I signed up, and as makethetick pointed out, they sent me the plaintext password via email. I decided to close my account but first thought I should change the password. The change password form just spits error alerts showing the underlying HTML code.
I can't trust these guys with ANYTHING.
Of course, I'd not trust backing up my data to a site that fails so miserably at basic security.
> Looking forward to the day when the browser will just automatically generate one for me.
I looked into the exact same thing to resell to my customers (non-techie, average users interested in digital preservation).
Easy for me to tell based on the "briefcase".
The reseller costs like $60 a month and has "unlimited users, unlimited space" - so you decide if it is sustainable.
White label (which I assume they are doing) is $1100/year.
I considered doing this for $5/month, the break even is very low.
Currently quite happily using BackBlaze for my personal computers, and working on an open source backup tool for servers </shameless>
Because I like to work to specification, I wrote a readme before I started the project, which might show the general direction I'm trying to go with it. When I get home tonight I'll stick it on a gist and link it.
Is the readme
WARNING: These guys use plaintext passwords!!
Edit: I received the login info email after I clicked the activation link in a previous email, this means the password must have been stored in a database until I clicked the activation link.
It's not difficult to send a confirmation email that contains your password without having to store your password in plaintext anywhere.
Now, I don't know whether they store passwords in plaintext, but it's unfair to make such accusations based on the content of a registration confirmation email.
Again, there could be a less-than-ideal explanation for this, so we don't know 100% (I was hoping to see a "forgot password" link somewhere to test this with), but this does raise suspicions.
If they're sending passwords in plaintext they're incompetent and not to be trusted, especially for this kind of service. Ouch.
For one, I do. There's a world of difference between handling an HTTP POST and storing passwords in the clear in the DB.
I pretty much agree, but stand by my point that sending a password in a confirmation email is the lesser of the two evils.
Let's take it a step further... If this is insecure, how much trust can you put in your data being secure? The goal of good online backups is that the only way to actually read data from the backup is to have the user's password. They clearly don't have that, as everything is reversible.
Dropbox used to claim to be like that, not anymore. Which is why I don't trust Dropbox with private data. Instead I store it using AeroFS with local replication.
Email should always be treated as an insecure channel, so sending passwords over it is just bad security practice.
The system should only hang onto the password for as long as it takes to hash it.
It is a warning sign though, agreed.
Sorry, should have added that previously.
That's not a good sign. The best case scenario I can think of is that the email body is generated at registration and sent out once the activation link is clicked. After this the template is deleted. But it'd be far easier just to store your password in plaintext and go from there.
Like you, I'm suspicious.
> Even the employees of Backify can not access your data.
This is good news. It might be enough to make me switch from Dropbox, everything else being equal.
Dropbox already had one case where you could log in without a password. That could never happen if they actually needed the password to decrypt the data.
Hi, two things:
1- The key <enter> should submit forms. (It didn't work in the signup form, the login form and some dialog box popping in).
2- You sent me my password by e-mail.. which means you've got it in cleartext in the database. How can you then say it's secure..?
Seriously, not really professional. I mean, I can understand for other kinds of apps; but this is backup and highly confidential information.. this shouldn't happen. A little bit like you can judge a whole building based on the bathroom, a website with flaws everywhere says a lot about the quality of the backend.
They cannot peek.
Also, my favourite feature: The client allows you to mirror the encrypted blocks to a remote FTP/SFTP target owned by you.
There's your N+1.
Talk about a zero-trust environment!
About the passwords, they are all hashed (md5 with salt). They were just stored temporarily in the session for the email, and the session was destroyed immediately. But we fixed this issue earlier yesterday and updated on our blog.
Rest assured we promise to provide even better support from now on. We might stop offering free accounts soon, but the ones already signed up will continue to be free for at least a year, maybe longer.
Thanks again for the tremendous response and bringing the bugs and flaws to our notice.
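The registration flow several commenters describe (hash the password the moment it arrives, keep nothing in the session, and put an activation token rather than the credential into the email), written up as an added example; this is illustrative code, not Backify's or LiveDrive's, and the in-memory `USERS` store, the `example.invalid` link and the PBKDF2 parameters are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "database" for the example: holds only salt, cost and digest.
USERS = {}
PBKDF2_ITERATIONS = 600_000  # order of magnitude OWASP suggests for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Return a record with salt, iteration count and PBKDF2 digest; the password itself is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "iterations": PBKDF2_ITERATIONS, "digest": digest.hex()}


def register(email, password):
    """Hash immediately on receipt. The plaintext lives only in this call's frame;
    what goes into the mail is a random activation token, not the credential."""
    record = hash_password(password)
    record["activation_token"] = secrets.token_urlsafe(32)
    record["activated"] = False
    USERS[email] = record
    return record


def confirmation_email(email):
    """Body of the activation mail (hypothetical domain): a token link and no credential material."""
    token = USERS[email]["activation_token"]
    return f"To: {email}\nActivate your account: https://example.invalid/activate?token={token}\n"


def activate(email, token):
    """Mark the account active if the presented token matches, using a constant-time compare."""
    record = USERS[email]
    if hmac.compare_digest(record["activation_token"], token):
        record["activated"] = True
        return True
    return False


def verify_password(email, password):
    """Recompute PBKDF2 with the stored salt and cost, then compare in constant time."""
    record = USERS.get(email)
    if record is None:
        return False
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["digest"])
```

Nothing stored or mailed here can be reversed to the password; a "forgot password" feature on top of this design can only issue a reset token, never resend the original.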
There is no contact us/address page. Also, does this mean that the domain name is on sale by the owner? http://www.aftermarket.com/backify.com
Which is to say pretty cheap and mostly reliable, which is okay when once or twice a year you can't go online for a short time (clothing needs to be changed anyway); it is just not good enough when your wedding pictures get deleted.
Or worse, this crazy offer bankrupts the business and you suddenly can't access it any more.
As all the comments here have covered, it's a reseller account for LiveDrive and the site itself has a number of issues, not the least of which includes sending plain text passwords via email.
Bottom line: if it sounds too good to be true, it probably is...
Ok, they just lost my trust.
Note that backed up files can be accessed through mobile apps, just that it could be a security risk for accessing files on the go.