Hey guys, I'm @omervk, one of the co-founders and the maintainer of PTO. Always a pleasure to be featured on the front page of HN.

You're welcome to ask me questions, though we've covered most on our about page (http://plaintextoffenders.com/about). The one we haven't is usually "Is there an API/better search/new site coming?", to which the answer is that we're both doing this in our spare time and, though we really want to create something better to host this very important content, we can't spare the time. If you've got time and want to volunteer to create this new site, please let me know. :)

The case where you get your new password by mail when you just changed it does not necessarily mean it is stored in plain text. They could keep it around in memory just long enough to send it by mail.

Doesn't mean it is a good idea, though.
Scrape all the URLs from that website. Then write a browser extension that looks up the current tab's URL and turns red if it matches one of those domains. Use PRs to manage addition/subtraction of offenders to the list. Now even grandma knows when a website doesn't save your password safely and shaming them will have more impact.
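The matching logic such an extension would run on the active tab's URL, as an added example that is not code from the thread or from PTO. It assumes the offender list is kept as a plain-text file (one domain per line, `#` comments), which is what a PR-managed list would look like; the sample list here is constructed.

```javascript
// Added illustration, not PTO's code. Offender list format assumed: one domain per
// line, blank lines and "#" comments ignored. Sample entries below are constructed.
const SAMPLE_LIST_TEXT = [
  '# constructed sample, not the real PTO list',
  'example.com',
  'WWW.Bad.Example.org',
  '',
].join('\n');

// Normalise a hostname: lowercase, drop a trailing dot and a leading "www."
function normaliseHost(hostname) {
  let h = hostname.toLowerCase().replace(/\.$/, '');
  if (h.startsWith('www.')) h = h.slice(4);
  return h;
}

// Parse the PR-managed list into normalised domains.
function parseOffenderList(text) {
  return text
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && !line.startsWith('#'))
    .map(normaliseHost);
}

// True if the tab's host is a listed domain or a subdomain of one.
// Matching on a dot boundary stops "notexample.com" matching "example.com".
function isOffender(url, list) {
  let host;
  try {
    host = normaliseHost(new URL(url).hostname);
  } catch (e) {
    return false; // malformed URL: nothing to flag
  }
  if (!host) return false; // about:blank and similar have no host
  return list.some((d) => host === d || host.endsWith('.' + d));
}

// Badge decision the tab-update listener would hand to the browser's action API.
function badgeFor(url, list) {
  return isOffender(url, list) ? { text: '!', color: 'red' } : { text: '' };
}

const OFFENDERS = parseOffenderList(SAMPLE_LIST_TEXT);
```

In a real extension `badgeFor` would be called from a `tabs.onUpdated` listener and the list fetched from the repository rather than embedded.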
A lot of talk of passwording concentrates on threats at the technology end, and ignores threats at the user end.

Emailed passwords are a failure from a tech point of view, but they allow users to create more complex passwords without punishing them when they forget that password.

As it is, I now have situations where the complexity requirements of a password, combined with the fact that I need to sign in to a separate mobile app and I'm given no way of seeing what the password was when I created it, mean that I just throw my metaphorical hands in the air and reset it to the generic password "Green!12Letmein." on yet *another* account.

This is *wrong* of me. I know it's wrong, I'm aware of password-remembering services and I'm technical, but I still do it.

If I'm doing this, and you're doing this, then most of the world is doing it. By discounting passwords sent through email, we may be making overall security worse instead of better.

As far as I can remember, HN also (not a long time ago) was giving out plain-text passwords. I'm glad this was discontinued and a proper password recovery email is sent now.

http://i.imgur.com/sDt0DVK.png

But how does one handle password resets without resorting, in one form or another, to sending some info in plain text to users?

At least one website on the current front page is there because it sent a temporary password in plain text. I assume this happened because the user forgot his password. This says nothing about how they store passwords, and after all, how else would you handle a password reset? Send a password reset link? That's the same thing.

Sending passwords in plaintext back to the user after he has set/changed his password is clearly a security risk, but when it comes to temporary passwords or password resets, how else would that info be sent?

We already have a fairly good solution to this problem in OAuth. However, current popular implementations of OAuth are third-party owned, which is not desirable for many reasons (for example, Google won't use Facebook-owned OAuth, and vice versa).

Ideally, we should have a self-owned OAuth service implemented by browsers or operating systems. The APIs of this service should be standardized. Also, the storage should be locally available, with remote sync optionally available for backup and cross-device syncing.
Why are we still doing this? We've known how to do secure authentication without the remote end holding your secret for years via public keys. Everyone here likely does this every day with ssh. There is even a browser mechanism for generating personal certificates for web authentication. The correct long term solution to this ought to be making this solution more intelligible and accessible to users. To hell with passwords and password exchange. They are a huge bug on the internet.
Used a sportsbook a few years ago where the popup to view and update your account details, which had a hidden address bar in most browsers, contained "password=<yourpassword>" in the query string. I reported it but they assured me they were 'using encryption' and to look for the 'lock in my browser'. They were using SSL, but had no clue. The site probably handled millions of $ a week.
I say just mailman.

Anyone from Mozilla, EcmaScript, GnuPG and the like here?

Don't miss your monthly "password reminder" mail...

P.S. Just save ONLY a salted hash. Hash functions are designed to be one-way, so no one but you can restore your password. EVER.
I've just been thinking about this after receiving two such emails in one day this week. Submitted both to the archive, thanks so much for doing this!

Name and shame, that's the minimum to make them change.

usenetbucket.com

Usenet provider

Forgot password asks you to type a password, which it instantly emails back to you in plaintext.

Doesn't mean it *stores* it in plaintext.
Should really start doing this for sites using MD5/SHA1 for password hashing too, as using them is barely above plain text in terms of security these days.