At 7/29/03 7:42 PM, Josh Levine wrote:
>Is it worrisome to anyone else that there's now a page that you can
>request to have any reseller's password emailed in plain text to the
>emergency contact address with no verification required whatsoever?
I was even more worried that it indicates that the plaintext password is stored on OpenSRS's servers somewhere, which is a serious security flaw. The password should be stored in OpenSRS records as an MD5 hash, Unix crypt output, or another one-way algorithm, not plaintext. That way anyone breaking into OpenSRS's systems would not be able to obtain the passwords. If someone loses their password, OpenSRS could send a message containing either a "password reset" URL or a temporary random password that's valid for only a few hours, instead.

--
Robert Mathews, Tiger Technologies
"Clever things make people feel stupid, and unexpected things make them feel scared."
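Robert's two suggestions, one-way password storage and a short-lived reset token instead of a mailed plaintext password, worked through as an added example. This is illustration code, not from the original post and not OpenSRS's implementation; the in-memory tables, the example.invalid reset URL and the two-hour lifetime are assumptions. It goes beyond the post in one respect: it uses salted PBKDF2-HMAC-SHA256 rather than MD5 or Unix crypt, which are too fast to brute-force today, and it stores only a hash of the reset token so that a database breach does not yield working reset links either.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory "reseller records" for the example; a real deployment
# would keep these in the registrar's database. The stored value never
# contains the password itself, only a salted one-way hash of it.
RESELLERS = {}       # username -> {"pw": "<encoded hash>", "email": "..."}
RESET_TOKENS = {}    # sha256(token) -> {"user": ..., "expires": unix_time}

PBKDF2_ROUNDS = 200_000
RESET_TTL_SECONDS = 2 * 3600   # "valid for only a few hours" (assumed: 2h)


def hash_password(password, salt=None):
    """Return a self-describing encoded hash: algorithm$rounds$salt$digest.

    Salted PBKDF2-HMAC-SHA256 stands in for the MD5/crypt the post mentions:
    still one-way, but deliberately slow, and the per-user salt defeats
    precomputed (rainbow) tables."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password, encoded):
    """Recompute the hash with the stored salt/rounds; compare in constant time."""
    algo, rounds, salt_hex, digest_hex = encoded.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def register(user, password, email):
    RESELLERS[user] = {"pw": hash_password(password), "email": email}


def login(user, password):
    rec = RESELLERS.get(user)
    return rec is not None and verify_password(password, rec["pw"])


def issue_reset_token(user, now=None):
    """Create a single-use, time-limited reset token for the e-mailed URL.

    Only the token's SHA-256 is stored, so someone who reads the table cannot
    reconstruct a usable link. Returns (token, url), or None for an unknown
    user (the caller should send the same neutral reply either way)."""
    if user not in RESELLERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": user, "expires": now + RESET_TTL_SECONDS}
    # Hypothetical reset page; the real one is wherever the registrar hosts it.
    return token, f"https://example.invalid/reset?token={token}"


def redeem_reset_token(token, new_password, now=None):
    """Consume a reset token. It works only if it exists and has not expired;
    it is removed on any attempt, so it can never be replayed."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)
    if entry is None or now > entry["expires"]:
        return False
    RESELLERS[entry["user"]]["pw"] = hash_password(new_password)
    return True
```

The `now` parameter exists only so the expiry logic can be exercised deterministically; production callers leave it unset. Note that `redeem_reset_token` pops the entry before checking the expiry, so an expired token is discarded on first use rather than lingering in the table.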
