2

I would like to ask if the passwords in the database are not encrypted if during registration I am receiving plain text password with username.

Michal Koczwara
  • 1,580
  • 3
  • 15
  • 27
  • 1
    During the typical initial registration process, you've supplied them your password in plaintext. Until the full process completes (including emails), the process still has it in plaintext form (even after salting/hashing a copy of the password for placement in a user account database). If you do an online password recovery process later on, and they email you your plaintext password, then indeed you know they have stored your password in plaintext somewhere. – cybermike Apr 18 '15 at 07:25
  • So basically it is a normal procedure receiving plain text password during registration? – Michal Koczwara Apr 18 '15 at 07:29
  • 2
    @M.K No, it's not normal, and it's a sign of bad security policies. It just doesn't necessarily mean that they store your password in plaintext (but now at least your mail server does). – tim Apr 18 '15 at 07:32
  • And any intermediary on the Internet, like perhaps if you looked at this email on open WiFi without using HTTPS. Even if your email uses HTTPS, if you use Gmail or the like, you've also let Google or Yahoo or Microsoft know your password too :) Concur with @Tim, this is a poor practice. – cybermike Apr 18 '15 at 07:35
  • I just recovered my password and I am receiving a different password each time (random numbers and letters).There is no link to enter new password. It means that database is not encrypted and passwords are not hashed? – Michal Koczwara Apr 18 '15 at 07:53
  • 1
    I suspect they are issuing you a *temporary password* that once you log in with it, the system will ask you to enter a new password of your choosing. Then it will email that new password to you in the clear again :) However, some really old password recoveries are badly designed, they could just make that random numbers/letters your password, and you would likely have to change the password in a profile settings somewhere. – cybermike Apr 18 '15 at 07:56
  • @cybermike Well yes and no. Yes they provide me a temporary password but after when I log into system there is no option or link to change/update my password. I need to use that "temporary" password. – Michal Koczwara Apr 18 '15 at 08:02
  • 2
    Jeeze this is a poorly implemented site. So if this site has important information about you or is in some way valuable to you, then you do have some cause to wonder just how well this site understands modern security necessities. If this is just some random site you don't really care about and has no significant information about you, then perhaps just ignore its flaws. – cybermike Apr 18 '15 at 08:05
  • Ok great. Thanks for the information and clarification. – Michal Koczwara Apr 18 '15 at 08:07

1 Answers1

3

You don't know.

You technically don't even know whether the password is stored at all, let alone whether it's stored hashed. Them being able to email you the password immediately after you tell it to them says nothing of storage.

tylerl
  • 82,665
  • 26
  • 149
  • 230