Sour Grapes
Of course we're Fair and Balanced!

2013-07-25

Isn't this a security lapse?
I recently wrote to a website I use regularly:
I changed mobile phones recently. When I try to log in to the <appname> Android app, I keep getting the message, "Your nickname or password is incorrect. Please try again." I use a password program to generate and store passwords for all my apps, so I copy and paste my nickname and password rather than typing them in. After getting this message several times in a row, I followed the instructions to change my password. After re-entering my nickname and password at the website I was directed to, I am still unable to log in. I never had anything like this problem before.
Before they responded, I determined that the problem was the special characters I force the password generator to include; one of those characters in this password was a backslash (or reverse solidus, "\"), which I suspect was interpreted as an escape character (Unix/Linux programmers will understand why I so suspect). So I changed my password to consist of only upper- and lower-case letters and numbers. My problem disappeared.

A short while later I received the following reply in clear text:
Hello <username>,

Here is your username: <username>
Here is your password: <password>

Please note that this may be case-sensitive on some mobile devices.

Let me know if you have any further questions or problems.

Regards,
Emailing a password in clear text is not secure. Furthermore, I wouldn't have thought the site administrator had access to my password other than in its encrypted form.
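As an added illustration, not code from this post or from the site in question: a minimal account store that keeps only a salted PBKDF2 hash, so that whoever answers support mail has nothing to paste into a reply, plus a one-time reset token that is what such a reply should carry instead. It also includes a constructed transport layer that double-escapes backslashes, one hypothetical mechanism for the symptom described above (the real cause at the site is not known). The sample passwords, the `double_escape_backslashes` layer and the iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets

# Assumed parameters for this example (not from the original post).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str) -> dict:
    """Derive a salted PBKDF2-HMAC-SHA256 digest. The plaintext is never stored,
    so nobody reading the account table can recover or email it."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive from the candidate bytes exactly as submitted and compare in
    constant time. No escaping or normalisation is applied to the password."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def double_escape_backslashes(password: str) -> str:
    """Constructed stand-in for a buggy client/transport layer that escapes every
    backslash but is never undone server-side. Passwords without a backslash
    pass through unchanged, which matches the symptom in the post."""
    return password.replace("\\", "\\\\")


def login(record: dict, submitted: str, transport=lambda s: s) -> bool:
    """Simulated login: the submitted password crosses the (possibly buggy)
    transport layer before verification."""
    return verify_password(record, transport(submitted))


def issue_reset_token() -> tuple:
    """What a support reply should contain instead of a password: a random
    one-time token. Only its SHA-256 is kept server-side."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("utf-8")).hexdigest()


def redeem_reset_token(stored_hash: str, presented: str) -> bool:
    """Constant-time check of a presented token against the stored hash."""
    presented_hash = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(presented_hash, stored_hash)


def demo() -> dict:
    # Constructed sample passwords (not anyone's real credentials).
    with_backslash = "G7\\k2PqZ!m"   # contains a single literal backslash
    alnum_only = "G7k2PqZm4r"
    rec_bs = hash_password(with_backslash)
    rec_alnum = hash_password(alnum_only)
    token, token_hash = issue_reset_token()
    return {
        # Correct password verifies when passed through untouched.
        "backslash_direct": login(rec_bs, with_backslash),
        # The same password fails once the buggy layer rewrites the backslash.
        "backslash_via_buggy_layer": login(rec_bs, with_backslash, double_escape_backslashes),
        # An alphanumeric password is unaffected by that layer.
        "alnum_direct": login(rec_alnum, alnum_only),
        "alnum_via_buggy_layer": login(rec_alnum, alnum_only, double_escape_backslashes),
        "wrong_password": login(rec_bs, alnum_only),
        # The stored record never contains the plaintext.
        "plaintext_in_record": with_backslash in repr(rec_bs),
        "reset_token_redeems": redeem_reset_token(token_hash, token),
        "reset_token_rejects_other": redeem_reset_token(token_hash, token + "x"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the backslash run is that the hash store itself is indifferent to special characters; the failure only appears when some layer between the keyboard and `verify_password` rewrites the bytes. If a login breaks only for passwords containing "\" or quotes, look for that layer rather than blaming the user's password policy.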

Qui utitur passwords, cave!

