
Stupid security things - troyhunt
https://www.troyhunt.com/reckon-youve-seen-some-stupid-security-things-here-hold-my-beer/
======
gumby
> and I know for a fact 90% of the sites I personally sign up to online also
> follow that same process.

This is a totally legit response. After all if something goes wrong they must
have followed "best practices". No reasonable person would expect them to do
more.

And it's true (if you only consider the needs of the business). This is a
solid strategy for getting lawsuits dismissed. I've seen it in physical
security too [+]. It only took one investment bank to put badge-checking
turnstiles in place and then they all had to do it. That stuck with banks only
for a while until one more conventional business did it...and now I was at
Twitch the other day and _they_ have it.

Of course who's missing here is the customer. But the customer's needs aren't
paramount: the business's are -- and more specifically the manager who has to
spend the money on security. If they have put in _just_ enough that they won't
get fired when it fucks up, and if they saved money and effort in the process:
WIN!

[+] my favorite physical security story is old, so at the end: when leaving
Intel's Santa Clara fab in the 1990s you would have to hand over your
briefcase for inspection to make sure you weren't leaving with any Intel
documents. They didn't care if you had floppy disks. Why? Because this was a
defense against shareholder lawsuits and "what else could the guards do?" This
is where I learned the explanation above: once anyone in the industry
increased plant security they all would have to, which nobody wanted. So LCD
was the name of the game.

~~~
IshKebab
> This is a totally legit response.

Apart from the fact that it is totally untrue?

~~~
gumby
Who knows if it's untrue? Although it almost certainly is. What's "legit" is
the point "lots of other people do it so why should I go to any greater
effort? And anyway I don't actually give a shit about my employer's
customers."

(I was being sarcastic about "legit" -- it's only legit from the selfish POV
of the web admin)

~~~
jonahx
Your point is a good one. I think "unfortunate but game-theoretically
predictable" would have conveyed it with less confusion.

~~~
gumby
Sorry, I grew up in a culture in which being so explicit was rude, while being
barely-elliptically witty is the normal mode of discourse. I sometimes forget.

------
throwaway6845
This is pretty horrifying.

But almost as bad: websites that insist on over-elaborate security measures
for trivial stuff. Take a bow, HM Revenue & Customs:

> You’ve got a new message from HMRC

> Dear Fred

> You have a new message from HMRC about Self Assessment.

> To view it, sign in to your HMRC online account. For security reasons, we
> have not included a link with this email.

> Why you got this email

> You chose to get paperless notifications instead of letters by post. This
> means we send you an email to let you know you have a new message in your
> account.

> From HMRC Self Assessment

And HMRC have mandatory 2FA. So to read the spam they've sent me - and it is
pretty much spam, it says "you need to do your self-assessment before next
January", I know that already - I need to go through the rigmarole of entering
my Government Gateway number, which I don't remember but starts with a 4 or
something and hopefully that will be enough for Chrome to autofill it, then
authing with my mobile phone. Which I think I left upstairs or something. Wait
while I ring it with the landline to find where it is.

Seriously, I might just go back to getting letters by post.

Edit: No. My Government Gateway number which starts with a 4 is my company
one. My Self-Assessment login appears to be a different number.

People elsewhere in the world, whenever anyone tells you that the UK
Government Digital Service is a beacon of usability and good practice, please
don't believe them.

~~~
handelaar
People elsewhere in the world: whatever anybody tells you when they're
crapping on the UK Government Digital Service, make sure they're not using
HMRC as an example.

Famously HMRC resists everything GDS has ever tried to do, and after GDS built
an entire system for secure gov ID login which is deliberately _not_ tied to a
single vendor, HMRC refused to use it and instead is building another one,
which is locked to a single vendor in perpetuity.

Search "UK GDS HMRC" for a sample of just the most recent bit of tiresome
Whitehall infighting.

[Edit: Oh, and -- the identity system that HMRC wants is a replacement for its
nearly-20-year-old pre-existing one. This may or may not have anything to do
with the fact that it's insecure in a _massively corrupt_ way.
[http://www.bbc.com/news/technology-38979144](http://www.bbc.com/news/technology-38979144)
]

~~~
dasil003
That's so frustrating. The GDS is one of the shining beacons of government
tech done right, I was very impressed with their work and team when I lived in
London from 2011-2014.

I guess HMRC took one look and said "this is not sufficiently bureaucratic for
our needs". In general I liked the HMRC much better than the IRS, but I was
sort of shocked to receive a paper cheque for my refund as it was the only
time I ever saw a check in the UK. They have their ways I guess.

~~~
GordonS
GDS has a great blog[1] which I recommend, and has published a lot of stuff
to GitHub too[2]. I never imagined the words 'government' and 'IT' could be
used in the same sentence without laughing before learning about this group.

Whenever I read of yet another multi-billion pound failed IT project by SAIC
or the like, I always wonder why on earth they didn't just let GDS at it.

[1][https://gdstechnology.blog.gov.uk](https://gdstechnology.blog.gov.uk)
[2][https://github.com/alphagov](https://github.com/alphagov)

------
bungie4
Programmer (not me!) manually iterates over user file (passwords plain text
natch). If he finds a matching username (format is enforced so dead easy to
guess). He sets the auth cookie. THEN he goes looking for the password. You
don't have to enter any password. At that point, just hit the back button a
couple of times and refresh and BING! You can impersonate anybody on the
system. Including the admin because guess what the admin's username is.

This guy is notorious for writing crap like this. But according to the powers
that be, he's a 'god'.

The funnier bit? This site is RSA protected.

~~~
BinaryIdiot
I used to work at a life insurance company that had a sessions page for the
developers that wasn't locked down at all. If you could get someone's id you
could go directly to this page and set your user id to that. Done.

They also had a contest for their agents and the database they used to store
all of the entries and information was an access database that happened to be
sitting in the public directory for the website to simply serve to anyone who
knew to request the database.

Seeing so much "security" makes me realize that a large majority of sites out
there are a complete shit show, especially if the companies I worked for /
with couldn't get it right and they actually had some money to their name.

~~~
cookiecaper
Yes, most medium-or-smaller sized companies, including ones in fields that
should take security seriously like insurance and lending, will have tons of
stuff like this. It shouldn't surprise anyone at this point.

~~~
BinaryIdiot
Even large companies depending on how you want to classify one as "large".
Back when Palm announced their new phone, the Palm Pre, I was given early
developer access on their developer portal. I reported to them _multiple_
security vulnerabilities including one that allowed anyone to change a simple
integer in the URL and instantly see everyone's SSN / TIN, payment
information, etc. It took them 3 months to fully resolve, too (their first fix
was simply changing a GET call to a POST, sigh). They never even disclosed it
to anyone despite my pleas (I should have but was still sorta green back then
and didn't think it through).

------
gambiting
Huh, couple years ago Santander in the UK changed their web layout. No big
deal, except that my password wouldn't work anymore - I rang them up, and they
said "did you have any special characters in your password? If yes, then they
have been removed because the new system does not support special characters.
Please use the same password as before, but without special characters".

1) This is one of the largest banks in the UK and they don't accept special
characters?

2) If you store my password encrypted (as you should be!), how could you remove
any characters from it?

I sent them an official complaint, they replied saying their security is
fantastic and there is nothing to worry about, I closed my account a week
later.

~~~
OJFord
They (as seems to be standard) ask you to enter 3 characters in positions of
their choosing, so they need plaintext to be able to do that.

It's clearly not as secure as it could be, and it's annoying to work out too -
I wish they'd just do normal 2FA. Those plastic keyfobs HSBC use are even
worse.

~~~
IshKebab
I like the plastic keyfobs. They're much more secure than using your phone as
2FA. Basically the only thing keeping HSBC/1st direct secure.

~~~
city41
How are they more secure than your phone? If by phone you mean SMS, then I
agree. But as far as I understand, TOTP (i.e. Google Authenticator) is pretty
secure. But I'm not a security expert.

~~~
ekimekim
This is getting into very marginal territory, but attack surface. Your phone
is an entire network-capable OS with god-knows what security vulns or
backdoors. Those dongles are an air-gapped, often tamper-resistant chip.

For the record, I think services should ideally offer all three options (SMS,
TOTP and physical device), since the biggest problem in security is actually
getting users to use ANYTHING at all, and something like SMS that offers 99%
of the protection in return for easier setup/ease of use is well worth it.

------
djtriptych
That "What is the name of your grandmother's dog?" security question made me
lol @ work.

This really makes me want to write a "Stupid security questions generator"
website.

~~~
OJFord
Why is that funny or bad?

If your grandmother is living and has a single dog, as 'security questions' go
that would strike me as being pretty good.

~~~
tudorconstantin
When you want to retrieve the password for an account you created 5 years ago,
but you only remember creating it between 5 and 15 years ago and you have 2
dog-loving grandmas each of whom have 2-3 old doggos all the time....well,
good luck in remembering and identifying the correct name of the possible
10-15 dogs

~~~
gknoy
This is a case where you think of an _idealized_ grandma, and her perfectly
preserved dog, `Mr. Mycroft Applebottom III`, who has been sitting on her
mantlepiece since you were in grade school. [0]

The site doesn't have to know you're making it up.

0: Obviously, it'd be better if your idealized grandma spoke with your
password generator beforehand, and therefore named her dog something less
guessable, like `ff627f056c51b694e2e5d0bdc168c647`.

~~~
OJFord
That's a good suggestion actually: just remember that you always ignore the
question, and you've saved the actual securely generated answer as 'sitename-
sec-question' or whatever.

------
yeukhon
I feel like we need laws in place on software and hardware security. Laws to
punish crimes are good, but we also need some regulation, simple ones, to
govern how companies have the obligation to manage software and hardware
security.

I think:

* companies running a website and collecting customer data must have an incident response plan laid out.

If we punish bad service providers reported by consumers, why can't we do the
same? We are talking about companies ignoring and downplaying even the most
low-hanging fruit vulnerability, and companies that don't understand web
security because the workers there have no clue what they are dealing with. If we
can't raise our cyber security awareness and education domestically, then we
fail at being a top technology leader in this world. I don't expect every
company to hire a security engineer; perhaps under some managed services.

~~~
cookiecaper
This is a very dicey subject. I think it's best to keep it loose as long as
possible. Introducing a regulatory body into any field is perilous, but
something as fast moving as software and security would be frightening. What
happens when the regulation is that you have to use the algorithm that was
cracked last month? Eek.

Voluntary, socially-enforced customs are better. Things like the MPAA rating
system have successfully staved off government intervention. Such standards
are much more flexible.

We already have this de-facto via TLS and the browser's angry messages if you
don't comply with their expectations, but it'd be interesting if browsers
started running a more thorough security verification program and giving
preferential treatment to sites that implemented it.

That is also scary because it centralizes more control in browser
manufacturers (which, today, means Google almost as much as it meant Microsoft
in the oughts). But still better than the government I guess, and blocking a
site in software is much more motivating than the risk of a fine for non-
compliance.

------
peterwwillis
I remember when cookies were where every site kept their cached credentials in
plaintext. It was so popular you didn't need a password manager, just a cookie
and form manager.

In case most of you didn't know/forgot: a large amount of the modern security
practices on the web are due to browsers making it easy for sites to attack
users, and making MITM trivial. The most common attack vector is literally the
browser and protocol design, not a bug in the browser.

Also, to replace passwords, all you need is TOTP. You can combine TOTP with a
2nd factor for a little boost, but TOTP is much better than passwords, and
more convenient when automated. Combine this with password reset and one-time
use codes and the majority of users would not need to remember more than one
or two passwords (the password for their e-mail or OAuth provider). You can
also password-protect the shared secret to protect data at rest (some VPNs do
this as an alternative to physical tokens).

A protocol extension could define a handshake to negotiate TOTP tokens. The
browser would generate a token with a plugin and send it securely after
prompting the user to authorize it, and optionally try to verify the identity
of the site. It could be extended to rotate the shared secret after an
expiration period.

Also, it's about time we defined a better secure mail standard so we can rely
on password resets to be valid and eliminate phishing.

~~~
ihattendorf
[https://www.w3.org/TR/webauthn/](https://www.w3.org/TR/webauthn/)

~~~
peterwwillis
It's a nice idea, but their implementation proposal is lame. They keep
depending on a phone like a phone is secure or ubiquitous (of which it is
neither) or on keyfobs or "gestures" (of which the former nobody will use, and
the latter is just a less secure password).

They rely on public key auth, which is more complicated and less reliable than
a simple TOTP token. Considering that web browsers already support public key
authentication but nobody uses it because their design is a UX garbage fire, I
don't think that scheme will work well.

Other things are problematic too, like scripts (rather than the web server)
having control of the process; this is an unnecessary attack vector. They also
depend on browser-specific technology which limits how this system can be
extended to other clients. This spec was clearly written by a JS developer,
for JS developers.

This should not be a "web standard". Service providers that need strong
authentication for HTTP don't only use web browsers. It will be more useful to
be able to support existing applications through the use of an HTTP extension,
rather than updating every single web app in the world to support this scheme.

In fact, now that I think of it, you could tack TOTP onto existing HTTP
authentication right now! Just allow "TOTP:<token>" as a password entry. I
don't know why I didn't think of that before.
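As an added example (not the commenter's code or any project's), here is what that "TOTP:&lt;token&gt;" idea looks like server-side in Python: RFC 6238 code generation, a verifier with a one-step skew window and replay refusal, and extraction of the token from the HTTP Basic password field. The key is the RFC 6238 reference secret and the header value is a constructed sample.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Set

STEP = 30     # seconds per time step (RFC 6238 default)
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(at) // step, digits)


class TotpVerifier:
    """Server side of the 'TOTP:<token>' idea. Tolerates skew_steps of clock
    drift either way and refuses a counter it has already accepted, so a
    captured token cannot be replayed inside its validity window."""

    def __init__(self, key: bytes, skew_steps: int = 1):
        self.key = key
        self.skew = skew_steps
        self.used: Set[int] = set()

    def verify(self, token: str, at: float) -> bool:
        if len(token) != DIGITS or not token.isdigit():
            return False
        counter = int(at) // STEP
        # Forget counters that have fallen out of the acceptance window.
        self.used = {c for c in self.used if c >= counter - self.skew}
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c in self.used:
                continue
            if hmac.compare_digest(hotp(self.key, c), token):
                self.used.add(c)
                return True
        return False


def password_from_basic_auth(header: str) -> Optional[str]:
    """Password field of an 'Authorization: Basic <base64(user:pass)>' value."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        userpass = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    _, sep, password = userpass.partition(":")
    return password if sep else None


def token_from_password(password: str) -> Optional[str]:
    """The commenter's convention: the password slot carries 'TOTP:<token>'."""
    prefix, sep, token = password.partition(":")
    return token if sep and prefix == "TOTP" else None


def authenticate(header: str, verifier: TotpVerifier, at: float) -> bool:
    """Full path: header -> password -> token -> time-window check."""
    password = password_from_basic_auth(header)
    token = token_from_password(password) if password else None
    return token is not None and verifier.verify(token, at)
```

The constructed header below encodes "alice:TOTP:287082"; 287082 is the RFC 6238 value for that key at Unix time 59.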

------
deathanatos
If you contacted Rackspace's chat support while logged in, the representative
_sometimes_ asked the security question. To which (remember, you're logged in)
you could click "Account Settings", "Security Question" _copy_ _paste_.

A former employer of mine had internal security questions. _Five_ of them.
They were all inane questions, the "favorite movie?" type, so I came up with a
somewhat random answer and used the same answer to all of them. The one time I
had to use it, the representative asked all five questions, and I gave him the
same ridiculous answer each time. He did it all with a straight face somehow,
and looking back, I don't know why I didn't stop him at the fourth question to
ask "if I knew the first three, you really think I don't know the last two?"

------
_jal
Thank dog someone is making a cable that reduces virus noises. I just don't
know what I've done all this time without one.

~~~
jwilk
Do you mean your grandmother's dog?

~~~
_jal
Precisely.

That actually was a typo. Amazingly, a typo that has earned me a -3 downvote
so far...

People seem really freakishly touchy about word choice around here lately.
Honestly, that's likely to make me care less about their delicate
sensibilities.

~~~
OJFord
I think it's unlikely you're being downvoted for the typo - far more likely
for the jokey comment which doesn't really add value to the thread.

~~~
_jal
Fair enough. It just seemed of a piece with some other recent interactions
I've had here.

------
Neliquat
The number of webmasters who wanted me to set up ssl to 'secure' their site,
while the backend emailed cc info in the clear to the orders dept is larger
than I have digits, even the extra adolescent joke ones.

~~~
nojvek
To be honest credit cards are a terrible system in terms of security.
Everything to make a charge is on the card and people freely give it out to
different websites.

~~~
Tistron
Is this not changing though? I can't remember the last time I bought something
online without having to either use password or 2factor auth, and there are no
places here that do not require a pin code when using a cc in a store. I'm in
Sweden though (but using mastercard).

~~~
the_af
Hmmm, that's interesting. I've never been to Sweden, but pretty much no shops
in any country I've ever visited required a pin code for Visa or Amex credit
cards. Is this really changing?

~~~
gambiting
What do they require then? I've never in my entire life used my credit/debit
card without typing in the PIN number (except for contactless payments, of
course). I'm in the UK.

I think they can be used with a signature too? Maybe? I've never heard of
anyone actually signing a bill instead of using the pin, and besides, I don't
even sign my cards.

~~~
the_af
Yes, they require a signature. I'm not saying this is a safe practice, just
that I've never seen a store where they asked me for a pin code for major
credit cards such as Visa, Amex and (I'm pretty sure, but I don't have one)
MasterCard. And I'm talking not only my own country, but also the US and
several countries in Europe. When I was in the UK some years ago, they didn't
ask me for my pin code when I used my Visa credit card, either. Maybe it's the
type of card?

I'm talking about credit cards, mind you. Debit cards are different, and while
in my country Visa Electron doesn't require anything but a signature, it's
entirely possible if I tried to use it abroad they'd ask for a pin code. Not
sure.

~~~
gambiting
I have both British and Polish debit and credit cards, Visa and
Mastercard (Visa Classic credit cards), I've used them in Spain, Germany,
Netherlands, France, Spain and Portugal, and literally never had to sign for
them, be it in shops or restaurants.

I'm not saying there aren't cards that need signing, but I've literally never
seen any.

~~~
the_af
My experience is the opposite: I've never used a PIN.

I've done some reading and now I believe it depends on the country which
issued the card (as opposed to the country where you're using the card). So if
you have a card issued in the US and Latin America, you probably won't be asked
for a PIN -- because you don't have one -- and instead you'll be asked for id
and your signature. If you have a card issued in Europe, you'll be asked for a
PIN.

Interesting. A PIN seems safer than a signature to me, or possibly the
combination of chip + PIN, but it simply doesn't get used where I live.

------
krupan
Why do we still use passwords? When I connect to Amazon.com I don't ask them
for a username and password to verify they really are Amazon. I verify their
certificate. Why can't I authenticate with a certificate too?

~~~
tomjen3
You can. Client side SSL is a thing, and it totally prevents phishing - pretty
much any browser has supported it for ten years.

It is also a UX nightmare. The browser you are reading this with almost
certainly supports it, but try to see if you can find the menu option to
install one.

~~~
spc476
I've actually played around with that. Yes, the browser side UX is a
nightmare. It was real fun (for extremely small values of "fun") installing
the client certificate on Firefox and Safari (on the Mac, on the iPad and on
the iPhone). I was rather surprised by the number of different browsers (and
number of computers) it needed to be installed on.

------
sphinx65
Wow, that might be the worst I've ever seen.

Does anyone here buy from auction sites often? Those are a nightmare, they let
the sellers do pretty much anything and very few accept paypal (they're THAT
stingy) - sellers on liveauction.com routinely ask buyers to provide credit
card info over email. It looks like a lot of sellers are flocking to these
because ebay is too strict, wait, I mean "sane".

~~~
pmtarantino
Recently I won an auction at Galabid.com. They use Stripe and after putting my
credit card, it was denied (I think because it was a large payment and I have
no limits). Unfortunately, the Stripe JS popup didn't let me change the card.
I don't know why - I tried incognito, diff browsers, but it was helpless. I
had to send another Card number and all its data through email or the items
were going to be auctioned again if I didn't pay in 24hs.

~~~
emmelaich
Our tollway provider's site:

* inactivates your account if your account is negative.
* one reason for a negative account is the credit card is expired.
* you cannot update your credit card if the account is inactive.

------
CM30
Another example of possible poor security (which seems to be depressingly
common with UK banks) is to ask for certain characters from your password.
Like say, the 1st, 3rd and 5th characters in the word.

However, if the password was encrypted, they shouldn't really have this
information should they? So by asking for it, they're basically admitting
everything's stored in either plain text (very bad) or a reversible form of
encryption (also quite bad).

There are other complaints about this too (like accidentally encouraging
people to write the passwords down so they can figure out which character is
the 3rd one or what not):

[https://security.stackexchange.com/questions/64589/is-it-bad...](https://security.stackexchange.com/questions/64589/is-it-bad-practice-to-ask-only-for-individual-characters-of-a-password)

And it also doesn't seem much like a good deterrent against keyloggers. But
yeah, quite a few banking sites do this, which is a tad worrying.
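The point made in this comment and in the Santander thread above (that a "characters 1, 3 and 5" challenge cannot be answered from a proper password hash) as an added Python example, not code from the page or from any bank: a full-password hash that can only verify complete candidates, beside the per-position storage a site would need for partial challenges, and a measurement of why that second form is equivalent to plaintext. PBKDF2 from the standard library stands in for bcrypt; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import string
from typing import Dict, Optional

# PBKDF2 from the standard library stands in for bcrypt so this runs offline.
ITERATIONS = 100_000
# Characters a site typically allows in a password: 94 candidates per position.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def store_full(password: str, salt: Optional[bytes] = None) -> dict:
    """Proper model: one salted, slow hash of the whole password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_full(record: dict, candidate: str) -> bool:
    """Only a complete candidate can be checked: nothing in the record maps
    'position 3' to a character, so a partial challenge is unanswerable."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def _char_hash(salt: bytes, position: int, ch: str) -> bytes:
    return hashlib.sha256(salt + position.to_bytes(2, "big") + ch.encode()).digest()


def store_per_char(password: str) -> dict:
    """What a site must keep to verify 'characters 1, 3 and 5' without
    literal plaintext: a separate hash for every position. Constructed to
    show the flaw, not a recommendation."""
    salt = os.urandom(16)
    record = {"salt": salt, "length": len(password)}
    for i, ch in enumerate(password):
        record[f"pos{i}"] = _char_hash(salt, i, ch)
    return record


def verify_positions(record: dict, answers: Dict[int, str]) -> bool:
    """The bank-style check: answers maps challenged position -> character."""
    return all(
        hmac.compare_digest(_char_hash(record["salt"], i, ch), record[f"pos{i}"])
        for i, ch in answers.items()
    )


def recover_per_char(record: dict) -> str:
    """Each position has at most len(ALPHABET) preimages, so whoever holds
    the record reads the whole password back with ~94 guesses per character.
    Per-position hashing is therefore equivalent to plaintext storage."""
    recovered = []
    for i in range(record["length"]):
        for ch in ALPHABET:
            if _char_hash(record["salt"], i, ch) == record[f"pos{i}"]:
                recovered.append(ch)
                break
    return "".join(recovered)


def guesses_to_recover(record: dict) -> int:
    """Upper bound on the work recover_per_char needs; compare with
    len(ALPHABET) ** length for the full-hash model."""
    return len(ALPHABET) * record["length"]
```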

------
gry
…and more. [https://twitter.com/PWTooStrong](https://twitter.com/PWTooStrong)

------
draw_down
I can't believe people still inform and try to counsel these tone-deaf
corporations. The upside is so small and the downside is potentially quite
large. Catch some moron CEO in a bad mood and they've got plenty of resources
to make your life hell even if they don't have a legal case.

~~~
yeukhon
So what is your suggestion here?

------
zanny
> And before we all lose our minds going "the password must die", nobody has
> yet figured out how to make that happen!

If I were designing a new product today, I would never consider having
usernames and passwords. While it is a shame Mozilla killed Persona before it
could even have a chance, it is still way, way more reasonable to use third
party signin buttons than to try to do it on your own. Again. Brokenly. For
the thousandth time per person.

It is a shame that one button alone does not work, but just OpenID Connect
includes Google, MS, and Amazon (so one login backend and three click buttons
and you are covering probably 99% of people, who will have one of those three
accounts).

~~~
unethical_ban
I would not funnel users into one of several privacy-sucking walled gardens to
use my site.

If there were a true, privacy-oriented product whose sole job was identity,
perhaps.

Usernames and passwords are not hard. It's just that a lot of people are
stupid.

------
CM30
Some of this stuff is absolutely terrifying. I mean, using the last four
digits of a mobile number as a password? Damn, it's a site where a leaked
username list is literally a major data breach.

LOL at 'reducing virus noises' too.

------
makecheck
If there’s one thing that needs to go away ASAP, it’s “security” questions.
They are _so_ time-consuming, they increase the amount of information shared
with 3rd parties, and the quotes I used are intentional because the questions
provide no security whatsoever. Quite the opposite: these questions simply
force people to share more information than they should be _required_ to
share, and (for most people who don’t think to lie) it increases the chance
that sensitive secrets will be revealed and used to impersonate people.

It’s even worse when these “security” questions are coupled with the “Monday-
Friday, 9-5 ET” phone numbers. I once had a mobile login “lock out my account”
on a Friday night and I was informed that I could _not_ unlock it without
calling one of those numbers and answering my “security” questions. So instead
of having access as a customer, I had over two full days of nothing, followed
by the obligation to find time to call these people, followed by the awkward
process of wondering if I would even remember the damned questions or answers.
Every last bit of that process is broken, wrong, unnecessary, adds no
security, and disrespects customers.

And in case you think account-lockouts are any better, consider that it is
_TRIVIAL_ to use this as an attack. Someone you don’t like? Odds are you can
find their E-mail log-in. “Guess” their password 3 times, and they can’t
access their account at all for some extremely-inconvenient length of time.
Ever-increasing delays between log-in attempts work just fine as an
alternative to lockouts.
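The alternative named in the last sentence, as an added Python example that is not the commenter's code: a per-account throttle that grows the wait exponentially after a couple of free failures, caps it, and never locks the account. Attempts made before the wait has elapsed are refused without counting as failures, so a third party hammering the login form cannot push the delay past the cap and the legitimate user is never shut out for days. The `verify` callback and the sample passwords are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict

FREE_FAILURES = 2   # typos before any delay applies
BASE_DELAY = 1.0    # seconds after the first counted failure
MAX_DELAY = 300.0   # cap: the worst anyone can inflict is a 5-minute wait


@dataclass
class AccountState:
    failures: int = 0
    not_before: float = 0.0   # epoch seconds; attempts accepted at or after this


def backoff_delay(failures: int) -> float:
    """Delay to impose after `failures` consecutive bad passwords."""
    if failures <= FREE_FAILURES:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - FREE_FAILURES - 1), MAX_DELAY)


class LoginThrottle:
    """Ever-increasing delays instead of a hard lockout."""

    def __init__(self, verify: Callable[[str, str], bool]):
        self._verify = verify
        self._state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float) -> str:
        """Returns 'ok', 'bad-password' or 'too-early'. An attempt inside the
        wait window is rejected but not counted, so it cannot extend the wait;
        a correct password clears the backoff entirely."""
        st = self._state.setdefault(user, AccountState())
        if now < st.not_before:
            return "too-early"
        if self._verify(user, password):
            self._state[user] = AccountState()
            return "ok"
        st.failures += 1
        st.not_before = now + backoff_delay(st.failures)
        return "bad-password"

    def wait_seconds(self, user: str, now: float) -> float:
        """How long the account must wait before the next attempt is accepted."""
        st = self._state.get(user)
        return max(0.0, st.not_before - now) if st else 0.0
```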

------
saulrh
I've seen the "Express <Form with Personal Data>" vuln before, but with
people's SSNs, DOBs, and bank account numbers, _plus_ sequential numeric user
IDs instead of emails. It's fixed now, thankfully, but, uh, yeah.

------
schwede
That was a very entertaining, but very sad read...

------
chrisper
This reminds me of the AT&T GoPhone website. Your username is your phone number
and your password is a 4 digit PIN. The same pin you can use to transfer out
your number.

~~~
marme
This is exactly why 2FA with SMS is not secure at all. If someone really wants
to get into your account, all you have done is add one extra step where they
need to steal your phone account, and then they steal your other account. It
has been shown how easy it is to steal someone's phone account and transfer the
number to a cheap burner phone or online service. This also kills your cell
service, so unless you have another phone to use you can't even call to secure
your accounts, and the attacker has plenty of time to break in to all your other
accounts.

~~~
ekimekim
> is not secure at all

Absolutes are the wrong language. It adds a significant burden (steal the
user's phone account), which if nothing else requires individual attention,
which drastically changes the economics of an attack vs, say, mass automated
attacks using leaked passwords checking for re-use. Sure, you and I might have
unique randomly generated passwords for our accounts, but not everyone is so
careful, and SMS verification can and does save many an account.

------
The_Magistrate
Thanks, I needed this laugh (and cry) on a Friday.

------
smnscu
One of my pet peeves is that 1password doesn't seem to support security
questions out of the box, so I have to manually generate random passwords with
it, fields for Q1, A1, etc., then set those fields to type "password".

------
bArray
@troyhunt: Have you seen the latest leak by Atlassian?

I got an email on 4th April, 2017 that reads as follows:

        Hello,
        
        This weekend, our Security Intelligence Team detected an incident
        affecting HipChat.com that may have resulted in unauthorized
        access to user account information (including name, email address
        and hashed password). Atlassian ID is used to manage access to
        your HipChat.com account and other Atlassian services you use.
        The password is encryprted using bcrypt with a random salt. In
        our security investigation, we found no evidence of unauthorized
        access to financial and/or credit card information. We can also
        confirm that we have found no evidence of other Atlassian systems
        or products being affected.
        
        As an added precaution, we have reset your Atlassian ID which is
        used to access all Atlassian services, including HipChat. Please
        go to https://id.atlassian.com/login/resetpassword and enter your
        email address to trigger a password reset email for your Atlassian
        ID account. If you have been using your Atlassian ID password on
        other sites, services or online accounts, we recommend that you
        immediately change those passwords as well.
        
        Please refer to the HipChat Blog at http://blog.hipchat.com for
        additional information about this incident. We regret any
        disruption this may have caused and appreciate your immediate
        attention. If you have questions, please do not hesitate to
        contact HipChat Support via our support portal or by sending email
        directly to support@hipchat.com.
        
        – Ganesh Krishnan, Chief Security Officer

Nice of them to provide links to reset your password - anyone quick on their
feet and with access to that database could have got people's passwords.

I think if you tweeted at them they would release an email list to you for
updating the [https://haveibeenpwned.com/](https://haveibeenpwned.com/)
website. I imagine there's still a lot of people that are unaware that their
details are out there and that their accounts are vulnerable.

~~~
AndrewDucker
No, they couldn't have gotten people's passwords. They could have their
passwords _encrypted with a random salt_. Which is, frankly, useless.

~~~
bArray
They have their email and their ID, added with the knowledge they are
compromised. That's enough to build a spoof password reset email and get them
to type in an old/new email.

~~~
MertsA
Oh no! someone could send me an email confirming that I want to reset my
password! Just like every other site out there that has a forgot password
link.

~~~
bArray
They know their email and ID - so it's targeted. Without this information it
is generic and easily spotted. Quoting your repository is a lot more personal
and believable.

Additionally you can use the previous warning emails to really target somebody
as one of the few that need "further recovery/security" steps. This _is_ a
security issue.

------
dionidium
"_No really, I've seen some very stupid security stuff out there the likes
of which make the above example not just believable, but likely. Don't believe
me? Here, hold my beer..._"

The "Here, hold my beer..." line is totally played out at this point, anyway,
but the usage here doesn't even make sense. The implication is that you're
about to do something stupid, not that you're about to tell us about some
stupid things other people have done.

Why would I need to hold your beer while you tell me a story?

------
robk
Sadly British and other Commonwealth countries like Australia seem way too
overrepresented in crap like this. Something about British culture leads to
atrocious ignorance of security.

------
srum
test@strawberrynet.com

test test test, Burdur, Eastern, Hong Kong , Hong Kong

Daytime Contact Number: 1234567890 ; Mobile: 55555555

------
systems
this is a bit hard to read with all the screenshots/images, headings and
sub-sections

i think the author is knowledgeable, but .. please make it more readable

------
noelwelsh
I'd much rather read a post detailing secure best practices on all these
issues than "look at all these stupid people, lulz".

~~~
jamiesonbecker
Where would you guess that security best practices are derived from?

And which will you remember better... a crazy story that you would _never_ do,
or a dry 10-point list, half of which may not be applicable to you?

------
city41
This is a huge problem and has been for a long time. We allow pretty much
anyone to code up a website. It'd be similar to allowing anybody to start
practicing medicine.

I've lost count of how many websites I've used that were blatantly insecure.
Sometimes you have no choice but to do it, like when I had to apply for a
Brazil travel visa. Their SSL certificate has expired, and has been expired
for years now.

~~~
soared
So you'd rather the government hand out certifications and only allow those
certified people to create websites? That sounds better.

~~~
MertsA
There would be benefits to licensing web dev. I wouldn't suggest that a
license should be required for any web development but if the website is used
to safeguard PII or secure financial transactions then I don't think it would
be too unreasonable to do so to get rid of these clowns. I used to work in an
SMB web development shop and the incompetence that I'd see daily from our
competition really changed my perspective on the field.

I used to feel almost like an imposter when I first started but I've seen so
many "experts" who have been selling their services for decades yet they don't
understand even the fundamentals of their profession. We already require
licensing professionals for many things which are arguably less important than
a lot of websites. I think a fair balance could be struck here to make sure
that large businesses like Betfair can't get away with this crap yet not
stifle hobbyists or businesses whose websites don't pose any appreciable risk.

