Instagram sends passwords in plain text
56 points by Juliuso 2533 days ago | 15 comments

Makes you wonder how secure mobile apps are in general as the user can't determine the connection state, unlike a browser window by looking at the URL or seeing the padlock in the corner.

I don't want to alarm anyone but so does this site. If you're not using unique passwords for every site you use then you really should consider doing it. Tools such as 1Password make it ridiculously easy, there really is no excuse.

Yeah. There's a Firesheep handler for news.yc too:


This website should really be migrated to https.

Heaven forbid someone in a coffee shop posts something on your HN account…

:) Yeah, not the end of the world... but many, many people use the same password (or one with slight variation) on many sites. Sure, they "shouldn't", but, still...

or editing your yc application.

It's not just that. Some countries inspect web traffic. Some of them disapprove of conversations on some topics.

Another way is to hash a "salt" password with the domain (or something site specific). So if my salt was "assword" and I put the last 4 characters from the domain name interspersed at the end of my password it would look like this: asswaotrodr. Giving you a unique and complicated password for every site.

"Salting" it in that way doesn't increase your security by much? If they looked at your password, once they obtained it, how long would it take them to figure out what you were doing, and thereby be able to derive all your other passwords?

True, if someone were able to get your username and password for a site they may be able to figure out your hashing scheme. But what if someone compromises an entire database? They would use a bot to go out and see what they can access with the given usernames and passwords as is.

The suggested password strategy helps to protect against the latter case.
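The per-site scheme from the comment above, the objection that one leaked password gives the scheme away, and the "whole database dump, tried as-is" case, worked through as an added example (this is not code from the thread; the exact interleaving rule is my reconstruction from the "assword" / "asswaotrodr" example, assuming the site label is "ycombinator" and that the last four site characters are interleaved, site character first, with the last three master characters; the HMAC-based derivation at the end is an added contrast, not something the commenter proposed):

```python
import base64
import hashlib
import hmac


def derive_interleave(master: str, site: str, n: int = 4) -> str:
    """Reconstruction of the thread's scheme (assumption: the last n characters
    of the site name are interleaved with the last n-1 characters of the master,
    site character first).  derive_interleave("assword", "ycombinator")
    gives "asswaotrodr", matching the comment."""
    tail = site[-n:]
    keep, mix = master[:-(n - 1)], master[-(n - 1):]
    out = []
    for i, c in enumerate(tail):
        out.append(c)
        if i < len(mix):
            out.append(mix[i])
    return keep + "".join(out)


def recover_master(leaked: str, site: str, n: int = 4) -> str:
    """The objection raised in the thread: given one leaked password and the
    site it was used on, strip the site characters back out and the master
    falls out, after which every other site's password can be derived."""
    width = 2 * n - 1                      # length of the interleaved tail
    keep, mixed = leaked[:-width], leaked[-width:]
    if mixed[0::2] != site[-n:]:           # site chars sit at even offsets
        raise ValueError("leaked password does not follow this scheme")
    return keep + mixed[1::2]              # master chars sit at odd offsets


def replay_dump(dump: dict, site: str, scheme) -> dict:
    """The case the scheme does defend against: a bot takes a dumped
    (user, password) list and tries it unchanged on another site.  Returns
    the passwords that would work there (i.e. the reused ones)."""
    return {u: p for u, p in dump.items() if scheme(u, site) == p}


def derive_hmac(master: str, site: str, length: int = 16) -> str:
    """Added contrast: HMAC-SHA256 keyed with the master over the site name.
    A leaked output does not reveal the master or any other site's password;
    the master still has to be strong, because an attacker holding one output
    can guess masters offline."""
    mac = hmac.new(master.encode(), site.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()[:length]


if __name__ == "__main__":
    # Constructed sample: one leaked password from the interleave scheme.
    leaked, site = derive_interleave("assword", "ycombinator"), "ycombinator"
    master = recover_master(leaked, site)
    print(leaked, "->", master, "->", derive_interleave(master, "instagram"))
    # The same leak under the HMAC scheme gives nothing reusable elsewhere.
    print(derive_hmac(master, site), derive_hmac(master, "instagram"))
```

Both derivations share the thread's weakness that everything rests on one master string; a password manager holding a random password per site (the advice given earlier in the thread) avoids that dependency, and is also the only option when a site's password rules reject the derived characters.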

Millions of passwords are moving around in plain text at any given moment in time. Most websites do not have an SSL certificate. Heck, those websites are primarily built by people sending the files containing plain text database passwords to FTP servers with plain text login credentials. Why is this so surprising all of a sudden that these notices keep popping up on HN?

Maybe this is one of those things that "Google couldn't do."


At goodpassword.com you have several password generators to create random passwords having in mind features to easily remember them. It's an inexpensive subscription service and includes a free trial. Give it a try. Thanks David J.

What about OpenID? HN supports it and is way more secure than using plain text password over the wire...

I believe textPlus sends passwords in plain text as well
