"forgot password"

DrPizza

Administrator Elite Member Goat Whisperer
Mar 5, 2001
www.slatebrookfarm.com
I'm not 100% up to date on security of passwords, but let's say I forgot my password for a website. In this day and age, if I supply my email, should they be able to give me my password via email? Or (and this is what I thought the state of security was), shouldn't a website at best only be capable of resetting a password?

In other words, if they can give me my existing password via email, doesn't that mean that it's stored on their servers in a manner that anyone getting in to their servers would have access to everyone's passwords?

And, in case I'm correct, which I may not be, for how many years has it been "standard" to encrypt passwords in such a way that those who run the website/server should not be able to figure out what my password is?
 

lxskllr

No Lifer
Nov 30, 2004
Dunno about the timeline, but if a website sends you a pass in plain text, you can be sure the security is crap. A decent site will send a temporary password you log in with and change to something of your choice.
 

Scarinx

Junior Member
Jan 19, 2014
Yes, if a website sends out your pass without verifying that it is actually you, it is really crap. That's why most <secure> websites use your email, security questions and date of birth to verify it's you; then they give you a new one, not the same as the previous password.
Note: The security questions could probably be guessed by doxing their Facebook/Twitter.
 

Aldon

Senior member
Nov 21, 2013
Yes and no. Technically, they have access to your account, but not access to your password. If that particular website uses up-to-date password hashes or encryptions (there is a difference), then depending on how their password resets work (whether they're manually done or automatically), a random string consisting of letters and numbers (usually) is generated and encrypted or hashed, which is impossible to decode, 95% of the time.

However, if that website uses weak hashes/encryptions such as SHA1 or MD5, there are so-called rainbow tables, which are basically large databases of encrypted/hashed strings. These tables usually find simple strings commonly used by any repetition of SHA1 or MD5.
 

John Connor

Lifer
Nov 30, 2012
I have usually run into a website asking a security question. And since my answer doesn't match the question, I'm good to go. Like, a security question might be "What was your first friend's name?" My answer would be "Green".

Sometimes I have run into password resets where the whole password is reset temporarily and you have to create a new password.

On forums it's a hash and no one knows your password.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
If a website has a request password feature that simply sends your current password in plain text it means the server is storing it in plain text (or in a way which can be reversed into plain text easily) which by today's standards is VERY bad security practice.

If you come across anyone doing this - inform them of the issue and then make sure to report them to http://plaintextoffenders.com/ which will name and shame them until they correct their ways.

There are no real strict "standards" for this to my knowledge; most GOOD developers consider this best practice for security today. However, it does still occur, mostly by bad developers who lack good security knowledge and who are making bespoke websites or web services. (Most prepackaged CMS-style web solutions use hashed and salted passwords.)

Any web developers out there with hashed passwords also need to be using salts on their databases, randomly generated for each user (no static or repeated salts, and not based on the username); this defeats rainbow tables.

Between rainbow tables and GPU cracking you can break all combinations of the US95 charset up to length 8 for MD5 and SHA256 passwords with relative ease.
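An added example (not code from anyone in this thread) of the two practices the posts above describe: storing passwords only as per-user randomly salted hashes, and issuing a random reset token whose hash is all the server keeps. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count is an assumed starting point, not a value from the thread.

```python
"""Per-user salted password hashing plus hash-only reset tokens (added example)."""
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

ITERATIONS = 600_000  # assumption: tune to your latency budget


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Without a salt argument, a fresh random 16-byte
    salt is drawn, so two users with the same password get unrelated digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def issue_reset_token() -> Tuple[str, bytes]:
    """Generate a random reset token. The token goes to the user's email; only
    its SHA-256 digest is stored, so a database leak does not expose live tokens.
    A plain hash suffices here because the token itself is 256 bits of entropy."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).digest()


def verify_reset_token(presented: str, stored_hash: bytes) -> bool:
    """Hash what the user presents and compare it to the stored digest."""
    return hmac.compare_digest(hashlib.sha256(presented.encode()).digest(), stored_hash)


def same_password_differs_across_users(password: str) -> bool:
    """Why per-user salts defeat rainbow tables: the same password stored twice
    yields different digests, whereas unsalted MD5 yields the identical value."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    md5_a = hashlib.md5(password.encode()).digest()
    md5_b = hashlib.md5(password.encode()).digest()
    return d1 != d2 and md5_a == md5_b
```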
 

VirtualLarry

No Lifer
Aug 25, 2001
John Connor said:
I have usually run into a website asking a security question. And since my answer doesn't match the question, I'm good to go. Like, a security question might be "What was your first friend's name?" My answer would be "Green".

Sometimes I have run into password resets where the whole password is reset temporarily and you have to create a new password.

On forums it's a hash and no one knows your password.

I ran into a problem doing that with SW:TOR. I answered some of my security questions with one-word answers. Well, one of the security questions was, "favorite author".

And when they asked me the question, they asked me for the "last name" of that favorite author. Since I had only entered a one-word answer to that question, I was literally unable to give the "last name", and subsequently got locked out of my account for failing to answer the security question correctly.

Oh well, their game is as crap as their online security.

(Previously, I also had an issue logging in to their website and game, because my password was too many characters. Apparently, they had an invisible limit of 8 chars that could be recognized, but you could change your password to be more, but you just couldn't log in. Strange but true.)
 

John Connor

Lifer
Nov 30, 2012
Yeah, I have run into sites where the password was limited to about 8 chars and the rest didn't input. I caught it right away, but I was like, "What kind of stupid site only allows 8 chars?"

Never had a problem with my security question though. It's actually three words.

One thing I can never remember is my Origin password. Now I have to have them send it to my E-mail because I forgot the stupid thing. EA should have never messed around with Origin. Bad enough that you have to have an Internet connection just to play single player in BF2. No Internet, no playing. It's not like that for Sim City, for God's sake.
 