On Wednesday 02 June 2004 05:10, Emile State wrote:
> I just received my hogranch.com mailing list memberships reminder (sent
> monthly) for prime and was dismayed to be reminded of my password in clear.
> This is an extremely bad practice, as it means that all the passwords are
> stored on the hogranch.com server in clear.

Well, no, it doesn't - the password _might_ be _stored_ encrypted & decrypted when the messages are made up - the message plaintext on the server _might_ be securely destroyed once the message has been sent. But in all probability you're right.

> As any system administrator (I am not one) should know, the password should
> be encoded at the client's end and then should be sent to the server that
> way. If someone forgets their password, they should be mailed a temporary
> one which they should have to change immediately.

It's preferable to use certificates rather than passwords. Most people find it much, much harder to forge a certificate signed with MD5 alone than to crack a password.

> The net is a dangerous place and this should be corrected as soon as
> possible. At a minimum, stop sending out the monthly reminders starting
> immediately.

Sure. However:

(a) afaik the password issued is not likely to be the same as the password you use for other sites

(b) the _bigger_ risk is disclosure of plaintext passwords _in the message_ as messages are stored in plaintext on mail relays which large numbers of government and private agencies have access to.

If you want to send any private information over the Net you should encypher the whole message using a strong cypher, a long key - certainly over 1024 bits for RSA - and a reasonably effective entropy collector for seeding random number generators.

Regards
Brian Beesley

_______________________________________________
Prime mailing list
[EMAIL PROTECTED]
http://hogranch.com/mailman/listinfo/prime
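The practice the thread is arguing about, recoverable password storage versus storage that can only verify, can be shown concretely. The following is an added example and not code from hogranch.com, Mailman, or either correspondent; the subscriber record, the PBKDF2 parameters and the temporary-password flow are my assumptions for illustration. The server keeps only a random salt and a derived digest, so a monthly reminder has nothing to quote, and a forgotten password is handled by issuing a fresh random one flagged as must-change, as the quoted message proposes.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Assumed parameters for this example; not tied to any real list software.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
TEMP_PASSWORD_BYTES = 12


@dataclass
class Subscriber:
    """What the server keeps for one list member: never the password itself."""
    email: str
    salt: bytes
    digest: bytes
    must_change: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation so a leaked digest is costly to invert."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def enroll(email: str, password: str, must_change: bool = False) -> Subscriber:
    """Store only a fresh random salt and the digest derived from the password."""
    salt = os.urandom(SALT_BYTES)
    return Subscriber(email=email, salt=salt, digest=_derive(password, salt), must_change=must_change)


def verify(sub: Subscriber, candidate: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(_derive(candidate, sub.salt), sub.digest)


def monthly_reminder(sub: Subscriber) -> str:
    """The only reminder this server can send: it holds no password to echo back."""
    return (f"Reminder for {sub.email}: your subscription is active. "
            "No password is stored on this server; use the reset link if you have forgotten it.")


def issue_temporary_password(sub: Subscriber) -> tuple:
    """Forgotten password: replace the digest with one for a random temporary
    password that must be changed on first use. Returns (updated record, plaintext
    to mail once). The old password stops working immediately."""
    temp = secrets.token_urlsafe(TEMP_PASSWORD_BYTES)
    return enroll(sub.email, temp, must_change=True), temp


def change_password(sub: Subscriber, current: str, new: str) -> Subscriber:
    """Clear the must-change flag only after the member proves the current password."""
    if not verify(sub, current):
        raise PermissionError("current password does not match")
    return enroll(sub.email, new, must_change=False)


def demo() -> bool:
    """Walk through enrol, reminder, reset and change; returns True if all behave as described."""
    sub = enroll("member@example.invalid", "correct horse")  # constructed sample member
    ok = verify(sub, "correct horse") and not verify(sub, "wrong")
    ok = ok and "correct horse" not in monthly_reminder(sub)
    sub, temp = issue_temporary_password(sub)
    ok = ok and sub.must_change and verify(sub, temp) and not verify(sub, "correct horse")
    sub = change_password(sub, temp, "new passphrase")
    return ok and not sub.must_change and verify(sub, "new passphrase")


if __name__ == "__main__":
    print("all checks passed" if demo() else "a check failed")
```

The temporary password still travels in a plaintext e-mail, which is exactly the exposure Brian raises in point (b); the flag on the record limits the damage by forcing a change at first use, and a short expiry on that record would be the natural next step.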
