

Tell HN: Unfuddle (svn hosting) has bad password security - geuis

I was poking at Unfuddle (http://unfuddle.com) and forgot my password. I reset it, and in the email that was sent to me was a randomly generated password along with my username for their site, which is entirely different than my email address.

So, I logged back in and changed the password manually. I then signed out and did the lost password request again. Another email was sent, this time containing an entirely different randomly generated password.

This is almost as bad as Unfuddle storing my password in plaintext (which they may be doing anyway). Under no circumstances should your service ever just generate a new password and send it in the email.

There are a few ways this is really bad.

1) The password reset request completely wipes out your old password.

2) I can reset the password of *anyone* who I know has an account on Unfuddle, simply by knowing their email address.

3) If I gain access to their email address, I now have 1-click access to their source code repo hosted at Unfuddle.

4) I can easily perform a denial of service request against an account(s) by writing a script that periodically submits the reset link for a given email address. While I may not be able to get access to your account, I make it hard for you to get access to it also.

If you or your team use Unfuddle, I highly recommend that you stop and look for alternative hosting.
======
dcroswell
I will admit that under this functionality it would, in theory, be possible
for one to grief a user in an Unfuddle account if one knew the correct email
address. I say "in theory" because this has never happened in Unfuddle.

In any case, I am pleased to announce that this is no longer possible. In the
last two days we have completely changed the password recovery process in
Unfuddle. The process looks something like this:

1) User requests to recover his/her password by entering email address in
reset form (just like before)
2) An email is sent containing a secure link to a password reset form
3) User clicks on link to access the form only if he/she actually wants to
reset the password
4) User enters desired password and confirms it
5) Password is reset and never sent through email or transmitted unencrypted.

This takes care of all your points with the exception of #3. As cheald
mentioned below, if someone gains access to your email you are in trouble
anyway. Take some responsibility and use good password sense when protecting
things which are important to you.

Finally, I want to make it clear that we do not store passwords in plain text
and never have. Please confirm such speculations with a service provider
before posting things you don't know in public.
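
A link-based reset of the kind dcroswell describes, combined with cheald's point that issuing a reset should not lock out the current password, as an added example (not Unfuddle's code; the in-memory dicts, the 15-minute token lifetime and the PBKDF2 parameters are assumptions):

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stores standing in for database tables (assumption).
USERS = {}          # email -> {"salt": bytes, "pw_hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"email": str, "expires": float}
TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy)

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def create_user(email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[email] = {"salt": salt, "pw_hash": _hash_password(password, salt)}

def verify_login(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False
    return hmac.compare_digest(user["pw_hash"], _hash_password(password, user["salt"]))

def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """Step 1/2: issue the secret for the emailed link. The current password is
    untouched, so a stranger submitting the form cannot lock the owner out.
    Returns None for unknown emails (respond identically to the requester)."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    # Only the newest link for a user works: drop any outstanding token.
    for digest in [d for d, r in RESET_TOKENS.items() if r["email"] == email]:
        del RESET_TOKENS[digest]
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token so a copied table cannot be replayed as a link.
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = {"email": email, "expires": now + TOKEN_TTL}
    return token

def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Steps 3-5: the form behind the link sets the password. Single use, time limited."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if rec is None or now > rec["expires"]:
        return False
    create_user(rec["email"], new_password)  # re-salt and store the new hash
    return True
```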

------
cheald
Have you confirmed that performing the password reset request invalidates the
current password? The way I've seen this done is to have two password fields -
one for the normal password, one for temporary passwords. Issuing a reset
won't lock out the "normal" password until you log in and change it.

If someone gains access to your email, it's game over anyway.

------
Khao
Have you tried talking to the guys at Unfuddle about this issue? Every time I
find something wrong with a website or a service I use I first try to discuss
it with them before going public about it. They might really love your comment
and fix this problem very quickly if their developer can do it.

