Getting hacked happens, even to the best, but come on, how many times will we have to read blog posts like this one before people wake up? How hard can it be to hash and salt your passwords?
Glad I wasn't one of their customers (and never will be) but it's frustrating how we can't trust anyone with anything these days.
"(...) with a plan currently in progress to upgrade away from the current plugin."
Oh, it's the plugin fault. Not theirs. Blame it on the plugin.
But let's remember that either plain text or one-way hashed, they will be broken eventually. The only thing hashing passwords buys you is a little bit of time before the "hacker" can use those passwords to access the compromised system.
It doesn't, for example, protect you from password re-usage issues. You also have to reset the passwords either way.
I think getting broken into is the biggest problem here; everyone has recently spent far too much time talking about hashes instead of asking questions about how the real break-in occurred at these businesses.
Of course we need to plug holes in security and prevent people from getting in (SQL injection vulnerabilities are just as important an offence) but might as well protect the user's information when a breach happens. Especially since it's so much easier than the other way around.
This is not difficult. There may even be programs that already exist for this. The only difficulty would be not getting blocked by those services after a large number of incorrect attempts, but leverage services like Tor/EC2/botnets and that becomes a null issue.
With password hashing it would at least be _some_ amount of time between accessing the leaked data and havoc. Cleartext means disaster is instantaneous.
Perhaps. But that still does not undermine the importance of storing passwords securely with encryption. The idea is not to completely avoid an attack (crackers are pretty determined), the idea is to delay or make it harder for the bad guys. So yes, encryption matters a lot.
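The "hash and salt" that several comments above (L1, the "buys you time" reply, and this one) are arguing about, shown as working code. This is an added example written for this thread; it is not code from Envato, Tuts+, the aMember plugin, or any commenter. It uses only the Python standard library (PBKDF2-HMAC-SHA256 via hashlib), and the record format, function names, sample user table and iteration counts are this example's own constructed choices.

```python
"""Added example: salted, iterated password hashing with PBKDF2-HMAC-SHA256,
constant-time verification, and a one-off migration of a cleartext table.
Not from the thread or from any project it discusses."""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work factor (constructed default for this example). The cost is what buys
# the "little bit of time" the thread talks about: every guess against a
# leaked record must pay it, and it is stored per record so it can be raised.
DEFAULT_ITERATIONS = 210_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str,
                  iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt>$<hash>.

    A fresh random salt per password means two users with the same password
    get different records, so one precomputed table cannot crack them all.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"{ALGO}${iterations}${b64(salt)}${b64(digest)}"


def parse_record(record: str) -> Tuple[int, bytes, bytes]:
    """Split a stored record into (iterations, salt, digest)."""
    algo, iters, salt_b64, hash_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record type: {algo}")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in
    constant time (hmac.compare_digest), so timing does not leak prefixes."""
    iterations, salt, expected = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than we want now."""
    iterations, _, _ = parse_record(record)
    return iterations < min_iterations


def migrate_cleartext_table(cleartext: Dict[str, str],
                            iterations: int = DEFAULT_ITERATIONS) -> Dict[str, str]:
    """One-off conversion of a cleartext user table (what the thread says the
    plugin stored) into hashed records. Run once; the cleartext is then dropped."""
    return {user: hash_password(pw, iterations) for user, pw in cleartext.items()}


def login(table: Dict[str, str], user: str, password: str,
          min_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Check a login and, on success, transparently upgrade a weak record.

    This is how the stored iteration count gets raised over time without ever
    needing the cleartext password again: we only have it at login time.
    """
    record = table.get(user)
    if record is None:
        # Burn the same work for unknown users so timing does not reveal
        # whether an account exists.
        hash_password(password, min_iterations)
        return False
    if not verify_password(password, record):
        return False
    if needs_rehash(record, min_iterations):
        table[user] = hash_password(password, min_iterations)
    return True


if __name__ == "__main__":
    # Constructed sample data, not from any real breach.
    old_table = {"alice": "correct horse battery staple", "bob": "hunter2"}
    users = migrate_cleartext_table(old_table, iterations=50_000)
    print(users["alice"])
    print("alice ok:", login(users, "alice", "correct horse battery staple"))
    print("bob wrong:", login(users, "bob", "hunter3"))
    print("alice upgraded:", not needs_rehash(users["alice"]))
```

Storing the algorithm name and iteration count inside each record is the detail that makes "delay the bad guys" an ongoing property rather than a one-time decision: when hardware gets faster, raise `DEFAULT_ITERATIONS` and the `login` path re-hashes each account the next time its owner signs in.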
A Morris Award would be a bit like a Darwin Award for people who've failed to learn anything about password security and in doing so have been exposed.
Recent Morris Award winners: LinkedIn, last.fm, eHarmony, Tuts+, ...
Every site you hit gets checked against a local list that's periodically updated. It throws up an information bar with bad security practices associated with the site you are browsing, everything from mailing plaintext passwords to the idiotic things like above.
If it becomes trusted enough it might move some developers/organisations to actually take action, if not it will at least warn individuals of the obvious problems before they signup and not afterwards like at the moment.
Edit: Last sentence didn't make sense.
My wife loves to use Big Oven to find recipe ideas. I thought I'd also start using it so we could share those ideas more easily. When they rejected my password for having "invalid special characters" however...
Maybe also an award for most silly password policy?
"Thanks for reporting the issue of plain text passwords to us. It's how passwords are handled with the membership software we use for Tuts+ Premium, which isn't extremely well coded and something we want to rebuild from scratch. In the mean-time our dev team will be hacking the software to bring password security up to the best practices we advocate on our Tuts+ sites, like Nettuts+."
Not only was this issue brought up to them, they stated very clearly that they were working to bring their password security up to best practices. In a YEAR, they couldn't hack on a password hash or rebuild their plugin from scratch?
If anyone knows if there is a lawsuit pending that could use my email as evidence, please let me know.
That makes me sad. If you use a plugin, you use it because it's a better and a proven solution, not because you are lazy. Sad day...
"-- What To Do
(1) Update passwords on ANY service you use that uses the same password as you had on Tuts+ Premium.
(2) In particular you should consider your own email account, PayPal, Moneybookers, and other payment services. These are the most sensitive targets, and if you had the same password, you should consider this an urgent priority. If you can’t remember what your Tuts+ Premium password was, we encourage you to change passwords on all services you use.
(3) If you use the same password on any other Envato service such as the Envato Marketplaces, you should change your password there too."
You have to be kidding me? Do I really need to start using unique passwords on every site that I use? This just blows me away that one site messes up and then I have to spend hours of my time figuring out which passwords to change, update, etc. This just frustrates me so much. I'm also very surprised they put this in the blog post:
"As a company that teaches and preaches best practices, it’s deeply disappointing to me to not only have been the victim of a security attack, but to be running software that doesn’t follow those same best practices. This is a situation we will be working to address."
...Based on what has happened to LinkedIn and others, aren't they easily setting themselves up for a lawsuit by blatantly saying they did not follow best practices?
Ugh. I'm just very sick of this crap happening. /rant
Errr, ...yes!
Facts: 1) Most people have way too many accounts to keep track of passwords for. 2) A unique password is essential.
So, get a password manager and store them there! It's almost the only secure solution.
"If you can’t remember what your Tuts+ Premium password was, we encourage you to change passwords on all services you use"
All I need is to try a handful of "important" passwords, make sure that none of them work for this compromised service, and I can go on with my day. But they figure, hey, if you can't remember our password, go change them all, not our problem.
Real brilliant way to handle it.
Tuts+ Premium is the only Envato service that operates with cleartext passwords, and it was a known internal issue for us, with a plan currently in progress to upgrade away from the current plugin.
http://www.amember.com/forum/threads/db-password-encryption-... http://www.amember.com/forum/threads/password-on-resend-sign...
You're gonna have a bad time.
I seriously can't understand how Envato found it responsible to even implement something that saves plaintext passwords. You must have known when implementing it. If this "3rd party" plugin was so important, then implement the plugin later on when it is secure - you don't fuck around with private details. If it was important for the initial release, you shouldn't have launched until this was sorted.
You have hereby lost a customer. I now have to reset my password on a ton of forums and probably also themeforest. I will give you some other feedback. Maybe I'm blind but to login on Nettuts, don't make users have to scroll and look for a dinky login text.
On ThemeForest, seriously remove the fucking Captcha from the login form. Sorry for my French but seriously, on a contact or registration form, I could understand why. If you are afraid of brute force, there are other great ways to do so.
Fail, Sam Granger
Ps. You should read your own tutorials on security, they aren't too bad.
You should use this as an opportunity to get a password manager (Lastpass, for instance) and use unique passwords for each site.
Security in the real world is hard. I worked as a penetration tester, so I have some authority to say so.
For most startups getting users is a priority and everyone is prone to taking shortcuts (clearly including YOU - sharing passwords across forums); incidents like this are commonplace in the business world and the fact that Envato had the balls to own up is kudos to them.