科技回声 (Tech Echo)

Tuts+ Premium Account Security Compromised

71 points by Lowgain, almost 13 years ago

18 comments

Dexec, almost 13 years ago
http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/
pwny, almost 13 years ago
Still storing clear text passwords in 2012, how the hell do these people have businesses? I mean, I learned about this stuff at age 12 while learning PHP on my own, how hard can it be?

Getting hacked happens, even to the best, but come on, how many times will we have to read blog posts like this one before people wake up? How hard can it be to hash and salt your passwords?

Glad I wasn't one of their customers (and never will be) but it's frustrating how we can't trust anyone with anything these days.
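Added example, not code from this thread, from Envato or from the membership plugin it discusses: the per-user salted, deliberately slow password hashing that the comment above asks for, using only Python's standard library. The record format, the parameter names and the sample password are my own assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 from the stdlib; a memory-hard KDF (scrypt, Argon2)
# is the stronger choice today, but the storage principle is the same.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' (assumed format).
    A fresh random salt per user means two users with the same password
    get different records, so a dumped table cannot be attacked in bulk."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time; anything that is not a well-formed record fails."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(parts[2]), int(parts[1])
    )
    return hmac.compare_digest(candidate, bytes.fromhex(parts[3]))


def needs_rehash(stored: str) -> bool:
    """True for records that are not hashed at all (a plaintext password, as in
    the breach discussed here) or that were hashed with fewer iterations than
    the current setting; call this after a successful login to upgrade them."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS


def demo() -> dict:
    pw = "correct horse battery staple"  # constructed sample password
    first, second = hash_password(pw), hash_password(pw)
    return {
        "same_password_different_records": first != second,
        "verify_correct": verify_password(pw, first),
        "verify_wrong": verify_password("Tr0ub4dor&3", first),
        "plaintext_flagged": needs_rehash(pw),
        "current_record_ok": not needs_rehash(first),
    }
```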
jgrahamc, almost 13 years ago
We should start a new award for web sites with crap password security. Let's name it after Robert Morris (Senior), who essentially invented password hashing.

A Morris Award would be a bit like a Darwin Award for people who've failed to learn anything about password security and in doing so have been exposed.

Recent Morris Award winners: LinkedIn, last.fm, eHarmony, Tuts+, ...
matdes, almost 13 years ago
I alerted them to the fact that their passwords were in plaintext a YEAR AGO. I got a response email on June 29, 2011 saying:

"Thanks for reporting the issue of plain text passwords to us. It's how passwords are handled with the membership software we use for Tuts+ Premium, which isn't extremely well coded and something we want to rebuild from scratch. In the meantime our dev team will be hacking the software to bring password security up to the best practices we advocate on our Tuts+ sites, like Nettuts+."

Not only was this issue brought up to them, they stated very clearly that they were working to bring their password security up to best practices. In a YEAR, they couldn't hack on a password hash or rebuild their plugin from scratch?

If anyone knows if there is a lawsuit pending that could use my email as evidence, please let me know.
vitomd, almost 13 years ago
"Our current Tuts+ Premium app makes use of a third party plugin that unfortunately stores passwords in cleartext (i.e. unencrypted)"

That makes me sad. If you use a plugin, you use it because it's a better and a proven solution, not because you are lazy. Sad day..
bluetidepro, almost 13 years ago
This is ridiculous. In the email I received from Envato it says the following:

"-- What To Do

(1) Update passwords on ANY service you use that uses the same password as you had on Tuts+ Premium.

(2) In particular you should consider your own email account, PayPal, Moneybookers, and other payment services. These are the most sensitive targets, and if you had the same password, you should consider this an urgent priority. If you can't remember what your Tuts+ Premium password was, we encourage you to change passwords on all services you use.

(3) If you use the same password on any other Envato service such as the Envato Marketplaces, you should change your password there too."

You have to be kidding me? Do I really need to start using unique passwords on every site that I use? This just blows me away that one site messes up and then I have to spend hours of my time figuring out which passwords to change, update, etc. This just frustrates me so much. I'm also very surprised they put this in the blog post:

"As a company that teaches and preaches best practices, it's deeply disappointing to me to not only have been the victim of a security attack, but to be running software that doesn't follow those same best practices. This is a situation we will be working to address."

...Based on what has happened to LinkedIn and others, aren't they easily setting themselves up for a lawsuit by blatantly saying they did not follow best practices?

Ugh. I'm just very sick of this crap happening. /rant
beezee, almost 13 years ago
What is really absurd is they've gone offline and given people no way to confirm their password. Their suggestion:

"If you can't remember what your Tuts+ Premium password was, we encourage you to change passwords on all services you use"

All I need is to try a handful of "important" passwords, make sure that none of them work for this compromised service, and I can go on with my day. But they figure, hey, if you can't remember our password, go change them all, not our problem.

Real brilliant way to handle it.
highpixels, almost 13 years ago
As a regular author for Tuts+ I am absolutely FUMING with them.
blissofbeing, almost 13 years ago
I'll never visit an envato site again, let alone pay for any of their services. I can understand everyone gets hacked, but cleartext! wtf.
dutchbrit, almost 13 years ago
Cleartext? Are you kidding me? I actually have an account there, sorry Envato but you just lost a customer.
stef25, almost 13 years ago
According to some comments the plugin in question is "amember", but there are several (old) posts on their forums saying they don't use plaintext. I'd be surprised if it was, but then again ...

http://www.amember.com/forum/threads/db-password-encryption-w-vbulletin.14466/
http://www.amember.com/forum/threads/password-on-resend-sign-up-info-is-encrypted.14218/
727374, almost 13 years ago
What really irks me are the weak excuses in that blog entry. I don't care that it was a 3rd party plugin or that you wanted to encrypt the passwords. You screwed up and endangered your users.
statictype, almost 13 years ago
I like how they blamed it on a "3rd party plugin".
mschalle, almost 13 years ago
Plain text? Are you KIDDING me?!
krambs, almost 13 years ago
Cleartext!
polysaturate, almost 13 years ago
If you're going to store passwords in clear text...

You're gonna have a bad time.
yashchandra, almost 13 years ago
It is high time a site's registration form/process has a confirmation box confirming that they do not store passwords unencrypted *before* the user clicks "sign me up". This is getting ridiculous. I unfortunately used another site recently that sent me my password back in clear text over email.
dutchbrit, almost 13 years ago
My email to Envato:

I seriously can't understand how Envato found it responsible to even implement something that saves plaintext passwords. You must have known when implementing it. If this "3rd party" plugin was so important, then implement the plugin later on when it is secure - you don't fuck around with private details. If it was important for the initial release, you shouldn't have launched until this was sorted.

You have hereby lost a customer. I now have to reset my password on a ton of forums and probably also themeforest. I will give you some other feedback. Maybe I'm blind but to login on Nettuts, don't make users have to scroll and look for a dinky login text.

On ThemeForest, seriously remove the fucking Captcha from the login form. Sorry for my French but seriously, on a contact or registration form, I could understand why. If you are afraid of brute force, there are other great ways to do so.

Fail, Sam Granger

Ps. You should read your own tutorials on security, they aren't too bad.