I signed up, and as makethetick pointed out, they sent me the plaintext password via email. I decided to close my account but first thought I should change the password. The change password form just spits error alerts showing the underlying HTML code.
I was just going to post this. I signed up, activated my account, and then immediately received my password in plaintext! What are these guys thinking? Way to subvert trust...
It's because of sites like this that I started using unique passwords for every new login. Chrome + OSX Keychain make this reasonably easy now. Looking forward to the day when the browser will just automatically generate one for me.
Of course, I'd not trust backing up my data to a site that fails so miserably at basic security.
I use pwdhash for pretty much everything. It's great, but it can be a pain for signing into services on an application or device that doesn't support automatic expansion.
I used to have LiveDrive probably 6 months ago (whom they are reselling from), but I found the Mac client quite buggy. Briefcase didn't work and backups took ages, far longer than they should have done. I will give them credit for fantastic support and a no-questions-asked refund, which was pretty awesome. They might have fixed the issues now, I hope they have, but still I would go directly to LiveDrive rather than a reseller, particularly since the site appears to have been thrown together. Someone probably thought they could make some quick money. I only hope when they shut down, LiveDrive are considerate enough to migrate everyone's accounts.
Currently quite happily using BackBlaze for my personal computers, and working on an open source backup tool for servers </shameless>
I dropped my LiveDrive account a while ago due to poor client software. It's sad to hear their Mac client still sucks. You'd think by now they would have worked out the problems.
Because I like to work to specification, I wrote a readme before I started the project, which might show the general direction I'm trying to go with it. When I get home tonight I'll stick it on a gist and link it.
I've just signed up and received my confirmation email along with my email and the PASSWORD that I defined.
WARNING: These guys use plaintext passwords!!
Edit: I received the login info email after I clicked the activation link in a previous email, this means the password must have been stored in a database until I clicked the activation link.
It's not difficult to send a confirmation email that contains your password without having to store your password in plaintext anywhere.
Now, I don't know whether they store passwords in plaintext, but it's unfair to make such accusations based on the content of a registration confirmation email.
Again, there could be a less-than-ideal explanation for this, so we don't know 100% (I was hoping to see a "forgot password" link somewhere to test this with), but this does raise suspicions.
OK, for me, storing an encrypted password that is reversible is the same thing as storing a plaintext password. Means that people at least in their company can see my PW. Which means that if I used the same PW as my email, they have it.
Let's take it a step further... If this is insecure, how much trust can you put in your data being secure? The goal of good online backups is that the only way to actually read data from the backup is to have the user's password. They clearly don't have that as everything is reversible.
Dropbox used to claim to be like that, not anymore. Which is why I don't trust Dropbox with private data. Instead I store it using AeroFS with local replication.
I don't think he meant that the password is stored in a reversible format. He meant that the e-mail is sent out before the password is encrypted and stored.
Usually, when you receive your password after signup that does not necessarily mean it is stored in plaintext, because the password can be kept in memory through the process.
I received the login info email after I clicked the activation link in a previous email, this means the password must have been stored in a database until I clicked the activation link
That's not a good sign. The best case scenario I can think of is that the email body is generated at registration and sent out once the activation link is clicked. After this the template is deleted. But it'd be far easier just to store your password in plaintext and go from there.
Honestly, I would rather a site store my password in plain text than send it to me via email. At least if it's stored in plain text, it still requires a security breach to access it. Sending a plain text password via email is no worse than having an insecure (non-HTTPS) login form.
Doesn't necessarily mean they store plain text passwords. Still a bad sign, but they could simply be sending you the email with your password before they hash it.
I tend to think that if the information I'm backing up is sensitive it should either be backed up only to services I run or should be encrypted before it gets sent to any 3rd party service. I wouldn't trust any "we can't see your data or know your credentials" assurance from a relatively unknown (or most known) 3rd parties.
I agree completely, although I do take comfort in someone claiming they cannot access my data. I wouldn't store any confidential data there in any event, but at least if they are trying to design it so that even they cannot access that data, it seems there is a slightly lower chance of it being leaked to the internet.
Dropbox already had one case where you could log in without a password. That could never happen if they actually needed the password to decrypt the data.
So, I go on the "Support" section to send them a message:
Hi, two things:
1- The key <enter> should submit forms. (It didn't work in the signup form, the login form and some dialog box popping in).
