April 11, 2014 Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8

I just received this email, which told me what my password is!
My password is stored as text?

Who is the sysadmin? They have *all your passwords*, along with potentially anyone else skillful enough to hack the database!

---------- Forwarded message ----------
From: <digitalmars-d-request@puremagic.com>
Date: 11 April 2014 00:16
Subject: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
To: turkeyman@gmail.com

Your membership in the mailing list Digitalmars-d has been disabled due to excessive bounces The last bounce received from you was dated 10-Apr-2014. You will not get any more messages from this list until you re-enable your membership. You will receive 3 more reminders like this before your membership in the list is deleted.

To re-enable your membership, you can simply respond to this message (leaving the Subject: line intact), or visit the confirmation page at

http://lists.puremagic.com/cgi-bin/mailman/confirm/digitalmars-d/9a85e83e9531356d37cfd8581573d167b99c16f8

You can also visit your membership page at

http://lists.puremagic.com/cgi-bin/mailman/options/digitalmars-d/turkeyman%40gmail.com

On your membership page, you can change various delivery options such as your email address and whether you get digests or not. As a reminder, your membership password is

[My password!!!] WHAT!!!11!one!

If you have any questions or problems, you can contact the list owner at

digitalmars-d-owner@puremagic.com

April 11, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Manu

On 4/11/2014 3:39 AM, Manu wrote:
> I just received this email, which told me what my password is!
> My password is stored as text?
>
> Who is the sysadmin? They have *all your passwords*, along with potentially
> anyone else skillful enough to hack the database!
>
Yea, like most mailing lists, it uses GNU mailman, which does that for some insane reason. One of the reasons I don't go anywhere near mailing lists whenever possible.

April 11, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Nick Sabalausky

On 11 April 2014 09:49, Nick Sabalausky <SeeWebsiteToContactMe@semitwist.com> wrote:
> On 4/11/2014 3:39 AM, Manu wrote:
>>
>> I just received this email, which told me what my password is!
>> My password is stored as text?

To be fair, it does warn you about it before you subscribe to the list. Maybe it didn't always?

April 11, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Matej Nanut

On 4/11/2014 3:56 AM, Matej Nanut wrote:
> On 11 April 2014 09:49, Nick Sabalausky
> <SeeWebsiteToContactMe@semitwist.com> wrote:
>> On 4/11/2014 3:39 AM, Manu wrote:
>>>
>>> I just received this email, which told me what my password is!
>>> My password is stored as text?
>
> To be fair, it does warn you about it before you subscribe to the
> list. Maybe it didn't always?
>
It might be buried in some wall of text somewhere.
I'm tempted to argue "It needs to be more prominent", but frankly it doesn't matter. The fact is, posting a big blinking sign that says "Warning! I'll punch your grandparents, glue your dog to a tree, and then rob you blind. Please enjoy doing business with me!" still doesn't make dumb pointless policies any less idiotic.

April 11, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Manu

On Friday, 11 April 2014 at 07:39:12 UTC, Manu wrote:
> as your email address and whether you get digests or not. As a
> reminder, your membership password is
>
> [My password!!!] WHAT!!!11!one!
>
> If you have any questions or problems, you can contact the list owner
> at
>
> digitalmars-d-owner@puremagic.com

Funny.
Plain text password stored on db.
Plain text password sent over smtp.
Plain text password in the wild: http://goo.gl/JykIcu

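The storage difference behind the post above, as an added example that is not part of the thread and is not Mailman's code: a store that keeps the password can mail it back, while a store that keeps only a salted PBKDF2 digest can verify a login and must replace the reminder with a one-time reset token. The class names, the iteration count and the sample address and password are assumptions constructed for illustration.

```python
import hashlib, hmac, secrets
ITERATIONS = 200_000  # assumed work factor; raise it as far as login latency allows

class PlaintextStore:
    """The 'before': the secret itself is kept, so it can be mailed back."""
    def __init__(self):
        self.db = {}  # user -> password
    def set_password(self, user, password):
        self.db[user] = password
    def reminder(self, user):
        return f"As a reminder, your membership password is {self.db[user]}"

class HashedStore:
    """The 'after': keeps a per-user salt and a PBKDF2 digest, never the password."""
    def __init__(self):
        self.db = {}      # user -> (salt, digest)
        self.resets = {}  # user -> SHA-256 of an outstanding reset token
    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.db[user] = (salt, self._kdf(password, salt))
    def verify(self, user, password):
        # Unknown users still pay for one KDF call, then fail on the length mismatch.
        salt, digest = self.db.get(user, (b"\0" * 16, b""))
        return hmac.compare_digest(self._kdf(password, salt), digest)
    def start_reset(self, user):
        # Replaces the reminder: mail a random one-time token, store only its hash.
        token = secrets.token_urlsafe(32)
        self.resets[user] = hashlib.sha256(token.encode()).digest()
        return token
    def finish_reset(self, user, token, new_password):
        expected = self.resets.pop(user, None)  # single use, even on a wrong guess
        given = hashlib.sha256(token.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, given):
            return False
        self.set_password(user, new_password)
        return True

def dump_exposes(db, password):
    """True if a copy of the stored rows contains the password text."""
    return password in repr(db)

if __name__ == "__main__":
    user, pw = "member@example.invalid", "constructed-sample-pw"  # constructed input
    plain, hashed = PlaintextStore(), HashedStore()
    plain.set_password(user, pw)
    hashed.set_password(user, pw)
    print(dump_exposes(plain.db, pw), dump_exposes(hashed.db, pw), hashed.verify(user, pw))
```
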
April 11, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Nick Sabalausky

On 11 April 2014 18:19, Nick Sabalausky <SeeWebsiteToContactMe@semitwist.com> wrote:
> On 4/11/2014 3:56 AM, Matej Nanut wrote:
>> On 11 April 2014 09:49, Nick Sabalausky <SeeWebsiteToContactMe@semitwist.com> wrote:
>>> On 4/11/2014 3:39 AM, Manu wrote:
>>>>
>>>> I just received this email, which told me what my password is! My password is stored as text?
>>
>> To be fair, it does warn you about it before you subscribe to the list. Maybe it didn't always?
>
> It might be buried in some wall of text somewhere.
>
> I'm tempted to argue "It needs to be more prominent", but frankly it doesn't matter. The fact is, posting a big blinking sign that says "Warning! I'll punch your grandparents, glue your dog to a tree, and then rob you blind. Please enjoy doing business with me!" still doesn't make dumb pointless policies any less idiotic.

Well I missed it apparently.

I'm extremely shocked, and rather angry. This is my 'low security risk' password, but I do share my low-security password among a few sites (I presume this is common practise), and I'm quite unimpressed to find such a blatant disregard for my personal security and privacy from - of all things - a forum full of smart, talented, and experienced programmers!
Now I have to change my password everywhere, and remember to remember a special one just for this one forum! >_< ... at least I know it'll remind me what it is if I forget!

April 11, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Manu

On Fri, 11 Apr 2014 08:01:33 -0400, Manu <turkeyman@gmail.com> wrote:
> Well I missed it apparently.
>
> I'm extremely shocked, and rather angry. This is my 'low security risk'
> password, but I do share my low-security password among a few sites (I
> presume this is common practise), and I'm quite unimpressed to find such a
> blatant disregard for my personal security and privacy from - of all things
> - a forum full of smart, talented, and experienced programmers!
> Now I have to change my password everywhere, and remember to remember a
> special one just for this one forum! >_< ... at least I know it'll remind
> me what it is if I forget!

If, after the last year of hacking, and the heartbleed bug, people are not using password tracker/generators, you haven't learned anything :)

Every single one of my passwords is some random horrible set of characters, that even I don't know. And I can change them at any time without any worry of forgetting.

I use lastpass premium, $1/month. I started using it when a web site that I created a user for, to comment *once* on an article, ended up having its passwords stolen (in encrypted form), and I realized I had used the same password as my bank, credit card, email, etc.

A good article on password managers: http://www.pcmag.com/article2/0,2817,2407168,00.asp

As a bonus, I keep all kinds of info in my last pass vault, that I would normally have to write down (like safe combinations, or key codes for doors). It's really cool to have an infinite memory for infrequently used, but very important things, that only I can access :)

They just updated their "challenge" tool to scour your passwords, tell you which ones are for sites that were affected by the heartbleed bug, whether those sites are now safe or not (including whether the certificate is new or not), and whether your password predates them making their site safe (so you should go change the password).

-Steve

April 11, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Steven Schveighoffer

I swear by LastPass as well. It's a great tool.

April 11, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Steven Schveighoffer

On Friday, 11 April 2014 at 12:18:38 UTC, Steven Schveighoffer wrote:
> If, after the last year of hacking, and the heartbleed bug, people are not using password tracker/generators, you haven't learned anything :)
Remembering 15-20 different passwords is less of a burden to me than regularly verifying the code of password tracker browser extensions and infrastructure involved. And blindly using 3rd-party tool for something that critical just does not make sense.

April 11, 2014 Re: Fwd: confirm 9a85e83e9531356d37cfd8581573d167b99c16f8
Posted in reply to Dicebot

On Friday, 11 April 2014 at 15:39:35 UTC, Dicebot wrote:
> And blindly using 3rd-party tool for something that critical
> just does not make sense.
The most secure password tracker for the majority of people is a plain piece of paper put away in your desk. The odds that somebody will physically break into your home/office and grab your passwords off paper is a lot lower than the odds that some random browser bug will pwn you.
The odds are a bit higher in the office so work passwords might be a different story, but still, making somebody go through the hassle of actually going there in real life is going to set the bar a LOT higher than a script kiddie with a MitM exploit or whatever collecting them en masse.
BTW also use complete sentences for passwords. A lot easier to remember in your brain, easy to vary, and hard for others to guess. You can use a pattern to easily remember them all. For example, your reddit password might be "Reddit is a steaming pile of horse crap!", your twitter password might be "160 characters per message?! Yeah, right, what a spam haven." and your bank password would be "Capshort12" because they had the brilliant idea of truncating passwords at a certain number of characters.... blargh well it doesn't work everywhere.
But I do something like this, and if I ever forget a password, I just use the site for a minute, something about it will piss me off, and then, boom the password comes right back to my mind!
Copyright © 1999-2021 by the D Language Foundation