locutus
Member of DD Central
Posts: 1,059
Likes: 1,622
Post by locutus on Jul 9, 2015 8:33:34 GMT
I don't know if Proplend people still browse the forum but if you do, please let your devs know that they should not be storing passwords as plain text.
Post by proplend on Jul 20, 2015 11:25:48 GMT
Locutus - apologies for the delay. We don't seem to be getting the notifications when a new post is made. Our passwords are not stored and have never been stored as plain text; they are all encrypted. In addition, we have recently amended our password policy: we now require that passwords be at least 8 characters long and contain a minimum of 1 number, 1 uppercase letter, 1 lowercase letter and 1 special character (e.g. !@#$%&<). We take security very seriously.
locutus
Member of DD Central
Posts: 1,059
Likes: 1,622
Post by locutus on Jul 20, 2015 14:46:16 GMT
Proplend - I don't know what your developers are telling you, but that is not the case. When I signed up with a test account and clicked the email confirmation, I was shown my password on the success screen as a reminder. This should not be possible. Passwords should be hashed and should only be known by the end user, i.e. not stored in your database.
Post by proplend on Jul 21, 2015 10:00:42 GMT
On the success screen you mention, you are shown your username as a reminder but not your password - I have just run a test registration to confirm this. To confirm, after speaking with the devs: the passwords are hashed in the database.
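The password-storage point argued over in the two posts above, as an added example that is not code from Proplend, WordPress or any poster in this thread: a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count and salt size are this example's own assumptions, not anything Proplend published) can only be checked by recomputing it from the candidate password, so a site that stores such records has nothing it could show back as a "reminder" on a confirmation screen. The block also implements the policy quoted in the 20 Jul post as a check function (treating any non-alphanumeric character as "special", an assumption). The sample passwords are constructed.

```python
import base64
import hashlib
import hmac
import os
import re

# Assumed parameters for this example only (not Proplend's or WordPress's values).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def meets_policy(password: str) -> bool:
    """Check the policy quoted in the thread: at least 8 characters, with at least
    one digit, one uppercase letter, one lowercase letter and one special character.
    'Special' is taken here to mean any non-alphanumeric character (an assumption)."""
    return (
        len(password) >= 8
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (all base64).

    A fresh random salt per call means two users with the same password get
    different records, and the record holds nothing the password can be
    recovered from; a site storing only this cannot display the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return "%s$%d$%s$%s" % (
        ALGORITHM,
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and iteration count and compare
    in constant time. This recomputation is the only check available: there is
    no 'unhash' step, which is exactly what the forum exchange is about."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # unknown or malformed record: never accept
    _, iterations, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations)
    )
    return hmac.compare_digest(candidate, expected)


def register(password: str) -> str:
    """Apply the policy, then store only the hash record. Raises on a weak password."""
    if not meets_policy(password):
        raise ValueError("password does not meet the stated policy")
    return hash_password(password)


if __name__ == "__main__":
    # Constructed sample: a password that satisfies the quoted policy.
    stored = register("Correct-Horse7")
    print("stored record:", stored)
    print("login with right password:", verify_password("Correct-Horse7", stored))
    print("login with wrong password:", verify_password("Correct-Horse8", stored))
    print("cleartext present in record:", "Correct-Horse7" in stored)
```

Note that `hash_password` is deliberately non-deterministic: the same password registered twice yields two different records, and a stored record that could be turned back into the cleartext (for a reminder email, say) is by definition not a hash, whatever it is called.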
Post by proplend on Jul 21, 2015 10:01:33 GMT
Please feel free to contact us directly.
shimself
Member of DD Central
Posts: 2,560
Likes: 1,169
Post by shimself on Oct 24, 2016 11:04:23 GMT
Just now I saw this on the reset password page, which was novel and obviously unintended: you enter the password on the left (and it shows as a load of dots as usual), but on the right it is displayed visibly, which makes no sense. [screenshot attached]
shimself
Member of DD Central
Posts: 2,560
Likes: 1,169
Post by shimself on Oct 24, 2016 15:27:42 GMT
And while you're about it can you introduce a 20minute inactivity automatic logout please?
Post by proplend on Oct 24, 2016 15:30:05 GMT
Thank you for your concern, Shimself. However, this is the de facto standard for WordPress, where the Proplend front end is built. The passwords are not saved as text; they are hashed in the database as soon as you hit the reset button. No one has access to 'unhash' them or recreate a new password; this can only be done through the password reset button by the client. I believe it was built to cut down on typing mistakes, but, as I say, it's developed by WordPress and not Proplend. I hope that this has answered your question and put any security concerns to bed. I suggest, after posting your password on here, that you reset again. Proplend.
shimself
Member of DD Central
Posts: 2,560
Likes: 1,169
Post by shimself on Oct 24, 2016 16:04:31 GMT
proplend wrote:
Thank you for your concern, Shimself. However, this is the de facto standard for WordPress, where the Proplend front end is built. The passwords are not saved as text; they are hashed in the database as soon as you hit the reset button. No one has access to 'unhash' them or recreate a new password; this can only be done through the password reset button by the client. I believe it was built to cut down on typing mistakes, but, as I say, it's developed by WordPress and not Proplend. I hope that this has answered your question and put any security concerns to bed. I suggest, after posting your password on here, that you reset again. Proplend.

I've never ever seen it before, and believe me, I've been on plenty of websites with a WordPress front end (REBS of this parish for one, I think; see image, not the same). What's more, it makes just no sense: what is the point of showing a load of dots in one field and, at the very same time, keypress by keypress, the actual characters represented by each dot? You could no doubt be radical and just show the password as it's being typed, or allow it to be shown by option (as e.g. Zopa), but this just has zero logic to it. Sorry, I don't believe the answer and it puts the willies right up me (and being told it's OK and in fact normal, more so). [screenshot attached]
Post by proplend on Oct 24, 2016 16:36:05 GMT
The display password feature is the option that Proplend has decided to use. We believe that it helps clients reset their passwords more quickly, as it removes the possibility of mistypes and spelling mistakes and therefore the requirement to reenter your new password. There is absolutely no difference in terms of security between this and any other option on the wordpress password reset. Proplend Team.
shimself
Member of DD Central
Posts: 2,560
Likes: 1,169
Post by shimself on Oct 24, 2016 18:50:43 GMT
proplend wrote:
The display password feature is the option that Proplend has decided to use. We believe that it helps clients reset their passwords more quickly, as it removes the possibility of mistypes and spelling mistakes and therefore the requirement to reenter your new password. There is absolutely no difference in terms of security between this and any other option on the wordpress password reset. Proplend Team.

Well, I can think of one - when in a public place my password gets shown to any other person looking at the screen (or, as in my case, my child; fortunately the younger one, not the teen). Maybe that's the only reason, I'm not techy enough to say, but even so I suggest that's reason enough. And if you really insist on forcing this "convenience" down our throats, then just have one single unmasked text entry box. This masked entry box with the unmasked contents shown on the right has no logic whatsoever that I can see. Please don't fight it; that's two people who have taken the trouble to tell you they were upset by it. The customer might just be right.
Post by bracknellboy on Oct 24, 2016 19:23:26 GMT
MOD HAT OFF
Well I'm not a security expert and I am (no longer) any form of IT expert worth the title. But my experience of online password normal practise is pretty simple:
1. Entering a password is masked
2. Creating a password is masked
3. Changing a password is masked
Providing anything other than that, especially for anything to do with financials, would in my mind be very poor practice. Oh look, that guy in the internet cafe - ok, we don't really have those these days, so how about that guy on the train sitting next to me - is changing the password on his account: I wonder what it is.
Any business which is dealing with financials which did not mask passwords as above would not see a scintilla of my money: UNLESS it a) defaulted to 'not display' b) had a tick box to opt in to display AND had a warning next to that saying 'do not use if in a public location'. Anything else would indicate to me either a misunderstanding of, or a slapdash approach to security: either way it would not give me any confidence in what lies beneath the surface.
I do however appreciate that hexadecimal keys on routers can be ticked to say 'show password' on my phone. But that rather tells you something, in that it defaults to masking, for a key to access a router.
Post by bracknellboy on Oct 24, 2016 19:33:19 GMT
proplend wrote:
The display password feature is the option that Proplend has decided to use. We believe that it helps clients reset their passwords more quickly, as it removes the possibility of mistypes and spelling mistakes and therefore the requirement to reenter your new password. .....

MOD HAT OFF
Undoubtedly so. It's also a great feature to assist others to reset your password more quickly as well. So a win-win. If I was considering using Proplend, this is the point at which I would be very seriously asking you to provide me with a detailed bio and credentials of whoever may be in charge of your IT and security before I would do anything. What is seen on the surface usually says something about what is going on underneath. EDIT: Hint: try changing your pwd for the forum. And this is just a forum.
Post by proplend on Oct 25, 2016 7:53:47 GMT
Shimself and bracknellboy
Your points are taken on board. We do take security very seriously as, at the end of the day, we are asking our users to trust us with their money. We do not show passwords at set-up or at login but did decide to use a different set-up during a password change/reset to ease the client experience.
Password change is a very irregular occurrence and we assumed (obviously wrongly) that users would be able to conduct this in a private situation. To date you are the only users who have highlighted this issue (the comment higher in this thread was a separate issue which was changed a long while back).
We believe that it is important to listen to our users and will change this to mask the password at change as well.
Shimself, as noted earlier, your concern is over the security of your password which you then seemed to post live onto the open forum, if you have not done so already please can you change again. Proplend Team.
shimself
Member of DD Central
Posts: 2,560
Likes: 1,169
Post by shimself on Oct 25, 2016 8:01:20 GMT
proplend wrote:
.... We believe that it is important to listen to our users and will change this to mask the password at change as well. Shimself, as noted earlier, your concern is over the security of your password which you then seemed to post live onto the open forum, if you have not done so already please can you change again. Proplend Team.

Good decision, thanks. The password shown in the screenshot (VISIBLE123!) was just for the sake of making the point and was never implemented. Thanks.