2- You sent me my password by e-mail.. which means you've got it in cleartext in the database. How can you then say it's secure..?
And, I get an infinite loop of javascript alert with "parsing error" and a bunch of html in it.
Seriously, not really professional. I mean, I can understand for other kinds of apps; but this is backup and highly confidential information.. this shouldn't happen. A little bit like you can judge a whole building based on the bathroom, a website with flaws everywhere says a lot about the quality of the backend.
Somewhat off-topic... But does anyone know of an inexpensive backup provider that works with rsync (or at least has Linux-compatible software that doesn't require inotify)? I'm looking for something that will run on my Synology DS211j NAS. Crashplan was looking great until I realized the DS211j kernel doesn't support inotify. Backblaze is the same story. I'm using S3 right now, but it costs quite a bit more than Crashplan or Backblaze.
It really is an issue that most backup providers do not offer a Linux client. I am also bound to S3 at the moment. I have been tempted to try out the Windows clients in Wine, but it would be great if someone would offer a good (cheap, reliable, non-evil =D) backup service with Linux support, even if it's just a command line. Actually an API would be fantastic.. let the open-source community build you a client.
So, Crashplan and Backblaze don't work for you? The previous poster has a problem with them because he is running on an embedded Linux platform that has chosen to omit support for a useful system call from their kernel.
Tarsnap? I haven't used it personally, but the guy seems open and honest about the product. It's open-source and runs on Linux (but you have to compile).
Ok guys. This is Tarandeep from backify. First of all I want to apologize for all the errors. We just launched a day ago, and we were not expecting 10000 visitors in one hour. 99% of the errors were caused by the server (written in nodejs) being restarted repeatedly, resulting in lost sessions. We have fixed the restart issue and moved the session storage from in-memory to db, which we should have done in the first place. But again, the huge response was totally unexpected.
About the passwords, they are all hashed (md5 with salt). They were just stored temporarily in the session for the email, and the session was destroyed immediately. But we fixed this issue earlier yesterday and updated on our blog.
Rest assured we promise to provide even better support from now on. We might stop offering free accounts soon, but the ones already signed up will continue to be free for at least a year, maybe longer.
Thanks again for the tremendous response and bringing the bugs and flaws to our notice.
That may sound stupid but all these Google, Dropbox and now Backify services are so useless to me. Why? I sadly don't have the internet connection to upload 100+ GB to these servers. So, I can use Dropbox for text files.. but the second I have to back up bigger stuff I really need to be cautious not to move that into Dropbox.
Thanks for posting the warnings about plain-text passwords in the email. When I landed on their site, the design of the site didn't look trustworthy to me. I am not sure how to explain it best, but it doesn't give me a "secure" feeling.
Great. Except now the online backup market is going to be as cheap and reliable as consumer DSL.
Which is to say pretty cheap and mostly reliable, which is okay when once or twice a year you can't go online for a short time (clothing needs to be changed anyway); it is just not good enough when your wedding pictures get deleted.
Or worse, this crazy offer bankrupts the business and you suddenly can't access it any more.
If you're going to back up sensitive information, I'd recommend spending a few extra bucks and using somebody reputable and established like Dropbox or SugarSync.
As all the comments here have covered, it's a reseller account for LiveDrive and the site itself has a number of issues, not the least of which includes sending plain text passwords via email.
Bottom line: if it sounds too good to be true, it probably is...
Is it me or do these guys not seem that legit? I'm not talking about the plaintext password. Let's say that doesn't matter (in a utopian world), but the design of the site isn't at all "professional". My advice, don't sign up! Use Dropbox or Ubuntu One. Want more? Pay for it. That means it's a product that's worth it.
My crashplan subscription is still ongoing, so I have my backups covered already. However crashplan doesn't offer file sharing features, that is a plus for this.
Note that backed up files can be accessed through mobile apps, just that it could be a security risk for accessing files on the go.
I've seen good alternatives here like rsync.net but I wonder if a simple Linode wouldn't be a better option if you already need one for other purposes, because with the basic Linode you already get 20 GB, and it's only 10 cents/GB afterwards...
Seriously, have storage costs become this low already... funny that Google can't find the name yet... this is the direct link: https://www.backify.com/
I can't trust these guys with ANYTHING.