meerkt
Graphmaster Gerbil
Topic Author
Posts: 1176
Joined: Sun Aug 25, 2013 2:55 am

Excite stored passwords as plain text?

Fri Jun 07, 2019 9:26 am

They've recently revamped their site, with a side effect that converted people's passwords to all lowercase.

Their current, new, password restrictions forbid the characters & and %. Something tells me their password handling is still not up to snuff. :)
Last edited by meerkt on Fri Jun 07, 2019 11:13 am, edited 1 time in total.
 
kvndoom
Silver subscriber
Minister of Gerbil Affairs
Posts: 2752
Joined: Sat Feb 28, 2004 11:47 pm
Location: Communistwealth of Virginia

Re: Excite stored passwords as plain text

Fri Jun 07, 2019 9:29 am

Excite... still... exists???
A most unfortunate, Freudian, double entendre is that hotel named "Budget Inn."
 
meerkt
Graphmaster Gerbil
Topic Author
Posts: 1176
Joined: Sun Aug 25, 2013 2:55 am

Re: Excite stored passwords as plain text

Fri Jun 07, 2019 9:32 am

Also Lycos (although their search engine can't find rare terms). Only AltaVista is dead. :(
 
just brew it!
Gold subscriber
Administrator
Posts: 52835
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Excite stored passwords as plain text

Fri Jun 07, 2019 10:27 am

There's another possibility - maybe their passwords were case insensitive before, and they were internally coercing entered passwords to lowercase before computing the hash. Still not great, but less terrifying than storing plaintext.
Nostalgia isn't what it used to be.
 
meerkt
Graphmaster Gerbil
Topic Author
Posts: 1176
Joined: Sun Aug 25, 2013 2:55 am

Re: Excite stored passwords as plain text

Fri Jun 07, 2019 10:45 am

Not impossible, but less likely. All they'd have to do to fix that is to start storing password change date, and for pre-change passwords keep on converting to lowercase.
 
K-L-Waster
Gerbil XP
Posts: 404
Joined: Thu Feb 12, 2015 8:10 pm
Location: Hmmm, I was *here* a second ago...

Re: Excite stored passwords as plain text

Fri Jun 07, 2019 10:50 am

kvndoom wrote:
Excite... still... exists???


We can't ignore the possibility that this story was deliberately released to remind people that they have not in fact gone to the great browser history in the sky.
Main System: i7-8700K, ASUS ROG STRIX Z370-E, 16 GB DDR4 3200 RAM, MSI GTX 1080 TI, 1 TB CRUCIAL MX500, Corsair 550D

HTPC: I5-4460, ASUS H97M-E, 8 GB RAM, GTX 970, CRUCIAL 256GB MX100, SILVERSTONE GD09B
 
just brew it!
Gold subscriber
Administrator
Posts: 52835
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Excite stored passwords as plain text

Fri Jun 07, 2019 10:55 am

meerkt wrote:
Not impossible, but less likely. All they'd have to do to fix that is to start storing password change date, and for pre-change passwords keep on converting to lowercase.

You're assuming the change was deliberate.
Nostalgia isn't what it used to be.
 
meerkt
Graphmaster Gerbil
Topic Author
Posts: 1176
Joined: Sun Aug 25, 2013 2:55 am

Re: Excite stored passwords as plain text

Fri Jun 07, 2019 11:05 am

You mean that they've changed their code without realizing the implications, some people changed their passwords in the meantime, and there's an interim period with no change-date stored? Regardless of where the lowercasization happened, they could/can add auto-retry-as-lowercase on failure. The fact that they haven't suggests they haven't thought of doing dynamic case conversion.

But okay, both theories are possible.

K-L-Waster wrote:
this story was deliberately released

Was it released? :)
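Added example, not part of the original thread and not Excite's code: a sketch of the migration the two posters are debating, where old hashes were computed over the lowercased password and the site later becomes case sensitive. The per-record `legacy` flag (standing in for the "password change date" idea), the function names, and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # example value, not taken from the thread


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str, legacy: bool = False) -> dict:
    """Build a stored credential. legacy=True models the hypothesised old
    behaviour: the password was lowercased before hashing."""
    salt = os.urandom(16)
    material = password.lower() if legacy else password
    return {"salt": salt, "hash": _hash(material, salt), "legacy": legacy}


def verify_and_upgrade(record: dict, entered: str) -> bool:
    """Check a login attempt; migrate a legacy record on success."""
    # The lowercase fallback applies only to flagged records, so accounts
    # created after the change never become case insensitive by accident.
    candidate = entered.lower() if record["legacy"] else entered
    ok = hmac.compare_digest(_hash(candidate, record["salt"]), record["hash"])
    if ok and record["legacy"]:
        # Re-hash exactly what was typed, with a fresh salt, and drop the flag.
        # From this point on the account is case sensitive.
        record.update(make_record(entered, legacy=False))
    return ok


if __name__ == "__main__":
    # Constructed sample account created under the old, lowercasing code.
    account = make_record("CorrectHorse", legacy=True)
    print("first login, mixed case:", verify_and_upgrade(account, "CorrectHorse"))
    print("still legacy after login:", account["legacy"])
    print("lowercase after upgrade:", verify_and_upgrade(account, "correcthorse"))
    print("mixed case after upgrade:", verify_and_upgrade(account, "CorrectHorse"))
```

Whatever case the user types at the first successful login becomes the case-sensitive password, so a login made with caps lock on would lock in that form.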
 
just brew it!
Gold subscriber
Administrator
Posts: 52835
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Excite stored passwords as plain text

Fri Jun 07, 2019 12:58 pm

meerkt wrote:
You mean that they've changed their code without realizing the implications, some people changed their passwords in the meantime, and there's an interim period with no change-date stored?

No, I mean they changed their code, and people had mixed-case passwords, not realizing that the passwords were previously case-insensitive. (I have no idea whether the passwords were or were not case sensitive before, this is just speculation on my part.)
Nostalgia isn't what it used to be.
