I may not be smart enough to join Mensa, but I am smart enough not to build websites like the American Mensa website.
Do you see the mistake? If so, can you explain why this is a mistake, and why you'd desperately want to avoid visiting websites that make this mistake?
(hat tip to Bob Kaufman for pointing this out)
I guess the one you were thinking of is that they would have to keep the raw password somewhere, instead of only keeping a hash.
The other problem is that anyone could cause someone's password (or the means to reset the password) to be sent out in an unencrypted email, but an awful lot of websites do exactly that.
Roll on open-id.
Bill P. Godfrey on June 26, 2008 4:26 AM
I don't know if this is related. But check out this article:
TypeKey stores your passwords in plaintext
http://www.diovo.com/?p=55
The mistake I see is that the password seems not to be hashed.
The password should be hashed using SHA or MD5 and salted.
Else once a hacker manages to dump the database he has everyone's passwords.
It should be "enter your email and you will be sent a new temporary password"
Vince on June 26, 2008 4:27 AM
I used to belong to MENSA. As far as I could see, they're all idiots. The password snafu on the website is just another indication of that.
David A. Lessnau on June 26, 2008 4:32 AM
"Any developer worth his salt wouldn't make such a hash of authentication" - DailyWTF comment
Rob on June 26, 2008 4:32 AM
The problem is that they send out the old password rather than generating a new one or providing a link to do so. If they can send out the original password, by inference they must be storing it without hashing it first.
Casper on June 26, 2008 4:34 AM
On a lesser note:
They also claim to have mailed the login info on printed cards, and then admit that losing the cards is highly possible.
Thus, any one finding the cards would have access to the account.
hobbylobby on June 26, 2008 4:38 AM
Actually, they're only storing a salted hash. But due to their vastly superior intellect they're able to figure out the original password on the fly anyway.
So there.
Konrad on June 26, 2008 4:38 AM
Many sites send the password in unencrypted emails, even just to confirm that you have registered. It always makes me scream.
I don't understand why people do that: they are supposed to be programmers, and know about this kind of problem. At school we all launched Wireshark and sent an email, didn't we?
The plaintext passwords are bad enough, but I think the biggest WTF here is that they give you the "Sorry, we don't recognize that email address." error if you enter an address not in their database.
I hit it about 20 times and it doesn't lock you out or add a delay. It would be trivial to write something to datamine valid addresses. Seems like a valuable mailing list to build!
Dave on June 26, 2008 4:40 AM
Although I know that it's one of the dumbest things to store passwords in plaintext.
But I actually worked on a project where a requirement was that the password should not be changed when forgotten. This was because our users weren't tech savvy and had problems with everything that exceeded writing mails.
So we decided to store the passwords in plaintext but to generate the passwords for the users. We didn't include any possibility of changing the password. In that way we at least managed to prevent loss of "valuable" passwords.
Anyway, if I were to implement that particular project again, I'd surely stick with encrypted passwords, no matter what management thinks.
If the password issue is supposed to be The Real WTF™, of course there's no need for a retrievable password to be stored in plaintext. Encryption is a wonderful 2-way system that doesn't require the intermediate result to be readable.
Of course the method of decrypting the password also has to be stored *somewhere* but again, there's no need for that to be "nearby" the database with the encrypted passwords.
Remember that security is all about layers; the existence of any particular layer doesn't necessarily tie to any other layer. "We can get your password back" is not indicative of "we store plaintext passwords".
Gareth on June 26, 2008 4:42 AM
Is it lacking a captcha like "orange" :) ?
Sarath on June 26, 2008 4:44 AM
Why does Mensa even need to password protect their site? Couldn't they just use a ridiculously hard IQ test to see if people were worthy of access?
Anders Norås on June 26, 2008 4:45 AM
Sending a password means they store it, as has been mentioned already.
And yeah, not the first time you mention this ;)
Shoo!
Carra on June 26, 2008 4:49 AM
One quote that always sticks in my mind:
Mensa is full of people that like to THINK they're clever, not those that actually are.
Paul on June 26, 2008 4:51 AM
How do you know that "send me my password" doesn't in fact send a temporary password, with instructions to reset the password?
You cannot assume from this screen that the password isn't encrypted/salted. You cannot assume that the email to the user isn't encrypted either.
Jo on June 26, 2008 4:52 AM
This captcha is always "orange", and here we are bashing something else.
AT on June 26, 2008 4:52 AM
The mistake is that the "Events" tab is chosen when you're on a "forgot password" form. It means they are not using any cool framework for development, or at least misusing some framework.
I wouldn't work for them either.
OS on June 26, 2008 4:55 AM
#Jo
» If the email address you submit matches the email address in our system, you will receive an email that contains your current password.
YOUR CURRENT PASSWORD
What's not so clear, you dumb mensite?
AT on June 26, 2008 4:55 AM
If you know an existing mensa member's email address it might be kind of fun to spam them by hitting the 'Send me my password' button a couple hundred times ...
I've always found it funny that Mensa means stupid in Spanish.
FakeOpenID on June 26, 2008 5:05 AM
*yawn* who cares? I'd have preferred to have you mention the WTF and then perhaps expound on a few alternatives.
JohnM on June 26, 2008 5:06 AM
Well, it's Mensa, which means many, many smart people. Maybe their coders were able to break SHA, MD5 or whatever hash alg they are using... The only question is why they keep it secret?
Ondra on June 26, 2008 5:09 AM
Everyone seems to be missing what was blindingly obvious to me...
Know someone's email address? Find out if they are in mensa....
Not particularly...... private.
So many websites are culprits of this.
Adam on June 26, 2008 5:10 AM
It's not a good idea to say we don't have the entered email address in our system; it's easier and safer to give the same response whether we sent an email or not.
snomag on June 26, 2008 5:13 AM
I was in MENSA once. I got tired of hanging out with those people. I was stunned at how many of these supposedly brilliant people either held down the lamest jobs you could imagine (one guy was the nighttime cleanup guy at a dive bar). And those were the ones that could hold down a steady job! Most of them dressed like a bunch of slobs and smelled like they never showered.
JP on June 26, 2008 5:13 AM
Silly people, the real issue is that you don't put the word "Colloquium" on a website. I mean, what the heck does that mean... stupid fancy Latin word users! ;-)
Never like the password being sent to me. Better to have a reset password link, I think.
It isn't some hidden "password" trick, it's that they are on the events tab (look on the side bar) and up pops the password retrieval page.
Cybercat on June 26, 2008 5:16 AM
I didn't get the whole idea of the post. I am in a puzzle.
Startlogic Review on June 26, 2008 5:18 AM
Oh, I know, the web colours are mismatched!
MENSU on June 26, 2008 5:19 AM
So which one were you thinking of? Not storing the password as a hash, or sending the email through an insecure communications method?
Bjarne Stroustrup on June 26, 2008 5:20 AM
@Startlogic Review
Nobody got the idea of this post. We are just pretending.
... and it doesn't take too much googling to figure out the email addresses of some mensa people.
'Your password has been sent to you via email.'
Matt Berseth on June 26, 2008 5:21 AM
colloquiUm?
I'm not a native English speaker, but in Latin IIRC it was spelled another way...
Some miscreant could send any known Mensa member (if they know their e-mail) a constant stream of e-mails.
Paul on June 26, 2008 5:30 AM
As a developer who works for a company that sends out plain text logins and passwords in both emails and mailings, I'd like to defend the intelligence of at least some portion of the developers who are doing this...
It's not our choice. Really.
Sometimes, in spite of our best arguments and all evidence to the contrary, we are forced to do really dumb things by the powers that be. Usually this is done in a misguided attempt to provide more "customer friendly" solutions to a problem. And we hate every minute of it.
Sometimes we even go to extraordinary lengths to do the smart thing while making it *appear* that we are doing the dumb thing mandated by the powers. If they notice that we aren't doing what they ask, we argue that it is a limitation of the technology. Or we log it as a bug in a long list of low priority bugs that will never see the light of day. Or we make the smart thing smarter so it can appear dumber.
And sometimes we are forced to do the dumb thing anyway. Then we can only make a note of our protests, reiterate them every chance we get, make snarky remarks in code comments, and - when it comes around and bites them in the posterior - gently remind the powers: "We told you so".
So, please, take a moment and reserve judgment on the myriad of "dumb" programmers in the trenches - at least until you see their snarky comments in the code.
RS Reitz on June 26, 2008 5:31 AM
Aside from the obvious privacy and security problems that everyone's already mentioned...
- ColdFusion.
- "<!-- Source Code Copyright © 2001 Active Matter, Inc. www.activematter.com -->"
- Above domain is dead.
- Occasionally, it's © 2003
- Name-based browser checks.
- 200 lines of hardcoded switch-case lists for simple image swap code.
- Spacer GIFs.
- Can't make up their mind whether they want www. prefixes in their subdomains or not.
- "<!-- saved from url=(0022)http://internet.e-mail -->"
@Ilia Jerebtsov
I think you are making your point clear more than enough.
...and the function _CF_checkCFForm_1() always returns true.
Niyaz PK on June 26, 2008 5:39 AM
...and the function:

    // Assembles a mailto: link at run time so the address never appears verbatim in the page source
    function exeMailTo(thisUser, thisServer, thisExt)
    {
        var sLink = "ma" + "il" + "to" + ":" + thisUser + "@" + thisServer + "." + thisExt;
        // Check for a 4th, optional argument for default email subject
        if (arguments.length > 3)
        {
            sLink += "?subject=" + arguments[3];
        }
        window.location = sLink;
    }
just to hide the email address from spammers.
For Mensa, it should suffice to have "Forgot password? Click here", without an input field. Anyone who cannot memorize the automatically generated GUID-like password clearly has no business signing in there anyway.
danijels on June 26, 2008 5:41 AM
@Ilia Jerebtsov
Yes. Every single web developer with an IQ > 0 should know that they can swap images in CSS.
If you are using JavaScript for that, you are out of business (and certainly out of your mind).
...and don't throw tables at me.
Niyaz PK on June 26, 2008 5:47 AM
It doesn't matter that they store the passwords in plaintext... every member has the same password: imagenius_notu
-m
Maybe they just send the hash - you're in MENSA, figure it out from that.
chris on June 26, 2008 5:48 AM
Are they supposed to forget passwords?
Niyaz PK on June 26, 2008 5:48 AM
@chris
That is clever.
There is one good cause for storing plain-text passwords, and that is that it allows for more secure authentication methods.
If the attacker can listen on the wire but can't get access to the password storage, storing hashed passwords will allow the attacker to read the passwords on the wire, because storing hashed (and optionally salted) passwords means you also have to send a plaintext password, or a hash of it. Both are open to replay attacks.
Now, if you store the plaintext password you can use replay-safe authentication methods by having server and client agree on a one-time salt for sending a hashed password over the wire.
Most protocols (including e-mail submittal and retrieval, and HTTP) support both paradigms of authentication in one or more ways.
But as long as you're on an unencrypted connection, you can't have it both ways.
If you want both, use some public key crypto for the connection itself, establishing the crypto before authenticating the client. That way you can store a hashed and salted password and still be secure on the wire.
So if eavesdropping is a risk and SSL/TLS isn't an option, storing plaintext passwords might not be that bad an option.
Niels on June 26, 2008 5:50 AM
"Send me my password" doesn't imply "send me my old password"; they can just generate a new one on the fly and send it to you.
I don't see anything wrong with it. What I found most curious about this post is the "maybe I'm not smart enough to be in Mensa but..." Looks like jealousy or something...
Jorge on June 26, 2008 5:51 AM
It's simple really, they all pre-hash their passwords in their heads and enter those as plain text, so no-one can guess their "real" passwords.... Yeah :-)
Mensaturation on June 26, 2008 5:52 AM
Intelligence and knowledge are two different things. The most intelligent people on the planet may not have that particular knowledge about building web sites, so they hired someone who did the site the way it looks. Saying that mensa people are dumb because you geeks found some mistakes in their site is weird, and you people make fools of yourselves.
Luke on June 26, 2008 5:54 AM
Mensa site:
I am a member of British Mensa.
I wouldn't worry in the slightest if someone got hold of my password.
There's damn all of any use to anyone on their website.
If American Mensa is like UK Mensa, there won't be any need to hide your password there either!
@Niels: Even with agreement on a one-time salt, that doesn't mean they have to store it in plain text. They could apply the same technique to a hash.
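Editor's added example (not part of the comment above, of Niels' comment, or of any other comment in this thread, and not the Mensa site's code). It works through both sides of the argument in code: the server keeps only a salted, slow-hashed verifier, yet still runs a nonce-based challenge/response so nothing replayable crosses the wire. Usernames, passwords, the message framing and the use of PBKDF2 (chosen only because it is in Python's standard library) are all assumptions of this demo.

```python
import hashlib
import hmac
import secrets

# Added example, not the Mensa site's code and not any commenter's code.
# Both the plaintext-store and the hashed-store variants of challenge/response
# share one idea: the client proves knowledge of a secret by keying an HMAC
# over a server-chosen, single-use nonce. Here the shared secret is the stored
# verifier, so the database never holds the password itself.


def derive_verifier(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation. This is the only password-related value stored.
    # (PBKDF2 is used because it is in the standard library; bcrypt, scrypt or
    # argon2 would be the usual production choices.)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


class Server:
    def __init__(self):
        self.users = {}     # username -> (salt, verifier)
        self.pending = {}   # username -> nonce of the one outstanding challenge

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_verifier(password, salt))
        # The plaintext password is dropped here and never written anywhere.

    def challenge(self, username: str):
        # Message 1 (server -> client): the user's salt and a fresh single-use nonce.
        salt, _ = self.users[username]
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return salt, nonce

    def verify(self, username: str, proof: bytes) -> bool:
        # Message 3 check: recompute HMAC(verifier, nonce) and compare in constant
        # time. The nonce is consumed on first use, so a captured proof is dead.
        nonce = self.pending.pop(username, None)
        if nonce is None:
            return False
        _, verifier = self.users[username]
        expected = hmac.new(verifier, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self.password = password

    def respond(self, salt: bytes, nonce: bytes) -> bytes:
        # Message 2 (client -> server): derive the same verifier locally and
        # prove it; only the HMAC output crosses the wire, never the password.
        verifier = derive_verifier(self.password, salt)
        return hmac.new(verifier, nonce, hashlib.sha256).digest()


def authenticate(server: Server, client: Client):
    """Run one full exchange; returns (accepted, proof_as_seen_on_the_wire)."""
    salt, nonce = server.challenge(client.username)
    proof = client.respond(salt, nonce)
    return server.verify(client.username, proof), proof


def replay(server: Server, username: str, captured_proof: bytes) -> bool:
    """Someone who sniffed a proof tries it again against a fresh challenge."""
    server.challenge(username)  # a new nonce is issued, so the old proof cannot match
    return server.verify(username, captured_proof)


if __name__ == "__main__":
    srv = Server()
    srv.register("alice", "correct horse battery staple")   # constructed credentials
    ok, seen = authenticate(srv, Client("alice", "correct horse battery staple"))
    print("genuine login:", ok)
    print("wrong password:", authenticate(srv, Client("alice", "guess"))[0])
    print("replayed proof:", replay(srv, "alice", seen))
```

The caveat a practitioner should keep in mind: with this simple construction the stored verifier is itself enough to answer this server's challenges, so a database dump still lets someone log in here (which is why SCRAM-style protocols store a hash of the client key rather than the key). What the dump does not yield is the password itself, which is the value people reuse on other sites, and that is the loss the thread is worried about.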
Dave Aronson on June 26, 2008 5:58 AM
I think the biggest issue is that if you didn't get your card yet, how do they have your e-mail address registered? Does that mean that if you never get your card you will just never be able to log in? It's not like there is a "contact us" link that you can explain your situation with.
ChrisK on June 26, 2008 5:59 AM
They should never store passwords in plain text, or in any other way that makes it possible to be read in plain text (e.g., encrypting). The password should be hashed (using salt) and stored in a database. To be able to access your account even though you forgot the password, they should create a new password on the fly (e.g. 1n23asds), send that in the email, hash it and store it as the new password in the database.
ninuhadida on June 26, 2008 5:59 AM
@Niels
Whatever you can do with plaintext password you can do the same with hashed versions also. right? Tell me if I am missing something.
In the case of hashed passwords, even if someone is eavesdropping only one password is lost. But if the database is in plaintext and the database is lost, everything is lost. Right?
Niyaz PK on June 26, 2008 6:00 AM
I would never join an institution that would have me as a member. ;-)
Brian on June 26, 2008 6:02 AM
@Luke
I think the point is that they should have the intelligence to become knowledgeable about the correct way of making a secure website.
Nate on June 26, 2008 6:03 AM
@Luke
They (Mensa) must be intelligent enough to hire the RIGHT people to do their website.
@Ian: Excellent point, and one I was refraining from making to Niels. There are tons of far more secure solutions... but which of them are trivial enough to be worth bothering with, to protect the particular asset in question? Even the already-mentioned no-no of sending plain text passwords via email, often along with the corresponding user ID, is perfectly tolerable for some sites. How much do you want to invest in the site's security, and how many hoops do you want to make the user jump through?
Seems to me there are (at least) three stages of security awareness:
1) Ignorance: "I don't have anything to protect! Nobody would bother to attack me!"
2) Paranoia: "OMG, there are h4x0rz! Lock everything down tight!"
3) Rationality: "Don't invest in a $100 lock to protect a $10 bike."
-Dave, life member, American Mensa
Dave Aronson on June 26, 2008 6:05 AM
From one of the first comments: "The password should be hashed using SHA or MD5 and salted."
PLEASE STOP SAYING THIS! In this day and age that's barely any more secure than storing it in plain text.
Why do people still insist on weak password-hashing schemes like MD5 when it takes all of 10 seconds to find and download a secure industry standard like bcrypt? MD5 was meant for message signatures, and even in that area it's sorta broken. And SHA-1 has been broken for almost a decade.
Aaron G on June 26, 2008 6:08 AM
You're all only half right. Not only is there a blatant security issue, they used TABLES in their markup.
TABLES! Burn them with fire!
Which is what I'll have to do to Jeff, judging by his latest twitter!
Ben on June 26, 2008 6:10 AM
Dave, that's not very bright for a Mensa member. You're not protecting a $10 bike, you're very likely protecting the same password they use for their e-mail, PayPal, online banking, etc. It's plain irresponsible to store a password in plain-text or fast-hash when it takes almost NO effort to do it securely.
Aaron G on June 26, 2008 6:11 AM
The problem is hard to see until you go to the actual website: they used Cold Fusion!
Kearns on June 26, 2008 6:14 AM
Dave, about your point 3: You underestimate the value the passwords themselves have. Few people use different passwords for all their online accounts. I don't believe for one second that Mensa members are any different. The lock might not be worth protecting a $10 bike, but on the other hand don't hand out the key if it also opens your high-security vault.
So, yes, storing passwords in plain text is *always* a problem, even if it's only used to secure trivial content.
Konrad on June 26, 2008 6:14 AM
@OS / @Cybercat - You guys have it right.
Everyone: Look at what is highlighted on the top tabs and sidebar.
Events - Calendar
But you're on the password reset page?
The funny part is that this is the Mensa website, so they're supposed to be sooper smarrt.
I love this quote: "I thought you were a member of MENSA, until you spelled it wrong."
But I actually disagree with that. There was a guy here at work who was actually a member, but he was the weirdest guy. Very quirky, very annoying, very bad speller.
This is *not the real* Mensa site, just a clever deceit to delude us into thinking that this Mensa thing is nothing but some kind of chess club for dorks. The actual Mensa site is rigorously secured, runs on UFO technology and is their discussion platform for the secret world government.
Mac on June 26, 2008 6:14 AM
The message should say, check under your keyboard first. lol
Saleem on June 26, 2008 6:15 AM
NO CAPTCHA
k_der on June 26, 2008 6:16 AM
I think the first error is in spelling out to the user (or potential hacker) that the password was written out on a plain sheet of paper and mailed.
Some cheap social engineering could have them mail the password out to a new address. 'I just moved. I work at this other institution now. etc.'
Or you could just dumpster dive.
The second error is saying that the stored password will be emailed to the stored address. If the email is compromised, that's an issue. Another vector would be to sniff the traffic.
Lastly, sending the password. They should send a confirmation link which the user then clicks on. The page should log the time, their IP, and have them create a new password.
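Editor's added example (not part of the comment above or any other comment, and not the Mensa site's code). It puts together the defensive flow that several comments in this thread describe: store only a salted, slow hash of the password; on "forgot password" mint a random, single-use, expiring token; mail only the token; log when and from which address it was requested; and let the user pick a new password on return. The in-memory "outbox", the audit list, the example addresses and the PBKDF2 choice (standard library only; bcrypt, scrypt or argon2 are preferable) are assumptions of this demo.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not the Mensa site's code and not any commenter's code.
# A reset link flow in which the database never holds a plaintext password
# and never holds a plaintext reset token either.

ITERATIONS = 100_000          # PBKDF2 cost; a slow hash, not MD5/SHA-1
TOKEN_TTL_SECONDS = 30 * 60   # reset links stop working after 30 minutes


def hash_secret(secret: str, salt: bytes) -> bytes:
    # Used for both passwords and reset tokens, so a dump reveals neither.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=32)


def token_from_message(message: str) -> str:
    # Helper for the demo: pull the token back out of the mailed link.
    return message.rsplit("token=", 1)[1]


class AccountStore:
    def __init__(self, now=time.time):
        self.now = now           # injectable clock so expiry can be exercised
        self.accounts = {}       # email -> {"salt", "hash"}
        self.resets = {}         # email -> {"salt", "token_hash", "expires", "ip"}
        self.outbox = []         # (email, message) pairs a real mailer would send
        self.audit_log = []      # (time, event, email, ip); constructed audit trail

    def create(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = {"salt": salt, "hash": hash_secret(password, salt)}

    def check_password(self, email: str, password: str) -> bool:
        rec = self.accounts.get(email)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], hash_secret(password, rec["salt"]))

    def request_reset(self, email: str, client_ip: str) -> str:
        # Outward behaviour is identical whether or not the address exists.
        if email in self.accounts:
            token = secrets.token_urlsafe(32)   # random; derived from nothing the user knows
            salt = secrets.token_bytes(16)
            self.resets[email] = {
                "salt": salt,
                "token_hash": hash_secret(token, salt),
                "expires": self.now() + TOKEN_TTL_SECONDS,
                "ip": client_ip,
            }
            self.audit_log.append((self.now(), "reset_requested", email, client_ip))
            # Placeholder host; the token is the only secret that leaves the system.
            self.outbox.append((email, f"Reset link: https://example.invalid/reset?token={token}"))
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, email: str, token: str, new_password: str, client_ip: str) -> bool:
        rec = self.resets.get(email)
        if rec is None:
            return False
        if self.now() > rec["expires"]:
            del self.resets[email]                # expired: discard, user must ask again
            return False
        if not hmac.compare_digest(rec["token_hash"], hash_secret(token, rec["salt"])):
            return False                          # wrong token; the pending request survives
        del self.resets[email]                    # single use
        self.create(email, new_password)          # fresh salt and hash; old password is gone
        self.audit_log.append((self.now(), "password_reset", email, client_ip))
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.create("member@example.invalid", "old-pass")           # constructed account
    print(store.request_reset("member@example.invalid", "203.0.113.5"))
    token = token_from_message(store.outbox[-1][1])
    print("reset ok:", store.complete_reset("member@example.invalid", token, "new-pass", "203.0.113.5"))
    print("new password works:", store.check_password("member@example.invalid", "new-pass"))
    print("old password works:", store.check_password("member@example.invalid", "old-pass"))
```

Two design points worth noting. The token is hashed before storage for the same reason the password is: whoever reads the table should not be able to complete a reset with what they find there. And a wrong token does not cancel the pending request, while a correct one consumes it, so a stray guess cannot be used to deny a legitimate user their link.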
baboalex on June 26, 2008 6:19 AM
@Gareth
You honestly think that if someone can get a copy of your database, they won't also get the key? It would be especially easy in this case since the password recovery page needs access to the key somehow.
@Aaron G:
Unless I'm sorely mistaken, the best attack on SHA-1 is 2^69 ops to find a collision. Seems just a bit safer to me than storing in plain text. Still, your point is well-taken -- there's no good reason not to use a hashing algorithm that is currently considered more secure.
I seriously think that high IQ programs ruin people. Suddenly they think they deserve everything and shouldn't have to work and study anymore because they were "gifted" with high intelligence.
Yes, I was in one, and I have had to spend a large portion of my life learning that you still have to stick your nose in the dirt and work to get ahead (Of course, we all have to learn that).
I would have been better off without it. However, at the same time, it would have been nice if we had more accelerated regular classes. But those classes would simply reward those who moved quickly. They could get there by talent, or by studying hard, or by asking the right questions—it doesn't really matter. Then I would have learned that working hard got me ahead, rather than thinking it was some kind of birthright.
Not everyone in such programs has this problem. Some of them are actually smart enough to realize early on that they aren't actually that smart and not get all caught up in their own intelligence.
Anyway, that's why those people are so quirky and weird and don't bother doing anything the way they should—they believe they don't have to, they are entitled to do as they please.
Jeff Davis on June 26, 2008 6:30 AM
The decision to store raw passwords would typically be based on requirements for privacy. For instance, is there information associated with the user account that would be considered sensitive? Without knowing the properties associated with each account, it is difficult to say if this is a mistake. Does my online Mensa account exist only to manage my public user profile? If so, encrypting the passwords might be overkill for this application, assuming budget limitations.
Adam hits the nail on the head in his comment above. This system is essentially a lookup tool to determine Mensa membership, with no CAPTCHA.
Oops, looks like I was sorely mistaken. The attacks on SHA-1 are a bit better than I had indicated -- Wikipedia says 2^63 ops for a collision, which is actually a bit troubling. There also seem to be a couple other interesting attacks on it.
Still, I'd feel safe enough if my passwords were stored as a salted SHA-1 hash in remote databases, as none but the most determined attackers will go through the trouble to break that.
Eam on June 26, 2008 6:33 AM
@Steve
"If so, encrypting the passwords might be overkill for this appication, assuming budget limitations."
WHAT? I don't even know where to begin with this one.
All I'm going to say is that if you're spending a significant amount of money on your hash algorithms, you're doing it wrong. Really, really wrong.
Eam on June 26, 2008 6:36 AM
> Send me my password doesn't imply "send me my old password" they
> can just generate a new one on the fly and send it to you.
How about: "If the email address you submit matches the email address in our system, you will receive an email that contains your current password." What does that imply?
I understand normal users forgetting their passwords, but shouldn't MENSA members be competent enough to remember their passwords? This page is totally unnecessary!
Kris on June 26, 2008 6:39 AM
I was about to add password retrieval functionality to my app. Is it normal practice to use an extra password field to store the temporary password? I don't want to destroy their original password because then someone could keep screwing them over by resetting the password constantly.
Joe Beam on June 26, 2008 6:39 AM
Why do so many people mention the fact that you can spam any Mensa user if you know their email? Yes, you can. You can also use SmtpMail.Send() - it's much more efficient. :-)
Carl on June 26, 2008 6:46 AM
@Eam
As you probably know, encrypting the passwords means more than just implementing a hash algorithm. You can no longer simply send the existing password to the user, there must be additional functionality to create a temporary password, send the new password, allow the user to reset the password, etc. Mensa does not have any of that built currently, to my knowledge.
By the way, your arrogance is ugly.
Steve on June 26, 2008 6:46 AM
Steve, this "additional functionality" would take a few hours to throw together. There's no excuse for cutting corners on security, no matter how insignificant the data is.
Are you really saying that the site does not presently allow you to change your password? Wow.
Aaron G on June 26, 2008 6:52 AM
Yeah, without bringing the security of email into this, you're basically saying, hey.. if you can code something that brute forces the server with random combinations of email addresses (*.gmail.com, *.yahoo.com) you can find out which ones are mensa members.
Of course you know, though, Mensa is a pay membership organization so they didn't do it themselves.. they probably contracted it out to a web design company and were advised to go with ease of use over security. At least they aren't storing the un/pwd in a text file. :)
Hutch on June 26, 2008 6:54 AM
That reminds me of the time I tried to sign up for ACM's Student Membership. Ugh.
Pardon the self-linking, but the story's a bit too long to write in a comment box: http://www.skrud.net/articles/2008/03/05/acm-and-the-canadian-province-of-alabama/
Skrud on June 26, 2008 6:55 AM
@Steve
Budget or no budget, properly protecting passwords is essential as this same password could be used for other services e.g. paypal, e-mail, banking, etc...
It is completely irresponsible to run a website that stores passwords insecurely and I think that anyone responsible for a security leak with plain-text passwords stored in the database should be liable for every penny of damage done.
Ben on June 26, 2008 6:56 AM
1) No CAPTCHA
2) No user set question to verify the authenticity of the user.
from a standpoint of taking over somebody's identity by simply gaining access to their email..,
this makes it that much easier to have access to their other websites they visit and be hidden, simply send the email get their password, delete traces of it and enjoy their account while they remain completely oblivious to the fact you have taken over their internet identity. Unless of course they are smart enough to forward all their inbox to a redundant Gmail to watch for stuff like that ( I wonder if there are people out there that do that? )
Then again knowing how good people are at security and passwords, most likely if you have their email password you have all of their passwords.
@ian williams: if there is no content of any use, why password it at all then?
mbowles on June 26, 2008 7:03 AM
1) No CAPTCHA
2) No user set question to verify the authenticity of the user.
3) At no match, it gives "Sorry, we don't recognize that email address."
almost instantly.
One can easily sniff out valid email addresses by using automation (bots)
= SPAM!!!!!
Um. Spambot anyone?
Oded on June 26, 2008 7:12 AM
Mensa is full of idiots. Loathsome, arrogant, condescending, zero-people-skills idiots. Just because you're intelligent doesn't mean you're "smart".
PaulG. on June 26, 2008 7:12 AM
I'm with Dave: the system should never tell you whether the email you entered was a valid user.
Not just for privacy... if you go to the user login page, you'll see that it accepts EITHER the username or the email address, along with the password.
It's been a long time since I've seen a system that differentiated between "failed login due to invalid username" and "username valid, but you failed because of the password." That's a way-back no-no.
Why? Well, they either have a lockout after some # of failures, or they don't.
If they do, you could abuse this by brute-forcing the "send me my password" thing until finding a bunch of valid emails, then you could lock them all out of the system by trying to log in as them too many times.
If they DON'T have a lockout, then you could brute force their passwords and log in as them and learn the secrets of the mental universe.
Then, of course, you would check to see if they used that password for their actual email account, or that email/pwd for any number of other sites.
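Editor's added example (not part of the comment above or any other comment, and not the Mensa site's code). It shows the defensive side of the two points raised here: the "forgot password" and login endpoints answer identically whether or not the account exists, the login does the same amount of hashing work for unknown users so response time gives nothing away either, and repeated attempts are throttled per source address and per account rather than hard-locking the account, which would let anyone lock real members out. The accounts, IP addresses, limits, injectable clock and PBKDF2 choice are assumptions of this demo.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

# Added example, not the Mensa site's code and not any commenter's code.
# Enumeration-resistant responses plus sliding-window throttling instead of
# account lockout.

FORGOT_MESSAGE = "If that address is registered, an email is on its way."
LOGIN_FAILED = "Invalid username or password."
LOGIN_OK = "Welcome."
WINDOW_SECONDS = 15 * 60     # size of the sliding window
MAX_PER_IP = 20              # attempts per source address per window
MAX_PER_ACCOUNT = 5          # attempts per account per window, from any address


def pw_hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash (standard-library PBKDF2; bcrypt/scrypt/argon2 preferred).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=32)


class Throttle:
    """Sliding-window counter: hit() returns True once a key exceeds its limit."""

    def __init__(self, now, limit: int):
        self.now, self.limit = now, limit
        self.events = defaultdict(deque)   # key -> timestamps inside the window

    def hit(self, key: str) -> bool:
        q = self.events[key]
        cutoff = self.now() - WINDOW_SECONDS
        while q and q[0] < cutoff:
            q.popleft()                    # forget events older than the window
        q.append(self.now())
        return len(q) > self.limit


class AuthService:
    def __init__(self, now=time.time):
        self.now = now
        self.accounts = {}                 # email -> (salt, hash)
        self.outbox = []                   # emails a real mailer would send
        self.by_ip = Throttle(now, MAX_PER_IP)
        self.by_account = Throttle(now, MAX_PER_ACCOUNT)
        # Fixed dummy record so an unknown user costs the same time as a known one.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = pw_hash(secrets.token_hex(8), self._dummy_salt)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = (salt, pw_hash(password, salt))

    def forgot_password(self, email: str, client_ip: str) -> str:
        throttled = self.by_ip.hit(client_ip) or self.by_account.hit(email)
        if not throttled and email in self.accounts:
            self.outbox.append(email)      # queue the reset mail; nothing else differs
        return FORGOT_MESSAGE              # same text: known, unknown, or throttled

    def login(self, email: str, password: str, client_ip: str) -> str:
        throttled = self.by_ip.hit(client_ip) or self.by_account.hit(email)
        salt, stored = self.accounts.get(email, (self._dummy_salt, self._dummy_hash))
        # Always do the hash work, then AND with existence, so timing and wording
        # are the same for "no such user" and "wrong password".
        ok = hmac.compare_digest(stored, pw_hash(password, salt)) and email in self.accounts
        if throttled or not ok:
            return LOGIN_FAILED
        return LOGIN_OK


if __name__ == "__main__":
    svc = AuthService()
    svc.register("member@example.invalid", "s3cret")            # constructed account
    print(svc.forgot_password("member@example.invalid", "198.51.100.1"))
    print(svc.forgot_password("nobody@example.invalid", "198.51.100.1"))
    print(svc.login("nobody@example.invalid", "x", "198.51.100.2"))
    print(svc.login("member@example.invalid", "x", "198.51.100.2"))
    print(svc.login("member@example.invalid", "s3cret", "198.51.100.2"))
```

Throttling rather than locking resolves the dilemma in the comment above: a flood of bad attempts slows the account down for a window and then recovers on its own, so an attacker cannot turn the login page into a denial-of-service tool against the members whose addresses they found, while still being unable to run through a password list at speed.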
Patrick on June 26, 2008 7:13 AM
The first mistake I noticed was that they left the hyphen out of "e-mail." Six times.
...doug
Doug on June 26, 2008 7:13 AM
Hah! If they are so smart why do they even need a forgotten password tool?
I call this putting your own ignorance on display for the whole world to see.
I would call mailing login information a pretty big and stupid mistake. It reminds me of a Web site some kids at my old fraternity set up. They printed the password on business cards they gave alumni.
Matt on June 26, 2008 7:21 AM
Aaron -- I don't know for sure if the Mensa site currently allows for changing passwords. And I certainly would never recommend cutting corners on security.
I do estimates and proposals all the time for various implementations of secure transactions and I can tell you that the difference is more than a few hours for enabling password change functionality.
Our firm has strict guidelines in place for protecting privacy, and we have our customers sign a waiver whenever these guidelines might not be met. From my limited knowledge of the Mensa application, I would guess that a waiver would be required, along with all the written and verbal disclaimers regarding security.
But it is also possible that this application would not require a waiver. If the password is assigned by Mensa, and not changed by the user, and the password is randomly associated with an email address, and the login process simply enables the management of the user's public profile, what is the risk?
Steve on June 26, 2008 7:24 AM
Check the page source...there is a Javascript function 'exeMailTo' with some useful comments...one of which is:
Use function instead of mailto: in href attribute. ex: exeMailTo('bryanm', 'americanmensa', 'org');
Guess who has a valid email address that might want a password reminder...yep you guessed it... bryanm@americanmensa.org
Alright, well I'll be the first to admit I'm not up on password hashing etc. But couldn't they still be encrypting the passwords in the database? I mean, if all you have to do is enter your email they could just be decrypting it and then sending it, using some proprietary encryption just to secure the database without inconveniencing the user. They could even be using the email address as some sort of hash or key.
It's impossible, IMHO, to really tell what's going on behind the "front" without seeing the code. Just because they can send you your password doesn't mean the database is insecure. While it may not be the best scheme it could definitely stop a hacker from the outside, but not necessarily one on the inside. ;)
Not Quite on June 26, 2008 7:27 AM
Call it base irony, but I'm of the impression that if you are smart enough to be in MENSA (and I've tried and failed), you would be smart enough to remember a password.
Wes on June 26, 2008 7:27 AM
@Ben
I believe the password is randomly assigned by Mensa, so there is no concern that the password could be used to gain access to other external accounts.
Steve on June 26, 2008 7:28 AM
Never having used it before, I could be doing this wrong. But, I went to:
and submitted that MENSA URL:
https://www.us.mensa.org/am/template.cfm?section=Calendar&Template=/Security/Login.cfm
for validation (and that page looks different from Jeff's image). The validator came back with:
"This page is not Valid XHTML 1.0 Transitional!
Result: Failed validation, 222 Errors
Address: https://www.us.mensa.org/am/template.cfm?section=Calendar&Template=/Security/Login.cfm
Encoding: utf-8
Doctype: XHTML 1.0 Transitional
Root Element: html
Root Namespace: http://www.w3.org/1999/xhtml"
On the other hand, I'll bet anyone who works at MENSA and has access to the table where the passwords are stored would get quite a kick out of browsing the passwords that "geniuses" select (the token 'IQ180' is probably rather common).
Genius on June 26, 2008 7:35 AM> Hah! If they are so smart why do they even need a forgotten password tool?
The two have absolutely nothing to do with each other. Memory and intelligence are two completely separate things.
Wisdom and intelligence are two completely separate things too. If you hadn't figured that out by this time in your life, perhaps this password email thing will prove it to you.
T.E.D. on June 26, 2008 7:36 AMBeing a Mensan does not imply being a security expert nor a skilled web developer. For instance, the website was not designed by Mensa, but by a company that seems to be out of business now.
Jose on June 26, 2008 7:40 AM@ T.E.D.
"Memory and intelligence are two completely separate things."
So a person with no memory at all could score as a genius on an IQ test?
Steve on June 26, 2008 7:45 AMYour fundamental mistake is thinking that Mensa is a society for wise or intelligent people
Mensa members do not need to be Wise
Mensa members do not need to be intelligent
.... they just need to be good at IQ tests ....
@Samrat: The email takes care of user authentication much better than any other questions would. Those "where were you born and what was your first pet" questions just test how much someone knows about you, and turn into back-door passwords. They're evil.
@doug: "email" without a hyphen is quite well-established by now. Language evolves.
http://www-cs-faculty.stanford.edu/~knuth/email.html (see the bottom)
http://www.webpronews.com/topnews/2003/09/05/email-vs-email
http://motivatedgrammar.wordpress.com/2008/04/11/stupid-grammar-rules-email-vs-e-mail/
http://www.thefictiondesk.com/blog/spelling-email-vs-e-mail/
Dear Hackers,
Here is how I store my passwords. Let me know if you have any issues.
Regards,
Idiot Web Developer
Aston on June 26, 2008 7:49 AMThey provide a "print this page" link, but no mailing address for where I should mail this forgotten password form. I wanna log in and play my Mind Games, damn it!
Mike Wheaton on June 26, 2008 7:52 AMAaron and Konrad.
Think before you write. The password for Mensa is auto-generated. It is not likely that you use it at another site. You don't protect anything on the site with the password, like banking. It's not worth even thinking about encrypting that password.
Even worse: if you use something like Ethereal or Wireshark it is totally irrelevant whether your password is stored as a hash or plain text. You see the plain password when accessing a site.
gooofer on June 26, 2008 7:59 AMJaster nailed it:
"Mensa members do not need to be Wise
Mensa members do not need to be intelligent
.... they just need to be good at IQ tests ...."
I'm about to join. It looks impressive (to some people, not all) on a resume. I qualified because I scored highly on my SATs. Am I smarter than you? Maybe, maybe not. I do smart things sometimes, and dumb things sometimes. I'm normal. I just did very well on my SAT test.
An organization whose members include Jodie Foster, Geena Davis, James Woods, Norman Schwarzkopf, STEVE MARTIN!, Asia Carrera, and Scott Adams can't be all bad. Oh yeah, and soon, me, which can't help but to raise the spiffitude quotient a bit.
Matt on June 26, 2008 7:59 AM@Steve fair enough, but that is a yet-another-password-to-remember problem.
Ben on June 26, 2008 8:06 AM@AT - calling me "dumb" when you don’t understand basic grammar is rather rude.
Just to let you know, "whats" should have an apostrophe.
Anyway, the point remains - until someone actually tries to reset their password on this site all the criticism is hot air.
>Wisdom and intelligence are two completely separate things too.
This is an important distinction, especially if you are a cleric or wizard!
Adam on June 26, 2008 8:13 AM@Skrud: That post about the ACM site is fantastic.
Adam on June 26, 2008 8:18 AMIt's fun to pick on MENSA - Gawd knows they set themselves up for it - but give credit where it's due.
MENSA owns the site, but they likely hire pros to run it. I can't imagine they have a 'your code monkey must be a MENSA member' provision when they hire folks so ... an organization of Really Smart Guys ...
Who hired a code monkey who is not so hip on how we do things in the 21st century.
Brian Dunbar on June 26, 2008 8:22 AMWTF does it really matter if the password is in plain text or not? If you encrypt the password then you need to include some security routine that would allow the user to change their password. I get sick of websites knowing my father's name, my city of birth etc. If a hacker got the database they may not know my password that I created specifically for that site, but now they know my personal information to use on other websites that ask the same stupid security questions.
1. Protect your database by not leaving it out in the DMZ or at a hosting company
2. Protect the forgot password page by only allowing that IP to use it two times in a given period of time.
3. Audit the use of the forgot password to ensure that it's not being misused.
4. All your base belong to us.
Tim on June 26, 2008 8:26 AMum, you don't have to hash the password. you can encrypt it too, which would allow you to resend them the original.
call me crazy.
Darren Kopp on June 26, 2008 8:29 AM@Tim
1. Protect your database by not leaving it out in the DMZ or at a hosting company
The former, sure. The latter - some small companies I know .. all they _have_ for servers is gear at a hosting company.
Are you suggesting a dedicated server in the company office that sends data back and forth to the hosting company? Not being argumentative, seeking to expand my knowledge.
Brian Dunbar on June 26, 2008 8:32 AM>WTF does it really matter if the password is in plain text or not?
Remember Reddit?
Adam on June 26, 2008 8:33 AMHi Jeff,
Can you please enlighten us? I have a feeling that this thread is going off on too many different directions :)
Stephane Grenier on June 26, 2008 8:35 AM> "This page is not Valid XHTML 1.0 Transitional!
Oooo Noooo!!! How can people use it now?? *cry*
HB on June 26, 2008 8:37 AMThe strength of security for any given web site should be based on the importance of the data you are protecting. The Mensa site may contain some personal profile info, but it can't be anything important enough to require hashed passwords.
Really, if someone can get to your database, they don't need plain-text passwords, they have access to all your data! Game over. Encrypted passwords won't save you.
And for those worried that someone can mine for email addresses of Mensa members, give me a break. If you're so worried, use an anonymous email address when you sign up.
I would have thought that commenters here would be smart enough not to trust any website with their important passwords and primary email addresses. You all have throwaway passwords for sites like these right?
Sal on June 26, 2008 8:42 AMEmail addresses on a file! With possibly the corresponding passwords in the same file!! Can someone share the link to that file?
Daanish Rumani on June 26, 2008 8:44 AM@Sal
Of course *we're* too smart for that, but are the blokes at Mensa?
:-P
Jeff,
I sense some nitpicking here. First off, Mensa is a bit trite for an organization where smart people go. I happen to be eligible (by their standards) but refuse to pay for useless membership.
Mensa and tons of other sites out there do not (and I repeat: they do not) have a whole lot of sensitive information. They basically have what you give them. Case in point. My moniker here is 'BugFree' because I have no idea what Jeff (or someone who manages to steal his blog and hard drive it lives on :) may do with names, emails and even my somewhat controversial posts.
Your privacy begins with you. Couple of points of interest:
- Use an email address different from your personal email address. That will contain spam if it occurs and make it easier to sift through notifications from "social" sites
- use a funky username / password, something that even dictionaries could not guess, combination of letters, numbers, words from different languages. Have fun with it.
- accept that anything entered in an online form somewhere is recorded, potentially sold, abused. Make it really hard for others to have fun with your personal information
- Do not nitpick. Maybe Mensa's site is not the best, but it probably works for their members. Many other sites allow you to send yourself a password reminder. Big deal. If my personal info is obfuscated (and it always is when I am online), I have nothing to worry about, let alone if some programmer read security best practices. If you cannot come up with a constructive solution to a problem (if it exists at all), do not nitpick. Criticism for the sake of criticism is not very useful.
- Too much security is overkill for 99.9% of sites. I have a profile at too many forums with passwords that I had to write down before I could change them. Come on.
- I do not have a password on my voice mail. Anyone with enough spare time is welcome to listen to my voice mails, shall I lose my phone (which I never do) :). Security begins with me, not with the password.
Hope this helps relieve some anxiety about online profiles.
BugFree on June 26, 2008 8:51 AM@ HB
I know. I fainted here three times myself. Need oxygen now.
Bad, bad html.
BugFree on June 26, 2008 8:55 AMOne more hint I forgot to add to the list. If a site is asking for donations, they WILL sell your info to spammers. Give them a donation, along with an email address (gmail?) where you can sift through spam easily and control/change your online identity as you see fit.
BugFree on June 26, 2008 8:57 AMThe problem is that they do not reset the password. When you open the email that they send you will receive your current password. Instead you should receive an email with a link that (if you want to) gives you a new password. This is better because if someone stole your login information, only you have access to your own email. While the thief would still have access to your account until you changed your password manually. Also because of the password in plain text in an email file and all that other people spoke of.
To Sal:
Mensa is for people with high IQ, not with high computer knowledge. In fact I have plenty of really smart math professors in my college who can't use the college system to put grades on the internet.
Hoffmann on June 26, 2008 8:59 AMThe real problem is that this page is unnecessary, so no code should have been written to support it. Because we all know the best code is no code.
MENSA members shouldn't forget their passwords.
Ah, that's the trick, the real mistake with this page is that it reminds MENSA members that they are human just like everyone else.
@BugFree - of course you mean "shall I lose my phone (which I haven't done, yet.)"
df5 on June 26, 2008 9:03 AMWell, for any members who used something other than their primary email address when they registered with Mensa, the instructions are wrong.
And really, a "guess the next auto-generated password in sequence" would be thematic.
What's the current thinking on the OWasp recommendations?
http://www.owasp.org/index.php/Guide_to_Authentication#Automated_password_resets
Argh, I can't believe I missed that, especially since I was working on back-end logic around passwords and confirmation emails not long ago, and had to take account of the fact that we don't store passwords in the clear.
Andy Lee on June 26, 2008 9:09 AMHere's how I do password retrieval:
1. Store a salted hash on the server, where the salt is unpredictably different for each account.
2. In order to retrieve the password, the user must enter the correct account name and e-mail address, and no indication should be given of whether or not it was correct.
3. Generate a link containing the hash and some other information needed to log in. DO NOT generate a new password; otherwise, knowledge of a user's account name and e-mail address can be used by others to harass the user (or even deny him service if he's lost control of or access to his registered e-mail account).
4. When logging in with the link, immediately force the user to choose a new password.
Mark Tiefenbruck on June 26, 2008 9:13 AMI don't know what the answer to the quiz is but I just got Bob his password sent.
eclw on June 26, 2008 9:21 AMJust kidding.
eclw on June 26, 2008 9:21 AMWow. So much venom!
David A. Lessnau: "As far as I could see, they're all idiots."
Paul: "Mensa is full of people that like to THINK they're clever, not those that actually are."
PaulG: "Mensa is full of idiots. Loathsome, arrogant, condescending, zero-people-skills idiots. Just because you're intelligent doesn't mean you're 'smart'."
Last time I checked the world had a multitude of arrogant, condescending idiots. Multiple posts appear to confirm this.
Mensa tests check the tools in the toolbox, not the skills one shows when they are used. One should expect people of varying degrees of humility, knowledge, compassion, wisdom, social background, technical skill, etc. It is as if one created a group for people over 6 feet tall - you certainly couldn't expect them all to be great Basketball players.
That noted, I am in Mensa, am over 6 feet tall, and can't play a good game of Basketball if the fate of the world depended upon it. I was also not consulted regarding the website. ;-)
Demi on June 26, 2008 9:24 AMAccording to the site, the password was mailed to the member.
In other words, the Mensa organization assigned the password to their members. And some may not even have received them yet.
If such is the case, how can someone forget a password that they have never remembered?
RandyW on June 26, 2008 9:25 AMTo Mark T.
I wouldn't use your site.
If I need to remember email address and username to get back my login information something is wrong and unnecessarily complex.
If it is not user friendly, I won't use it again.
gooofer on June 26, 2008 9:33 AMPeople, c'mon, you should all know by now that Wisdom and Intelligence are separate characteristics. For instance, your Elven Cleric needs a high Wisdom score, whereas your 8th Level Wizard needs an above average Intelligence.
It would also help if they both had a high Charisma so they can pick up on the chicks you will never get if this joke is actually meaningful and funny to you.
Peter on June 26, 2008 9:38 AMHi guys,
B4 we cont. on this debate that Jeff has spread amongst us..
Just have a look at the site again...
https://www.us.mensa.org/AM/Template.cfm?Section=Login&Template=Security/NoPassword.cfm
This page is looking a lot different now...(content wise, not the way JEFF is pointing to it)
Maybe coz of Jeff or the Mr. TIPPER "Bob Kaufman".
and ya i m still confused with the problem...eager to know abt it.
> ...why you'd desperately want to avoid visiting websites that make this mistake?
To reduce the odds of visiting the MENSA site?
Therac-25 on June 26, 2008 9:41 AMThe "Starship Troopers" style logo?
Ferruccio on June 26, 2008 9:41 AM@Matt
SATs != IQ test. They are more of a knowledge test. There is some correlation, but you can't qualify for Mensa with a high SAT score. The whole concept of an IQ test is that it's supposed to be something you can't study for (although you can). It's supposed to be something you either have or don't.
@Peter. Do thieves have "street smarts"? Is that the "cleverness" attribute?
Jeff Davis on June 26, 2008 9:49 AMFrom the UI of the page, it looks to me like we should be viewing the "Calendar" in the "Event" category. Not resetting the password.
MattH on June 26, 2008 9:51 AMYes, hashing or encrypting in one form or another is a good start. The next, and I only read it once in all these comments, is to have a secondary authentication form. One of the type that asks a question only the user would know, such as "What is your first dog's nickname?" or "What was your next door neighbor's shoe size when you were in the second grade?" Totally random and only known by the user.
Even the responses should be encrypted.
And fix the menu. It's in the wrong spot.
And blue? Ugh. Make the whole web site dark red text on a black background with ample amounts of flashing magenta text. That should do it. Everyone knows that those colors are most appealing to readers! Or a bright yellow on white. Warm and fuzzy feelings start flowing then!
More tables and add about 2GB of uncompressed JavaScript! Those things would prevent a hacker. Or at least slow them down to where they would want to give up. Would that fall under physical security?
And the letter would actually be in an encrypted form that would reveal a formula that only a MENSA would be able to solve. And upon decryption, the card would self destruct in 30 seconds. The answer to the formula would be their password. (The answer would just end up being "42".)
John Baughman on June 26, 2008 9:53 AM@Peter: Dude, I totally already made that joke.
Adam on June 26, 2008 9:53 AM"The mistake is that the "Events" tab is chosen when you're on a "forgot password" form."
Maybe for a MENSAn, forgetting your password is an event...
blm on June 26, 2008 9:54 AM1. Jeff, this post seems kind of pointless. As you did point out yourself, there are many websites who make that mistake. Mensa site is very unlikely to have been created by Mensians.
2. People who write about using a bot to brute-force farm this form for member e-mails: try estimating the number of tries required to brute-force a string of 10+ characters and the time those tries would take.
3. People who write about using the form to spam someone whose e-mail address you already know: if you know someone's e-mail address you can spam them much more effectively by using any scripting language, or any e-mail client for that matter. Hint: use different from addresses and subjects.
While I understand that some people like to make fun of people who are "supposed" to be intelligent, some of you are acting really silly.
Pies on June 26, 2008 9:58 AMThe reason the Events tab is highlighted in the screen shot is because if you click on Events, then Calendar, you get an error that says "The page you have attempted to access is restricted to current members.".
From there you can get your current password mailed to you, all while still trying to view the events, so I don't see that as an error.
I feel the error is sending your current password in an email. They should send a link out to you that can be used to reset your password, or at the least a link to retrieve your password over a secure connection.
Tom on June 26, 2008 10:03 AMPlain text passwords
No ssl enforcement
Nice harvesting target
Mensa uses cold fusion?
BTW, I think intelligent people have nothing else in common. This makes joining Mensa just as pointless as joining a society of people that share your blood type.
Pies on June 26, 2008 10:07 AMGood news! All who have picked apart the design of this fictitious password request form have passed Mensa's new test for membership -- congratulations to all of you astute coders!
Please watch your mail for your membership IDs, passwords, and billings for membership dues. Welcome!
Brendan on June 26, 2008 10:12 AMTwo fallacies:
1. Being MENSA-eligible (having a high IQ) != good with computers. I know some amazing-smart people whose skills lie in other areas (either due to lack of opportunity or lack of interest).
2. Being MENSA-eligible doesn't mean they hired a MENSA member to build their website.
Allen on June 26, 2008 10:15 AMYou're screwed if you change your email address.
Mark on June 26, 2008 10:24 AMwhy would they have ur pw on file (and, presumably all ur other info) but not ur email addy? that is stupid
not hello on June 26, 2008 10:30 AMOn the point about using the form to farm e-mails, it's actually not the same as trying to brute-force a 10-character string, because (a) the pool of TLDs and even full server addresses is limited and well-known, and (b) there are billions of possible "right" answers, not just one.
However... if you refuse to inform users when an action they attempted has failed, then your service is unusable. You don't have to tell them WHY it failed (i.e. "user name and password do not match" for any login error), but telling them "an e-mail has been sent with instructions on how to reset your password... or maybe not, haha sucker!" just doesn't inspire a lot of confidence.
Even if you opt for the most secure five-question system, you still have to look up the questions based on a user ID/e-mail address. There's no way not to validate the e-mail address. It's easier just to restrict usage of the form, i.e. don't allow the same IP more than 5 attempts in half an hour. Good luck trying to farm e-mails at a rate of 0.003 guesses per second.
Aaron G on June 26, 2008 10:35 AMIf your 'primary' email is no longer valid, because you changed ISPs, you would never receive your password, and thus have lost your account and would need to re-register. I made that mistake, when linking a number of sites to my xxxxxx@att.net and switched to Verizon. Ouch. Lost a number of similar log-in/notification.
so...am I right, or what's the answer?
bishop brady on June 26, 2008 10:38 AMIs the gotcha here the fact that if you have a lifetime membership, you won't necessarily have told them what your email address is? How do you let them have the email address if they don't have it?
Perhaps we're over-analysing. Wood, trees, etc.
ColinYounger on June 26, 2008 10:40 AMI haven't read all the comments, so if someone has mentioned this already consider this a second motion.
One doesn't seem to need a password to access any page of the site. I clicked on every link and was never asked for a password nor refused access to the page.
Cyrious Garnetski on June 26, 2008 10:47 AMJeff, it is disappointing that you have to resort to censorship to defend your views on your own blog.
BugFree on June 26, 2008 10:49 AM@Pies "As you did point out yourself, there are many websites who make that mistake. Mensa site is very unlikely to have been created by Mensians."
Yes but Mensa members use it, and so should have complained that it is badly designed, and so it should have been fixed by now ....
Having said that to be a member of Mensa just means you are good at IQ tests, you are not intelligent, smart, wise, skilled, knowledgeable, clever.... just good at IQ tests! This is an ability that is more common in people who are intelligent but does not mean you are ...
I have yet to see an IQ test that does not make language, cultural, or conventional mathematical/numerical assumptions ...
you do know what MENSA means in Spanish, don't you?
Eber Irigoyen on June 26, 2008 10:52 AM@Jeff Davis:
JD> SATs != IQ test. They are more of a knowledge test.
Nowadays, yes. But until 1994, it was quite different, similar to what is now just the "Reasoning" part. Back then, SAT scores correlated very well with IQ. Mensa does accept SAT scores from those years. See:
Dave Aronson on June 26, 2008 10:53 AMLeft of the textbox it reads: "please enter your email address".
That's WRONG because only if you read the text below the box you would know that you have to enter your PRIMARY email address.
It is possible that this is actually cleverer (pretty sure that's a word) than we thought. See, this might only work before you've *ever* logged in. That means your profile is free of any sensitive data. Once you've logged in for the first time, you'd get a different option. (i.e. there'd be a "Forgot my Password" and a "Never got my Password" option, after all, you didn't forget it)
This would neatly solve the issue of someone hunting down the letter, after pressing that button, and then trying to log in using the letter. Also, it would prevent someone from pressing the button without your knowledge, and thus invalidating the password in the letter you received.
Granted this is a problem that needs no solution, but it's MENSA, an organisation devoted solely to showing off. They're exactly the type of people to complain "I didn't forget it, I never received it" for 1000 lines of single spaced text.
Pffft!! Mensa webmasters just look at the password hash they keep, and figures out your password in a minute. No need to worry.
Peterh on June 26, 2008 11:47 AM@Jeff Davis
As Dave Aronson just pointed out, prior to 1994 those kinds of tests did qualify. And since I took mine in 1989 or 1990, can't remember exactly, I do qualify.
Matt on June 26, 2008 11:47 AM@Pies
"BTW, I think intelligent people have nothing else in common. This makes joining Mensa just as pointless as joining a society of people that share your blood type."
You mean you haven't?
Go Fightin' O-Negs!
@BugFree
"Jeff, it is disappointing that you have to resort to censorship to defend your views on your own blog."
What did he censor?
This is a way for Mensa to weed out the non-genius people. If you forgot your password, you are permanently barred from the group.
Of course, some devious Mensan could type in another Mensan's email.
Oh, well. No one's perfect (this from a nonMensian).
Yesterday I got registered in a web forum (phpBB) that sent me the following message by email:
[...]
Your account information is as follows:
----------------------------
Username: rbonvall
Password: <my-plain-text-password>
----------------------------
Please do not forget your password as it has been encrypted in our database and we cannot retrieve it for you.
[...]
Yeah, it makes me feel a lot safer that they encrypt the password that they've sent me in plain text by email.
Roberto Bonvallet on June 26, 2008 12:01 PMJust search for a known member of MENSA with a website... With a bit of luck you might have directly his/her mail address. Or maybe just try with several combination with his name, first name and birth date, because he/she might have a gmail, yahoo or hotmail account.
Alex on June 26, 2008 12:10 PM
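The phpBB mail Roberto quotes above calls the stored password "encrypted" while mailing it back in the clear; Mark Tiefenbruck's four-step retrieval flow earlier in the thread (per-account salted hash, mail a link rather than a password, force a new password) describes the defensible alternative, and Aaron G's "5 attempts in half an hour" limit answers the e-mail farming worry. The Python below is an added example, not code from any commenter, from Mensa or from phpBB. It differs from Mark's step 3 in one deliberate way: the mailed link carries a random single-use token, stored only as its SHA-256 digest with an expiry, rather than the password hash, so the link reveals nothing about the stored credential. The dicts standing in for database tables, the `outbox` list standing in for a mail server, the `example.invalid` host and every function name are assumptions of the example.

```python
"""Password reset without a recoverable password (added example)."""
import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict
from typing import Optional

PBKDF2_ROUNDS = 200_000          # work factor for the stored password hash
TOKEN_TTL_SECONDS = 24 * 3600    # lifetime of a mailed reset link
MAX_RESET_REQUESTS = 5           # Aaron G: "5 attempts in half an hour"
RESET_WINDOW_SECONDS = 30 * 60

# Constructed stand-ins for database tables and the mail server.
users = {}                      # email -> {"salt": bytes, "hash": bytes}
reset_tokens = {}               # sha256(token) -> {"email": str, "expires": float}
attempts = defaultdict(list)    # client IP -> timestamps of reset requests
outbox = []                     # (recipient, reset link) pairs that were "sent"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the original password cannot be recovered from it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def register(email: str, password: str) -> None:
    """Store only a per-account random salt and the derived hash (Mark T. step 1)."""
    salt = os.urandom(16)
    users[email] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(email: str, password: str) -> bool:
    """Login check: recompute the hash and compare in constant time."""
    rec = users.get(email)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def _rate_limited(ip: str, now: float) -> bool:
    """Allow at most MAX_RESET_REQUESTS reset requests per IP per window."""
    recent = [t for t in attempts[ip] if now - t < RESET_WINDOW_SECONDS]
    attempts[ip] = recent
    if len(recent) >= MAX_RESET_REQUESTS:
        return True
    recent.append(now)
    return False


def request_reset(email: str, ip: str, now: Optional[float] = None) -> str:
    """Handler for the 'forgot password' form.

    The reply is identical whether or not the address is registered (Mark T.
    step 2), so the form cannot confirm who is a member. Nothing about the
    password is mailed; only a random link is (step 3, with a token instead
    of the hash).
    """
    now = time.time() if now is None else now
    if _rate_limited(ip, now):
        return "Too many requests; try again later."
    if email in users:
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()   # keep only the digest
        reset_tokens[key] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
        # example.invalid is a placeholder host, not a real site
        outbox.append((email, f"https://example.invalid/reset?token={token}"))
    return "If that address is registered, a reset link has been sent."


def redeem_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Landing page for the mailed link: works once, expires, and the user
    picks the new password here (Mark T. step 4). Returns True on success."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).digest()
    rec = reset_tokens.pop(key, None)   # pop: a link can never be reused
    if rec is None or now > rec["expires"]:
        return False
    register(rec["email"], new_password)   # fresh salt and hash; the old one is gone
    return True
```

The identical reply for known and unknown addresses is what stops the form from confirming membership, and the per-IP limit, rather than a truthful error message, is what makes farming impractical, which is Aaron G's point. Because only a digest of each token is stored, a copy of the `reset_tokens` table does not yield working links, and because `redeem_reset` pops the entry, a link intercepted after use is worthless.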
Just on the off chance that anyone coding a web site anytime in the future might read down this far:
HOW WELL YOU SECURE YOUR PASSWORDS AFFECTS MORE THAN JUST YOUR SITE.
I don't care if your site does nothing but display a dancing orangutan after logging in. If you are not protecting your users' passwords then you are committing a gross public disservice.
Like it or not, most users re-use their passwords, so a breach of security on your site will affect that user on every other site they log into as well.
As a public service: put the $100 lock on your $10 bike. It's not the bike you are saving, but the combination of the lock.
How do I change my email address if I have no access to the old email address?
Alex on June 26, 2008 12:22 PMNugget learned today: my SAT score from 1990 qualifies me for Mensa membership. So did my PSAT from the previous year, if memory serves. My God, I never suspected their standards were so low!
Okay, here are two reasons that I could find:
1. We desperately want to avoid visiting websites that are a "Walled Garden."
http://www.codinghorror.com/blog/archives/000898.html
2. Access to "Calendar Events" from January 30, 2004 - March 6, 2009, can be viewed without login via Google?
erik9000 on June 26, 2008 12:35 PMIf you have access to someone's mail, you have access to so many other member sites like this. social engineering. it is like crack one get one free.
Prakash on June 26, 2008 12:43 PMJust to throw some fun facts into the mix...
American MENSA has a full-time webmaster/developer on permanent staff, plus an assistant. He is not a member; they do not permit members to be on the national office staff. The web developers in MENSA and the technologically proficient members are constantly criticizing the pathetic excuse for a website. By and large, the vast majority of members don't even use it, and with good reason. The members-only web forum is much worse than the public pages. This is also why most of the MENSA special interest groups (SIGs) and local chapter communications are still using private Yahoo Groups. I can't believe this is someone's full-time job.
Oh, and in an astounding display of stupidity, your login for the MENSA members only sections is your MENSA membership number (the user's email address can be used to login, IF one is already specified in their profile, but the membership number always works as your login ID). The membership numbers are formulaic. Your password is initially generated by MENSA, then on first login you are prompted to change it to your own password. You can change your registered email address and your password from your member profile.
But hey, if you've got comments on their work, here's the contact info from the MENSA Contact page:
LeftHere on June 26, 2008 12:57 PMForget MENSA, *MySpace* does the same thing!
Xianhang Zhang on June 26, 2008 1:01 PMTo "Mark Tiefenbruck":
...
"3. Generate a link containing the hash and some other information needed to log in. DO NOT generate a new password; otherwise, knowledge of a user's account name and e-mail address can be used by others to harass the user (or even deny him service if he's lost control of or access to his registered e-mail account)."
I would only send a link with a generated random GUID. Only when this link is clicked could a new password be created on the landing page.
The link is only allowed to work once.
And only once in 24 hours such a mail could be generated.
ps: i feel jeff doesn't have a clue what's wrong there, but he wants us to give him ideas for his latest project for cheap :-)
titrat on June 26, 2008 1:04 PMHaven't posted here an a while, but...
Isn't it possible that the email some random 'new' password?
Well, I guess you tested for that. Either way, that isn't so obvious based on the screen shot. It could be that they just have the wrong verbiage on the button
CptBongue on June 26, 2008 1:06 PMI am going to create a site that requires a username and password - and I will not only store that info in clear text, I will make all passwords accessible to everyone. I am going to use ColdFusion. I will use a hash on user profile create/update for the view.
You've all made me very angry pretending that these things matter so much. When in reality - anyone using the same password for such things as their financial matters, personal email, as they do on "facebook" - in my opinion, deserves to be shamed.
Take the advice of our host and use passphrases instead - and if you have an account on Mensa - I would suggest using the following phrase: User Not Found.
Kwan on June 26, 2008 1:16 PMI dont see any mistake. I think the mistake is this post.
Nikos on June 26, 2008 1:25 PMEven the "smart" people of MENSA will take advantage of CardSpace...it's not only for mere mortals ñ_ñ
Nikes on June 26, 2008 1:37 PMYou can get to the page in Jeff's screenshot by going to:
http://www.us.mensa.org//AM/Template.cfm?Section=Home
click Events
click Calendar
click the "click here" to log in (since it asks for log-in)
click "forgot password" on the login page.
see that the Event tab is highlighted? And in the sidebar Event and Calendar are bolded, just like in his screenshot.
As to what is wrong with this page. All assumptions about unencrypted passwords are not supported by concrete evidence. Unless you can show an email from them with a plain text password, you don't really know. You can't prove it. So let's not go down that path.
I am very curious to know what is wrong with this page. Sometimes, it's better to admit we don't know if we can't support our answer with absolute concrete evidence.
ns on June 26, 2008 1:38 PM@df5, the grammar policeman. I think your time is better spent tracking down Bob Kaufman. He must be somewhere with Carmen Diego.
BugFree on June 26, 2008 1:50 PMSO what is the answer?
TOM CRUISE on June 26, 2008 1:55 PMAmerican MENSA
Oxymoron ?
@Jeff Atwood,
I am not quite sure why you picked this particular topic today. If it is really because of how Mensa goes about treating its members' passwords.... well, it is not that interesting. However, if you posted this blog to get a bunch of your readers to poke fun at Mensa, then, my friend, you have done well.
A society of people who can do well at certain kind of standardized tests .... yes, they are asking to be ridiculed. On top of it all, there is actually a membership fee. What? Being a brilliant test taker is not enough? I say Roland Berrill and Dr. Lancelot Ware were a couple of hustlers.
@Luke
Making fools of ourselves by making fun of an organization rather a society of brilliant test takers? No.
Igore on June 26, 2008 2:02 PMApparently there are a lot of people here who are bitter about not being able to get into Mensa :P
Mattkins on June 26, 2008 2:10 PM@james
Hey now, there are plenty of brilliant test takers in America.
Igore on June 26, 2008 2:11 PMWhat if you're an American Mensa member and you have changed your mail provider since you registered with them 6 years ago ? No way to get your password !
Hey, I was billx@bigcorp.com and I'm now billx@hotmail.com, don't you remember me ?? I scored 212 back then... Hey ? Help !
They should provide a "Forgot your email ?" button, I think.
Sylvain Rodrigue on June 26, 2008 2:12 PM@Mattkins
Yes, lots of bitter people!
This blog entry can't be serious. Being a member of Mensa doesn't mean you excel in everything. OMG, there are some Mensa members out there who can't code a website! Who knows if the person who made the website is a Mensa member? I'll shut up know and get a life.
justbrowsing on June 26, 2008 2:17 PMknow->now.
As you can see, I'm not a member of Mensa either. But I'm not bitter!
Jeff,
a) nowadays it is common usage to strongly encrypt passwords and optionally email addresses in the database.
b) for password-remembering processes it is common usage (also nowadays) to check a security question, then send a temporary link for password resetting.
c) this kind of architecture seems not to use sessions in user validation. Instead it seems to use some kind of Template/Section combination:
http://www.us.mensa.org/AM/Template.cfm?Section=Events&Template=Calendar.cfm
d) just checked gmail.com and they say they will send me instructions to my secondary email (which I never provided to them). Now it seems I have to wait 24h ! to have a security question available to me !!
http://mail.google.com/support/bin/answer.py?answer=46346
Teixi
Jaume Teixi on June 26, 2008 2:34 PM"Everyone seems to be missing what was blindingly obvious to me...
Know someones email address? Find out if they are in mensa....
Not particularly...... private.
So many websites are culprits of this.
Adam"
Err... the email only goes to the address, and we don't know enough to assume that the "send password" button gives any indication of success or not.
As for the encryption thing, I don't get it. To send the password you just decrypt it, being able to send it doesn't prove it isn't encrypted.
I don't see the problem here...
The design of the site is not co-MENSA-rate with the nature of the organization.
jmags on June 26, 2008 3:11 PM@Xianhang Zhang you beat me to it. I couldn't believe it when MySpace sent me my password when I went to recover it. I can't believe anybody is stupid enough to do that.
Eric Haskins on June 26, 2008 3:27 PMObviously we're all a bunch of stooopid high-IQ'd geeks, and no one have got a clue of what Jeff is trying to point out.
So, Jeff, could you please enlighten your follower's brains and tell us?
Thanks.
Rod.
Maybe I'm missing the point, but does MENSA hold your credit card details on file? Risk management:
- What personal information, valuable information, or otherwise does the MENSA site provide access to?
- Was the password provided by the member?
If the answers were "none" and "no", then resending the old password isn't as big an issue as made out here.
And no, OpenID is not some silver bullet. It has a whole set of new problems that as of today are still unsolved (see various articles at links.org for more information).
Blindly following The Security Book often results in usability nightmares (logging onto $MostOnlineBankingSystems, anyone?) and may exacerbate real problems by diverting the already overloaded programmer's attention.
Personally, even if the MENSA site has a forums facility, I wouldn't be using it to pass confidential information to my extra-marital lover, nor really care if someone sends a few spoof posts from my account (a quick email to the admins would sort that out).
But since I'm not smart enough to be a member of MENSA either, I guess I don't know. :)
David W on June 26, 2008 4:32 PMFor those people who are oblivious to the fact that people re-use their passwords (and LeftHere, 23 posts above, indicates that MENSA passwords are user-changeable and, thus, re-usable), I recommend the following article:
http://technet.microsoft.com/en-us/magazine/cc626076(TechNet.10).aspx
The whole article is interesting, but the part about different passwords for every site is somewhere around the middle.
David A. Lessnau on June 26, 2008 4:49 PMIt pays to consider the level of security in the context of what's being protected. Quite frankly, I could care less if any of many of the web sites I have accounts on were compromised. The password more often protects their interests, not mine. Of course, if the account is at all sensitive with membership information (as is likely the case here), there may be a problem.
Since you've sent readers on a wild goose chase by not explaining the problem that we should be discussing, I'll withhold any further comment. Depending on which can of worms you actually open on us in a later post, I'll be able to better elucidate in context.
Does this site have a virus? I can see telling people not to register with a site, but usually you tell others not to visit a site because it runs some type of exploit.
Joseph on June 26, 2008 5:37 PMSubmitted to: http://www.plaintextshame.com/
7753590 on June 26, 2008 5:50 PMErr.. They blather on and on. Why not just have a 'forgot my password' button? Oh, all the other stuff too.
Steve on June 26, 2008 5:57 PMThe web site, like everything else in the national office of American Mensa, Limited, is operated by paid staff who are not members.
Mind you, many of them could be members, were it not for a rule disallowing it. But they operate mostly with off-the-shelf software and limited staff and funding. Just like a lot of you.
I just wanted to comment on hashing passwords. When I first started in Web Development, when someone told me "we don't hash passwords", I would jump out of my seat and have a massive cry, but since then, I have changed my stance on the subject. People say "if someone gets a dump of your db, they know your password!!". There are a few things wrong with this statement:
1: Why the hell do they have a dump of the database! If they can get access to your db, you already have a serious issue. A plain text password would be the last thing you need to worry about.
2: Why the hell do they have a dump of the database! Yes I know this was point 1, but still.....
3: Now that they have said database, wouldn't the other information be more valuable to them, not just their passwords? Depending on the site, wouldn't someone's email be more valuable (as a spammer) than someone's password?
Don't get me wrong, in some situations, hashing a password needs to happen. But by reading some of the posts above, some of you are insinuating that it is something set in stone and you shouldn't otherwise.
Keith
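What the two sides of this argument are actually disputing is what a dumped row hands to whoever holds it. The following is an added Python example, not code from this page or from the Mensa site, with a constructed in-memory users table standing in for the database; the 200,000-iteration PBKDF2 work factor is an assumption. It shows the "just hash it" shortcut (unsalted SHA-256), the salted one-way scheme other commenters describe, and the login check that needs no decryption.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 200_000   # assumed PBKDF2 work factor; tune to the server's hardware


@dataclass
class StoredCredential:
    """One row of a constructed users table: login, per-user salt, derived hash."""
    email: str
    salt: bytes
    pw_hash: bytes


def unsalted_hash(password: str) -> bytes:
    """Plain SHA-256 with no salt: what a 'just hash it' shortcut produces."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: deterministic for a given (password, salt), one-way."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_credential(email: str, password: str) -> StoredCredential:
    """Create the row for a new member with a fresh random salt.

    The password itself is never kept, so there is nothing a
    'forgot your password' page could mail back.
    """
    salt = os.urandom(16)
    return StoredCredential(email, salt, hash_password(password, salt))


def verify_password(row: StoredCredential, candidate: str) -> bool:
    """Login check: rerun the same derivation and compare in constant time."""
    return hmac.compare_digest(row.pw_hash, hash_password(candidate, row.salt))


def duplicates_visible(hashes: list[bytes]) -> bool:
    """Would a database dump show that two members chose the same password?

    With unsalted hashes it would; with a per-user salt the same password
    produces unrelated hashes, so the dump cannot even reveal that match.
    """
    return len(hashes) != len(set(hashes))
```

The point for the thread: the dump still contains e-mail addresses and everything else Keith lists, but the column that would let someone try those members' reused passwords elsewhere is not there.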
You've got it all wrong. MENSA folks are supposed to be really smart.
This insecure password recover system is how they punish the more mentally challenged members that managed to sneak in :p
zhinker on June 26, 2008 6:39 PM'Forgot your password' page still under Events tab..
Fariq Izwan on June 26, 2008 7:18 PMThere is nothing implicitly wrong with that page.
Rip Rowan on June 26, 2008 7:22 PMClearly this is a honeypot web site, the real intelligentsia meets in secret.
Jes5199 on June 26, 2008 7:32 PMKeith P:
Again, it's not about the data on your site. It's about the data on all the other sites the person frequents and which (statistically) likely use the same password as the one you just gave to identity thieves.
The entire world does not revolve around your solitary web site.
Tom Dibble on June 26, 2008 7:48 PMwhy am i still subscribed to this feed.. *blerg*
perlguy on June 26, 2008 8:39 PMI just had a quick look at their site. What is there that needs to be protected except, perhaps, their list of members.
The biggest problem is that it needs a password at all.
Richard on June 26, 2008 8:44 PMFrom the Xml angle bracket tax to this? I can't be bothered reading anymore inane comments. Jeff just post the answer please.
For all the salty hash responses, get a life and go off and write (or read) a real article that says what best practices are. Too much rhetoric without real communication being made.
Oh, and not every website needs to be fort knox. What per-se does the Mensa website do except maybe allow you to read some member-only pages? What damage can be done when it's lost? Like all those crap bulletin boards that require multi-level authentication because car discussion websites are like soooo critical.
As many others write, if someone can read your plaintext OR hashed passwords direct from the db, you're already in trouble.
TerrysChocolate on June 26, 2008 8:52 PMSame as everyone else, plus:
- they will confirm if you provide a valid email, allowing you to find which email addresses are already in the system
- they send your password through snail-mail, and you might not have received it by the time you hit this page. Why wait for snail-mail? How do you avoid someone taking the letter out of your mail box and discovering your password?
- they ask for your 'primary email address' rather than the email address you registered with.
matt on June 26, 2008 8:52 PMDear Jeff -- Why can't all you fancy programmers understand that sometimes really dumb security practices are perfectly fine! I mean, it's not like everything's networked this day and age. Or that technical skills are distributed amongst millions of people. Or like the internet even matters! And heck, why you gotta hate so much on web designers? Why you gotta expect that good web designing is part of what they know how to do? They're just people! That's like expecting waiters to bring your food to you warm or cooks not to spit in your food. They're people, after all! Cut them some slack!! Jeez so anal retentive. The future's up to you, so whatchoo gonna do?!
Shmork on June 26, 2008 9:21 PMFUN WEEKEND CODING TASK
(gotta keep pushing the envelope!)
Write a program that will gather e-mail addresses of MENSA members! At the same time, annoy and alert them -- by the same mechanism by which you have learned their e-mail address -- to the downsides of a system that tells you when you've entered in a valid address! Imagine the tingle of unhappiness they'll feel as they are informed that someone tried to reset their password -- which will then be displayed in their e-mail! Visualize the shudder they'll feel when they see that forbidden, secret word written out in something other than stars! Yes!
Then, sell the addresses to spammers! Everybody loves a targeted audience! Yaay!
Shmork on June 26, 2008 9:30 PMThey send you the current password that has been assigned to you on the membership materials. And the first thing you have to do when you log on is to change that password.
I suspect the password itself is not stored anywhere, but rather a hash generated by possibly one's birthdate, membership number, or other information.
There's nothing on the site particularly sensitive or secret -- I suspect the restriction is to keep snoopers and data miners out.
Joe
(Mensa member)
As some people mentioned, it is bad to store the password in a retrievable way. But as other people mentioned, it is also bad to store email addresses that can be easily found by hackers.
Mensa solved both problems this way: The email (used as login only) is not stored, the password is encrypted (with, say, AES) with the email address as key. That way, if some hacker got access to the database, he/she neither has access to the passwords, nor to the email addresses!
The flip side of the coin is that you can never send announcements to your members, since you do not store their email addresses. (Well you can, at the moment they login.) And you need to check the login email address against every stored (encrypted) password.
Why do people assume that just because there is a prompt for the PW to be sent, it is stored un-encrypted?
Steve on June 26, 2008 11:43 PM@Kwan
"You've all made me very angry pretending that these things matter so much. When in reality - anyone using the same password for such things as their financial matters, personal email, as they do on "facebook" - in my opinion, deserves to be shamed."
For shamed, read Robbed. And for anyone, read innocent people who don't happen to know some minor details about cryptography, or don't have the time or patience to remember 18 selected phrases and match them to their appropriate websites. For example, my grandfather does not have time for that s**t.
Here's a hint Mr. Genius, unless you can build your own bathroom, run your own businesses, grow and cook your own food (and Pot Noodle doesn't count), and all the millions of other things you rely on other people for during your daily life, you're not allowed to write off millions of people just because they don't share your stupid obsessions. And even if you can, it's a bit of a d**k comment.
Tom on June 26, 2008 11:49 PMActual forgot-password page: https://www.us.mensa.org/AM/Template.cfm?Section=Login&Template=Security/NoPassword.cfm
Actual events page:
http://www.us.mensa.org/AM/Template.cfm?Section=Events1
The blog author's page:
https://www.us.mensa.org/AM/Template.cfm?Section=Calendar&Template=Security/NoPassword.cfm
Apart from not hashing passwords or other strictly technical problems, am I the only one who finds it at least _strange_ that the form for lost passwords is under the Events -> Calendar submenu?
_martind on June 27, 2008 1:03 AMIf you can't figure out by yourself that they won't be able to send your password if the e-mail address you enter is not on file, you certainly don't belong in Mensa.
Lars Christensen on June 27, 2008 2:06 AMVery clever ....
Thejesh GN on June 27, 2008 2:10 AM"I was about to add password retrieval functionality to my app. Is it normal practice to use an extra password field to store the temporary password. I don't want to destroy their original password because then someone could keep screwing them over by resetting the password constantly."
~Joe Beam
Here's a pretty good explanation of how to do it: http://blog.moertel.com/articles/2007/02/09/dont-let-password-recovery-keep-you-from-protecting-your-users
The comments there are also pretty useful, they give some alternatives.
[ICR] on June 27, 2008 2:17 AMI don't see the problem. Security needs to be based on the information you are trying to secure.
Check out:
"A man posted outside a London subway station at rush hour offered a chocolate bar to random passers-by if they would reveal the password they used to log on to the Internet. Amazingly, more than 7 out of 10 took the offer."
...so do you want me to point out where the security hole is?
btw: "orange"? ...maybe you should look at your own house before criticizing others - if that is your intention. Development resources are in short supply. ...can't do everything.
Toby on June 27, 2008 2:20 AMAnyone can reset the password without the knowledge of the original user, if you know his Email ID.
Ponmalar on June 27, 2008 2:37 AMWell,
I'm not a Mensa member and I don't know or care whether they'd have me, but you guys are assuming the wrong things. Intelligence does not assume knowledge, it's about problem solving skills. Mensa solved the problem of not having a web presence by hiring an external company to build their website and that's just business as usual.
And I can't get over the stupidity that seemingly everyone who is knowledgeable about some subject so easily assumes that what seems logical to them would also be logical to amateurs and interns.
If someone can't accept that not everybody knows what you know then I don't think they're all that smart.
Just my two cents.
Kris on June 27, 2008 2:55 AM@Toby - The purpose of a CAPTCHA isn't security, it's to deter spam.
Ben on June 27, 2008 3:11 AM"If someone can't accept that not everybody knows what you know then I don't think they're all that smart."
The counter argument is that it should be fairly obvious that if they can send your current password to you, then anyone with access to their system can gain access to that password. And the argument isn't that MENSA should be above such idiocy, but that the company they hired sure as hell should.
Tom on June 27, 2008 3:28 AMWho knows that you won't make a typo, and end up waiting for an email that will never arrive.
Yousef Omar on June 27, 2008 3:33 AM@Toby:
From your link; "It was hardly scientific; only 172 people were polled, and it was not verified that people were offering up an actual password"
I think the NYT may have underestimated my countrymen's innate willingness to make stuff up in exchange for chocolate.
Incidentally, my internet password is "wangdoodlyboodle" if anyone wants to send me some Twixes. The address is 7 Palm Island, Freisland, East Dulwich, PS2 BXB. And my real name's Jock McSock.
Tom on June 27, 2008 3:39 AMThe "security threat" is a distraction. The real problem is navigational and organization of information.
Starting from the main page, if you go to "Events", and click "Calendar", you will be greeted by a message saying that this is a page restricted to members, and you need to log in to be able to access it. You then click to the link provided, where you will meet "Forgot you password?" link, which will bring you to the page shown here. The problem is, the content of the page is now different from the navigational information, which is still stuck in "Events > Calendar".
One more thing, I must say that I hate the main tabs at the top: "Join", "Events", "Games", "Groups", "Marketplace", "Members", "Programs", "Publications". What is this website supposed to do for me (I mean, if I WERE a member)? What is the central theme of the site? Why do "Games" and "Marketplace" need to be at the most prominent spots? You'd be thinking, "I thought Mensa is something more serious ..."
PS: I got nothing against Mensa. I don't want to start a confrontation against high-IQ people. :-)
@Hari S:
I'm not sure what your post was supposed to mean, but by using the word "actual" you seem to infer that Jeff's screenshot was not real--it is.
Which item across the top is highlighted is dependent on what you were trying to access when it realized that you needed to be signed in order to see the content (e.g. click "Events", then "Calendar", then "Click Here", and finally "Forgot your password").
i think the 'sending out a password as plaintext is a bad thing' argument is overblown.
storing passwords as plaintext, though - bad.
just ask Reddit.
Peter on June 27, 2008 5:19 AM@Toby:
"btw: "orange"? ...maybe you should look at your own house before criticizing others - if that is your intention. Development resources are in short supply. ...cant do everything."
While I understand the logic of this Pot-Kettle statement, there's a substantial difference between one security shortcut and the other.
A bad Captcha for anonymous posting puts JEFF at risk (and our eyes) of spam posts. A bad user security scheme puts the USERS at risk (see previous comments on common passwords across sites). As a user, I know which one I'm more concerned about.
Madball on June 27, 2008 5:21 AMSomething I haven't see mentioned yet is that you can tell who is and who isn't in Mensa just by trying e-mail addresses.
That is another security vulnerability quite separate to the lack of password hashing.
Simon
Simon on June 27, 2008 5:32 AMThe AMERICAN mensa. Not the British, Indian, Australian or even Finnish mensa, but THE AMERICAN mensa.
Sorry, could not resist. I only mean that as a joke about how everything is AMERICAN or national for you. In the rest of the world we assume the thing is ours unless country is specified or try to get other countries to join in (e.g. NASA ESA).
Bloodboiler on June 27, 2008 5:45 AMMan, I really hate web sites storing my passwords in plaintext and sending it to me in an email. I do not understand why there are so many of them ...
Thomas Einwaller on June 27, 2008 6:14 AMApart from the fact they may or may not have hashed/encrypted the values in the DB, and that they would be better not sending the current password as people use the same password for everything, I can only see one major issue.
You can type in someone's email address and find out if it is registered on mensa. I.e. you can find out all the email addresses on the mensa systems, if you can be bothered.
Either that's it, or I'm missing something!
Badbod on June 27, 2008 6:21 AM@Bloodboiler:
Sigh. If you're going to do knee-jerk anti-American, at least make it valid.
"Australian Mensa": http://www.mensa.org.au/
"Mensa India": http://www.indianmensa.org/
"British Mensa": http://www.mensa.org.uk/
"Suomen Mensa" (Finnish Mensa): http://www.mensa.fi/
They mailed your credentials through the usps. That's bad enough, but they've made it public awareness, and instructed anyone who might want access to your account to search for a letter from Mensa or just get your membership card.
Never mind that people lose their wallets all the time, having login instructions with credentials nicely gathered together on an official membership card is amazing.
Why don't the banks just go ahead and publish your PIN on your debit and credit cards?
Scot McPherson on June 27, 2008 6:37 AMMadball, you should read the past blog about captcha and orange. You might then know why.
Scot McPherson on June 27, 2008 6:57 AMMy boss forbids us from hashing passwords. He demands plaintext "forgot your password" emails like the article complains about. We aren't allowed to generate a new temp password, we aren't allowed to revoke the old one on login. I used to think that all we had to do was outlast the PHB in the world, but he's younger than me.
Peter on June 27, 2008 7:03 AMIt's Mensa. They send you the password in some ridiculously difficult cryptographic form.
Joe on June 27, 2008 7:48 AMThis entire blog posting plus comments was worth it for the Cleric/Wizard Intelligence/Wisdom jokes.
bothwell on June 27, 2008 8:34 AM# The right method
# * Send an email that has a confirmation link
# * Open the email and the link
# * Reset the password and give new temp password
But, how to prevent a hacker from listening on the wire to get the link, and following the link to get the password?
Morgan Cheng on June 27, 2008 8:40 AMLow security is acceptable for low risk sites. This isn't a bank. Tread carefully through the web and you won't get hurt.
A blog post without a comment from Jeff..
Where did you go? Aren't you going to post on everyone's comments?? :)
Oh, you're probably going to do another blog post about it. It's just weird not seeing a comment from you at all.
Scott on June 27, 2008 9:17 AMI don't think it's a matter of whether a site is "low risk" or "high risk". As the developer you have a responsibility to protect your users' information as best you can, no matter how valuable that information may or may not be.
Crackerjack on June 27, 2008 9:23 AMMembership in Mensa is based on IQ, and as many others have pointed out - all those IQ points tend to shove everything else out of their brains. So, they can figure out what stupid little box is the next one in the pattern, but they can't seem to wrap their brains around taking a shower, or stopping at a red light...
Hello geniuses,
we put this crappy page up to give more meaning to the lives of those who used to flip burgers and now call themselves hard-core CSS developers.
And in case you did not know, once you login to Mensa, there is no log-out. There is no forgetting of your password.
Bokay?
Mensan
Mensa Developer on June 27, 2008 10:30 AMThis is obviously a fake screen shot. The real website doesn't need all the instructions and help text. The real site is a single textbox and a submit button. If you're in the club you already know what to do.
HB on June 27, 2008 11:12 AMMy answer:
http://en.newinstance.it/2008/06/27/the-passwords-hell/
Luigi R. Viggiano on June 27, 2008 11:18 AMIf they sent your information via snail-mail, that means you don't have an email registered with them. When you first login, they get more information from you. If you forget the password, it sends it to your email address. If you lose your card, there is no email address for the password to go to.
Tim on June 27, 2008 11:22 AM> Where did you go? Aren't you going to post on everyone's comments?? :)
I do read every comment. I'm trying to, y'know, write new blog entries, too! And work on stackoverflow.com!
Jeff Atwood on June 27, 2008 12:14 PMJeff, you are killing us! What the heck is wrong with this website?!?
Do you revel in making me check back every f'ing 15 minutes to see if you'd post the answer?
This is MENSA. Maybe they've generated the necessary rainbow tables and can therefore send you back your password, by looking up the hash in the rainbow tables. Or another completely different password that hashes to the same value.
Kibbee on June 27, 2008 12:35 PM@Gareth (Sorry if this is obvious...)
Actually, if you're storing passwords, you don't ever need to decrypt because you never need to know what the password actually is, you just need to know if it's exactly the same as the password that's provided.
Many people use a one-way encryption/hashing system that's impossible to get the original password from. As long as it's deterministic based on input, you can just compare the persisted encrypted password with the provided password (run through the same algorithm). If the output is the same, the input must have been the same.
Martin Cron on June 27, 2008 12:43 PMtitrat:
> I would only send a link with a generated random guid. Only when this
> link is clicked, a new password could be created on the landing-page.
> The link is only allowed to work once.
> And only once in 24 hours such a mail could be generated.
I've found that only allowing the link to work once leads to user annoyances. A lot of people double click on links in their e-mail and then complain that the link doesn't work. I don't think avoiding a replay attack is the biggest concern when the link is being sent in plaintext to begin with. The problem can be addressed by using security questions when forcing the user to change his password (and of course, don't let him do anything else first).
Mark Tiefenbruck on June 27, 2008 12:50 PM@[ICR]
thanks for the link.
I can just use a separate table for the recovery tokens.
Joe Beam on June 27, 2008 1:08 PMNot sure if anybody's mentioned this yet, but sending membership passwords to email addresses with no extra form of authentication, depends heavily on an email address never changing hands.
A decade ago when everybody was on AOL, a screen name could be used by someone else 6 months after the account owning it expired. Which means if someone joined mensa (with a lifetime membership) in 98 under a certain address, then bragged about it in a few forums, today you could probably sign up for that screen name on AOL (assuming they eventually let the account go, since millions of users have been jumping ship from AOL in the past couple years), put it in the "forgot password" field, and BAM! You're impersonating a member of MENSA.
Beyond AOL, you could probably Google for forums, mailing lists or blogs with mensa members who at the time had their own domains. Bulk Register the ones you come across in godaddy, set up catch-all emails, enter all the ones you found into the forgotten password page. Once you have login credentials, return your domains within 5 days for a refund (you still pay 20 cents per domain you did this for, but that's 50 domains for 10 bucks. Pretty cheap) Hell, change the passwords while you're at it.
That's the flaw. Just because you have a lifetime membership, doesn't mean you have a lifetime email. There's a huge security hole there.
"Why you'd desperately want to avoid using websites that make this mistake" pretty much amounts to dead-easy identity theft.
Alex on June 27, 2008 1:27 PM... or maybe the stuff waiting to be changed in the URL GET parameters?
matt on June 27, 2008 1:48 PMJeff, you're not smart enough to join Mensa?
Liron on June 27, 2008 2:06 PMYou forgot your password? :-)
Mensaturation on June 27, 2008 2:21 PMsoo... u just wanted to see how many people didn't get into mensa eh??
Lackey on June 27, 2008 2:38 PMI think you are all missing the point. It's Mensa (maybe should be Densa) but if they are all that smart they should never forget their passwords so this page is totally unnecessary! My wife is ex-mensa, says they are all narcissistic idiots.
I too think you are all missing the point. This is mainly a blog about the human factor, I guess the point is that almost everyone is bashing the site because it's a site of supposed smart people, of high IQ. I bet if it was a site of the national farmer's association you guys wouldn't have so many knee-jerk reactions :p
Haha, the navigator is wrong.
Why I am under "Event" when I reset my password?
Why most of you focus on the "hashing" of password? It should not be known for visitors of that website because it is the internal logic of that website.
-- by Aaron Law (aaronlaw at gmail dot com)
Aaron Law on June 29, 2008 6:35 AM
Why do some people assume that because a password is sent in an email that it's stored as clear text also in the database? It could have been decrypted from its encrypted form in the database then sent out.
I would assume the developer(s) who developed the site is not a Mensa member :) and the site wasn't analyzed by the members so don't label the members because of their site. It's just a club for some 'privileged' people. So big deal! Who cares about their passwords.
Abdu on June 29, 2008 2:06 PMThe mistake is clearly the "print this page" link. Everyone knows you should use print stylesheets instead.
Mr.'; Drop Database -- on June 29, 2008 3:47 PMJeff,
I'm actually a long time reader and usually agree with the content of your posts, if not always the conclusions you draw. I never usually bitch and moan about posts, but this is basically a troll post.
Asking a bunch of programmers to find a problem in a website and then not answering their question feels wrong. Apologies if your next blog post is covering this.
Caprem on June 29, 2008 4:58 PMThese people forget their passwords?!?
Ken on June 29, 2008 7:10 PM@The People Demanding An "Answer"
Do you really think this page has only one thing wrong with it? Depending on your viewpoint it could range from the terrible plaintext password system to the existence of MENSA as an institution. Why is Jeff's particular bugaboo important?
@Abdu"Why do some people assume that because a password is sent in an email that it's stored as clear text also in the database? It could have been decrypted from its encrypted form in the database then sent out."
Yes, but that means that if you have access to the database, it's relatively simple to break it using a technique like injecting multiple passwords for the same username, and "Dancing Menning" the system.
Using a one-way encryption scheme, you can't easily decrypt from the encrypted result, so even if you have the result, you can't get the username and password needed to plug other sites.
http://en.wikipedia.org/wiki/One-way_function
While this might not matter for this website, because of widespread password re-use, what you describe could allow MENSA admins access to their users' bank accounts, the holy grail of password cracking. At the very least, it could allow access to sites like Amazon and eBay.
Or am I totally wrong?
I get a sense of it now. There are a couple things.
1) Don't store my password. Store the hashed salt of it. When I provide you the password, hash it and then send it across from my browser to your server and use it to compare with the stored hash. I can manage my passwords. I do not expect you to save my passwords at your end.
2) When I forget the password, just reset it. Consider the following scenario:
I mistakenly leave my GMail logged in when I leave my desk for some work (and I forgot to lock my workstation). My cruel colleague has got access to my GMail and wants to know its password. (S)He logs into Mensa and clicks on 'Forgot Password'. (S)He gets an email with the original password. Apparently, since I am a human who forgets, I generally tend to keep the same or similar passwords for GMail, Mensa, and a host of other services. I know it is bad to have a single point of failure. I realize that. But many may not.
Once my cruel colleague has broken into my GMail account and I do not know it (he has conveniently deleted the password mail after receiving it), he can know all my passwords. Does not matter if they are of Mensa or my internet banking account.
Is it because this is supposed to be a society for people in the top 2%, but they don't even know how to spell realise?
Granted the standard American may not be able to understand how it is that the letter 'S' in a word can have a 'Z' sound - but members of the High IQ (even American) Society should be able to cope with it...
This is, of course, a joke - so you can all take your fingers off the button because someone said something that you didn't like...
Obviously, there are many issues with the site itself:
- They store your password in its entirety somewhere, rather than a hash
- They include your login details in every newsletter they send out to you
Probably many more, but by this point I would have realised (<- see) that I had typed .com instead of .co.uk and I woulda got the hell outta there ;o)
the error is that the first time they send out a password "safely" in a letter, while if you lose it they just send you an email... ?
Paolo on June 30, 2008 7:28 AMYour comments are hilarious. Too bad they aren't based on fact, and you spout off without knowing the facts.
I also wonder about the copyright violation here in duplication of a web page most likely without permission and the violation of the registered trademark.
@ Scot McPherson
"Madball, you should read the past blog about captcha and orange. You might then know why."
Why what? I was contrasting the degree of "sin" between Jeff's CAPTCHA and MENSA's user security methodology (or lack thereof). The MENSA sin is far greater IMHO and thus not a good comparison for "maybe you should look at your own house before criticizing others"
Why is everyone so keen on making fun of other developers? It sickens me, in a way. It's the kind of thing Jeff talks about *not doing*, then he posts something that kickstarts all this negativity.
Elmo Gallen on June 30, 2008 11:07 AM@Carl:
Check your Oxford English Dictionary, and you'll find that -ize is the preferred spelling in real (i.e. British) English.
Many people believe that this spelling is an Americanism, but in fact the use of -ise, while common and also acceptable, is an over-reaction to that belief.
The -ize suffix is based on the Greek construction often used for converting nouns and adjectives to verbs.
I entered "Webservices@americanmensa.org" and clicked send
"Your password has been sent to you via email."
Actually, we don't know if the password is stored in cleartext, encrypted somehow, or if clicking on the "Send me my Password" button sends an email to the administrator to look it up in a big notebook he keeps in his underwear drawer.
I guess it does point out that the password is not somehow encrypted in some sort of double sided one way hash or whatever, so that even the site itself doesn't know the password. Of course that makes it a bit difficult to compare your password to what you've sent it when you log in.
I also am not sure if resetting the password when you forget it is such a great idea. I can imagine someone putting in my email address, having my password reset, but because I wasn't the one who actually requested it I now don't know my password. Imagine if I changed my email address, but didn't update my personal information on the site. Someone puts my old email address in, and suddenly I can't log in because I don't know what the password was reset to. Sending a new reset request does me no good because it just goes to that now obsolete email address. I am now locked out of my account.
David W. on June 30, 2008 3:09 PMWow. Just... wow.
First, the article's question for those that didn't get it:
Yes, the obvious answer is that a recoverable password storage mechanism is typically a bad thing. That is most likely Jeff's point.
But so is sending full authentication details for an online service via postal mail. At the very least, I should be able to create my account online through a series of verification steps, rather than having it mailed to me. I mean, come on people... if you are going to don the tinfoil hat and worry about your MENSA account being hacked by someone dumber than you, shouldn't you also worry about your mail being compromised?
Only one or two others pointed that out. Even more amazing were the majority of responses that couldn't figure anything out, WOULDN'T figure anything out ("don't make me think"), or just wanted to take a swipe at the organization. Congrats... you look smarter now. I bet MENSA is knocking on your door as we speak to invite you to join based on such witty feedback. (Not aimed at everyone, but applicable to many.)
The fact is, the entire website login process for MENSA is awful, but so are the login processes for many other sites. There might be a bit of irony due to the fact that it is a MENSA site, but the Socratic irony of asking supposed web programmers about these flaws and reading the responses far outweighs any mistake that the site has made.
"Of course that makes it a bit difficult to compare your password to what you've sent it when you log in."
Yes, it's not like there's any algorithms to solve exactly that problem.
<a href="http://en.wikipedia.org/wiki/MD5">http://en.wikipedia.org/wiki/MD5</a>
"Someone puts my old email address in, and suddenly I can't log in because I don't know what the password was reset to. Sending a new reset request does me no good because it just goes to that now obsolete email address."
At which point you set up a new account, and if you're a good samaritan, e-mail the site to let them know there's a dead profile.
If the past data in that profile is important to you, then yes, there's a near-insoluble security problem, which can be solved only by carefully discussing with Amazon/eBay/Paypal how retarded what you just did was. But not half as big a problem as if someone got hold of your password(s) for those sites, which they would really, really like to do.
Which is why you should have a list of sites where this matters (e.g. any site where you buy things) and when you switch e-mail addresses, update your profile data immediately.
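The comment above that asks for a salted hash instead of a stored password and for a reset instead of a recovery, the reply that verifying a login against a stored hash is a solved problem, and the worry that a stranger submitting your address could lock you out all describe one flow. Here is that flow as a self-contained Python example, added here and not code from the Mensa site or from anyone in this thread. The PBKDF2 work factor, the token lifetime, the in-memory "table" and the sample account are assumptions of the example; PBKDF2-HMAC-SHA256 with a random per-user salt stands in for the MD5 the reply links to, because an unsalted fast hash is cheap to brute-force once the table leaks.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters for this example (not from the site or the thread).
PBKDF2_ITERATIONS = 600_000   # work factor for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60     # seconds a "forgot password" link stays valid


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Derive a key from the password. A fresh 16-byte random salt per user means two users
    with the same password get different stored values and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password: str, salt: bytes, stored_dk: bytes) -> bool:
    """Login check: re-derive with the stored salt and compare in constant time.
    The site never needs the password itself, only the ability to recompute this."""
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored_dk)


class UserStore:
    """Toy in-memory stand-in for the site's user table (assumption of the example).
    It holds salts, derived keys and, while a reset is pending, a hash of the reset token."""

    def __init__(self) -> None:
        self.users: dict[str, dict] = {}

    def register(self, email: str, password: str) -> None:
        salt, dk = hash_password(password)
        self.users[email] = {"salt": salt, "dk": dk, "reset": None}

    def login(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            hash_password(password, b"\x00" * 16)   # burn the same time for unknown accounts
            return False
        return verify_password(password, user["salt"], user["dk"])

    def request_reset(self, email: str, now: float | None = None) -> str | None:
        """'Forgot password' step. Mint a random single-use token and store only its hash.
        The current password keeps working until the token is actually used, so a stranger
        typing your address into the form cannot lock you out of your own account."""
        user = self.users.get(email)
        if user is None:
            return None   # the UI still says "if that address exists, we have emailed it"
        token = secrets.token_urlsafe(32)
        user["reset"] = {
            "token_hash": hashlib.sha256(token.encode("utf-8")).digest(),
            "expires": (time.time() if now is None else now) + RESET_TOKEN_TTL,
        }
        return token      # the only copy; it goes in the email, not in the database

    def complete_reset(self, email: str, token: str, new_password: str,
                       now: float | None = None) -> bool:
        """Link click: accept the token once, within its lifetime, then set the new password."""
        user = self.users.get(email)
        if user is None or user["reset"] is None:
            return False
        pending = user["reset"]
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        current = time.time() if now is None else now
        if current > pending["expires"] or not hmac.compare_digest(presented, pending["token_hash"]):
            return False
        user["reset"] = None                         # single use
        user["salt"], user["dk"] = hash_password(new_password)
        return True

    def dump(self) -> dict[str, dict[str, str]]:
        """What someone who copies the table gets: per-user salt and derived key, hex encoded.
        No password and no usable reset token is present."""
        return {email: {"salt": u["salt"].hex(), "dk": u["dk"].hex()}
                for email, u in self.users.items()}


if __name__ == "__main__":
    store = UserStore()
    store.register("member@example.org", "correct horse battery staple")   # constructed sample
    print("login ok:", store.login("member@example.org", "correct horse battery staple"))
    print("table dump:", store.dump())
    token = store.request_reset("member@example.org")
    print("old password still works while reset pending:",
          store.login("member@example.org", "correct horse battery staple"))
    print("reset accepted:", store.complete_reset("member@example.org", token, "new passphrase"))
    print("token reusable:", store.complete_reset("member@example.org", token, "again"))
```

Two design points worth noticing: the reset request only issues a token, so the lock-out scenario described above cannot happen unless the attacker also controls the mailbox, and the table stores a hash of the token rather than the token, so reading the database is not the same as holding a working reset link. A memory-hard function such as `hashlib.scrypt` or Argon2 could replace PBKDF2 here without changing the flow.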
@DavidR
Cool, I stand corrected, I didn't realise that - I like the way you referred to 'Real' English ;o)
I also thought the same about Aluminum, but it turns out I was wrong about that too, lol
Carl on July 1, 2008 2:13 AMAnd yeah, Mensa-ns should not have forgotten their password. Lol.
Syahid A. on July 1, 2008 5:34 AMI posted a corrected version of the password page....
http://i273.photobucket.com/albums/jj203/rdrunner74/mensa-forgot-password-form_fixed.png
Heiko Hatzfeld on July 1, 2008 5:49 AM@Heiko
LMAO - That's some good stuff there
HB on July 1, 2008 6:58 AMI think we are missing the point.
Mensa people are not very important here.
Obviously the site hasn't been done in the best way possible. This may be due to:
- a lack of knowledge of whoever has done it
- they just made the easiest thing for users
- they wanted to spend the least for doing it
What I think is more important is the fact that most users have no knowledge of any of the risks of a plain password sent by email.
I think there should be laws to force websites to handle passwords in certain ways, or to inform the user that the password is not dealt with in a safe way.
scienzia on July 1, 2008 8:22 AMI'm a little bit late with my comments but...
I see everybody likes only black or white and nobody cares about risk management.
What are the risks of compromising password database of this site?
I cannot see any. And I've seen comment here from a current MENSA member who doesn't care too.
Storing original passwords is very convenient for users.
And it does not make sense to hash passwords until it's really needed for some web site. Consider the case of Delta SkyMiles: when I forgot my password they sent me new password via REAL mail: it took 3+ weeks to reach me. I didn't care but they have this super-security anyway.
Still, I do agree, that most of the web sites out there do need password hashing: most of them are hosted somewhere and/or serviced by 3rd parties.
It features the very tacky "me my" language construct on a button?
Jesse on July 1, 2008 8:16 PMIn Spanish 'mensa' literally translates to 'dumb female'.
Just a FYI ;)
Ricardo C. on July 2, 2008 12:57 AMOne other problem (not already mentioned, I hope) is this form won't work if the email address they have on file is no longer active.
Adam Monsen on July 3, 2008 10:42 AMWow, what a waste of a post. For a blog that hopes to give insight to potential programmers, the insight is clearly lacking on this entry. Over a week now and no follow-up from the author, except "I do read every comment. I'm trying to, y'know, write new blog entries, too! And work on stackoverflow.com!" Kind of weird coming from the guy who says that the real value in the blog is the comments. Wouldn't it have been easier just to write the answer instead of "I'm too busy to answer"? Or maybe include the insight about the problem in the original post if following up was to be too much of a chore, and let everyone discuss that. There might have been a great lesson for me to learn, but I don't have time to wait for the answer anymore or wade through everyone's opinion of what you think the problem is.
Sorry Jeff, but I'm afraid your blog isn't adding the value it used to and is now becoming a waste of time for me... so it will be gone from my iGoogle page and out of sight. I don't mean that to be rude, but maybe as a reminder that your blog, which is now a gateway to your new business, needs to reflect what people want to learn (unlike this post which has become a cheeky tease). I first came across your blog from your post on RDP keyboard shortcuts (which has literally changed how I work) and stuck around for a while to see what you have to say. But recently I am finding more and more that your posts aren't changing anything I do, so I am going to stop.
Better luck with the next guy that finds your blog...
TB on July 3, 2008 11:24 PMI don't mean to sound rude, but the first commenter pretty much nailed it. I'm not sure what else I can add that the other 290+ comments don't already say. There's an older post where I explain it as well:
http://www.codinghorror.com/blog/archives/000953.html
Jeff Atwood on July 3, 2008 11:46 PMI didn't read all the comments (though I could have in a heartbeat, since I'm a Mensan ;)) but you may be wrong about storing the password in plaintext. In my country, and it may be different in the US, you don't choose your password, it's generated by a fancy algorithm, based on your name and membership ID.
It used to be that way some years ago, anyway.
Sylvain on July 4, 2008 1:01 PMNot hashed?! I've run into one other site that I found doing that, it was Mafia Matrix. Messy indeed.
Mr. Bunny on July 4, 2008 7:26 PMWhat I find disturbing is the number of developers that claim the customers made them do something completely insecure. This is the problem Civil Engineers have with Software Engineers using the word Engineer. Civil Engineers are held legally accountable for creating insecure, badly designed works. I can imagine what would happen if a customer went to a civil engineer and told them to make a major highway bridge out of Play-Doh because it would be cheaper and easier to replace. Simple answer, "no".
DarkOpz on July 7, 2008 7:33 PMthe people at MENSA are extremely intelligent, just not all of them are wise. I'll dig up my favourite quote. "Intelligence is knowing the tomato is a fruit. Wisdom is not using it in a fruit salad."
Michael on July 9, 2008 4:01 AM@DarkOpz
By your own statement the difference is based upon legal issues that the engineer has no part in. Civil engineers are held legally accountable—because of laws. How do laws make you more or less of an engineer? That doesn't mean you worked any harder for it, nor does it make you any more responsible.
The fact that software engineers are less regulated by the government is a short sight in government, not skill or responsibility.
Practicality on July 11, 2008 6:52 AM@Dave Aronson
Thanks for the info on SATs. I was not aware of that.
Jeff Davis on July 14, 2008 1:33 PMPandora isn't much better. Please see their email and my response below.
-----Original Message-----
From: Peter
Sent: Tuesday, July 15, 2008 2:02 PM
To: 'pandora-support@pandora.com'
Subject: RE: Lost Password
Would you do a favor to everyone using your service and NOT SEND THEIR MISSING PASSWORDS TO THEM IN EMAIL! You should be resetting their passwords to a temporary one and asking them to enter a new one when they log on.
By you sending it in plain text means two things:
1. You are storing the passwords as plain text (not encrypted) in your database.
2. Anyone with any clue about internet security knows that email is not secure, so sending a password via email is equivalent to broadcasting it to every hacker sniffing the net.
If you need more input on this issue, please see the following article. Please read the comments.
http://www.codinghorror.com/blog/archives/001140.html
Thanks for single-handedly making the internet a more dangerous place.
Sincerely,
Peter
-----Original Message-----
From: pandora-support@pandora.com [mailto:pandora-support@pandora.com]
Sent: Tuesday, July 15, 2008 1:56 PM
To: Peter
Subject: Lost Password
Your password for accessing Pandora is: *****
Note: Pandora Passwords are case sensitive, such that "password" is not the same as "PASSWORD" or "Password."
After you log in, we recommend that you change your password to something that is hard to guess but easy for you to remember. You can change your password by clicking on the "Account" menu and selecting the option "Edit Your Account Info."
Enjoy the music!
Pandora
I'm a member of Mensa, and can attest to the fact that there doesn't seem to be much on the "members only" side of our web site that needs password protection at any rate. Members have the option of posting as much or little information about themselves as they wish for other members to see. There certainly isn't any critically "top secret" stuff there.
I have noticed, however, that often non-members seem to delight in putting down Mensa members, even though they probably can't make the 2% IQ cut to qualify for membership themselves. If they were just a little bit smarter, they would be able to understand that there is very little correlation between IQ and the ability to write computer code. Being able to spot the weakness in the Mensa password system does not imply that one is smarter than the average Mensan.
Wiseguy on December 24, 2008 1:13 PM
Content (c) 2009 Jeff Atwood. Logo image used with permission of the author. (c) 1993 Steven C. McConnell. All Rights Reserved.