

Dot.TK stores passwords in plain text [png] - lucb1e
http://lucb1e.com/rp/randomupload/dottk-paintext-pwd.png

======
dutchbrit
Well, this isn't exactly proof, and I'll tell you why.

In their signup process, they might grab the pwd you entered in the
registration form, generate the email with the password, and then send that
email directly without storing it, while at the same time inserting your
password, encrypted, into a database. Is it a good idea to send passwords by
email? Well, no, but that's a different story. I don't know the actual
implementation, so you might be correct. But this isn't proof. What kind of
email do you get if you need to reset your password, by the way?

~~~
bashzor
I get the password as well when resetting it:
<http://lucb1e.com/rp/randomupload/dottk-paintext-pwd2.png>

~~~
dutchbrit
Ding ding ding, now, that is proof :).

They might encrypt it with a passphrase, but that's almost equally bad. Good
job on noticing!

------
manuscreationis
Receiving a plaintext password via Email is not proof that the password is
stored in plaintext in the database.

It is proof that they are not using a non-reversible hash to store it in their
database.

They could be storing it using a reversible encryption algorithm, of which
there are many, and they are not considered "insecure".

Or, in the worst case, they could be storing it unsecured. It's definitely a
possibility.

It's poor practice, for sure, to email someone a plaintext password, as email
itself is prone to numerous attack vectors.

But given the overall lack of evidence and insight into their back end, you
don't have enough to draw either conclusion.

~~~
lucb1e
Technically correct, but since the password is readable in some way, it's in
many ways the same as storing it in plaintext. If the database got hacked,
odds are that the key is found too. Or if an admin is rogue, there is no
stopping him.
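The distinction manuscreationis draws (a verify-only hash versus reversible encryption) and lucb1e's point that the key usually leaks together with the database, as an added Python example that is not from this thread and has nothing to do with Dot.TK's actual implementation. The HMAC-in-counter-mode keystream is a constructed stand-in for whatever cipher a real site would use, the password "hunter2" and the in-memory "table" are made-up sample data, and the function names are my own.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Added example for this thread (not Dot.TK's code). Two ways a site can store a
# password, and what someone holding a copy of the table can read back.

PBKDF2_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Verify-only storage: salted, iterated hash. Nothing stored here yields the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"kind": "hash", "salt": salt, "digest": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, record["digest"])


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode as a stand-in stream cipher.
    Constructed for the demo only; a real deployment would use an AEAD from a vetted library."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_password(key: bytes, password: str) -> dict:
    """Reversible storage: the kind that lets a site e-mail your password back to you."""
    nonce = os.urandom(16)
    plaintext = password.encode("utf-8")
    keystream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return {"kind": "encrypted", "nonce": nonce, "ciphertext": ciphertext}


def decrypt_password(key: bytes, record: dict) -> str:
    """Anyone with the table and the key gets the original password back."""
    keystream = _keystream(key, record["nonce"], len(record["ciphertext"]))
    return bytes(c ^ k for c, k in zip(record["ciphertext"], keystream)).decode("utf-8")


def recover_from_dump(records: List[dict], key: Optional[bytes]) -> List[Optional[str]]:
    """What a copy of the table yields directly, with or without the site's key.
    Encrypted rows decrypt as soon as the key is present (lucb1e's point: it usually
    sits on the same server). Hashed rows give nothing back; they only support verification."""
    recovered: List[Optional[str]] = []
    for record in records:
        if record["kind"] == "encrypted" and key is not None:
            recovered.append(decrypt_password(key, record))
        else:
            recovered.append(None)
    return recovered


if __name__ == "__main__":
    site_key = os.urandom(32)  # the "passphrase" dutchbrit mentions, kept alongside the database
    table = [encrypt_password(site_key, "hunter2"), hash_password("hunter2")]  # constructed sample rows
    print(recover_from_dump(table, site_key))   # ['hunter2', None]
    print(verify_password(table[1], "hunter2"))  # True: login works without the site ever storing the password
```

The `recover_from_dump` result is the whole argument in one line: the encrypted row reads back as the user's password the moment the key is in hand, while the hashed row can still authenticate a login but cannot be turned back into the password. A site that hashes has to issue a reset token or a fresh one-time password on "forgot password", which is exactly why an e-mail containing the original password is a reliable sign that the stored form is reversible.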

