa site, just a clever deceit to delude us into thinking that this Mensa thing is nothing but some kind of chess club for dorks. The actual Mensa site is rigorously secured, runs on UFO technology and is their discussion platform for the secret world government.
The message should say, check under your keyboard first. lol
I think the first error is in spelling out to the user (or potential hacker) that the password was written out on a plain sheet of paper and mailed.
Some cheap social engineering could have them mail the password out to a new address. 'I just moved. I work at this other institution now. etc.'
Or you could just dumpster dive.
The second error is saying that the stored password will be emailed to the stored address. If the email is compromised, that's an issue. Another vector would be to sniff the traffic.
Lastly, sending the password. They should send a confirmation link which the user then clicks on. The page should log the time, their IP, and have them create a new password.
You honestly think that if someone can get a copy of your database, they won't also get the key? It would be especially easy in this case since the password recovery page needs access to the key somehow.
Unless I'm sorely mistaken, the best attack on SHA-1 is 2^69 ops to find a collision. Seems just a bit safer to me than storing in plain text. Still, your point is well-taken -- there's no good reason not to use a hashing algorithm that is currently considered more secure.
I seriously think that high IQ programs ruin people. Suddenly they think they deserve everything and shouldn't have to work and study anymore because they were gifted with high intelligence.
Yes, I was in one, and I have had to spend a large portion of my life learning that you still have to stick your nose in the dirt and work to get ahead (Of course, we all have to learn that).
I would have been better off without it. However, at the same time, it would have been nice if we had more accelerated regular classes. But those classes would simply reward those who moved quickly. They could get there by talent, or by studying hard, or by asking the right questions—it doesn't really matter. Then I would have learned that working hard got me ahead, rather than thinking it was some kind of birthright.
Not everyone in such programs has this problem. Some of them are actually smart enough to realize early on that they aren't actually that smart and not get all caught up in their own intelligence.
Anyway, that's why those people are so quirky and weird and don't bother doing anything the way they should—they believe they don't have to, they are entitled to do as they please.
The decision to store raw passwords would typically be based on requirements for privacy. For instance, is there information associated with the user account that would be considered sensitive? Without knowing the properties associated with each account, it is difficult to say if this is a mistake. Does my online Mensa account exist only to manage my public user profile? If so, encrypting the passwords might be overkill for this application, assuming budget limitations.
Adam hits the nail on the head in his comment above. This system is essentially a lookup tool to determine Mensa membership, with no CAPTCHA.
Oops, looks like I was sorely mistaken. The attacks on SHA-1 are a bit better than I had indicated -- Wikipedia says 2^63 ops for a collision, which is actually a bit troubling. There also seem to be a couple other interesting attacks on it.
Still, I'd feel safe enough if my passwords were stored as a salted SHA-1 hash in remote databases, as none but the most determined attackers will go through the trouble to break that.