Password security

Sorry about the security post in this forum but this is the one I read and I didn't find a better one.

I became a registered user of cakewalk forums and provided a login name and password.

Then cakewalk forums emailed to me my login name and password. Oh no! I was shocked.

The password of your trusting members should never reside on your computers or anywhere in cyber space, unencrypted and plain text readable. That is a security weakness. Cakewalk should know better.

Upon receiving that email I know that cakewalk plus some web based email server has that information stored in readable form just waiting for a hacker to retrieve.

There is no need to do what you did. When I send my password it should first go through a one way encryption algorithm and the output of that unlocks my privileges. Never, ever, store the password itself!

It doesn't take a PhD in computer sciences or human behavior to grasp the breadth of the risk.

Sorry for the harsh rhetoric and I look forward to the responses.

I think the point is that if they do that with forum passwords, what do they do with user account passwords?

The OP has a point there, but every single forum I've signed in uses the same procedure.

The actual risk might rise from the fact that people tend to use the same password for many purposes, like  managing their energy bills on the power-companys site or other money-related traffic.

How many have the same, or almost the same password for Paypal and some forum?

Kalle Ranta-aho indeed understands the breadth of the risk.

Below is a snip of email from celemony. I like their approach to security.

Welcome to celemony_ forums

Please keep this e-mail for your records. Your account information is as follows:

... snip ...

Your password has been securely stored in our database and cannot be retrieved. In the event that it is forgotten, you will be able to reset it using the email address associated with your account.

Thank you for registering.

Your forum password is not stored in plain text in the database, this is only sent out when you create a new login or change your password.  This is not unlike other forum software.

Some companies have one login for their forums and store, we don't.  The Cakewalk store has it's own set of user databases and everything is encrypted in addition to using https.  The forum and Cakewalk store do not 'talk' to each other or share information.

As a general guideline you should probably never use the same password for forums as anything that is even remotely close to your personal or financial information.  Even if we disabled emailing the password there are thousands of sites that use the same forum software and even more that are using things like phpBB or vBulletin.  If someone with ill intentions did manage to hack into a web server running any of the popular forum software all they would have to do is download a trial version to wrap their heads around the database schema.

I do hear you loud and clear though just don't totally agree, after all its a forum not a financial institution.  If the general consensus though is please don't do that we can disable the emailing of passwords, but I can't guarantee we'll keep it off if a flood of new users call or email about losing their forum password.

Hey Willy... where do you keep the launch codes for the ICBM's? I'm having a hard time finding them on this site.

I thought ALL the websites I've had to sign up & in on did the same thing... cause I ALWAYS get an email with the log in and PW.....  and me, being the security conscious person that I am..... I write them down on a piece of paper that I keep laying on my desk right beside the computer. I tend to delete or otherwise loose the emails and what in the world happens when the log in email address is no longer valid and I have forgotten the log in & PW and have to use "retrieve log in/PW?

 If you want to minimize risk change your password right away...FYI also remove photo tags if you don't want them known. I did report one incident. I'm not loosing any sleep over it but it caused me to go on alert............At least they didn't get to those launch codes.

  Some of you use open servers. for pics.....a person can go on there and look around.....not that I have mind you.

I’m not sure I understand what the problem is, if there is one at all? Registration takes only a few mins. It takes even less time, once you press enter, for your details to be logged on the system and an E-mail confirming your details to be sent to you. Once you have validated your account it’s a simple matter to go in and CHANGE YOUR PASSWORD! The whole process, including registration, can be done in about three mins. However, assuming that someone is able to hack your account, what’s the worst they can do – get your E-mail address? WOW!

I can't get hackers to use my passwords.  They don't want to be associated with me.  They also said I didn't have anything they wanted.  Anymore.

Just to be safe, I've changed all my passwords to "********" - it's just better that way.

Meffy


Despite his nick being very like my name reversed, geoffemm is not someone who has hacked into my account to seize my user name (passwords are sooo passé). Just sayin'.

So nice to meet you Mmeffoeg.