They should have been fined more than a measly €20k in my opinion. As a developer I'm deeply ashamed that people are still storing user passwords in plain text. There is no reason behind this behaviour whatsoever, other than pure laziness ...
When the breach was announced, they revealed that they did not store the passwords themselves in plain text, but had a second store that did, so they could prevent users from posting their passwords in chats. [0]
Still stupid, but at least they had good intentions, just bad execution.
Huh, that's actually... a decent-sounding intention.
Is there any way to do that in a secure manner? Because a hash says nothing about the length of a password (and you certainly don't want to store the length, which would make the attack space much smaller)... so if passwords are anywhere, say, from 8-64 characters, then for each chat message you'd need to hash every possible consecutive string of characters for every possible window size separately, which if the hash is even remotely computationally intensive could possibly turn into too much -- especially if being done on the server instead of the client (in order not to expose the hash and salt).
Is this just something it's not possible to protect against?
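An added example (not from the thread, and not Knuddels' code) that puts numbers on the windowed-hashing approach crazygringo describes: every substring of every allowed length is run through the same salted, deliberately slow password hash and compared against the stored digest. The salt, the iteration count, the password and the chat messages are all constructed for the demonstration; PBKDF2-HMAC-SHA256 stands in for whatever KDF a real site would use.

```python
import hashlib
import hmac

MIN_LEN = 8   # assumed minimum password length
MAX_LEN = 64  # assumed maximum password length


def candidate_windows(message_len, min_len=MIN_LEN, max_len=MAX_LEN):
    """Number of substrings of a message that would have to be hashed
    when every window size between min_len and max_len is tried."""
    return sum(max(0, message_len - w + 1) for w in range(min_len, max_len + 1))


def hash_password(password, salt, iterations):
    """Salted slow hash; the iteration count is what makes per-window
    checking expensive, exactly as it is meant to for offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def message_contains_password(message, salt, stored_hash, iterations,
                              min_len=MIN_LEN, max_len=MAX_LEN):
    """Slide every window over the chat message and hash each candidate.
    Returns (found, hashes_computed) so the cost of a check is visible."""
    hashes_computed = 0
    for w in range(min_len, max_len + 1):
        for i in range(len(message) - w + 1):
            hashes_computed += 1
            digest = hash_password(message[i:i + w], salt, iterations)
            # constant-time compare, as for any password-hash comparison
            if hmac.compare_digest(digest, stored_hash):
                return True, hashes_computed
    return False, hashes_computed


def estimated_seconds(message_len, seconds_per_hash):
    """Rough server-side cost of one chat message at a given KDF cost."""
    return candidate_windows(message_len) * seconds_per_hash


if __name__ == "__main__":
    # constructed demo values: a real deployment would use a random 16+ byte
    # salt per user and a far higher iteration count
    salt = b"constructed-demo-salt"
    iterations = 1000
    stored = hash_password("hunter2hunter2", salt, iterations)

    leaking = "lol my password is hunter2hunter2 haha"
    print(message_contains_password(leaking, salt, stored, iterations))
    harmless = "no secrets in this message here"
    print(message_contains_password(harmless, salt, stored, iterations))
    # a 100-character message at a realistic 0.1 s per hash
    print(candidate_windows(100), estimated_seconds(100, 0.1), "seconds")
```

The point the numbers make is the one in the comment: the KDF cost that makes offline guessing slow is multiplied by thousands of windows per message, so a 100-character line at 0.1 s per hash costs several minutes of server CPU, and it scales with traffic, not with attackers.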
So you think that someone who's capable of building a system like this, has somehow missed the fact that you should store passwords safely? Nah, I don't buy that.
I find this kind of error the most unsettling; it implies the people writing the authentication system don't trust the underlying ORM/database sanitisation layer (if there even is one!) enough, so to 'play it safe' they manually filter out 'suspicious characters'.
It makes you wonder that if there's a team that isn't as rigorous elsewhere (or a team on which pressure has been applied to accidentally leave in some such 'mistakes') what kind of SQL injection possibilities exist.
Grumbledour|7 years ago
[0] https://www.golem.de/news/datenleck-warum-knuddels-seine-pas... (in German)
crazygringo|7 years ago
contravariant|7 years ago
fredley|7 years ago
da_murvel|7 years ago
moviuro|7 years ago
(My password was reset by something/someone, as it contained a '*'; when trying to set it anew, 'star' was a forbidden character...)