So I am dealing with a website concern. I am an intermediate-level programmer and I was shopping on a website that I have heard other friends use. When I signed up for my account, they sent me my password back in plain text to my email. I always thought that in an HTML form, if you hashed a password and sent it to the server, there would be no way of sending a password back in plain text. I am assuming the website I made the account on is hashing the password, but I have no way of knowing. I'm not a security expert or anything, but I am pretty sure they aren't hashing the password and are probably storing my data in plain text on their servers. Is my conclusion correct?
Typically passwords are sent unhashed over a TLS connection and then hashed at the server using a password hashing algorithm. – President James K. Polk Sep 22 '18 at 12:54
Is TLS close to being considered like https, or where you send over a secure port? – Joe Meyer Sep 22 '18 at 17:51
https is just http over TLS, I meant to write https. – President James K. Polk Sep 22 '18 at 18:41
3 Answers
If your password is sent to you during the registration process, it can be that it's sent right when the server receives it and still has it in plaintext, and then it gets hashed and stored properly.
This would still not be best practice though: cleartext passwords should not be sent over insecure channels like email.
Of course, in this case it's not possible for them to send it again in another request. If that happens, that really means they are not storing it hashed.

Thank you, I'm conversing with the company right now. I still don't want to see my password in plain text. I am just hoping they're hashing it, but probably not. – Joe Meyer Sep 22 '18 at 17:47
If it's properly hashed and secure they should not be able to see it in plaintext. If they could access it easily then so could hackers.

So essentially it's not hashed as I thought. The system sent it back to me in plain text. – Joe Meyer Sep 22 '18 at 03:38
There is another way to store the passwords: encryption. In this way, the application server stores an encryption key, encrypts users' passwords and stores them in the database.
When users try to log in, it encrypts the incoming password of the login attempt to see whether it matches.
In case of lost passwords, they can send users' passwords back to them by decrypting them using the key on the application server.
If the application server is compromised, the attackers can access all passwords the same way the application server does.
By no means should they send users their passwords back. If users don't remember, they have to force users to generate a new one.
For more discussion see Difference between Hashing a Password and Encrypting it.

I heard encrypting isn't the same as hashing and is considered a bad practice. I am still new on the subject but I was told it goes like this: 'plain text < encrypting < hashing'. Any clarification would be amazing! – Joe Meyer Sep 22 '18 at 17:49
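The two storage models discussed in the first and third answers, side by side, as an added example (this is not code from the site in question or from any of the answers above). It assumes PBKDF2-SHA256 as the password hash and, so that it runs with the standard library only, a small HMAC-SHA256 counter-mode stream cipher with an HMAC tag as a stand-in for a real AEAD such as AES-GCM. The point it shows: a salted slow hash can be verified but never turned back into the password (an attacker holding the database can only guess, one slow hash per try), whereas a reversible encryption record plus the server's key hands every password back, which is exactly what makes "we can email you your password" a red flag.

```python
"""Password storage: salted slow hashing vs reversible encryption.

Added illustration only; not the shop's code. Standard library only.
The "encryption" below is an HMAC-SHA256 counter-mode stream cipher
with an HMAC tag, a stand-in for AES-GCM so the file runs anywhere.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# ---- 1. Hashing: one-way. The site can check a login but cannot mail it back.

def hash_password(password: str, salt: bytes | None = None, iterations: int = 200_000) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-run the same slow hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def offline_guess(record: str, wordlist: list[str]) -> str | None:
    """All an attacker holding only the hash record can do: guess, paying one slow hash per try.
    Hashing does not rescue a weak password that is in the wordlist."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


# ---- 2. Reversible encryption with a key that lives on the application server.

def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    # Separate keys for the keystream and the tag, derived from the server key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(password: str, key: bytes) -> str:
    """Record: nonce_hex$ciphertext_hex$tag_hex. Fresh nonce per record."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    pt = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return f"{nonce.hex()}${ct.hex()}${tag.hex()}"


def decrypt_password(record: str, key: bytes) -> str:
    """Verify the tag first, then undo the keystream. Wrong key or tampering raises."""
    enc_key, mac_key = _subkeys(key)
    nonce_hex, ct_hex, tag_hex = record.split("$")
    nonce, ct = bytes.fromhex(nonce_hex), bytes.fromhex(ct_hex)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
        raise ValueError("record tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode("utf-8")


def dump_all_passwords(records: dict[str, str], key: bytes) -> dict[str, str]:
    """What a 'forgot password' mailer does, and what an attacker who takes the
    application server (and therefore the key) does to the whole user table."""
    return {user: decrypt_password(rec, key) for user, rec in records.items()}


if __name__ == "__main__":
    # Constructed sample data: one weak and one strong password, a hypothetical server key.
    server_key = os.urandom(32)
    users = {"joe": "hunter2", "alice": "correct horse battery staple 9"}
    wordlist = ["password", "123456", "letmein", "hunter2"]

    hashed = {u: hash_password(p) for u, p in users.items()}
    encrypted = {u: encrypt_password(p, server_key) for u, p in users.items()}

    print("login check (hashed):", verify_password("hunter2", hashed["joe"]))
    print("attacker with hash table guesses:", {u: offline_guess(r, wordlist) for u, r in hashed.items()})
    print("attacker with encrypted table + key:", dump_all_passwords(encrypted, server_key))
```

Run it as a script to see the asymmetry: the hashed table yields only the password that was in the wordlist, the encrypted table yields everything once the key is in hand. A site that can email a password months after registration is either on the encrypted path or storing plaintext; either way the key or the plaintext sits on a server, as the third answer warns.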