Smart Enough Not To Build This Website

June 25, 2008

I may not be smart enough to join Mensa, but I am smart enough not to build websites like the American Mensa website.

Mensa forgot password form

Do you see the mistake? If so, can you explain why this is a mistake, and why you'd desperately want to avoid visiting websites that make this mistake?

(hat tip to Bob Kaufman for pointing this out)

Posted by Jeff Atwood
312 Comments

I just wanted to comment on hashing passwords. When I first started in Web Development, when someone told me we don't hash passwords, I would jump out of my seat and have a massive cry, but since then, I have changed my stance on the subject. People say if someone gets a dump of your db, they know your password!!. There are a few things wrong with this statement:

1: Why the hell do they have a dump of the database! If they can get access to your db, you already have a serious issue. A plain text password would be the last thing you need to worry about.
2: Why the hell do they have a dump of the database! Yes I know this was point 1, but still.....
3: Now that they have said database, wouldn't the other information be more valuable to them, not just their passwords? Depending on the site, wouldn't someones email be more valuable (as a spammer) that someones password?

Don't get me wrong, in some situations, hashing a password needs to happen. But by reading some of the posts above, some of you are insinuating that it is something set in stone and you shouldn't otherwise.

Keith

Keith P. on June 26, 2008 7:33 AM

@Steve
If so, encrypting the passwords might be overkill for this appication, assuming budget limitations.

WHAT? I don't even know where to begin with this one.

All I'm going to say is that if you're spending a significant amount of money on your hash algorithms, you're doing it wrong. Really, really wrong.

Eam on June 26, 2008 7:36 AM

Send me my password doesn't imply send me my old password they
can just generate a new one on the fly and send it to you.

How about: If the email address you submit matches the email address in our system, you will receive an email that contains your current password. What does that imply?

T.E.D. on June 26, 2008 7:37 AM

I understand normal users forgetting their passwords, but shouldn't MENSA members be competent enough to remember their passwords? This page is totally unnecessary!

Kris on June 26, 2008 7:39 AM

I was about to add password retrieval functionality to my app. Is it normal practice to use an extra password field to store the temporary password? I don't want to destroy their original password because then someone could keep screwing them over by resetting the password constantly.

Joe Beam on June 26, 2008 7:39 AM

You've got it all wrong. MENSA folks are supposed to be really smart.

This insecure password recovery system is how they punish the more mentally challenged members that managed to sneak in :p

zhinker on June 26, 2008 7:39 AM

Why do so many people mention the fact that you can spam any Mensa user if you know their email? Yes, you can. You can also use SmtpMail.Send() - it's much more efficient. :-)

Carl on June 26, 2008 7:46 AM

@Eam

As you probably know, encrypting the passwords means more than just implementing a hash algorithm. You can no longer simply send the existing password to the user, there must be additional functionality to create a temporary password, send the new password, allow the user to reset the password, etc. Mensa does not have any of that built currently, to my knowledge.

By the way, your arrogance is ugly.

Steve on June 26, 2008 7:46 AM

Yeah, without bringing the security of email into this, you're basically saying, hey.. if you can code something that brute forces the server with random combinations of email addresses (*.gmail.com, *.yahoo.com) you can find out which ones are mensa members.

Of course you know, though, Mensa is a pay membership organization so they didn't do it themselves.. they probably contracted it out to a web design company and were advised to go with ease of use over security. At least they aren't storing the un/pwd in a text file. :)

Hutch on June 26, 2008 7:54 AM

That reminds me of the time I tried to sign up for ACM's Student Membership. Ugh.

Pardon the self-linking, but the story's a bit too long to write in a comment box: http://www.skrud.net/articles/2008/03/05/acm-and-the-canadian-province-of-alabama/

Skrud on June 26, 2008 7:55 AM

@Steve

Budget or no budget, properly protecting passwords is essential as this same password could be used for other services e.g. paypal, e-mail, banking, etc...

It is completely irresponsible to run a website that stores passwords insecurely and I think that anyone responsible for a security leak with plain-text passwords stored in the database should be liable for every penny of damage done.

Ben on June 26, 2008 7:56 AM

1) No CAPTCHA
2) No user set question to verify the authenticity of the user.

Samrat Patil on June 26, 2008 7:58 AM

From the standpoint of taking over somebody's identity by simply gaining access to their email...

This makes it that much easier to get access to the other websites they visit and stay hidden: simply send the email, get their password, delete traces of it and enjoy their account while they remain completely oblivious to the fact that you have taken over their internet identity. Unless of course they are smart enough to forward all their inbox to a redundant Gmail to watch for stuff like that (I wonder if there are people out there that do that?)

Then again knowing how good people are at security and passwords, most likely if you have their email password you have all of their passwords.

DanaL on June 26, 2008 8:03 AM

@ian williams: if there is no content of any use, why password it at all then?

mbowles on June 26, 2008 8:03 AM

1) No CAPTCHA
2) No user set question to verify the authenticity of the user.
3) At no match, it gives "Sorry, we don't recognize that email address." almost instantly.

One can easily sniff out valid email addresses by using automation (bots) = SPAM!!!!!

Samrat Patil on June 26, 2008 8:07 AM

Um. Spambot anyone?

Oded on June 26, 2008 8:12 AM

Mensa is full of idiots. Loathsome, arrogant, condescending, zero-people-skills idiots. Just because you're intelligent doesn't mean you're smart.

PaulG. on June 26, 2008 8:12 AM

I'm with Dave: the system should never tell you whether the email you entered was a valid user.

Not just for privacy... if you go to the user login page, you'll see that it accepts EITHER the username or the email address, along with the password.

It's been a long time since I've seen a system that differentiated between "failed login due to invalid username" and "username valid, but you failed because of the password". That's a way-back no-no.

Why? Well, they either have a lockout after some # of failures, or they don't.

If they do, you could abuse this by brute-forcing the "send me my password" thing until finding a bunch of valid emails, then you could lock them all out of the system by trying to log in as them too many times.

If they DON'T have a lockout, then you could brute force their passwords and log in as them and learn the secrets of the mental universe.

Then, of course, you would check to see if they used that password for their actual email account, or that email/pwd for any number of other sites.

Patrick on June 26, 2008 8:13 AM

The first mistake I noticed was that they left the hyphen out of e-mail. Six times.

...doug

Doug on June 26, 2008 8:13 AM

Hah! If they are so smart why do they even need a forgotten password tool?

I call this putting your own ignorance on display for the whole world to see.

Doug on June 26, 2008 8:16 AM

'Forgot your password' page still under Events tab..

Fariq Izwan on June 26, 2008 8:18 AM

I would call mailing login information a pretty big and stupid mistake. It reminds me of a Web site some kids at my old fraternity set up. They printed the password on business cards they gave alumni.

Matt on June 26, 2008 8:21 AM

There is nothing implicitly wrong with that page.

Rip Rowan on June 26, 2008 8:22 AM

Aaron -- I don't know for sure if the Mensa site currently allows for changing passwords. And I certainly would never recommend cutting corners on security.

I do estimates and proposals all the time for various implementations of secure transactions and I can tell you that the difference is more than a few hours for enabling password change functionality.

Our firm has strict guidelines in place for protecting privacy, and we have our customers sign a waiver whenever these guidelines might not be met. From my limited knowledge of the Mensa application, I would guess that a waiver would be required, along with all the written and verbal disclaimers regarding security.

But it is also possible that this application would not require a waiver. If the password is assigned by Mensa, and not changed by the user, and the password is randomly associated with an email address, and the login process simply enables the management of the users public profile, what is the risk?

Steve on June 26, 2008 8:24 AM

Check the page source...there is a Javascript function 'exeMailTo' with some useful comments...one of which is:

Use function instead of mailto: in href attribute. ex: exeMailTo('bryanm', 'americanmensa', 'org');

Guess who has a valid email address that might want a password reminder...yep you guessed it... bryanm@americanmensa.org

Colin Hardie on June 26, 2008 8:27 AM

Alright, well I'll be the first to admit I'm not up on password hashing etc. But couldn't they still be encrypting the passwords in the database? I mean, if all you have to do is enter your email, they could just be decrypting it and then sending it, using some proprietary encryption to just secure the database without inconveniencing the user. They could even be using the email address as some sort of hash or key.

It's impossible, IMHO, to really tell what's going on behind the front without seeing the code. Just because they can send you your password doesn't mean the database is insecure. While it may not be the best scheme, it could definitely stop a hacker from the outside, but not necessarily one on the inside. ;)

Not Quite on June 26, 2008 8:27 AM

Call it base irony, but I'm of the impression that if you are smart enough to be in MENSA (and I've tried and failed), you would be smart enough to remember a password.

Wes on June 26, 2008 8:27 AM

@Ben

I believe the password is randomly assigned by Mensa, so there is no concern that the password could be used to gain access to other external accounts.

Steve on June 26, 2008 8:28 AM

Clearly this is a honeypot web site, the real intelligentsia meets in secret.

Jes5199 on June 26, 2008 8:32 AM

Never having used it before, I could be doing this wrong. But, I went to:

http://validator.w3.org/

and submitted that MENSA URL:

https://www.us.mensa.org/am/template.cfm?section=CalendarTemplate=/Security/Login.cfm

for validation (and that page looks different from Jeff's image). The validator came back with:

This page is not Valid XHTML 1.0 Transitional!
Result: Failed validation, 222 Errors
Address: https://www.us.mensa.org/am/template.cfm?section=CalendarTemplate=/Security/Login.cfm
Encoding: utf-8
Doctype: XHTML 1.0 Transitional
Root Element: html
Root Namespace: http://www.w3.org/1999/xhtml

David A. Lessnau on June 26, 2008 8:33 AM

On the other hand, I'll bet anyone who works at MENSA and has access to the table where the passwords are stored would get quite a kick out of browsing the passwords that geniuses select (the token 'IQ180' is probably rather common).

Genius on June 26, 2008 8:35 AM

Hah! If they are so smart why do they even need a forgotten password tool?

The two have absolutely nothing to do with each other. Memory and intelligence are two completely separate things.

Wisdom and intelligence are two completely separate things too. If you hadn't figured that out by this time in your life, perhaps this password email thing will prove it to you.

T.E.D. on June 26, 2008 8:36 AM

Being a Mensan does not imply being a security expert or a skilled web developer. For instance, the website was not designed by Mensa, but by a company that seems to be out of business now.

Jose on June 26, 2008 8:40 AM

@ T.E.D.

Memory and intelligence are two completely separate things.

So a person with no memory at all could score as a genius on an IQ test?

Steve on June 26, 2008 8:45 AM

Your fundamental mistake is thinking that Mensa is a society for wise or intelligent people

Mensa members do not need to be Wise
Mensa members do not need to be intelligent
.... they just need to be good at IQ tests ....


Jaster on June 26, 2008 8:48 AM

@Samrat: The email takes care of user authentication much better than any other questions would. Those "where were you born" and "what was your first pet" questions just test how much someone knows about you, and turn into back-door passwords. They're evil.

@doug: email without a hyphen is quite well-established by now. Language evolves.
http://www-cs-faculty.stanford.edu/~knuth/email.html (see the bottom)
http://www.webpronews.com/topnews/2003/09/05/email-vs-email
http://motivatedgrammar.wordpress.com/2008/04/11/stupid-grammar-rules-email-vs-e-mail/
http://www.thefictiondesk.com/blog/spelling-email-vs-e-mail/

rfunk on June 26, 2008 8:48 AM

Keith P:

Again, it's not about the data on your site. It's about the data on all the other sites the person frequents and which (statistically) likely use the same password as the one you just gave to identity thieves.

The entire world does not revolve around your solitary web site.

Tom Dibble on June 26, 2008 8:48 AM

They provide a print this page link, but no mailing address for where I should mail this forgotten password form. I wanna log in and play my Mind Games, damn it!

Mike Wheaton on June 26, 2008 8:52 AM

Aaron and Konrad.

Think before you write. The password for Mensa is auto-generated. It is not likely that you use it at another site. You don't protect anything on the site with the password, like banking. It's not worth even thinking about encrypting that password.

Even worse: if you use something like Ethereal or Wireshark, it is totally irrelevant whether your password is stored as a hash or plain text. You see the plain password when accessing a site.

gooofer on June 26, 2008 8:59 AM

Jaster nailed it:
Mensa members do not need to be Wise
Mensa members do not need to be intelligent
.... they just need to be good at IQ tests ....

I'm about to join. It looks impressive (to some people, not all) on a resume. I qualified because I scored highly on my SATs. Am I smarter than you? Maybe, maybe not. I do smart things sometimes, and dumb things sometimes. I'm normal. I just did very well on my SAT test.

An organization whose members include Jodie Foster, Geena Davis, James Woods, Norman Schwarzkopf, STEVE MARTIN!, Asia Carrera, and Scott Adams can't be all bad. Oh yeah, and soon, me, which can't help but to raise the spiffitude quotient a bit.

Matt on June 26, 2008 8:59 AM

@Steve fair enough, but that is a yet-another-password-to-remember problem.

Ben on June 26, 2008 9:06 AM

@AT - calling me dumb when you don’t understand basic grammar is rather rude.

Just to let you know, "whats" should have an apostrophe.

Anyway, the point remains - until someone actually tries to reset their password on this site all the criticism is hot air.

Jo on June 26, 2008 9:10 AM

Wisdom and intelligence are two completely separate things too.

This is an important distinction, especially if you are a cleric or wizard!

Adam on June 26, 2008 9:13 AM

@Skrud: That post about the ACM site is fantastic.

Adam on June 26, 2008 9:18 AM

It's fun to pick on MENSA - Gawd knows they set themselves up for it - but give credit where it's due.

MENSA owns the site, but they likely hire pros to run it. I can't imagine they have a 'your code monkey must be a MENSA member' provision when they hire folks so ... an organization of Really Smart Guys ...

Who hired a code monkey who is not so hip on how we do things in the 21st century.

Brian Dunbar on June 26, 2008 9:22 AM

WTF does it really matter if the password is in plain text or not? If you encrypt the password then you need to include some security routine that would allow the user to change their password. I get sick of websites knowing my father's name, my city of birth etc. If a hacker got the database they may not know my password that I created specifically for that site, but now they know my personal information to use on other websites that ask the same stupid security questions.

1. Protect your database by not leaving it out in the DMZ or at a hosting company

2. Protect the forgot password page by only allowing that IP to use it two times in a given period of time.

3. Audit the use of the forgot password to ensure that it's not being misused.

4. All your base belong to us.

Tim on June 26, 2008 9:26 AM

um, you don't have to hash the password. you can encrypt it too, which would allow you to resend them the original.

call me crazy.

Darren Kopp on June 26, 2008 9:29 AM

@Tim

1. Protect your database by not leaving it out in the DMZ or at a hosting company

The former, sure. The latter - some small companies I know .. all they _have_ for servers is gear at a hosting company.

Are you suggesting a dedicated server in the company office that sends data back and forth to the hosting company? Not being argumentative, seeking to expand my knowledge.

Brian Dunbar on June 26, 2008 9:32 AM

WTF does it really matter if the password is in plain text or not?

Remember Reddit?

Adam on June 26, 2008 9:33 AM

Hi Jeff,

Can you please enlighten us? I have a feeling that this thread is going off on too many different directions :)

Stephane Grenier on June 26, 2008 9:35 AM

This page is not Valid XHTML 1.0 Transitional!

Oooo Noooo!!! How can people use it now?? *cry*

HB on June 26, 2008 9:37 AM

why am i still subscribed to this feed.. *blerg*

perlguy on June 26, 2008 9:39 AM

The strength of security for any given web site should be based on the importance of the data you are protecting. The Mensa site may contain some personal profile info, but it can't be anything important enough to require hashed passwords.

Really, if someone can get to your database, they don't need plain-text passwords, they have access to all your data! Game over. Encrypted passwords won't save you.

And for those worried that someone can mine for email addresses of Mensa members, give me a break. If you're so worried, use an anonymous email address when you sign up.

I would have thought that commenters here would be smart enough not to trust any website with their important passwords and primary email addresses. You all have throwaway passwords for sites like these right?

Sal on June 26, 2008 9:42 AM

Email addresses on a file! With possibly the corresponding passwords in the same file!! Can someone share the link to that file?

Daanish Rumani on June 26, 2008 9:44 AM

I just had a quick look at their site. What is there that needs to be protected except, perhaps, their list of members.

The biggest problem is that it needs a password at all.

Richard on June 26, 2008 9:44 AM

@Sal

Of course *we're* too smart for that, but are the blokes at Mensa?
:-P

Ben on June 26, 2008 9:48 AM

Jeff,

I sense some nitpicking here. First off, Mensa is a bit trite for an organization where smart people go. I happen to be eligible (by their standards) but refuse to pay for useless membership.

Mensa and tons of other sites out there do not (and I repeat: they do not) have a whole lot of sensitive information. They basically have what you give them. Case in point: my moniker here is 'BugFree' because I have no idea what Jeff (or someone who manages to steal his blog and the hard drive it lives on :) may do with names, emails and even my somewhat controversial posts.

Your privacy begins with you. Couple of points of interest:

- Use an email address different from your personal email address. That will contain spam if it occurs and make it easier to sift through notifications from social sites

- use a funky username / password, something that even dictionaries could not guess, combination of letters, numbers, words from different languages. Have fun with it.

- accept that anything entered in an online form somewhere is recorded, potentially sold, abused. Make it really hard for others to have fun with your personal information

- Do not nitpick. Maybe Mensa's site is not the best, but it probably works for their members. Many other sites allow you to send yourself a password reminder. Big deal. If my personal info is obfuscated (and it always is when I am online), I have nothing to worry about, let alone if some programmer read security best practices. If you cannot come up with a constructive solution to a problem (if it exists at all), do not nitpick. Criticism for the sake of criticism is not very useful.

- Too much security is overkill for 99.9% of sites. I have a profile at too many forums with passwords that I had to write down before I could change them. Come on.

- I do not have a password on my voice mail. Anyone with enough spare time is welcome to listen to my voice mails, shall I lose my phone (which I never do) :). Security begins with me, not with the password.

Hope this helps relieve some anxiety about online profiles.

BugFree on June 26, 2008 9:51 AM

From the Xml angle bracket tax to this? I can't be bothered reading anymore inane comments. Jeff just post the answer please.

For all the salty hash responses, get a life and go off and write (or read) a real article that says what best practices are. Too much rhetoric without real communication being made.

Oh, and not every website needs to be Fort Knox. What per se does the Mensa website do except maybe allow you to read some member-only pages? What damage can be done when it's lost? Like all those crap bulletin boards that require multi-level authentication because car discussion websites are like soooo critical.

As many others write, if someone can read your plaintext OR hashed passwords direct from the db, you're already in trouble.

TerrysChocolate on June 26, 2008 9:52 AM

Same as everyone else, plus:

- they will confirm if you provide a valid email, allowing you to find which email addresses are already in the system

- they send your password through snail-mail, and you might not have received it by the time you hit this page. Why wait for snail-mail? How do you avoid someone taking the letter out of your mail box and discovering your password?

- they ask for your 'primary email address' rather than the email address you registered with.

matt on June 26, 2008 9:52 AM

@ HB

I know. I fainted here three times myself. Need oxygen now.

Bad, bad html.

BugFree on June 26, 2008 9:55 AM

One more hint I forgot to add to the list. If a site is asking for donations, they WILL sell your info to spammers. Give them a donation, along with an email address (gmail?) where you can sift through spam easily and control/change your online identity as you see fit.

BugFree on June 26, 2008 9:57 AM

The problem is that they do not reset the password. When you open the email that they send, you will receive your current password. Instead you should receive an email with a link that (if you want to) gives you a new password. This is better because if someone stole your login information, only you have access to your own email, while the thief would still have access to your account until you changed your password manually. Also because of the password in plain text in an email, and all the other things people spoke of.

To Sal:

Mensa is for people with high IQ, not with high computer knowledge. In fact I have plenty of really smart math professors in my college that can't use the college system to put grades on the internet.

Hoffmann on June 26, 2008 9:59 AM

The real problem is that this page is unnecessary, so no code should have been written to support it. Because we all know the best code is no code.

MENSA members shouldn't forget their passwords.

Ah, that's the trick, the real mistake with this page is that it reminds MENSA members that they are human just like everyone else.

df5 on June 26, 2008 10:01 AM

@BugFree - of course you mean shall I lose my phone (which I haven't done, yet.)

df5 on June 26, 2008 10:03 AM

Well, for any members who used something other than their primary email address when they registered with Mensa, the instructions are wrong.

And really, a "guess the next auto-generated password in sequence" would be thematic.

What's the current thinking on the OWASP recommendations?
http://www.owasp.org/index.php/Guide_to_Authentication#Automated_password_resets

Danil on June 26, 2008 10:06 AM

Argh, I can't believe I missed that, especially since I was working on back-end logic around passwords and confirmation emails not long ago, and had to take account of the fact that we don't store passwords in the clear.

Andy Lee on June 26, 2008 10:09 AM

Here's how I do password retrieval:

1. Store a salted hash on the server, where the salt is unpredictably different for each account.

2. In order to retrieve the password, the user must enter the correct account name and e-mail address, and no indication should be given of whether or not it was correct.

3. Generate a link containing the hash and some other information needed to log in. DO NOT generate a new password; otherwise, knowledge of a user's account name and e-mail address can be used by others to harass the user (or even deny him service if he's lost control of or access to his registered e-mail account).

4. When logging in with the link, immediately force the user to choose a new password.

Mark Tiefenbruck on June 26, 2008 10:13 AM
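Mark's four-step flow, together with the point Patrick and Samrat raise about never revealing whether an address is registered, as an added Python example (this is not code from the original post or from the Mensa site): it stores a salted PBKDF2 hash, answers every forgot-password request with the same message and the same amount of work, mails a random single-use expiring token (used here in place of the hash Mark puts in the link) and changes the password only when that link is used, so a request alone cannot lock a member out. The in-memory store, the example.invalid URL and the `send_mail` callback are constructed placeholders.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a database (hypothetical).
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # token -> {"email": str, "expires": float}
TOKEN_TTL = 15 * 60  # reset links die after 15 minutes
ITERATIONS = 100_000  # PBKDF2 work factor; raise for production hardware
DUMMY_SALT = b"\x00" * 16
GENERIC_REPLY = "If that address is registered, a reset link has been sent."


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the stored value cannot be turned back into the
    # password, so the site is never in a position to "send your current password".
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(email: str, password: str) -> None:
    # A fresh random salt per account (step 1) so equal passwords hash differently.
    salt = os.urandom(16)
    USERS[email.lower()] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(email: str, password: str) -> bool:
    rec = USERS.get(email.lower())
    if rec is None:
        # Do the same work for unknown accounts so response time does not
        # betray whether the address exists.
        hash_password(password, DUMMY_SALT)
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def request_reset(email: str, send_mail, now=time.time) -> str:
    """Forgot-password handler (step 2): identical reply for known and unknown addresses."""
    rec = USERS.get(email.lower())
    if rec is not None:
        # Step 3, with a random token instead of the password hash: nothing about
        # the account is changed here, so a stranger who knows the address
        # cannot lock the real owner out by submitting this form.
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[token] = {"email": email.lower(), "expires": now() + TOKEN_TTL}
        send_mail(email, f"https://example.invalid/reset?token={token}")
    else:
        hash_password("", DUMMY_SALT)  # equalise timing with the known-account path
    return GENERIC_REPLY


def complete_reset(token: str, new_password: str, now=time.time) -> bool:
    """Step 4: the link is single-use, expires, and forces a new password."""
    entry = RESET_TOKENS.pop(token, None)  # pop makes the token single-use
    if entry is None or now() > entry["expires"]:
        return False
    register(entry["email"], new_password)  # new salt and hash; old password stops working
    return True


if __name__ == "__main__":
    outbox = []
    register("member@example.invalid", "correct horse battery staple")
    print(request_reset("member@example.invalid", lambda to, link: outbox.append(link)))
    print(request_reset("nobody@example.invalid", lambda to, link: outbox.append(link)))
    token = outbox[0].split("token=")[1]
    print("reset ok:", complete_reset(token, "a new password"))
    print("reuse ok:", complete_reset(token, "a new password"))
```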

I don't know what the answer to the quiz is but I just got Bob his password sent.

eclw on June 26, 2008 10:21 AM

Just kidding.

eclw on June 26, 2008 10:21 AM

Dear Jeff -- Why can't all you fancy programmers understand that sometimes really dumb security practices are perfectly fine! I mean, it's not like everything's networked this day and age. Or that technical skills are distributed amongst millions of people. Or like the internet even matters! And heck, why you gotta hate so much on web designers? Why you gotta expect that good web designing is part of what they know how to do? They're just people! That's like expecting waiters to bring your food to you warm or cooks not to spit in your food. They're people, after all! Cut them some slack!! Jeez so anal retentive. The future's up to you, so whatchoo gonna do?!

Shmork on June 26, 2008 10:21 AM

Wow. So much venom!

David A. Lessnau: As far as I could see, they're all idiots.

Paul: Mensa is full of people that like to THINK they're clever, not those that actually are.

PaulG: Mensa is full of idiots. Loathsome, arrogant, condescending, zero-people-skills idiots. Just because you're intelligent doesn't mean you're 'smart'.

Last time I checked the world had a multitude of arrogant, condescending idiots. Multiple posts appear to confirm this.

Mensa tests check the tools in the toolbox, not the skills one shows when they are used. One should expect people of varying degrees of humility, knowledge, compassion, wisdom, social background, technical skill, etc. It is as if one created a group for people over 6 feet tall - you certainly couldn't expect them all to be great Basketball players.

That noted, I am in Mensa, am over 6 feet tall, and can't play a good game of Basketball if the fate of the world depended upon it. I was also not consulted regarding the website. ;-)

Demi on June 26, 2008 10:24 AM

According to the site, the password was mailed to the member.

In other words, the Mensa organization assigned the password to their members. And some may not even have received them yet.

If such is the case, how can someone forget a password that they have never remembered?

RandyW on June 26, 2008 10:25 AM

FUN WEEKEND CODING TASK

(gotta keep pushing the envelope!)

Write a program that will gather e-mail addresses of MENSA members! At the same time, annoy and alert them -- by the same mechanism by which you have learned their e-mail address -- to the downsides of a system that tells you when you've entered in a valid address! Imagine the tingle of unhappiness they'll feel as they are informed that someone tried to reset their password -- which will then be displayed in their e-mail! Visualize the shudder they'll feel when they see that forbidden, secret word written out in something other than stars! Yes!

Then, sell the addresses to spammers! Everybody loves a targeted audience! Yaay!

Shmork on June 26, 2008 10:30 AM

To Mark T.

I wouldn't use your site.

If I need to remember my email address and username to get back my login information, something is wrong and unnecessarily complex.

If it is not user friendly, I won't use it again.

gooofer on June 26, 2008 10:33 AM

People, c'mon, you should all know by now that Wisdom and Intelligence are separate characteristics. For instance, your Elven Cleric needs a high Wisdom score, whereas your 8th Level Wizard needs an above average Intelligence.

It would also help if they both had a high Charisma so they can pick up on the chicks you will never get if this joke is actually meaningful and funny to you.

Peter on June 26, 2008 10:38 AM

Hi guys,

Before we continue this debate that Jeff has spread amongst us,
just have a look at the site again...

https://www.us.mensa.org/AM/Template.cfm?Section=LoginTemplate=Security/NoPassword.cfm

This page is looking a lot different now... (content-wise, not the way Jeff is pointing to it)
Maybe because of Jeff or the tipper, Mr. Bob Kaufman.

And yeah, I'm still confused about the problem... eager to know about it.

Ruvi on June 26, 2008 10:39 AM

...why you'd desperately want to avoid visiting websites that make this mistake?

To reduce the odds of visiting the MENSA site?

Therac-25 on June 26, 2008 10:41 AM

The Starship Troopers style logo?

Ferruccio on June 26, 2008 10:41 AM

@Matt

SATs != IQ test. They are more of a knowledge test. There is some correlation, but you can't qualify for Mensa with a high SAT score. The whole concept of an IQ test is that it's supposed to be something you can't study for (although you can). It's supposed to be something you either have or don't.

@Peter. Do thieves have street smarts? Is that the cleverness attribute?

Jeff Davis on June 26, 2008 10:49 AM

From the UI of the page, it looks to me like we should be viewing the Calendar in the Event category. Not resetting the password.

MattH on June 26, 2008 10:51 AM

Yes, hashing or encrypting in one form or another is a good start. The next, and I only read it once in all these comments, is to have a secondary authentication form. One of the type that asks a question only the user would know, such as "What is your first dog's nickname?" or "What was your next door neighbor's shoe size when you were in the second grade?" Totally random and only known by the user.

Even the responses should be encrypted.

And fix the menu. It's in the wrong spot.

And blue? Ugh. Make the whole web site dark red text on a black background with ample amounts of flashing magenta text. That should do it. Everyone knows that those colors are most appealing to readers! Or a bright yellow on white. Warm and fuzzy feelings start flowing then!

More tables and add about 2GB of uncompressed JavaScript! Those things would prevent a hacker. Or at least slow them down to where they would want to give up. Would that fall under physical security?

And the letter would actually be in an encrypted form that would reveal a formula that only a MENSA member would be able to solve. And upon decryption, the card would self destruct in 30 seconds. The answer to the formula would be their password. (The answer would just end up being 42.)

John Baughman on June 26, 2008 10:53 AM

@Peter: Dude, I totally already made that joke.

Adam on June 26, 2008 10:53 AM

The mistake is that the Events tab is chosen when you're on a forgot password form.

Maybe for a MENSAn, forgetting your password is an event...

blm on June 26, 2008 10:54 AM

1. Jeff, this post seems kind of pointless. As you did point out yourself, there are many websites that make that mistake. Mensa site is very unlikely to have been created by Mensians.

2. People who write about using a bot to brute-force farm this form for member e-mails: try estimating the number of tries required to brute-force a string of 10+ characters and the time those tries would take.

3. People who write about using the form to spam someone whose e-mail address you already know: if you know someone's e-mail address you can spam them much more effectively by using any scripting language, or any e-mail client for that matter. Hint: use different from addresses and subjects.

While I understand that some people like to make fun of people who are supposed to be intelligent, some of you are acting really silly.

Pies on June 26, 2008 10:58 AM

The reason the Events tab is highlighted in the screen shot is because if you click on Events, then Calendar, you get an error that says The page you have attempted to access is restricted to current members..

From there you can get your current password mailed to you, all while still trying to view the events, so I don't see that as an error.

I feel the error is sending your current password in an email. They should send a link out to you that can be used to reset your password, or at the least a link to retrieve your password over a secure connection.

Tom on June 26, 2008 11:03 AM
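The reset link Tom describes, carried through as an added Python example that is not code from this thread or from the Mensa site: the database keeps only a salted password hash and a hash of a random, expiring, single-use reset token; the raw token goes out by email inside the link and is consumed once. The PasswordResetService class, the example.invalid URL, the 15-minute lifetime and the in-memory dictionaries standing in for database tables are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets
import time

# How long a reset link stays valid (assumed value for this illustration).
TOKEN_TTL_SECONDS = 15 * 60


class PasswordResetService:
    """Hypothetical reset flow: the database holds only password hashes and
    hashed, expiring, single-use reset tokens; the raw token goes out by email."""

    def __init__(self, now=time.time):
        self._now = now      # injectable clock so expiry can be tested
        self._users = {}     # email -> (salt, password hash); stands in for a users table
        self._tokens = {}    # sha256(token) -> (email, expires_at); stands in for a tokens table

    @staticmethod
    def _hash_password(salt, password):
        # Salted, deliberately slow hash: a leaked row does not yield the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, email, password):
        salt = secrets.token_bytes(16)
        self._users[email] = (salt, self._hash_password(salt, password))

    def verify_login(self, email, password):
        record = self._users.get(email)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._hash_password(salt, password))

    def request_reset(self, email):
        """Return the link to email to the user, or None for an unknown address.
        The page shown to the requester should read the same in both cases so the
        form does not confirm which addresses are on file."""
        if email not in self._users:
            return None
        token = secrets.token_urlsafe(32)                      # 256 bits of randomness
        digest = hashlib.sha256(token.encode()).hexdigest()    # only the hash is stored
        self._tokens[digest] = (email, self._now() + TOKEN_TTL_SECONDS)
        return f"https://example.invalid/reset?token={token}"  # placeholder host

    def redeem(self, token, new_password):
        """Consume a token: valid once, and only before it expires."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._tokens.pop(digest, None)   # pop makes the token single-use
        if record is None:
            return False
        email, expires_at = record
        if self._now() > expires_at:
            return False
        self.set_password(email, new_password)    # fresh salt and hash
        return True
```

Storing only the hash of the token means a copy of the tokens table cannot be turned into a working link, and re-running the reset through set_password gives the new password a fresh salt rather than reusing the old one.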

Plain text passwords
No ssl enforcement
Nice harvesting target
Mensa uses cold fusion?

Cletus Delroy on June 26, 2008 11:04 AM

BTW, I think intelligent people have nothing else in common. This makes joining Mensa just as pointless as joining a society of people that share your blood type.

Pies on June 26, 2008 11:07 AM

Good news! All who have picked apart the design of this fictitious password request form have passed Mensa's new test for membership -- congratulations to all of you astute coders!

Please watch your mail for your membership IDs, passwords, and billings for membership dues. Welcome!

Brendan on June 26, 2008 11:12 AM

Two fallacies:

1. Being MENSA-eligible (having a high IQ) != good with computers. I know some amazing-smart people whose skills lie in other areas (either due to lack of opportunity or lack of interest).

2. Being MENSA-eligible doesn't mean they hired a MENSA member to build their website.

Allen on June 26, 2008 11:15 AM

You're screwed if you change your email address.

Mark on June 26, 2008 11:24 AM

why would they have ur pw on file (and, presumably all ur other info) but not ur email addy? that is stupid

not hello on June 26, 2008 11:30 AM

If your 'primary' email is no longer valid, because you changed ISPs, you would never receive your password, and thus have lost your account and would need to reregister. I made that mistake, when linking a number of sites to my xxxxxx@att.net and switched to Verizon. Ouch. Lost a number of similar log-in/notification.

so...am I right, or what's the answer?

bishop brady on June 26, 2008 11:38 AM

Is the gotcha here the fact that if you have a lifetime membership, you won't necessarily have told them what your email address is? How do you let them have the email address if they don't have it?

Perhaps we're over-analysing. Wood, trees, etc.

ColinYounger on June 26, 2008 11:40 AM

I haven't read all the comments, so if someone has mentioned this already consider this a second motion.

One doesn't seem to need a password to access any page of the site. I clicked on every link and was never asked for a password nor refused access to the page.

Cyrious Garnetski on June 26, 2008 11:47 AM

Jeff, it is disappointing that you have to resort to censorship to defend your views on your own blog.

BugFree on June 26, 2008 11:49 AM

They send you the current password that has been assigned to you on the membership materials. And the first thing you have to do when you log on is to change that password.

I suspect the password itself is not stored anywhere, but rather a hash generated by possibly ones birthdate, membership number, or other information.

There's nothing on the site particularly sensitive or secret -- I suspect the restriction is to keep snoopers and data miners out.

Joe
(Mensa member)

Joe on June 26, 2008 11:50 AM

@Pies As you did point out yourself, there are many websites who make that mistake. Mensa site is very unlikely to have been created by Mensians.

Yes but Mensa members use it, and so should have complained that it is badly designed, and so it should have been fixed by now ....

Having said that to be a member of Mensa just means you are good at IQ tests, you are not intelligent, smart, wise, skilled, knowledgeable, clever.... just good at IQ tests! This is an ability that is more common in people who are intelligent but does not mean you are ...

I have yet to see an IQ test that does not make language, cultural, or conventional mathematical/numerical assumptions ...


Jaster on June 26, 2008 11:51 AM

As some people mentioned, it is bad to store the password in a retrievable way. But as other people mentioned, it is also bad to store email addresses that can be easily found by hackers.

Mensa solved both problems this way: The email (used as login only) is not stored, the password is encrypted (with, say, AES) with the email address as key. That way, if some hacker got access to the database, he/she neither has access to the passwords, nor to the email addresses!

The flip side of the coin is that you can never send announcements to your members, since you do not store their email addresses. (Well you can, at the moment they login.) And you need to check the login email address against every stored (encrypted) password.

BertBert on June 26, 2008 11:51 AM
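BertBert's scheme carried through as an added Python example (not code from this thread or from the Mensa site): the key is derived from the login address, each row holds only a nonce, the encrypted password and an authentication tag, and a login has to try the key against every row because no address is stored to look one up by. AES is replaced with an HMAC-SHA256 keystream in counter mode so the block runs on the standard library alone; the EmailKeyedStore class, the derive_key helper and the sample members are constructed for this illustration.

```python
import hashlib
import hmac
import secrets


def derive_key(email):
    # The address itself is the key material; nothing about it is written to the store.
    # Case and whitespace are normalised so one address always yields one key (an
    # assumption the post does not spell out).
    return hashlib.sha256(email.strip().lower().encode()).digest()


def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256, standing in for AES-CTR here.
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class EmailKeyedStore:
    """Hypothetical member table: rows carry no address and no plaintext password."""

    def __init__(self):
        self._rows = []   # list of (nonce, ciphertext, tag)

    def add_member(self, email, password):
        key = derive_key(email)
        nonce = secrets.token_bytes(12)
        plaintext = password.encode()
        ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()  # authenticates the row
        self._rows.append((nonce, ciphertext, tag))

    def login(self, email, password):
        key = derive_key(email)
        for nonce, ciphertext, tag in self._rows:   # no index on address: every row is tried
            expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                continue                             # row was not written under this address
            recovered = _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))
            return hmac.compare_digest(recovered, password.encode())
        return False

    def dump(self):
        # What someone holding a copy of the table would see: no addresses, no passwords.
        return list(self._rows)
```

The scan in login is the cost the post mentions: with no address column there is nothing to index, so every login is linear in the member count. The tag is what tells a row written under one address apart from the others; without it the keystream would decrypt any row to garbage and the comparison alone would have to decide. Note that the key has exactly the secrecy of the address it is derived from, so the dump is protected only as far as the addresses themselves are unknown.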

you do know what MENSA means in Spanish, don't you?

Eber Irigoyen on June 26, 2008 11:52 AM

@Jeff Davis:

JD SATs != IQ test. They are more of a knowledge test.

Nowadays, yes. But until 1994, it was quite different, similar to what is now just the Reasoning part. Back then, SAT scores correlated very well with IQ. Mensa does accept SAT scores from those years. See:

http://www.us.mensa.org/Content/AML/NavigationMenu/Join/SubmitTestScores/QualifyingTestScores/QualifyingScores.htm

Dave Aronson on June 26, 2008 11:53 AM
