February 2nd, 2008


Embarrassing Security

I like to keep people guessing. I don’t believe in privacy. And, yet, I think it’s embarrassing when I receive e-mails like this:

From: webmaster@codeproject.com
Sent: Wednesday, January 30, 2008 4:26 PM
To: Scott Robinson
Subject: [CodeProject] Member information Update

Dear Code Project Member

Apologies for the interruption but we’ve found a small problem:

You may have noticed that you have been unable to sign into
www.codeproject.com. After our recent upgrade we found a few of our members had
passwords that were getting corrupted by our new encryption system. All
passwords are stored in our database in encrypted form to protect your privacy,
but unfortunately your password was in a form that caused problems when

To fix this we’ve issued you with a new password and ask that you log in and
change your password as soon as possible.

Your details are as follows:

Login email : drrobins@microsoft.com
Password    : EINMBONG

To log on to The Code Project visit the homepage (http://www.codeproject.com)
and enter your email address and password in the login area at the top right of
the homepage.

If you have not signed out of CodeProject since signing up you may not have
experienced any problems. However, we have still, unfortunately, had to reset
your password and ask that you change it to something different ASAP.

We apologise for the inconvenience and want to reassure you that your private
information has not been compromised in any way. (In fact no one could get to
it, not even you!)

If you’re at all concerned by the legitimacy of this email feel free to contact
me at chris@codeproject.com

Chris Maunder


From: Scott Robinson
Sent: Wednesday, January 30, 2008 7:38 PM
To: Chris Maunder
Subject: RE: [CodeProject] Member information Update

Unencrypted? How can a hashed password be unencrypted?


From: Chris Maunder
To: Scott Robinson
Subject: RE: [CodeProject] Member information Update

We encrypt, not hash, since this allows our members to recover their password instead of being forced to choose a new one. Most members we talked to preferred this method.
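
An added example (not from the post, and not CodeProject's code) of the alternative the reply above rejects: a salted PBKDF2 password store in which a forgotten password can only be reset to a fresh random one, never recovered or "unencrypted". The in-memory user table and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed in-memory "user table": email -> (salt, PBKDF2 digest).
# Nothing stored here can be turned back into the password, which is
# why a site that hashes must reset passwords rather than recover them.
ITERATIONS = 200_000
_users = {}


def _derive(password, salt):
    # One-way key derivation: the same (password, salt) always yields the
    # same digest, but the digest gives no path back to the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(email, password):
    salt = os.urandom(16)  # fresh per-user random salt on every change
    _users[email] = (salt, _derive(password, salt))


def verify(email, password):
    record = _users.get(email)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison: don't leak how many bytes matched.
    return hmac.compare_digest(_derive(password, salt), stored)


def reset_password(email, length=12):
    # The only option once passwords are hashed: issue a fresh temporary
    # password to be changed at first login, never "recover" the old one.
    alphabet = string.ascii_letters + string.digits
    temp = "".join(secrets.choice(alphabet) for _ in range(length))
    set_password(email, temp)
    return temp


def stored_record_reveals_password(email, password):
    # Sanity check a reviewer would want: the raw password never appears
    # in what is persisted, unlike a reversibly encrypted (or plaintext) store.
    salt, digest = _users[email]
    return password.encode("utf-8") in (salt + digest)
```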

Or, you know, the hot-spot for predators:

From: Welcome to MySpace
To: scott_myspiz@quadhome.com
Subject: MySpace Account Confirmation

Hi Scott -- Thanks for joining MySpace!

Here’s your account info for logging in:

E-mail: scott_myspiz@quadhome.com
Password: abc123

Keep it secret. Keep it safe.