Tuts+ Premium Account Security Compromised - Lowgain
http://notes.envato.com/general/tuts-premium-security/

======
Dexec
http://net.tutsplus.com/tutorials/php/understanding-hash-functions-and-keeping-passwords-safe/

~~~
pwny
Oh the sweet, sweet irony.

------
pwny
Still storing clear text passwords in 2012, how the hell do these people have
businesses? I mean, I learned about this stuff at age 12 while learning PHP on
my own, how hard can it be?

Getting hacked happens, even to the best but come on, how many times will we
have to read blog posts like this one before people wake up? How hard can it
be to hash and salt your passwords?

Glad I wasn't one of their customers (and never will be) but it's frustrating
how we can't trust anyone with anything these days.

~~~
UnoriginalGuy
In principle I agree: it is bad practice.

But let's remember that either plain text or one-way hashed they will be
broken eventually. The only thing hashing passwords buys you is a little bit
of time before the "hacker" can use those passwords to access the compromised
system.

It doesn't, for example, protect you from password re-usage issues. You also
have to reset the passwords either way.

I think getting broken into is the biggest problem here; everyone has recently
spent far too much time talking about hashes instead of asking questions about
how the real break-in occurred at these businesses.

~~~
pwny
False. Getting broken through will happen because there are so many holes to
plug, while strong and slow hashing + salting (while being extremely easy to
set up) will make it so it's not even worth it for the attacker to crack
passwords when he/she inevitably gets in.

Of course we need to plug holes in security and prevent people from getting in
(SQL injection vulnerabilities are just as important an offence) but might as
well protect the user's information when a breach happens. Especially since
it's so much easier than the other way around.

~~~
UnoriginalGuy
What is "false?"

You deeply over-estimate how much effort it takes someone to break even
correctly protected hashes. Most passwords are extremely poor and can be
broken even without a rainbow table in less than a couple of hours.

Hell I can spin up an EC2 instance right now for free (AWS Free) running Linux
and then just leave it there for 12 months at zero cost; giving me a nice
formatted list of e-mail addresses and passwords to be used on third party
sites.

At the end of the day most of these break-ins are news because the "hacker"
got into a position to crack the user's passwords at all. What they do once
they're in is not nearly as interesting from a learning perspective as how
they got in originally.

Why, for example, are users' passwords on web-facing servers at all? Why not
use several commonly available login API infrastructures to off-load that task
to a firewall-ed box that can only be managed via VPN?

It isn't that crazy. It isn't that expensive either. A lot of software suites
at minimum support a Kerberos protocol.

~~~
pwny
While I completely agree with you that the attacker getting into the database
is an issue in the first place, "what is false" is that this is an excuse to
divert the problem from blatant lack of understanding of basic principles in
security.

My way of seeing this (and you might have a different opinion, which I respect
as well. I want it to be clear my comment wasn't a personal attack) is that I
use a strong password that would not be easily crackable by dumb bruteforce or
rainbow tables. Therefore even if an attacker breaks in to a service that I
use, steals database tables containing hashed and salted passwords and gets
cracking, the likelihood that he/she breaks MY password is relatively low. Now
the minimal effort from the company providing the service went to great length
to complement MY effort of choosing a strong password.

There are a lot of problems in security. Weak passwords and password reuse are
the burden of the user. Correct storing of passwords and preventing intrusions
are the burden of the developer. Neither of those are an excuse for skipping
hashing and salting because "it can be broken easily". You mention 12 months
yourself, I'm sure my bcrypt'd/salted 16 character non-dictionary word unique
password would discourage any cracker (and take more than 12 months to crack)
and all of that was a lot easier to set up than a dedicated password storage
solution.

Point is, do whatever you can to protect data. Better safe than sorry.
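
An added example (not code from the thread or from Envato) that puts numbers on the exchange above: a table of plaintext or fast unsalted hashes falls to one pass over a wordlist, while per-user salts plus a slow KDF make the attacker pay full price for every candidate against every user. bcrypt is the algorithm named above; since it is not in Python's standard library, PBKDF2-HMAC-SHA256 from hashlib stands in for it here. The sample users, the wordlist and the work factor are constructed for the demonstration.

```python
"""Added example (not from the original thread): what salted, slow hashing does
and does not buy you against a dictionary attack on a leaked password table.

PBKDF2-HMAC-SHA256 from hashlib stands in for the bcrypt named in the thread.
User records, wordlist and work factor are constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # assumed work factor; tune so one hash costs ~50-100 ms on your hardware


def hash_password(password, iterations=ITERATIONS):
    """Per-user random salt + slow KDF, stored as algo$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def crack_unsalted_fast(table, wordlist):
    """Attack a table of plain SHA-256 hashes: hash each candidate once, then
    look up every user against it. Returns (cracked_users, hash_operations)."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in table.items() if h in lookup}
    return cracked, len(wordlist)


def crack_salted_slow(table, wordlist):
    """Attack the salted table: the per-user salt forces every candidate to be
    rehashed for every user at the full iteration cost.
    Returns (cracked_users, hash_operations)."""
    cracked, ops = {}, 0
    for user, stored in table.items():
        for w in wordlist:
            ops += 1
            if verify_password(w, stored):
                cracked[user] = w
                break
    return cracked, ops


# Constructed sample data: one dictionary password, one strong 17-character one.
USERS = {"alice": "password", "bob": "Xq7#vL2m!pR9wK4zT"}
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "abc123", "monkey", "dragon", "iloveyou"]


def demo(iterations=ITERATIONS):
    """Build both table styles, run both attacks, and estimate the cost of the slow run."""
    unsalted = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in USERS.items()}
    salted = {u: hash_password(p, iterations) for u, p in USERS.items()}

    fast_found, fast_ops = crack_unsalted_fast(unsalted, WORDLIST)
    slow_found, slow_ops = crack_salted_slow(salted, WORDLIST)

    t0 = time.perf_counter()
    hash_password("timing probe", iterations)
    per_hash = time.perf_counter() - t0
    # Both attacks recover alice's dictionary password. The salted table cost
    # (users x candidates) full-price hashes instead of (candidates) cheap ones,
    # and bob's password is not in the wordlist at all.
    return {
        "fast": (fast_found, fast_ops),
        "slow": (slow_found, slow_ops),
        "seconds_per_slow_hash": per_hash,
        "seconds_for_slow_run": per_hash * slow_ops,
    }


if __name__ == "__main__":
    print(demo())
```

Both attacks still recover alice's dictionary password, which is UnoriginalGuy's point; what changes is the bill for the rest of the table, which is pwny's. Multiply `seconds_per_slow_hash` by the candidates an attacker would realistically try and by the number of leaked users to see why a wordlist of millions of entries against a large leak turns from a single lookup into a per-user investment.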

------
jgrahamc
We should start a new award for web sites with crap password security. Let's
name it after Robert Morris (Senior) who essentially invented password
hashing.

A Morris Award would be a bit like a Darwin Award for people who've failed to
learn anything about password security and in doing so have been exposed.

Recent Morris Award winners: LinkedIn, last.fm, eHarmony, Tuts+, ...

~~~
nulluk
I have talked about & mentioned something similar before but bundling the
whole thing into a browser extension.

Every site you hit gets checked against a local list that's periodically
updated. It throws up an information bar with bad security practices
associated with the site you are browsing, everything from mailing plaintext
passwords to the idiotic things like above.

If it becomes trusted enough it might move some developers/organisations to
actually take action, if not it will at least warn individuals of the obvious
problems before they signup and not afterwards like at the moment.

Edit: Last sentence didn't make sense.

~~~
yock
Another criterion, perhaps...

My wife loves to use Big Oven to find recipe ideas. I thought I'd also start
using it so we could share those ideas more easily. When they rejected my
password for having "invalid special characters" however...

------
matdes
I alerted them to the fact that their passwords were in plaintext a YEAR AGO.
I got a response email on June 29, 2011 saying:

"Thanks for reporting the issue of plain text passwords to us. It's how
passwords are handled with the membership software we use for Tuts+ Premium,
which isn't extremely well coded and something we want to rebuild from
scratch. In the mean-time our dev team will be hacking the software to bring
password security up to the best practices we advocate on our Tuts+ sites,
like Nettuts+."

Not only was this issue brought up to them, they stated very clearly that they
were working to bring their password security up to best practices. In a YEAR,
they couldn't hack on a password hash or rebuild their plugin from scratch?

If anyone knows if there is a lawsuit pending that could use my email as
evidence, please let me know.

------
vitomd
"Our current Tuts+ Premium app makes use of a third party plugin that
unfortunately stores passwords in cleartext (i.e. unencrypted)"

That makes me sad. If you use a plugin, you use it because it's a better and a
proven solution, not because you are lazy. Sad day..

------
bluetidepro
This is ridiculous. In the email I received from Envato it says the following:

"-- What To Do

(1) Update passwords on ANY service you use that uses the same password as you
had on Tuts+ Premium.

(2) In particular you should consider your own email account, PayPal,
Moneybookers, and other payment services. These are the most sensitive
targets, and if you had the same password, you should consider this an urgent
priority. If you can’t remember what your Tuts+ Premium password was, we
encourage you to change passwords on all services you use.

(3) If you use the same password on any other Envato service such as the
Envato Marketplaces, you should change your password there too."

You have to be kidding me? Do I really need to start using unique passwords on
every site that I use? This just blows me away that one site messes up and
then I have to spend hours of my time figuring out which passwords to change,
update, etc. This just frustrates me so much. I'm also very surprised they put
this in the blog post:

"As a company that teaches and preaches best practices, it’s deeply
disappointing to me to not only have been the victim of a security attack, but
to be running software that doesn’t follow those same best practices. This is
a situation we will be working to address."

...Based on what has happened to LinkedIn and others, aren't they easily
setting themselves up for a lawsuit by blatantly saying they did not follow
best practices?

Ugh. I'm just very sick of this crap happening. /rant

~~~
anons2011
>You have to be kidding me? Do I really need to start using unique passwords
on every site that I use?

Errr, ...yes!

~~~
bluetidepro
I already do to an extent but come on, you can't tell me you use a completely
unique password for EACH of the HUNDREDS of sites that use passwords? That
just seems ridiculous, or maybe it's just me...

~~~
kristofferR
Get LastPass (it's free and totally safe since it's client-side encrypted),
but if you don't want that you can just use SuperGenPass.

<http://lastpass.com/> <http://supergenpass.com/>
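
An added example of the idea behind generator-style tools like SuperGenPass: one master secret, a different password for each site, nothing stored anywhere. This is an HMAC-SHA256 construction written for illustration, not SuperGenPass's own algorithm and not code from the thread; the master secret and site names are constructed for the demo.

```python
"""Added example (not from the thread, and not SuperGenPass's algorithm): one
master secret, one derived password per site, nothing stored anywhere.
Master secret and site names below are constructed for the demo.
"""
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@"
_CUTOFF = 256 - (256 % len(ALPHABET))  # reject bytes above this so each char is uniform


def master_key(master_secret, rounds=50_000):
    """Stretch the human-chosen master secret once; the result keys every derivation."""
    # Fixed, public salt: there is no per-user storage in this scheme to keep one in,
    # so the stretching only slows guessing of the master, it does not hide it.
    return hashlib.pbkdf2_hmac("sha256", master_secret.encode(), b"site-password-v1", rounds)


def site_password(key, site, counter=1, length=16):
    """Deterministic password for `site`. Bump `counter` to rotate that one site's
    password after a breach without touching the master or any other site."""
    site = site.strip().lower()  # so "TutsPlus.com" and "tutsplus.com" agree
    chars, block = [], 0
    while len(chars) < length:
        digest = hmac.new(key, f"{site}|{counter}|{block}".encode(), "sha256").digest()
        for b in digest:
            if b < _CUTOFF:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
        block += 1
    return "".join(chars)


if __name__ == "__main__":
    key = master_key("constructed master secret, not a real one")
    for site in ["tutsplus.com", "linkedin.com", "themeforest.net"]:
        print(site, site_password(key, site), site_password(key, site, counter=2))
```

The `counter` argument is what matters after a breach like this one: without it, rotating one site's password means changing the master secret and therefore every other site's password too. The trade-off is the same as with a vault: whoever learns the master secret gets every derived password, and the fixed salt means the only defence of the master is its own strength.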

------
beezee
What is really absurd is they've gone offline and given people no way to
confirm their password. Their suggestion:

"If you can’t remember what your Tuts+ Premium password was, we encourage you
to change passwords on all services you use"

All I need is to try a handful of "important" passwords, make sure that none
of them work for this compromised service, and I can go on with my day. But
they figure, hey, if you can't remember our password, go change them all, not
our problem.

Real brilliant way to handle it.

------
highpixels
As a regular author for Tuts+ I am absolutely FUMING with them.

------
blissofbeing
I'll never visit an envato site again, let alone pay for any of their
services. I can understand everyone gets hacked, but cleartext! wtf.

~~~
charliesome
From the article:

 _Tuts+ Premium is the only Envato service that operates with cleartext
passwords, and it was a known internal issue for us, with a plan currently in
progress to upgrade away from the current plugin._

~~~
whichdan
The sad thing is, it's completely trivial and non-disruptive to switch from
a cleartext database to a hashed+salted one.
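
As an added example (not Envato's or aMember's code), one way the switch described above can be done with no user-visible change: because the plaintext is already in the table, every row can be hashed in one pass, and the login path then handles any cleartext row the pass missed and re-hashes rows whose work factor has fallen behind. The in-memory table, the `pbkdf2_sha256$` prefix and the iteration counts are assumptions; PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt.

```python
"""Added example (not from the thread): migrating a cleartext password column
to salted hashes in place, without forcing a password reset.
Table layout, prefix and iteration counts are assumptions; PBKDF2-HMAC-SHA256
stands in for bcrypt.
"""
import hashlib
import hmac
import os

PREFIX = "pbkdf2_sha256$"
CURRENT_ITERATIONS = 100_000  # assumed policy; raise over time, login() re-hashes stragglers


def make_hash(password, iterations=CURRENT_ITERATIONS):
    """Fresh 16-byte salt + PBKDF2, stored as prefix + iterations$salt$digest."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "%s%d$%s$%s" % (PREFIX, iterations, salt.hex(), dk.hex())


def is_hashed(value):
    """Format sniffing on the stored value. Shortcut for the demo: a real schema
    should record the format in its own column, since a cleartext password could
    in principle start with the prefix."""
    return value.startswith(PREFIX)


def check_hash(password, stored):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def iterations_of(stored):
    return int(stored.split("$")[1])


# Hash checked for unknown users so a missing account costs the same time as a wrong password.
DUMMY_HASH = make_hash("dummy")


def migrate_table(table):
    """One-shot pass over a {user: stored_value} table: hash every cleartext row.
    Returns the number of rows converted."""
    converted = 0
    for user, value in table.items():
        if not is_hashed(value):
            table[user] = make_hash(value)
            converted += 1
    return converted


def login(table, user, password):
    """Verify a login against either format. On success, upgrade a leftover cleartext
    row (written by the old software after the migration pass) and re-hash any row
    whose iteration count is below the current policy."""
    stored = table.get(user)
    if stored is None:
        check_hash(password, DUMMY_HASH)
        return False
    if is_hashed(stored):
        ok = check_hash(password, stored)
        needs_rehash = ok and iterations_of(stored) < CURRENT_ITERATIONS
    else:
        ok = hmac.compare_digest(stored.encode(), password.encode())
        needs_rehash = ok
    if needs_rehash:
        table[user] = make_hash(password)
    return ok


if __name__ == "__main__":
    users = {"alice": "hunter2", "bob": "correct horse battery staple"}  # constructed rows
    print("converted:", migrate_table(users))
    print("alice ok:", login(users, "alice", "hunter2"), "alice wrong:", login(users, "alice", "x"))
```

Two things the code cannot do for you: once the column is hashed, the plaintext still lives in every backup, replica and log that captured it, and those copies are what a leak like this one exposes, so they need the same clean-up; and the choice of a per-row re-hash on login is what lets the work factor be raised later without another migration.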

~~~
Xylakant
Not if you depend on software that requires plaintext passwords (as they
obviously do). Whether it's a wise choice using such software is open to
discussion though.

~~~
16s
Sometimes business/marketing managers and IT security managers disagree. Looks
as though the business guys trumped the security guys on this one. That
happens a lot in the real world.

~~~
Xylakant
Since there's no such thing as absolute security, all security effort is a
balance between an assumed threat and the havoc it could create and costs. So
it's always business vs. security. I'm a bit on the fence here and I guess I'd
have taken another route but well, if the product was not viable without the
plugin... Who knows.

Given that: My remark was directed at the blank statement that it's always
easy to switch. It obviously is not in that case, the change was on the agenda
[1], so it's a bit tough that this happened in the meantime.

[1] At least according to the official statement. I don't have any reason to
believe otherwise.

------
dutchbrit
Cleartext? Are you kidding me? I actually have an account there, sorry Envato
but you just lost a customer.

------
stef25
According to some comments the plugin in question is "amember" but there are
several (old) posts on their forums saying they don't use plaintext. I'd be
surprised if it was, but then again ...

http://www.amember.com/forum/threads/db-password-encryption-w-vbulletin.14466/
http://www.amember.com/forum/threads/password-on-resend-sign-up-info-is-encrypted.14218/

~~~
Xylakant
Posts are from spring this year, so it's not "old". The first post also
references an upgrade from version 3 to version 4, so I guess they still use
version 3 and didn't get around to updating to v4 yet, and now they pay the
price.

------
727374
What really irks me are the weak excuses in that blog entry. I don't care that
it was a 3rd party plugin or that you wanted to encrypt the passwords. You
screwed up and endangered your users.

------
statictype
I like how they blamed it on a "3rd party plugin".

------
mschalle
Plain text? Are you KIDDING me?!

------
krambs
Cleartext!

~~~
veeti
A good indication that you probably shouldn't be using their tutorials.

~~~
ojr
their tutorials are good

~~~
teresko
actually they are filled with bad practices and mistakes

------
polysaturate
If you're going to store passwords in clear text...

You're gonna have a bad time.

------
yashchandra
It is high time a site's registration form/process has a confirmation box
confirming that they do not store passwords unencrypted _before_ the user
clicks "sign me up". This is getting ridiculous. I unfortunately used another
site recently that sent me my password back in clear text over email.

------
dutchbrit
My email to Envato:

I seriously can't understand how Envato found it responsible to even implement
something that saves plaintext passwords. You must have known when implementing
it. If this "3rd party" plugin was so important, then implement the plugin
later on when it is secure - you don't fuck around with private details. If it
was important for the initial release, you shouldn't have launched until this
was sorted.

You have hereby lost a customer. I now have to reset my password on a ton of
forums and probably also themeforest. I will give you some other feedback.
Maybe I'm blind but to login on Nettuts, don't make users have to scroll and
look for a dinky login text.

On ThemeForest, seriously remove the fucking Captcha from the login form.
Sorry for my French but seriously, on a contact or registration form, I could
understand why. If you are afraid of brute force, there are other great ways
to do so.

Fail, Sam Granger

Ps. You should read your own tutorials on security, they aren't too bad.

~~~
tedivm
Why would you have to change your password on "a ton of forums" if you
yourself have been using password best practices? Envato was responsible in
their disclosure- you think those "tons" of forums are all going to do the
same? For all you know your password has been in the wild for years.

You should use this as an opportunity to get a password manager (Lastpass, for
instance) and use _unique_ passwords for each site.

~~~
dutchbrit
I agree that it's my fault not having a unique password for Envato, I do have
unique passwords for most important things, but to have unique weird passwords
for everything is too much for me, especially since I'm switching computers
all the time, it'd be quite a hassle each time. Especially since I log into a
lot of less important sites with this password. If it was salted and
encrypted, I wouldn't bother changing them. But seriously, plaintext. It's the
biggest cockup I can imagine. Some may argue, but you can also keep passwords
on your phone or online, you're correct, but what if my pass phrase gets
hacked to all my unique passwords? How do I know that these services are
waterproof? It's not the most secure way of storing passwords either to be
honest, but they don't have any other way. It has to be decryptable. In the
end, nothing is waterproof.

~~~
tedivm
Sure, nothing is waterproof. However, some solutions are better than others-
and as a lastpass user I know I don't have to change my password on "a ton of
forums".

