Post by littleoldlady on Jun 21, 2016 10:47:39 GMT
If a hashed password cannot be recovered without the original password, how can any site ever send a reminder? Many sites, if you have forgotten your password, give you a way of setting a new one, rather than reminding you of the old one.
Post by vanthel on Jun 21, 2016 13:06:45 GMT
> Hi, Unfortunately we can't go into too much detail on a public forum, but I can assure all our investors we do not store passwords. All passwords are 256-bit hashed and the random code to re-set passwords is also hashed. Many thanks, Gordon

Hi Gordon, could you confirm that this is a new development, introduced since the creation of this thread, and not thought to have been the case before? Many thanks.
Post by vanthel on Jun 21, 2016 13:09:33 GMT
> If a hashed password cannot be recovered without the original password, how can any site ever send a reminder? Many sites, if you have forgotten your password, give you a way of setting a new one, rather than reminding you of the old one.

Indeed, it should be impossible for a service to send your password as a reminder, only reset it to a known value or provide a way to change it without the previous one. If a site ever does send you your password, any part of it, call them out on it. Not only does this make your details vulnerable to hackers but also to any member of the company with database access. A large number of leaks and hacks are in fact the likes of disgruntled employees.
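The principle behind this post and Gordon's earlier reply (a one-way hash of the password, and a hashed random reset code), shown as an added example that is not code from the forum or from the platform: the site can verify a password and consume a reset token, but it never holds anything it could e-mail back as a "reminder". The in-memory dictionaries, PBKDF2 parameters and token lifetime are assumptions for illustration; the page does not say what the platform actually uses.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for database tables.
USERS = {}          # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(raw token) -> {"user": str, "expires": float}

PBKDF2_ROUNDS = 600_000  # assumed work factor
TOKEN_TTL = 15 * 60      # assumed reset-link lifetime in seconds


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted, one-way derivation; the plaintext password is never stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username: str, password: str) -> bool:
    row = USERS.get(username)
    if row is None:
        return False
    _, digest = hash_password(password, row["salt"])
    return hmac.compare_digest(digest, row["hash"])  # constant-time compare


def issue_reset_token(username: str, now: float = None) -> str:
    """Return the raw token to e-mail the user; only its hash is kept server-side."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)
    key = hashlib.sha256(raw.encode()).hexdigest()
    RESET_TOKENS[key] = {"user": username, "expires": now + TOKEN_TTL}
    return raw


def redeem_reset_token(raw_token: str, new_password: str, now: float = None) -> bool:
    """Single-use, time-limited reset: sets a new hash, never reveals the old password."""
    now = time.time() if now is None else now
    key = hashlib.sha256(raw_token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)  # consumed whether or not it is valid
    if entry is None or now > entry["expires"]:
        return False
    register(entry["user"], new_password)
    return True
```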
Post by n on Jun 21, 2016 13:14:43 GMT
> If a hashed password cannot be recovered without the original password, how can any site ever send a reminder? Many sites, if you have forgotten your password, give you a way of setting a new one, rather than reminding you of the old one.

> Indeed, it should be impossible for a service to send your password as a reminder, only reset it to a known value or provide a way to change it without the previous one. If a site ever does send you your password, any part of it, call them out on it. Not only does this make your details vulnerable to hackers but also to any member of the company with database access. A large number of leaks and hacks are in fact the likes of disgruntled employees.

I 'forgot' my password just now and had an email with a temporary password and a suggestion that I change it to something I will remember (not mandatory), so it sounds like something has changed.
Post by Collateral Rep on Jun 21, 2016 14:51:15 GMT
Hi,
Yes we have updated this as a result of posts from this forum.
We do listen and where possible change/fix issues pointed out.
Many thanks,
Gordon
Post by littleoldlady on Jun 21, 2016 18:42:15 GMT
> Hi, Yes we have updated this as a result of posts from this forum. We do listen and where possible change/fix issues pointed out. Many thanks, Gordon

Good. You just need to change the log-in page so that it does not offer to send a reminder.

Edit: And done!
Post by jhma on Sept 29, 2016 12:24:02 GMT
@mods - please take previous post down - giving instructions how to bypass security is not good form - although a valuable lesson
collateral - please act on this soonest
Mod note: post removed.
Post by jonah on Sept 29, 2016 12:49:09 GMT
I've reported the above post as, whilst valid, sharing a how-to bypass isn't good. Collateral Rep, this does need to be fixed however, as it is a Keystone Cops level of security. Putting in a simple bypass, sending details for client-side verification (which proves they aren't one-way hashed) as well as sharing the details is terrifying.
Post by treeman on Sept 29, 2016 12:52:23 GMT
> @mods - please take previous post down - giving instructions how to bypass security is not good form - although a valuable lesson
> collateral - please act on this soonest

Nudge Collateral Rep too - alarming!!! - comments?

<EDIT> crossed with Jonah
Post by Collateral Rep on Sept 29, 2016 12:55:15 GMT
Hi,
Yes this is being fixed now.
I'll update shortly.
Gordon
Post by Collateral Rep on Sept 29, 2016 13:27:54 GMT
Hi,
The encryption that is normally in place has been put back up; the memorable word part of the security was taken down for 20 mins whilst the developers were solving this morning's server issue. At no point was the encrypted password taken down, so the site was secure at all times.
Sorry for any concerns this may have caused.
Thanks,
Gordon
Post by martin44 on Sept 29, 2016 13:46:44 GMT
just logged on, all ok for me, bit slow tho.
Post by Collateral Rep on Sept 29, 2016 13:47:02 GMT
Hi @magenta14,
The memorable word logins are working now and I posted a few minutes ago re what happened.
The first level security was never in question, and we are also currently working on a third level opt-in security level.
We do apologise for the issues today and we do realise that this will cause concerns for our investors, but I can assure you the first level security was always in place and the second level (memorable word) was just down for a short period of time whilst we resolved a server issue.
Again, sorry for this morning's issues.
Gordon
Post by Collateral Rep on Oct 2, 2016 10:05:27 GMT
Hi @leopardcat,
We're not experiencing any issues our end.
Thanks,
Gordon
Post by littleoldlady on Oct 2, 2016 10:54:25 GMT
> Unable to get past the password again this morning..... security update?

I just logged on with no problem. Nothing for sale apart from the property.