Login / Sign up
> > > Security


Messages in topic: Security
Darkelo
Registered User

Nbr post: 2
Register: 2/2/14
Posted: 4/29/14 6:45 PM

I thought I'd check this site out, but am unwilling to proceed further than creating a simple account. Why?
  • You do not use HTTPS, not even on the login page or 'change password' page.
  • When changing password, you send the new password out in an email!
  • You store our passwords in plain text.
Jelan
Admin

Nbr post: 10801
Register: 5/4/01
Posted: 4/29/14 11:33 PM

Hi Darkelo and welcome to Magelo.
  1. There would be not point of using https over the website as we don't deal with sensitive data. Arguably the login phase could use some form of encryption (leveraging https or something else) to protect from a man in the middle attack but at the same time, given the low value that it would have, for now, we decided to keep it simple.
  2. Kinda same logic as point 1,it's convenient to have your password in the email, should you forget it so you dont have to regenerate a new one all together. Sure, if your email is compromised, then so is your magelo account but again, it does not matter much.
  3. All password are stored in our database are hashed using bcrypt, there is no plain text storage. We are able to send you an email with your password in clear because this is happening as we receive it from your end. So when you submit your password, we immediately send an reminder email with it, then we hash it and store it. At this point, the password is not present in plain text anymore on the server.

Point 1 & 2 are not set in stone, we might change our policy on this in the future. We understand that security and identity theft are a pressing concern nowadays and we keep an attentive eye on this.
Darkelo
Registered User

Nbr post: 2
Register: 2/2/14
Posted: 5/5/14 12:52 PM

Thanks for the reply and for welcoming me to Magelo, although it sounds like I won't be staying just yet.

I'm glad to hear that you keep an attentive eye on security, so I'm sure you're aware that there are people who use the same password in multiple places. Indeed, there are people who use one password for everything. As such, it is extremely naive to assume that all users of Magelo use a unique password just for Magelo, regardless of suggesting it in the Terms Of Use. Therefore, any credential information IS sensitive, regardless of how you view the importance of this site.

Leading from that, those users now have their sensitive (even more so than a unique Magelo specific password, since they use it for more than just Magelo) password stored in not only their own email account, but who knows how many records in which all our emails are stored, analysed, etc., during transit.

Most good systems these days send out a password reset URL. I can't think of any sites I'd use that send the user their own password in plain text at any time.

I see that your Terms Of Use put the onus of responsibility for the account solely on the user. How is the user supposed to do that when you've emailed the password out?

I have to wonder, since you place such low value on our account credentials, why bother hashing the password at all?

PS. The links to your privacy policy don't work.
Jelan
Admin

Nbr post: 10801
Register: 5/4/01
Posted: 5/5/14 1:02 PM

Well like I said, your post is not without merit and I do understand your point of view. We will make some changes so that we dont confirm back your password anymore.

For your information, since we only store an hash password, we already implement a reset password url logic.

Thanks for pointing out the issue with the privacy policy page, will get that fixed asap !