I sign up for a conference that uses a software that stores and transmits passwords in plaintext and will happily email it to you if you forget it.

In my mind, this screams incompetency and destroys my trust in the vendor and in the conference who uses their software.

It makes me think that whatever is going on their backend is probably similarly insecure throughout, and that it'd probably be Super Easy To Hack if I didn't care about breaking Laws.

Am I wrong here? This is a big engineering conference too, shame on them for fucking up so badly, right??

Comments

You must log in or register to comment.

Dogmantra wrote on March 27, 2019 at 6:12 PM

#6,927

doing passwords right is really hard from what I understand but I think if you're not even going to bother that says a lot about your business

musou wrote on March 27, 2019 at 6:32 PM

#6,928

yeah that's really bad. there are solid password handling libraries for pretty much every popular language out there by now. many of them aren't perfect by any means, but anything is better than doing absolutely nothing. i wouldn't trust that vendor either.

cute_spider_ni_srsly wrote on March 27, 2019 at 6:51 PM

#6,929

Replying to Dogmantra (#6,927)

Doing passwords right is very very hard, and that's why they have published libraries and frameworks which do passwords right for you.

emma wrote on March 27, 2019 at 8:02 PM (edited on March 27, 2019 at 8:05 PM)

#6,930

i only trust vendors who've taken the enlightened, moderate approach of hashing half the password, and letting the other half remain in plain text.

but yeah, it's bad

jaidedctrl wrote on March 28, 2019 at 6:24 PM (edited on March 28, 2019 at 8:07 PM)

#6,941

Replying to emma (#6,930)

the enlightened, moderate approach

I can't tell if that's sarcasm or not, jajaja.
is it better to hash only half, than to hash the whole password?

EDIT: okok it was obviously a good gag. :P