Tuts+ Premium (tutsplus.com) HACKED
Posted: 26 June 2012 11:12 AM
Joined: 2009-06-19
6267 posts

Storing passwords in plain text.

Hacked

NOTE: They use the same password on all their sites so you need to change it in one place.

 Signature 

Certified State of CT Computer Programming Teacher.
Custom Designed Icons, eBook Covers, Software Boxes, CD, DVD, etc. New iPhone® Tab Bar Icons and iPhone® Applications Icons.

STOP! Before posting your questions, remember the WWW Golden rule:
What did you try? What did you get? What did you expect to get?

Input -> Controller | Processing -> Model | Output -> View

 
Posted: 27 June 2012 01:59 AM   [ # 1 ]
Joined: 2009-05-17
1415 posts
InsiteFX - 26 June 2012 11:12 AM

Storing passwords in plain text.

Hacked

NOTE: They use the same password on all their sites so you need to change it in one place.

Hits self in head! I just posted the same thing because I didn’t see your post.

 Signature 

Brian
Brian’s Web Design - Temecula
Community Auth - CodeIgniter Authentication Application

 
Posted: 27 June 2012 09:22 AM   [ # 2 ]
Joined: 2010-05-03
5 posts

I love their top tutorial right now:  ‘Understanding Hash Functions and Keeping Passwords Safe’.

LOL

 
Posted: 27 June 2012 10:10 AM   [ # 3 ]
Joined: 2011-02-23
882 posts
BigBad - 27 June 2012 09:22 AM

I love their top tutorial right now:  ‘Understanding Hash Functions and Keeping Passwords Safe’.

LOL

That’s pretty ironical, right. I grinned as I read it this morning.

 Signature 

ignited Community Framework (WiP)  |  Read the User’s Guide. It won’t bite.

STOP! Before posting your questions, remember the WWW Golden rule:
What did you try? What did you get? What did you expect to get?

CI example .htaccess

 
Posted: 27 June 2012 11:13 AM   [ # 4 ]
Joined: 2009-05-17
1415 posts

I’m glad I’m not CEO or owner of Tuts+ right now. I can only imagine his anxiety over the lawsuits pouring in. If LinkedIn was using SHA1 without salt and is getting sued for 5M, then what does this mean for Tuts+?


 
Posted: 27 June 2012 12:12 PM   [ # 5 ]
Joined: 2009-06-19
6267 posts

I read yesterday that some guy got taken for $120.00 out of his PayPal account because he used the same login and password on nettuts+.

I got a feeling law suits are going to start flying.


 
Posted: 27 June 2012 12:31 PM   [ # 6 ]
Joined: 2009-05-17
1415 posts
InsiteFX - 27 June 2012 12:12 PM

I read yesterday that some guy got taken for $120.00 out of his PayPal account because he used the same login and password on nettuts+.

I got a feeling law suits are going to start flying.

It might even be PayPal suing Tuts+. It kinda sucks, because although I only find about 20% of stuff on Tuts+ worth reading, I still liked to go there. I hope they don’t get sued beyond recognition, although they sort of deserve it. I saw a few people’s comments about how they had told Tuts+ a year ago that there was a problem, so it’s total negligence on the part of Tuts+ for not doing something.


 
Posted: 27 June 2012 01:04 PM   [ # 7 ]
Joined: 2009-06-19
6267 posts

Yes, they should have fixed it when they knew about the problem. As far as the guy with the PayPal goes, it’s his own fault for using the same login and password on the same sites.

I have separate logins for, like, regular use, and then I have a very strong login and password for my PayPal, bank, etc., nothing like what I use for regular website browsing.

What most people do know about nettuts+ is that all of their sites use the same login and password.

So it makes you wonder how they can say that only nettuts+ was hacked.

I’ll bet that they were using the same third party plugin for all their sites because they all use the same login and password.


 
Posted: 27 June 2012 04:10 PM   [ # 8 ]
Joined: 2011-02-23
882 posts

These two articles on that topic are very interesting

Tuts+ Premium Account Security Compromised

Update on Tuts+ Premium Security Breach

They also show that it wasn’t directly Tuts+’s problem that the passwords were stored in plaintext. They used a third party software/plugin which stores the data plain. I know this doesn’t change the fact that they knew about this security issue (Tuts+ was working on a solution, as article 1 states) and still used the plain passwords, but it also shows that you should know what the software you are incorporating into your software does and where its vulnerabilities are.


 
Posted: 27 June 2012 05:33 PM   [ # 9 ]
Joined: 2009-05-17
1415 posts
PhilTem - 27 June 2012 04:10 PM

These two articles on that topic are very interesting

Tuts+ Premium Account Security Compromised

Update on Tuts+ Premium Security Breach

They also show that it wasn’t directly Tuts+’s problem that the passwords were stored in plaintext. They used a third party software/plugin which stores the data plain. I know this doesn’t change the fact that they knew about this security issue (Tuts+ was working on a solution, as article 1 states) and still used the plain passwords, but it also shows that you should know what the software you are incorporating into your software does and where its vulnerabilities are.

I guess what baffles me is that here is a website dedicated to tutorials related to what we do, but they didn’t fix something that would have been super easy to fix. Even a total noob would have known that storing the passwords as cleartext was wrong, and fixing that would have been easy.

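The "super easy to fix" point above, as an added example that is not code from the thread, from Tuts+, or from Community Auth: the unsalted SHA1 scheme post #4 criticises LinkedIn for, beside a per-user-salted PBKDF2 record. The record format, the iteration count and the sample accounts are assumptions constructed for this example.

```python
import hashlib
import hmac
import os

# Assumption for this example: a work factor high enough to slow offline guessing.
ITERATIONS = 100_000

def unsalted_sha1(password: str) -> str:
    """Weak scheme: one deterministic digest per password, no salt, no cost."""
    return hashlib.sha1(password.encode()).hexdigest()

def make_record(password: str) -> str:
    """Hardened scheme: fresh random salt per user plus PBKDF2-HMAC-SHA256.
    Record format (an assumption): 'pbkdf2_sha256$iterations$salt_hex$hash_hex',
    so the parameters needed to verify travel with the stored value."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_record(password: str, record: str) -> bool:
    """Recompute with the salt and iterations stored in the record and compare in
    constant time. A malformed record verifies as False instead of raising."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)

def shared_value_groups(stored: dict) -> int:
    """Number of stored values that belong to more than one user. Unsalted hashes
    expose password reuse (and precomputed tables work against them); salted
    records give 0 even when the underlying passwords are identical."""
    counts = {}
    for value in stored.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)

# Constructed sample accounts; alice and bob happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}

def demo() -> tuple:
    """Returns (groups visible with unsalted SHA1, groups visible with salted records)."""
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: make_record(p) for u, p in USERS.items()}
    return shared_value_groups(weak), shared_value_groups(strong)
```

A leaked table of the weak form also lets the defender see, before any cracking, which accounts share a password; the salted form does not, which is exactly why the salt belongs in the record.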

 
Posted: 27 June 2012 09:29 PM   [ # 10 ]
Joined: 2009-06-19
6267 posts

They will probably lose a lot of customers and developers over all this when all is said and done.

The one question still to be asked is how they hacked into their server? Seems like they also have some security issues.

I would just like to know why these companies always wait until the last moment to fix the security issues or until they do get hacked.


 
Posted: 28 June 2012 08:05 AM   [ # 11 ]
Joined: 2011-03-25
220 posts

I hated seeing the email when I got it. There will be a huge loss of customers - if you read the comments on their blog post - a lot of customers already said they’re backing out. They blame it on the plug-in that they use for their site - but once they found out - they should have taken immediate action - mission critical status (even if it meant taking the site down and compensating those days to members). They were hoping to get around it in the background while they implemented a fix - but that obviously didn’t pan out for them.

Would be nice to know how someone got into their servers. Lesson learned I guess.