Submitted by twovests in just_post

I sign up for a conference that uses a software that stores and transmits passwords in plaintext and will happily email it to you if you forget it.

In my mind, this screams incompetency and destroys my trust in the vendor and in the conference who uses their software.

It makes me think that whatever is going on their backend is probably similarly insecure throughout, and that it'd probably be Super Easy To Hack if I didn't care about breaking Laws.

Am I wrong here? This is a big engineering conference too, shame on them for fucking up so badly, right??

11

Comments

You must log in or register to comment.

Dogmantra wrote

doing passwords right is really hard from what I understand but I think if you're not even going to bother that says a lot about your business

6

cute_spider_ni_srsly wrote

Doing passwords right is very very hard, and that's why they have published libraries and frameworks which do passwords right for you.

7

emma wrote (edited )

i only trust vendors who've taken the enlightened, moderate approach of hashing half the password, and letting the other half remain in plain text.

but yeah, it's bad

6

jaidedctrl wrote (edited )

the enlightened, moderate approach

I can't tell if that's sarcasm or not, jajaja.
is it better to hash only half, than to hash the whole password?

EDIT: okok it was obviously a good gag. :P

4

musou wrote

yeah that's really bad. there are solid password handling libraries for pretty much every popular language out there by now. many of them aren't perfect by any means, but anything is better than doing absolutely nothing. i wouldn't trust that vendor either.

5