Jwalant Natvarlal Soneji wrote: Calm down; it's just your ISP.
It's my primary email, and I was under the assumption that my data was stored securely.
Jwalant Natvarlal Soneji wrote: In case they were, it will not be only you whose account can be hacked. Take it easy.
2 million accounts, and this is not something you can simply shrug off. The information on secure passwords is freely available on the internet, and I'm paying a generous amount for the service. This kind of amateurish crap shouldn't happen.
Bastard Programmer from Hell
I'm unable to see your link, because dropbox is not blocked here, but maybe what they meant was that UTF8 is the encoding used to store the encrypted characters, which leaves 1114111 different characters possible if the UTF-8 specification is strictly followed.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson
It was saved in plain text, otherwise they didn't need to send a mail to 2 million people telling them to change their password.
Bastard Programmer from Hell
That's not the only reason to send a mail to everyone to change their password. This typically happens in any case of a breach, because encrypted or not the password is compromised.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson
Not if it's merely a hash, with the salt in a different location.
There shouldn't have been a breach, and when there was, the passwords should not have been in plain text format.
Bastard Programmer from Hell
I agree, if it's just a hash and the salt is somewhere else.
And breaches happen, even hotmail has been breached already, it happens, nothing is breach-proof.
Now, if you're saying that it really was in plain text format, well you know better than me about the news.
Fabio Franco wrote: if it's just a hash and the salt is somewhere else.
..that's been a "best practice" for a few years.
Fabio Franco wrote: And breaches happen, even hotmail has been breached already, it happens, nothing is breach proof.
Ah, but hotmail never had to mail me because of some simple f***-up that could easily be avoided. Neither did GMail.
I wouldn't be pissed if this were a zero-day hack, but this is something that could be avoided easily, and would have been caught at the first serious security-audit.
Fabio Franco wrote: Now, if you're saying that it really was in plain text format, well you know better than me about the news.
..even if you didn't follow the news, that would be one that should be easily deducible from the given facts.
Bastard Programmer from Hell
Eddy Vluggen wrote: ..that's been a "best practice" for a few years.
Best practices do not mean they are always followed.
Eddy Vluggen wrote: Ah, but hotmail never had to mail me because of some simple f***-up that could easily be avoided
Thousands of hotmail users were contacted by hotmail to change the password because a range of users had a password breach. I remember that in the mail they mentioned that it was not an imminent threat (I supposed because all they got were hashes), but still encouraged the users to change the password.
Eddy Vluggen wrote: but this is something that could be avoided easily, and would have been caught at the first serious security-audit.
Agree
Eddy Vluggen wrote: that would be one that should be easily deducible from the given facts
Nope, that was the reason of my first post. If you could provide a link that actually states the facts (web news or something), then it would be deducible. And like I said, with the information I had, it could simply be a misunderstanding as I proposed. Plain text is your statement alone and again, like I said, I can't see the dropbox link because dropbox is blocked where I am.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson
Fabio Franco wrote: Best practices does not mean they are always followed.
We're not talking about some obscure website; this is the "royal" Dutch phone-service, and one might reasonably expect that their data is safe there. It would also not be unreasonable to think that they have their security checked by outsiders.
Fabio Franco wrote: Nope, that was the reason of my first post. If you could provide a link that actually states the facts (web news or something), then it would be deducible. And like I said, with the information I had, it could simply be a misunderstanding as I proposed. Plain text is your statement alone and again, like I said, I can't see the dropbox link because dropbox is blocked where I am.
The link merely shows a picture of a tweet from a spokesman of the company with said text on UTF-8. It would also be illogical to have two million subscribers change their password if it weren't leaked in a usable format.
Yes, I'm furious; as said, should I be assuming that the bank doesn't implement the best practices either?
Bastard Programmer from Hell
Eddy Vluggen wrote: Yes, I'm furious
I guess I'd be too.
Eddy Vluggen wrote: should I be assuming that the bank doesn't implement the best practices either?
You'd be surprised and I'm not saying that out of complete ignorance.
"To alcohol! The cause of, and solution to, all of life's problems" - Homer Simpson
Fabio Franco wrote: You'd be surprised and I'm not saying that out of complete ignorance.
Not the kind of surprises one likes to contemplate
one can only hope this is the mistake of the internal communications team and not the Infrastructure Team writing this.
My guess is the marketing group heard an acronym and confused the DB codepage with the encryption type... marketing people's eyes tend to glaze over when technical jargon is slung around. That's why we keep the pretty people away from the smart people.
On the plus side, anyone who actually reads the notice will take the best security step possible. They will move to another ISP. This protects their password by putting it into the hands of people who have not proven they are incompetent.
Hopefully, this will cause a large number of marketing types to quit in disgrace and seek careers in the hospitality or food services industry.
The early bird gets the worm, but the second mouse gets the cheese.
It was actually saved in plain-text. I wouldn't post an accusation on them storing a plain-text password if there was only that tweet.
Bastard Programmer from Hell
Dude, you should be viewing this as an opportunity to show them how to encrypt their data using UTF-16. And then when that fails, UTF-32. They should be out of business at that point, but on the bright side you'll have all their money (provided they haven't decided they need to implement NFC access directly to your bank account by that point).
No need for worry, the UTF8 encryption is only the first layer of security, they have also applied ROT13 encryption, not once but twice, for maximum security.
Might be a badly communicated way of saying that they base64 encode the (now?) encrypted password so it can go into a UTF-8 database field.
I agree with you though, given that they've been compromised, they need to be forced to clarify their meaning before they can be trusted... especially because it could be an indication of cluelessness on their part. If they refuse and give some compromising-security excuse, drop them if you can -- those kinds of excuses are nothing more than a way of saying that they believe obscurity is the same thing as security.
We can program with only 1's, but if all you've got are zeros, you've got nothing.
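The two technical points that run through this thread, that a password store should hold only a salted hash (the "merely a hash, with the salt in a different location" post above) and that UTF-8 or base64 are encodings rather than protection (the post directly above), can be shown side by side. The following is an added example written for this page, not code from the thread or from the ISP in question; it uses only the Python standard library. It keeps the per-user salt inside the stored record, which is the usual layout; a separately stored secret (a "pepper") would be an extra step on top of this and is not shown. The iteration count and the sample password are constructed values, not a recommendation tuned for any particular system.

```python
# Added example: UTF-8 "encryption" is reversible with a single call, while a
# salted, iterated hash lets a site verify a password without being able to
# recover it. Standard library only.
import base64
import hashlib
import hmac
import os
from typing import Optional

# Cost parameter for PBKDF2-HMAC-SHA256; a constructed default for this example.
PBKDF2_ITERATIONS = 600_000


def utf8_encode(password: str) -> bytes:
    """What a 'UTF-8 encrypted' password really is: a byte encoding, no key involved."""
    return password.encode("utf-8")


def utf8_decode(stored: bytes) -> str:
    """Anyone holding the stored bytes recovers the password immediately."""
    return stored.decode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.

    The salt is random per user, so two users with the same password get
    different records and precomputed tables are useless. base64 keeps the
    record in plain ASCII so it fits a text (UTF-8) database column: that is
    the harmless half of the "UTF-8" confusion, and it adds no secrecy.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the salt in the record and compare in constant time."""
    algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    pw = "correct horse battery staple"
    stored_as_utf8 = utf8_encode(pw)
    print("UTF-8 store gives the password back:", utf8_decode(stored_as_utf8) == pw)
    record = hash_password(pw)
    print("stored record:", record)
    print("correct password verifies:", verify_password(pw, record))
    print("wrong password verifies:", verify_password("guess", record))
```

With a store built this way, a breach hands the attacker only salted hashes, which is why a site can tell users the threat is not immediate while still asking them to change passwords; with a UTF-8 (or base64) store, every password is recoverable in one call and a forced reset is the only option.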
It's obvious that all of you have missed the reason for the UTF-8 encryption. Do you realize how hard it is to process the new passwords for mailing if they are encrypted? Do you realize how much effort is involved to get that information?
Heavens!
Why next, you'll be wanting to secure your on-line financial dealings!!!!
/sarcasm
Cegarman
document code? If it's not intuitive, you're in the wrong field
LOL.. they are using UTF8 to encrypt pass..
============================================
The grass is always greener on the other side of the fence
One free interwebs, you just won it!
I begin to understand where redundancy in code comes from. The following example is from the Windows Phone Development material on MSDN:
popToSelectedButton.IsEnabled = (historyListBox.SelectedItems.Count > 0) ? true : false;
OK, it's harmless enough, but why on earth do people feel it necessary to explicitly state the result of a logical expression? If a programmer doesn't get logic, it's probably time to consider another career choice.
Sure you've got the correct end of the horse?
Cheers,
Peter
Software rusts. Simon Stephenson, ca 1994.
The programmer was so proud he knew how to use the ?: operators...
Rob Grainger wrote: If a programmer doesn't get logic, it's probably time to consider another career choice.
Do you know him? Perhaps he already had more of a career than you think. What if he's just an old C/C++ veteran and never got used to having the conditions result in boolean values (instead of 0 and something non-zero)?
Without having looked at the disassembly: Does the compiler not eliminate such simple things? In that case I would usually say that a difference which makes no difference is no difference. 'Real' redundancy usually occurs in heaps of spaghetti code where the programmer was unable to separate the tasks at hand and started to copy and paste code blocks when he became unable to untangle his own mess.
I'm invincible, I can't be vinced
CDP1802 wrote: What if he's just an old C/C++ veteran and never got used to having the conditions result in boolean values (instead of 0 and something non-zero)?
By definition, if you can use something in that form in a ?: clause, you can also use it anywhere else the language expects a boolean.