

Bad Security at Evite - ardell
http://fnord1.blog.ca/2008/06/30/bad-security-at-evite-4382575/

======
fallentimes
Use Anyvite.

<http://anyvite.com>

------
swombat
Didn't we have this discussion about password hashing already a few weeks ago?

If someone's snooping on your email, I think you've got bigger problems than a
lost password, tbh.

As for hashing, again, if someone can get on the server and download the whole
database, you've got bigger problems than password hashing.

I'm not saying this is a good practice, but I just don't think it's as big a
problem as this guy is making it out.

Also, there's a balance between security and usability. For some kinds of
users, not being able to tell them their password is actually a problem. Sites
that are able to do that will have a competitive edge in getting those users.
So the question is one of balance between usability and security, not just one
of security.

~~~
drm237
I disagree that not being able to tell someone their password is a usability
problem. Having a password reset system is just as usable and significantly
more secure than having to store passwords in plain text.

And both of your arguments about having bigger problems are fundamentally
flawed. Sure, if someone does get your db, you have a big problem, but that
doesn't mean you shouldn't take precautions so that if it somehow happens they
can't read it like a book. It's kind of like you're saying cars shouldn't have
airbags because it's harder to honk the horn and if you do get in an accident,
you've got bigger problems.

And someone snooping on your email is as easy as you accessing your webmail on
an unencrypted wifi connection. Do you think everyone in the world makes sure
they use the ssl version of their webmail in public? Because if not, sniffing
packets is trivially easy.

My point is that the situations you mentioned only become bigger problems when
you make no effort to protect these things.
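
The point being argued here, hashed storage plus a token-based reset instead of mailing the password back, as an added example that is not code from this thread or from Evite. It assumes in-memory dicts standing in for the user and reset-token tables, PBKDF2-HMAC-SHA256 with a per-user salt, and a 15-minute token lifetime; the reset token is itself stored only as a hash, so a copied database yields neither passwords nor usable reset links.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stand-ins for the user and reset-token tables.
USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # email -> {"token_hash": bytes, "expires": float}
RESET_TTL_SECONDS = 15 * 60   # assumed token lifetime
PBKDF2_ROUNDS = 100_000       # assumed work factor

def _hash_password(password, salt):
    # Only the derived key is stored; the password itself is never written anywhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def register(email, password):
    salt = os.urandom(16)   # fresh random salt per user defeats shared rainbow tables
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt)}

def verify_login(email, password):
    record = USERS.get(email)
    if record is None:
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(record["hash"], _hash_password(password, record["salt"]))

def request_reset(email, now=None):
    """Return the one-time token that would be emailed, or None for an unknown account."""
    if email not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[email] = {
        "token_hash": hashlib.sha256(token.encode("utf-8")).digest(),  # never store the raw token
        "expires": (time.time() if now is None else now) + RESET_TTL_SECONDS,
    }
    return token

def complete_reset(email, token, new_password, now=None):
    """Accept the token once, within its lifetime, and re-salt/re-hash the new password."""
    pending = RESET_TOKENS.get(email)
    if pending is None or (time.time() if now is None else now) > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(pending["token_hash"], presented):
        return False
    del RESET_TOKENS[email]   # single use: a replayed link must fail
    register(email, new_password)
    return True
```

The user experience is the same "click the link in your email" flow Evite could offer, but nothing in the database or the email reveals the old password.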

~~~
wallflower
> Do you think everyone in the world makes sure they use the ssl version of
> their webmail in public?

I know techies who don't use GMail who don't bother to explicitly use
<https://mail.google.com> - I don't know why.

~~~
paulgb
I didn't realize until recently, but GMail now has an option to automatically
use https. It is under <https://mail.google.com/mail/#settings> at the bottom,
and is turned off by default.

~~~
timf
And there was an automated tool released last year to mess with those who
don't do that:

[http://www.google.com/search?hl=en&q=https+gmail+cookie+...](http://www.google.com/search?hl=en&q=https+gmail+cookie+hijacking)

------
lacker
Evite is willing to sacrifice security for usability. Which makes sense,
because it doesn't really matter if someone hacks your Evite account.

~~~
carpo
I don't think hacking the evite account is the problem. With many people using
the same password across multiple accounts, getting their evite password may
also be giving the password to countless other systems. So they are
essentially sacrificing the security of their users, not just their own
application.

~~~
paulgb
I agree that people do that, and that ideally a website would not email
someone their password for the simple reason that people do recycle passwords.

But, the onus here should really be on the user. If they are careless enough
to use the same password for everything, they are indicating that they are
willing to trade some security for convenience. In my opinion, emailing users
their password is just another security/convenience trade-off. I'd be upset to
get my password sent in plaintext from my bank, but not an invite website.

------
staunch
Sending your password after signup doesn't necessarily mean they're storing it
permanently.

~~~
ardell
You're absolutely correct, but in evite's case they are storing them
permanently. The actual reason I posted this is that I forgot my
password and requested a reset (~5 years after signup) and they sent it to me
in plain text.

------
seiji
Progressive postal-mailed me a letter with password on it when they sent my
first insurance cards.

I think some health insurance sites do the same thing.

