DZone.com and Password security

I have forgotten my password for my DZone.com account, but lucky me most of this web-sites have a “Forgot password?” link as DZone has. So I clicked the link, entered my username and a second later I got a mail from DZone.

But the content really surprised me. Nowadays you would expect and especially from such big Web 2.0 web sites that password security is one of there top security priorities.

But look at he mail I got:

You or someone on dzone.com has requested a mail containing your password.

Username: xxxx
Password: here_is_my_password_in_clear_text

You can login to dzone.com at:

http://www.dzone.com/login.html

If you did not request this password email, please disregard it.

They are sending you the current password in clear text!!!

So what does that mean? It has to be stored in clear text or in a reversible crypted version on there system too! Have they every heard that you never ever store a password that way?!?! You always store it with a non-reversible crypto algorithm, so that if the data gets stolen or if somebody brakes into there system, he is not able to get the clear text passwords of there users.

Because with that information and the e-mail address, it’s most time quite easy to hack a lot of other accounts of that user! Most people don’t use different passwords for there different accounts.

I’m really surprised that such a big web-site has such a security flaw…

So you should really consider what password you are using on DZone.com…

8 thoughts on “DZone.com and Password security

  1. Patrick

    if they do not store the password in cleartext, how they can send it back to you anyway? in ciphertext?

    I believe they can do much better (I can tell them several ways to do this ;) (here is the rant – as everyone else who practe IT Audit) but DZone is not the only web site with similar “functionality”

    Peter

  2. Most of the forums has the feature to store the passwords in a cryptic form, and when you lost the password they’ll send you a link to reset it.

  3. @DZone is not the only web site with similar “functionality”

    And? While I “could” understand being sent my password by a site who’s niche isn’t technology. It is pretty poor when it’s a site that I read a lot of “better development practice” articles.

  4. Wow. Cleartext. One more reason to skip using this site. The other is that when clicking into a DZone link via iPhone you have to scroll past 8 (yes 8) screens of Ads to get to the article link.

  5. It’s always better to use one common password to use in sites which carries non confidential sites. Because at the time of registration you don’t know what type of mechanism they will use to store/retrive your password.

    I agree that dzone could do something better. (But haven’t tried this by clicking on ‘Forgot password?’ link)

    Anyway, if you use a single password for both dzone as well as your email account, then the problem is with you. Be more smart on choosing your passwords.

  6. Shame on you Dzone!

    Get an OpenID and use that for logging in instead. Then Dzone doesn’t have to know your passwords at all.

  7. Peter,

    instead of sending a CURRENT password (what means that you now the password) – you generate the new one, send it by email and ask the user to change it immediately (so you don`t need to know the password).

    Jan

Comments are closed.