At 7/29/03 7:42 PM, Josh Levine wrote:
>Is it worrisome to anyone else that there's now a page that you can
>request to have any reseller's password emailed in plain text to the
>emergency contact address with no verification required whatsoever?
I was even more worried that it indicates that the plaintext password is
stored on OpenSRS's servers somewhere, which is a serious security flaw.
The password should be stored in OpenSRS records as an MD5 hash, Unix
crypt output, or another one-way algorithm, not plaintext. That way
anyone breaking into OpenSRS's systems would not be able to obtain the
passwords.
If someone loses their password, OpenSRS could send a message containing
either a "password reset" URL or a temporary random password that's valid
for only a few hours, instead.
-- Robert Mathews, Tiger Technologies
"Clever things make people feel stupid, and unexpected things make them feel scared."
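As an added example (not code from this thread or from OpenSRS), here is the scheme Robert describes: only a one-way hash of the password is kept, and a lost password is handled with a random, single-use reset token that expires after a few hours. It uses salted PBKDF2 in place of MD5 or Unix crypt, since those are no longer adequate for password storage; the ResellerStore class, its method names and the sample records are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000
RESET_TOKEN_TTL = 3 * 3600  # reset link is valid for a few hours only


def hash_password(password, salt=None):
    """Return (salt, derived_key). Only these are stored; the password never is."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password, salt, stored_dk):
    """Recompute the hash and compare in constant time."""
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, stored_dk)


class ResellerStore:
    """Constructed in-memory stand-in for the server-side reseller records."""

    def __init__(self):
        self.accounts = {}      # username -> {"salt", "dk", "contact"}
        self.reset_tokens = {}  # sha256(token) -> (username, expires_at)

    def register(self, username, password, contact):
        salt, dk = hash_password(password)
        self.accounts[username] = {"salt": salt, "dk": dk, "contact": contact}

    def login(self, username, password):
        acct = self.accounts.get(username)
        return acct is not None and verify_password(password, acct["salt"], acct["dk"])

    def issue_reset_token(self, username, now=None):
        """Random single-use token to put in the emailed reset URL instead of a password.
        Only its hash is stored, so reading the database does not yield usable tokens."""
        now = time.time() if now is None else now
        if username not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).digest()
        self.reset_tokens[key] = (username, now + RESET_TOKEN_TTL)
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        """Accept the token once, reject it after expiry, then set the new password hash."""
        now = time.time() if now is None else now
        entry = self.reset_tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        salt, dk = hash_password(new_password)
        self.accounts[username].update(salt=salt, dk=dk)
        return True
```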
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:37:45 EDT