Excite stored passwords as plain text?

Posted: Fri Jun 07, 2019 9:26 am
by meerkt
They've recently revamped their site, with a side effect that converted people's passwords to all lowercase.

Their current, new, password restrictions forbid the characters & and %. Something tells me their password handling is still not up to snuff. :)

Re: Excite stored passwords as plain text

Posted: Fri Jun 07, 2019 9:29 am
by kvndoom
Excite... still... exists???

Re: Excite stored passwords as plain text

Posted: Fri Jun 07, 2019 9:32 am
by meerkt
Also Lycos (although their search engine can't find rare terms). Only AltaVista is dead. :(

Re: Excite stored passwords as plain text

Posted: Fri Jun 07, 2019 10:27 am
by just brew it!
There's another possibility - maybe their passwords were case insensitive before, and they were internally coercing entered passwords to lowercase before computing the hash. Still not great, but less terrifying than storing plaintext.

Re: Excite stored passwords as plain text

Posted: Fri Jun 07, 2019 10:45 am
by meerkt
Not impossible, but less likely. All they'd have to do to fix that is to start storing password change date, and for pre-change passwords keep on converting to lowercase.

Re: Excite stored passwords as plain text

Posted: Fri Jun 07, 2019 10:50 am
by K-L-Waster
kvndoom wrote:
Excite... still... exists???
We can't ignore the possibility that this story was deliberately released to remind people that they have not in fact gone to the great browser history in the sky.

Re: Excite stored passwords as plain text

Posted: Fri Jun 07, 2019 10:55 am
by just brew it!
meerkt wrote:
Not impossible, but less likely. All they'd have to do to fix that is to start storing password change date, and for pre-change passwords keep on converting to lowercase.

You're assuming the change was deliberate.

Re: Excite stored passwords as plain text

Posted: Fri Jun 07, 2019 11:05 am
by meerkt
You mean that they've changed their code without realizing the implications, some people changed their passwords in the meantime, and there's an interim period with no change-date stored? Regardless of where the lowercasization happened, they could/can add auto-retry-as-lowercase on failure. The fact that they haven't suggests they haven't thought of doing dynamic case conversion.

But okay, both theories are possible.

K-L-Waster wrote:
this story was deliberately released

Was it released? :)

Re: Excite stored passwords as plain text

Posted: Fri Jun 07, 2019 12:58 pm
by just brew it!
meerkt wrote:
You mean that they've changed their code without realizing the implications, some people changed their passwords in the meantime, and there's an interim period with no change-date stored?

No, I mean they changed their code, and people had mixed-case passwords, not realizing that the passwords were previously case-insensitive. (I have no idea whether the passwords were or were not case sensitive before, this is just speculation on my part.)