Steemauto stores your passwords in raw format!

in steemauto •  6 months ago

When you click "lost password" at Steemauto, It will send your password directly to your email. That means, passwords are stored raw in their database.

Screen Shot 2018-03-12 at 13.52.54.png

This is one of the sins of web application development practices. If the system can send you back your password, that means the application stores your pasword as plain text..

That's extremely dangerous. If a thief or attacker get the database somehow, they would have every users credentials as well.

Best practice


  • Salt and hash each password
  • Use good hashing functions like Bcrypt instead of md5 or sha1
  • Store SALT + HASH in the database instead of raw password

That way you can't send the password back to users but you may create unique tokens for password regeneration and deal with the recovery as an application developer.

What to do as a user?


Use a throw-away and unique password at Steemauto.

That's the general rule but I am pretty sure %90 of the users, using a generic password that they use on their daily life. If Steemauto database leaks to some bad-minded parties, your accounts will be in great danger.

Edit: @mahdiyari addressed the issue


He removed the username-password authentication and started using SteemConnect for it. Thanks for the fast response!

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

yes,
that is right.
that was because I will remove this login system and all saved passwords.
I will use steemconnect as login system.

·

Thank you @mahdiyari for the clarification. Looking forward to see the upcoming developments on Steemauto. 👍

·
·

Login method changed. I hope to see a new post or edited post here:)
I'm going to remove all information(passwords and emails).

Loading...

I talked to him about a week ago why an email and password is needed. SteemConnect w/ posting authority would be so much more secure and painless.

·

Too bad SC demands the active key.

·
·

Yes, but it is fairly trusted and it is only used locally and not saved.

·
·
·

So much like Bittrex or MtGox not so long ago.

You got a 10.20% upvote from @postpromoter courtesy of @emrebeyler!

Want to promote your posts too? Check out the Steem Bot Tracker website for more info. If you would like to support the development of @postpromoter and the bot tracker please vote for @yabapmatt for witness!

Passwords and authentication are often not programmed well, good public service announcement.

Other than selecting "Lost Password?" there doesn't appear to be any way to manage passwords. :-(

·

Yeah, seens like you cannot change it.

·
·

this is very important information, thank you

Eline yüreğine sağlık kardeşim işllah daha çok kazanırsın.

Thanks for highlighting this @emrebeyler. The SteemAuto team really needs to implement a safer system.

Thank you for sharing this valuable information - I will steer clear of them until I hear of a change. On piece of advice that I have is to make sure each password is unique to each site. I use LastPass for to help manage this which removes most of the difficulty with remembering and entering strong passwords.

Good to know that, may be a 2FA implementation could solve that. But they should not store sensitive information in plain text in the first place.

Bilgi için çok teşekkürler üstad.

To listen to the audio version of this article click on the play image.

Brought to you by @tts. If you find it useful please consider upvote this reply.

Wow, that's some ridiculous stuff imo. I thought literally no one stores passwords that way these days.

Great article. Good job man. This is really helpful. Resteeming it

Tellin' it like it is. Good man.

This would be a good time to change Steemauto passwords as well as other accounts.

Take precaution.

Nice blog @emrebeyler
Very big help to us

thank you my friend for clarifying this a bit, really, I needed a great article, my vote for you,

Thank you for sharing this important information @emrebeyler.
Thumbs up!!!!

Does this mean we have to keep logging in with our active key every few hours? Because I'm not doing that.

I would also add that you need a way to properly score the passwords . I usually recommend https://github.com/dropbox/zxcvbn/tree/master

Thanks for the warning! This is definitely worrying, but luckily I used a throwaway password there.

·

This has been handled by the owner after this post. He also stated that he removed the old database and switched to SteemConnect for the authentication.

·
·

Oh, that's great! I realized it that the post was a little bit old, but I didn't expect it to have been fixed yet. Thanks for the update :)

·
·
·

yeah, @mahdiyari responded fast. I appreciate him for that. :)