Playing Card Plethora / Re: THE BLUE CROWN - Official Topic
« on: September 24, 2014, 09:22:23 PM »
Sent a message through their site, but figured I'd also post here to let other people know. Just signed up for an account on TBC's website and placed an order, but I received a welcome email WITH MY PASSWORD IN PLAINTEXT. This is really bad. Like really really bad. A website that has people inputting their CC and personal info should never be sending out passwords in plain text. Please fix this or your site's reputation will suffer.
If I'm not mistaken, you can also use PayPal to make payments. No, it's not good to send unprotected passwords, but at least you have payment alternatives that are secure independent of the site.
There is no problem at all with the store side of the website. I've ordered two or three times from The Blue Crown website this month alone haha. There's nothing amiss with the paying side at all. Just wanted to post to make it clear, the pay side of the site works like every other one out there. Secure sale and clean emails. The Blue Crown also has prompt shipping and above average packing. I've yet to receive any damaged product. Good stuff all around.
The password thing, different ball of wax entirely. I just delete those types of emails as soon as I receive them, so it didn't really bother me too much. It only happens once upon signing up, and it's sent to you during confirmation, so I really didn't go out of my way to pound the delete button. I can certainly see how it could concern someone though.
I figure that this should be my first official post, since people should know this. Fes, if you already know this, my apologies. This info might be useful for others who are wondering "What's the big deal?" though.
Here are some relevant links on the errors and dangers of storing/sending passwords as plain text.
http://security.stackexchange.com/questions/17979/is-sending-password-to-user-email-secure
http://security.stackexchange.com/questions/160/what-type-of-content-better-not-to-transfer-by-email?rq=1
https://stormpath.com/blog/why-you-might-want-to-store-your-passwords-in-plain-text/
It's not about what you do with the plain-text password - it's what others can do with it.
The usual way to store a password is to put it through an algorithm to produce a string that is not your password. For example, your password is "12345". You put it through the algorithm (e.g. hash function) to produce "abcde" instead. This way, it slows any hacker down because they still need to reverse-engineer the algorithm in order to get to your original password.
There have been several password leakages in history, like Yahoo, Facebook, Gmail, etc. The 3 mentioned companies most likely store their passwords using an algorithm/hash method to make it harder for people to steal & translate. If people were able to steal non-plain-text passwords from major companies, think about how easy Blue Crown is making it for them?
Here's a link on hashing passwords: http://security.blogoverflow.com/2011/11/why-passwords-should-be-hashed/
EDIT:
From that last link:
"A drawback of password hashing is that since you do not store the passwords themselves (but only a piece of data which is sufficient to verify a password without being able to recover it), you cannot send back their passwords to users who have forgotten them."
If Blue Crown is sending you your password in plain-text, then there could be these 2 possibilities: either their hash algo is 2-way, or they literally store their password in plain-text.
If anyone with more technical experience than I (QA guy who majored in Computing Science) would like to add or correct me, please do!
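To show what the post above means by a one-way hash that can verify a password but never hand it back, here is an added example of my own (not code from the thread or from the Blue Crown site): a minimal user record that stores only a salted PBKDF2 hash, so a welcome email has nothing to put in it but a pointer to a reset flow. The function names, the record layout and the iteration count are my own assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: the record keeps only salt + hash, never the password.
PBKDF2_ITERATIONS = 600_000  # assumed work factor, not from the thread


def make_password_record(password: str) -> dict:
    """Derive a per-user salted hash; the plaintext is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": PBKDF2_ITERATIONS}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def welcome_email_body(username: str, record: dict) -> str:
    """A hash-only site cannot echo the password: the record does not contain it."""
    assert "password" not in record  # nothing here can be turned back into the plaintext
    return f"Welcome, {username}! If you forget your password, use the reset link on the site."


def issue_reset_token(record: dict) -> str:
    """Forgotten-password path for a one-way hash: mint a random single-use token,
    store only its hash, and send the token itself to the user."""
    token = secrets.token_urlsafe(32)
    record["reset_token_hash"] = hashlib.sha256(token.encode()).digest()
    return token


def redeem_reset_token(record: dict, token: str, new_password: str) -> bool:
    """Consume the token (single use, even on a wrong guess) and set a new hash."""
    expected = record.pop("reset_token_hash", None)
    presented = hashlib.sha256(token.encode()).digest()
    if expected is None or not hmac.compare_digest(presented, expected):
        return False
    record.update(make_password_record(new_password))
    return True
```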