Storing passwords in plain text.
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.
#1 / Jun 26, 2012 11:12am
Storing passwords in plain text.
NOTE: They use the same password on all their sites so you need to change it in one place.
#2 / Jun 27, 2012 1:59am
Storing passwords in plain text.
NOTE: They use the same password on all their sites so you need to change it in one place.
Hits self in head! I just posted the same thing because I didn’t see your post.
#3 / Jun 27, 2012 9:22am
I love their top tutorial right now: ‘Understanding Hash Functions and Keeping Passwords Safe’.
LOL
#4 / Jun 27, 2012 10:10am
I love their top tutorial right now: ‘Understanding Hash Functions and Keeping Passwords Safe’.
LOL
That’s pretty ironic, right? I grinned as I read it this morning.
#5 / Jun 27, 2012 11:13am
I’m glad I’m not CEO or owner of Tuts+ right now. I can only imagine his anxiety over the lawsuits pouring in. If LinkedIn was using SHA1 without salt and is getting sued for 5M, then what does this mean for Tuts+?
#6 / Jun 27, 2012 12:12pm
I read yesterday that some guy got taken for $120.00 out of his PayPal account because he used the same login and password on nettuts+.
I got a feeling lawsuits are going to start flying.
#7 / Jun 27, 2012 12:31pm
I read yesterday that some guy got taken for $120.00 out of his PayPal account because he used the same login and password on nettuts+.
I got a feeling lawsuits are going to start flying.
It might even be PayPal suing Tuts+. It kinda sucks, because although I only find about 20% of stuff on Tuts+ worth reading, I still liked to go there. I hope they don’t get sued beyond recognition, although they sort of deserve it. I saw a few people’s comments about how they had told Tuts+ a year ago that there was a problem, so it’s total negligence on the part of Tuts+ for not doing something.
#8 / Jun 27, 2012 1:04pm
Yes, they should have fixed it when they knew about the problem. As far as the guy with the PayPal it’s his own fault for using the same login and password on the same sites.
I have separate logins for regular use, and then I have a very strong login and password for my PayPal, bank, etc., nothing like what I use for regular website browsing.
What most people do know about nettuts+ is that all of their sites use the same login and password.
So it makes you wonder how they can say that only nettuts+ was hacked.
I’ll bet that they were using the same third party plugin for all their sites because they all use the same login and password.
#9 / Jun 27, 2012 4:10pm
These two articles on that topic are very interesting:
Tuts+ Premium Account Security Compromised
Update on Tuts+ Premium Security Breach
They also show that it wasn’t directly Tuts+’s problem that the passwords were stored in plaintext. They used a third party software/plugin which stores the data plain. I know this doesn’t change the fact that they knew about this security issue (Tuts+ was working on a solution as article 1 states) and still used the plain passwords, but it also shows that you should know what the software you are incorporating into your software does and where its vulnerabilities are.
#10 / Jun 27, 2012 5:33pm
These two articles on that topic are very interesting:
Tuts+ Premium Account Security Compromised
Update on Tuts+ Premium Security Breach
They also show that it wasn’t directly Tuts+’s problem that the passwords were stored in plaintext. They used a third party software/plugin which stores the data plain. I know this doesn’t change the fact that they knew about this security issue (Tuts+ was working on a solution as article 1 states) and still used the plain passwords, but it also shows that you should know what the software you are incorporating into your software does and where its vulnerabilities are.
I guess what baffles me is that here is a website dedicated to tutorials related to what we do, but they didn’t fix something that would have been super easy to fix. Even a total noob would have known that storing the passwords as cleartext was wrong, and fixing that would have been easy.
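The "super easy" fix the posters describe, shown here as an added example that is not code from the thread, from Tuts+ or from the plugin they used: a per-user random salt plus an iterated key derivation (PBKDF2-HMAC-SHA256 from Python's standard library), placed beside the unsalted single SHA1 scheme post #5 attributes to LinkedIn. The record format, iteration count and the sample password are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential for the demonstration only (not real data).
SAMPLE_PASSWORD = "correct horse battery staple"

# Assumed parameters for this example. A production system would normally
# use a dedicated password hash (bcrypt, scrypt or Argon2) and tune the cost
# to its hardware; the idea (random salt + slow, iterated hash) is the same.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
RECORD_TAG = "pbkdf2_sha256"


def unsalted_sha1(password: str) -> str:
    """The weak scheme discussed in post #5: one fast hash, no salt.

    Every user with the same password gets the same digest, so one
    precomputed table (or one cracked value) covers all of them at once.
    Kept here only as the 'before' for comparison.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: tag$iterations$salt_hex$digest_hex.

    A fresh random salt per user means identical passwords no longer share
    a digest, and the iteration count makes each guess expensive.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{RECORD_TAG}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.

    The iteration count is read back from the record, so old records keep
    verifying after the default cost is raised for new ones.
    """
    tag, iterations, salt_hex, digest_hex = record.split("$")
    if tag != RECORD_TAG:
        raise ValueError("unsupported password record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def digests_collide(scheme_a: str, scheme_b: str) -> bool:
    """True when two stored values for the same password are identical,
    which is exactly the property a salt is there to remove."""
    return scheme_a == scheme_b


if __name__ == "__main__":
    # Two users choosing the same password: SHA1 exposes that fact, the
    # salted record does not.
    print("unsalted collide:",
          digests_collide(unsalted_sha1(SAMPLE_PASSWORD),
                          unsalted_sha1(SAMPLE_PASSWORD)))
    rec = hash_password(SAMPLE_PASSWORD)
    print("salted collide:  ",
          digests_collide(rec, hash_password(SAMPLE_PASSWORD)))
    print("verify correct:  ", verify_password(SAMPLE_PASSWORD, rec))
    print("verify wrong:    ", verify_password("hunter2", rec))
```

The record stores everything needed to verify (algorithm, cost, salt), so nothing secret sits in the database beyond the digest itself, and a leaked table gives an attacker only the opportunity to run the expensive derivation once per guess per user.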
#11 / Jun 27, 2012 9:29pm
They will probably lose a lot of customers and developers over all this when said and done.
The one question still to be asked is how they hacked into their server? Seems like they also have some security issues.
I would just like to know why these companies always wait until the last moment to fix the security issues or until they do get hacked.
#12 / Jun 28, 2012 8:05am
I hated seeing the email when I got it. There will be a huge loss of customers - if you read the comments on their blog post - a lot of customers already said they’re backing out. They blame it on the plug-in that they use for their site - but once they found out - they should have taken immediate action - mission critical status (even if it meant taking the site down and compensating those days to members). They were hoping to get around it in the background while they implemented a fix - but that obviously didn’t pan out for them.
Would be nice to know how someone got into their servers. Lesson learned I guess.