
Duolingo Emailed My Wife with Her Password in the Subject Line - MBCook
https://www.aaronm.net/duolingo-emailed-my-wife-with-her-password-in-the-subject/
======
SeanColombo
Hi there, I'm an engineer on the Schools team at Duolingo and I remember
looking into this a while back.

A couple of important things to note here:

1. We do store all passwords hashed. We do not store plaintext passwords.

2. That spot in the subject line for the update is for the name of a
classroom in the Schools product. When we investigated we realized this was
just a case of user error where they must have typed their password in as a
classroom name when they created a class.

3. I'm not positive if we ever responded to the report... I'm trying to find
the thread. If we didn't respond, that's my fault and I'm very sorry. Not a
great user experience to think your password is stored in plaintext!

I'm trying to find the email thread where I first encountered this so that I
can understand more thoroughly what's going on.

UPDATE: The discussion we had internally was a slack conversation, not an
email. I verified that one of the user's classroom names appears to be
something someone would use for a password. Once we determined there wasn't a
security issue, I didn't ask for the reporter's contact info or anything like
that. I'm really sorry to Aaron and his wife for the poor service & bad
customer experience.

~~~
iwritesomecode
Good to hear, and we know stuff happens and falls through the cracks.

Upon discussing it with my wife, user error did come up—should have had that
discussion again before writing the post (adding an update, now).

_wipes egg off face_

~~~
politelemon
Yes - thoroughly researching the issue is extremely important before making
accusations; even a 'refactored' one like yours has a lasting impact on
organisations.

If you go to the Duolingo Schools website or account profile, you will notice
the classroom name at the top, clearly listed - this should have quelled any
plaintext suspicions.

[https://schools.duolingo.com](https://schools.duolingo.com)

------
mehrdadn
If you think this is bad... here are the emails I got from Robinhood after I
had to contact them for my statements (since the app wasn't loading them):

> Robinhood: For security purposes, we'll need you to verify the following:
> Your username, the last 4 digits of your SSN, and your DOB.

> Me: (reluctantly sent them the info, because what else could I do)

> Robinhood: Attached is your requested document. For security purposes, we've
> encrypted it and set the password to the last 7 digits of your SSN.

_(In case you don't know, SSNs are only 9 digits, and the first 3 digits are
known based on the location of either where you were born, or where you got
the number -- I forget which. I recall the following 2 are also predictable,
though I forget exactly how. In other words: they are not hard to guess. And
don't forget the whole thing is 9 digits. Meaning it'd take less than a minute
[if even a second] for anyone with a copy of my statement to crack it AND
extract my SSN from it.)_

> Me: (Sends them an email lecture telling them exactly why everything so far
> has been extremely alarming.)

> Robinhood: Robinhood Financial is a member of the Financial Industry
> Regulatory Authority (FINRA) and the Securities Investor Protection
> Corporation (SIPC). We take the security of our members' private information
> very seriously. Robinhood uses bank-level security measures to protect your
> personal information. Your _password_, _social security number_, and
> _other sensitive data are encrypted_. Our mobile and web applications
> communicate securely using SSL and 256-bit encryption.

_(emphasis mine)_

Oh, and to top it off, it turned out they had _forgotten to actually encrypt
the document with my SSN_ like they had claimed to. In other words they aren't
even following their own security policies. Which I'm not sure whether to
classify as a good thing or a bad thing given what their policies were.

~~~
tehlike
And don't forget, Robinhood is a b$ company now...

------
sgarrity
I'm inclined to trust in the intentions and competence of the people at
Duolingo because I've worked with them before, so with that disclaimer:

Is it possible that this person accidentally mixed up the username and
password fields when editing their own account? Or, some type of browser
autofill mixup put the password in the username field when editing the account?

~~~
wvenable
It feels like in both places that's the location of the username. Forget
having passwords in plain text, for what reason would passwords be prominently
displayed?

------
trothamel
Question: Is it possible she simply typed her password into the wrong field
when registering for the account? It seems like all of the fields would be an
appropriate place for the name of, for example, an organization.

~~~
iwritesomecode
Yes, it is possible; the complete silence from Duolingo is as much a
frustration as anything.

------
firefoxd
I spent night and day wasting my time away trying to make sure my apps are
secure enough. I am never satisfied and it wears me down.

"I need to change my random token generator to use the one that comes with
openssl, but then I'll have to rework a huge part of my application. Eff it,
I'm doing it. "

Meanwhile Duolingo just saves the password in the database and gets on with
it.

~~~
Gigablah
Something new to add to your checklist: “I need extra logic that prevents
people from accidentally entering their passwords into every other profile
field, otherwise it’ll show up in emails and I’ll get accused of saving
plaintext passwords in a widely distributed blog post.”
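
One way to implement the check Gigablah describes, as an added example (not Duolingo's code or anything from the thread): before saving a free-text profile field such as a classroom name, verify the submitted value against the account's password hash and reject the save if it matches, so a password typed into the wrong box is never stored or echoed back in an e-mail subject. Function names, field names and the sample password are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Added example, not Duolingo's code: compare free-text profile fields against
# the stored password hash so an accidentally pasted password is never saved.

PBKDF2_ROUNDS = 100_000  # assumption; any slow password hash works here


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256; returns (salt, digest). A fresh salt is drawn if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate's hash with the stored digest."""
    _, cand = hash_password(candidate, salt)
    return hmac.compare_digest(cand, digest)


def _variants(value: str):
    """Forms the password may have taken in a text box: unicode-normalised,
    stripped of stray whitespace, and lower-cased (mobile keyboards often
    auto-capitalise the first letter of a non-password field)."""
    v = unicodedata.normalize("NFKC", value)
    yield v
    yield v.strip()
    yield v.strip().lower()


def field_matches_password(value: str, salt: bytes, digest: bytes) -> bool:
    """True if any plausible variant of the field value verifies as the password."""
    return any(verify_password(v, salt, digest) for v in set(_variants(value)))


def validate_profile_fields(fields: dict, salt: bytes, digest: bytes) -> list:
    """Names of fields that must be rejected because their value is the password."""
    return [name for name, value in fields.items()
            if isinstance(value, str) and field_matches_password(value, salt, digest)]


if __name__ == "__main__":
    # Constructed sample account: the classroom name below is the password itself.
    salt, digest = hash_password("hunter2-classroom")
    bad = validate_profile_fields({"classroom_name": " Hunter2-classroom ",
                                   "bio": "Spanish 101"}, salt, digest)
    print("rejected fields:", bad)  # -> ['classroom_name']
```

The check runs on save, so the cost is one password-hash verification per variant per free-text field, which is acceptable for an infrequent profile edit.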

------
viraptor
One for [http://plaintextoffenders.com/](http://plaintextoffenders.com/)

~~~
arkadiyt
I realize this site is referring to password storage but it is itself a
plaintext offender in that it doesn't support https.

~~~
drkstr
Why does everything need to be https? Are you worried someone might find out
what kinda lols you're into?

~~~
RossM
Yes, everything does need to be HTTPS. If not for user privacy then for
response integrity - to be sure the response hasn't been MITMed.

You might think most sites are innocuous, but it depends on where you live. I
could see this site getting classified as "hacking/encryption-related" by
something like SonicWall's firewall (HN too). What if your government tasks
your ISP to round up all those trying to bypass state firewalls? Heck I live
in a western country where our government is misguidedly angling to ban
encryption. For the minimal effort involved, I believe all sites should be
https.

------
matt4077
Citizen journalism at its best: making false accusations and finding a way to
still blame it on the victim.

