Website returning plaintext password
I have recently logged into a website. When I clicked on the "Update Profile" page, I was presented with a list of text boxes for all the user fields, e.g. name, email, phone number, etc.
There is also a box for password and confirm password (in case you wish to update these values); however, when you go to this page, those boxes are already populated, which made me think: why are they putting placeholders in?
When I go into inspect element, the boxes actually have the value of my password, transformed into upper case, like this:
<input type="password" name="txtPassword2" size="45" value="MYPASSAPPEARSHERE">
I have also recently noticed that the case of your password or username is irrelevant when logging in, e.g. I can put it in all caps, all lower, or a mixture of both and it will still accept the password.
Is this a security hole, and does this indicate they are storing passwords as plain text?
passwords web-application account-security
You might want to check this out: plaintextoffenders.com – Axel2D, 8 hours ago
With that security concept, one almost wonders why they bothered to add the type="password" attribute – Hagen von Eitzen, 8 mins ago
asked 9 hours ago by stzvggmd
1 Answer
Quite obviously, if they can display your password, then they are storing your password somehow. They might cache your password on the client side when you log in (for unjustifiable reasons, like session management), but more likely their password database is in clear text. Either way, it's stored, and it should not be.
And it looks like they are running an upper() function on the password, which wipes out 26 characters from the potential character set that would have otherwise added some entropy.
This is very, very poor security on their part that has had no place for two decades.
answered 9 hours ago, edited 9 hours ago, by schroeder
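As an added illustration (not code from the question or the answer), here is a Python sketch of the storage pattern the question describes beside a hardened equivalent, with a helper that quantifies the entropy the answer says upper() discards; all function names, the in-memory "databases" and the sample users are assumed for the example.

```python
import hashlib
import hmac
import math
import os

# --- The pattern the question describes (constructed for illustration) ---
# The password is case-folded and stored verbatim, so the site can echo it
# back into <input value="..."> and accepts any capitalisation at login.
legacy_db = {}

def legacy_register(user, password):
    legacy_db[user] = password.upper()          # case-folded plaintext

def legacy_login(user, password):
    return legacy_db.get(user) == password.upper()   # case-insensitive check

def legacy_profile_field(user):
    # What the "Update Profile" page in the question leaks into the HTML.
    return f'<input type="password" name="txtPassword2" value="{legacy_db[user]}">'

# --- Hardened version: salted PBKDF2-SHA256, case-sensitive, never echoed ---
hardened_db = {}
ITERATIONS = 100_000   # kept modest so the example runs quickly; raise in production

def hardened_register(user, password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    hardened_db[user] = (salt, digest)          # only salt + digest are stored

def hardened_login(user, password):
    rec = hardened_db.get(user)
    if rec is None:
        return False
    salt, digest = rec
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

def hardened_profile_field():
    # The form never needs the stored secret, so the field stays empty.
    return '<input type="password" name="txtPassword2" value="">'

# --- Entropy lost to upper(): a-z collapse onto A-Z, so 62 symbols become 36 ---
def entropy_bits(charset_size, length):
    return length * math.log2(charset_size)

def bits_lost_to_upper(length, mixed_case=62, folded=36):
    # 62 = a-z, A-Z, 0-9; after upper() only A-Z and 0-9 remain distinct.
    return entropy_bits(mixed_case, length) - entropy_bits(folded, length)
```

For a 12-character alphanumeric password the fold costs about 9.4 bits, roughly a 680-fold reduction in the search space an attacker has to cover.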