THE BLUE CROWN - Official Topic


THE BLUE CROWN - Official Topic
« on: July 17, 2014, 11:35:17 PM »
 

Don Boyer

  • VP/Dir. Club Forum/DAC Chair, 52 Plus Joker
  • Administrator
  • Forum Sentinel
  • *
  • 19,172
    Posts
  • Reputation: 415
  • Pick a card, any card...no, not THAT card!

  • Facebook:
As the official company topics grow, I've created a daughterboard of the Plethora for them to thrive in!

Please welcome the newest member and Discourse Agent - The Blue Crown!  Alex Pandrea and his company truly need no introduction - they've created dozens of decks of cards over the years, some of which are modern classics and staples of the magic world.

Keep an eye out here for the latest news from TBC!
Card Illusionist, NYC Area
Playing Card Design & Development Consultant
Deck Tailoring: Custom Alterations for Magicians and Card Mechanics
Services for Hire - http://thedecktailor.com/
Pre-Made Decks for Sale - http://donboyermagic.com/
 

Re: THE BLUE CROWN - Official Topic
« Reply #1 on: September 23, 2014, 08:42:12 PM »
 

doubledouble

  • True Member
  • *
  • 49
    Posts
  • Reputation: 3
Sent a message through their site, but figured I'd also post here to let other people know. Just signed up for an account on TBC's website and placed an order, but I received a welcome email WITH MY PASSWORD IN PLAINTEXT. This is really bad. Like really really bad. A website that has people inputting their CC and personal info should never be sending out passwords in plain text. Please fix this or your site's reputation will suffer.
 

Re: THE BLUE CROWN - Official Topic
« Reply #2 on: September 23, 2014, 09:25:34 PM »
 

Fess

  • 52 Plus Joker Member
  • Aficionado
  • *
  • 1,444
    Posts
  • Reputation: 26
  • ;)
Just received this in an email from The Blue Crown. Pretty great free deck offer.

End of Summer - Free Decks!
We couldn't think of a better way to say goodbye to the summer season than to give away some awesome decks! For 24 hours (or while supplies last) we are going to give away a SET of our vibrant Summer NOC decks with orders over $50. That's right, place an order with a subtotal of $50 or higher and at least one shippable item and we will include TWO free decks (One Orange and One Light Blue) absolutely FREE! One of our most popular versions of the NOC series, these colors have long been sold out, so don't miss your chance to grab them!

NOTE - Summer NOC deck giveaway is open for 24 hours or while supplies last. Orders must be placed between 8PM eastern time on September 23 2014 and 8PM eastern time on September 24 2014 with a subtotal of $50 or higher and at least 1 (one) shippable item to qualify. Shipping fees do not count towards subtotal. Free gifts will be automatically added to cart if supplies are available and order qualifies. Void where prohibited.
Part of my Collection updated infrequently but occasionally, when I remember. (I haven't in months.)
 

Re: THE BLUE CROWN - Official Topic
« Reply #3 on: September 24, 2014, 02:50:21 AM »
 

Don Boyer

> Sent a message through their site, but figured I'd also post here to let other people know. Just signed up for an account on TBC's website and placed an order, but I received a welcome email WITH MY PASSWORD IN PLAINTEXT. This is really bad. Like really really bad. A website that has people inputting their CC and personal info should never be sending out passwords in plain text. Please fix this or your site's reputation will suffer.

If I'm not mistaken, you can also use PayPal to make payments.  No, it's not good to send unprotected passwords, but at least you have payment alternatives that are secure independent of the site.
 

Re: THE BLUE CROWN - Official Topic
« Reply #4 on: September 24, 2014, 09:04:43 PM »
 

Fess

> > Sent a message through their site, but figured I'd also post here to let other people know. Just signed up for an account on TBC's website and placed an order, but I received a welcome email WITH MY PASSWORD IN PLAINTEXT. This is really bad. Like really really bad. A website that has people inputting their CC and personal info should never be sending out passwords in plain text. Please fix this or your site's reputation will suffer.
>
> If I'm not mistaken, you can also use PayPal to make payments.  No, it's not good to send unprotected passwords, but at least you have payment alternatives that are secure independent of the site.

There is no problem at all with the store side of the website. I've ordered two or three times from The Blue Crown website this month alone haha. There's nothing amiss with the paying side at all. Just wanted to post to make it clear, the pay side of the site works like every other one out there. Secure sale and clean emails. The Blue Crown also has prompt shipping and above average packing. I've yet to receive any damaged product. Good stuff all around. :D

The password thing, different ball of wax entirely. I just delete those types of emails as soon as I receive them, so didn't really bother me too much. Only happens once upon signing up and it's sent to you during confirmation; really didn't go out of my way to pound the delete button. I can certainly see how it could concern someone though. :)
 

Re: THE BLUE CROWN - Official Topic
« Reply #5 on: September 24, 2014, 09:22:23 PM »
 

Godzillian

  • Newcomer
  • *
  • 2
    Posts
  • Reputation: 1
> > > Sent a message through their site, but figured I'd also post here to let other people know. Just signed up for an account on TBC's website and placed an order, but I received a welcome email WITH MY PASSWORD IN PLAINTEXT. This is really bad. Like really really bad. A website that has people inputting their CC and personal info should never be sending out passwords in plain text. Please fix this or your site's reputation will suffer.
> >
> > If I'm not mistaken, you can also use PayPal to make payments.  No, it's not good to send unprotected passwords, but at least you have payment alternatives that are secure independent of the site.
>
> There is no problem at all with the store side of the website. I've ordered two or three times from The Blue Crown website this month alone haha. There's nothing amiss with the paying side at all. Just wanted to post to make it clear, the pay side of the site works like every other one out there. Secure sale and clean emails. The Blue Crown also has prompt shipping and above average packing. I've yet to receive any damaged product. Good stuff all around. :D
>
> The password thing, different ball of wax entirely. I just delete those types of emails as soon as I receive them, so didn't really bother me too much. Only happens once upon signing up and it's sent to you during confirmation; really didn't go out of my way to pound the delete button. I can certainly see how it could concern someone though. :)

I figure that this should be my first official post, since people should know this. Fess, if you already know this, my apologies. This info might be useful for others who are wondering "What's the big deal?" though.

Here are some relevant links on the errors and dangers of storing/sending passwords as plain text.
http://security.stackexchange.com/questions/17979/is-sending-password-to-user-email-secure
http://security.stackexchange.com/questions/160/what-type-of-content-better-not-to-transfer-by-email?rq=1
https://stormpath.com/blog/why-you-might-want-to-store-your-passwords-in-plain-text/

It's not about what you do with the plain-text password - it's what others can do with it.

The usual way to store a password is to put it through an algorithm to produce a string that is not your password. For example, your password is "12345". You put it through the algorithm (e.g. hash function) to produce "abcde" instead. This way, it slows any hacker down because they still need to reverse-engineer the algorithm in order to get to your original password.

There have been several password leakages in history, like Yahoo, Facebook, Gmail, etc. The 3 mentioned companies most likely store their passwords using an algorithm/hash method to make it harder for people to steal & translate. If people were able to steal non-plain-text passwords from major companies, think about how easy Blue Crown is making it for them?

Here's a link on hashing passwords: http://security.blogoverflow.com/2011/11/why-passwords-should-be-hashed/

EDIT:
From that last link:
"A drawback of password hashing is that since you do not store the passwords themselves (but only a piece of data which is sufficient to verify a password without being able to recover it), you cannot send back their passwords to users who have forgotten them."

If Blue Crown is sending you your password in plain-text, then there could be these 2 possibilities: either their hash algo is 2-way, or they literally store their password in plain-text.  :mindf-ck:

If anyone with more technical experience than I (QA guy who majored in Computing Science) would like to add or correct me, please do!
« Last Edit: September 24, 2014, 10:41:07 PM by Godzillian »
 

Re: THE BLUE CROWN - Official Topic
« Reply #6 on: September 24, 2014, 09:46:43 PM »
 

Fess

Wow, I had no idea. Thanks for the post, very interesting and good to know stuff in there. I do believe I'll go on a password changing spree soon.
 

Re: THE BLUE CROWN - Official Topic
« Reply #7 on: September 25, 2014, 01:50:44 AM »
 

bamabenz

  • 52 Plus Joker Member
  • Elite Member
  • *
  • 171
    Posts
  • Reputation: 10
There is no conceivable reason for any site to send you your password in plaintext. It doesn't matter how they are storing it, the fact that they send out your password indicates that they don't know a lot about security. If you only use a PayPal account for checkout it probably doesn't matter that much to you, because they don't see your credit card/bank account info. However, I would never type credit card info into their site. If they follow good security practices then they should never actually store your credit card info, but emailing passwords in plain text is sort of an indicator, right?

As Godzillian said, they could be storing passwords in plain text or with two-way encryption. Two-way encryption isn't quite as safe, as that means if they get hacked, bad guys possibly could decrypt the passwords (lots of detailed factors are involved that indicate how hard this would be). Normal practice is to 'salt' and hash the password. The salt adds protection from a dictionary attack if the password database is stolen.

Bottom line is better safe than sorry. I've had my credit card info stolen from what used to be my favorite goody store. It's a pain in the butt, as you're vulnerable to both the hassle of replacing your card and also identity theft, which means dealing with credit bureaus so bad guys can't go to town on your ass.

/bama
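
The salt-and-hash storage and the "cannot send the password back" consequence discussed in the posts above, as an added example that is not part of the thread and not The Blue Crown's code. It assumes PBKDF2-HMAC-SHA256 as the hash, a constructed iteration count, and hypothetical function names; the forgotten-password path emails a one-time token instead of the password.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 600_000  # constructed work factor for PBKDF2-HMAC-SHA256


def _derive(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def hash_password(password: str) -> dict:
    """Record to store at signup: a random per-account salt and the derived key."""
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "key": _derive(password, salt)}


def verify_password(attempt: str, record: dict) -> bool:
    """Re-derive from the login attempt and compare in constant time."""
    derived = _derive(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(derived, record["key"])


def issue_reset_token(pending: dict, user: str) -> str:
    """Forgotten password: the email carries a one-time token, never the password."""
    token = secrets.token_urlsafe(32)
    pending[user] = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
    return token


def redeem_reset_token(pending: dict, user: str, token: str,
                       new_password: str) -> Optional[dict]:
    """Return a fresh password record if the token matches, else None."""
    expected = pending.get(user)
    presented = hashlib.sha256(token.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    del pending[user]  # single use
    return hash_password(new_password)


if __name__ == "__main__":
    a, b = hash_password("12345"), hash_password("12345")
    print("same password, different stored keys:", a["key"] != b["key"])
    print("correct login:", verify_password("12345", a))
    print("wrong login:", verify_password("12346", a))
```

A production reset flow would also give the token an expiry time; that is left out here to keep the example short.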