Steemauto stores your passwords in raw format!

in #steemauto · 7 years ago (edited)

When you click "lost password" at Steemauto, it sends your current password straight to your email. That means the passwords are stored in recoverable form in their database.

[Screenshot: Screen Shot 2018-03-12 at 13.52.54.png]

This is one of the cardinal sins of web application development. If the system can send you back your password, the application is storing it as plain text (or, at best, reversibly encrypted with a key that sits right next to the data, which is no better once the server is compromised).

That's extremely dangerous. If a thief or attacker gets hold of the database somehow, through a SQL injection, a stolen backup or a leaked dump, they have every user's credentials as well, with no cracking required.

Best practice


  • Salt and hash each password with a random, per-user salt
  • Use a hashing function designed for passwords, such as bcrypt (or scrypt/Argon2), instead of md5 or sha1, which are fast and therefore cheap to brute-force
  • Store SALT + HASH in the database instead of the raw password (bcrypt embeds the salt in its own output, so one column is enough)

That way you can't send the password back to users, but you don't need to: for recovery you create a unique, random, short-lived reset token, email that instead, and let the user set a new password when they redeem it. Handling recovery this way is the application developer's job; it never requires knowing the old password.
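The scheme described in the list above, as an added example that is not Steemauto's code or part of the original post. It uses `hashlib.scrypt` from the Python standard library as a stand-in for bcrypt (same idea: salted, deliberately slow), an in-memory dictionary as a stand-in for the users table, and a hypothetical reset flow in which only the SHA-256 of the emailed token is stored, so a database leak yields neither passwords nor usable reset links. Parameter choices and names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional, Tuple

# Stand-ins for database tables (assumed, not Steemauto's schema):
# USERS: username -> {"salt": bytes, "hash": bytes}
# RESET_TOKENS: sha256(token) -> (username, expires_at)
USERS = {}
RESET_TOKENS = {}

SALT_BYTES = 16
# scrypt cost: 128 * n * r * p bytes of memory (16 MiB here); tune per server.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)
RESET_TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def register(username: str, password: str) -> None:
    """Store only salt + hash; the plaintext is never written anywhere."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest}


def verify_password(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        # Burn the same CPU time so response timing does not reveal
        # whether the username exists.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    _, digest = hash_password(password, rec["salt"])
    # Constant-time comparison of the two hashes.
    return hmac.compare_digest(digest, rec["hash"])


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Create a single-use reset token. The caller emails the returned token;
    only its hash is kept, so a dump of RESET_TOKENS cannot be redeemed."""
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    expires_at = (now if now is not None else time.time()) + RESET_TOKEN_TTL
    RESET_TOKENS[_token_key(token)] = (username, expires_at)
    return token


def redeem_reset_token(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Consume the token (valid or not) and, if it was valid and unexpired,
    replace the user's salt + hash with ones for the new password."""
    entry = RESET_TOKENS.pop(_token_key(token), None)  # single use
    if entry is None:
        return False
    username, expires_at = entry
    if (now if now is not None else time.time()) > expires_at:
        return False
    register(username, new_password)
    return True


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", verify_password("alice", "correct horse battery staple"))
    print("stored row:", USERS["alice"]["salt"].hex(), USERS["alice"]["hash"].hex())
    tok = issue_reset_token("alice")
    print("reset ok:", redeem_reset_token(tok, "new passphrase"))
    print("old password still works:", verify_password("alice", "correct horse battery staple"))
```

Note what the stored row looks like: two opaque byte strings. Nothing in `USERS` or `RESET_TOKENS` can be mailed back to a user or replayed by whoever steals the table, which is exactly the property a "lost password" email proves Steemauto did not have.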

What to do as a user?


Use a throw-away password at Steemauto, one that is unique to that site.

That's the general rule, but I am pretty sure 90% of users are reusing a password from their daily life. If the Steemauto database leaks to some bad-minded parties, every account sharing that password will be in great danger.

Edit: @mahdiyari addressed the issue


He removed the username-password authentication and started using SteemConnect for it. Thanks for the fast response!


yes,
that is right.
that was because I will remove this login system and all saved passwords.
I will use steemconnect as login system.

Thank you @mahdiyari for the clarification. Looking forward to seeing the upcoming developments on Steemauto. 👍

Login method changed. I hope to see a new post or an edited post here :)
I'm going to remove all information (passwords and emails).


You got a 10.20% upvote from @postpromoter courtesy of @emrebeyler!

Want to promote your posts too? Check out the Steem Bot Tracker website for more info. If you would like to support the development of @postpromoter and the bot tracker please vote for @yabapmatt for witness!

Passwords and authentication are often not programmed well, good public service announcement.

Well done, brother, hopefully you will earn even more.

Other than selecting "Lost Password?" there doesn't appear to be any way to manage passwords. :-(

Yeah, seems like you cannot change it.

this is very important information, thank you

Thanks for highlighting this @emrebeyler. The SteemAuto team really needs to implement a safer system.

Thank you for sharing this valuable information - I will steer clear of them until I hear of a change. One piece of advice that I have is to make sure each password is unique to each site. I use LastPass to help manage this, which removes most of the difficulty with remembering and entering strong passwords.


Tellin' it like it is. Good man.

This would be a good time to change Steemauto passwords as well as other accounts.

Take precaution.

Wow, that's some ridiculous stuff imo. I thought literally no one stores passwords that way these days.
