Password-related security issues
When I created my account I received an email containing my password in plaintext. This has serious security implications. For one, it means you are sending my password across the internet in plaintext. Secondly, it means you are putting the security of your application in the hands of your users' email providers (not too many ways around this except for OpenID). Lastly, and what scares me the most, is that this implies that my password is being stored in your database in plaintext. All passwords should be salted and hashed so an attacker cannot retrieve my credentials by getting into your database.
1 person has this problem
Jason, we've fixed this by removing the password from our New Account emails, and replacing it with an activation link instead. We're also working on cleaning up our Mailer logs, to remove any references to passwords for emails sent with plaintext passwords.
To clarify, we were never storing passwords in the database unencrypted. Like you said, they are both salted and hashed prior to storage. Hopefully that addresses part 1 of your concern.
OpenID login is not on our radar right now, although we definitely see its usefulness. Instead, we're focusing on implementing Facebook Connect, which will allow our users the same one-click Sign Up/ Log In process that OpenID provides. Look for that with the September release.
The company and 1 other person say this solves the problem