Sign up with Google
Leo_
Senior Member
- Joined
- Oct 24, 2014
- Messages
- 641
- Reaction score
- 454
I did a password reset this evening (01-June-2021) on OpenWeb's website and I was met with one of the scariest emails I've seen in a long time.
Email (spoofed info):
Now if you do not understand why this is scary, it's because the password was emailed in plain text.
Why is it scary? OpenWeb knows all of its user's passwords and usernames!
A secure website hashes all their user's passwords (and other confidential data) and stores them in a database. A secure hashing algorithm can encrypt a password in a few seconds - but it will take years (even 100s of years with current technology) to decrypt.
Verification is done by hashing the submitted password and comparing it to the hashed password stored in the database. That way no-one knows your password but you. Even if a software engineer of that website with access to the codebase will not be able to 'crack' your password.
Let's give OpenWeb the benefit of the doubt and assume they aren't storing it as plain text in their database (but I think they are) - the fact that they can decrypt it in a few seconds means their hashing algorithm is severely flawed and they really can't be trusted.
If you do have an OpenWeb account, please ensure you're not re-using any of your other passwords (which you shouldn't be doing anyway).
Please stay away from this company.
MyBB should really investigate this - this is really poor from any company let alone a somewhat known ISP.
Email (spoofed info):
Now if you do not understand why this is scary, it's because the password was emailed in plain text.
Why is it scary? OpenWeb knows all of its user's passwords and usernames!
A secure website hashes all their user's passwords (and other confidential data) and stores them in a database. A secure hashing algorithm can encrypt a password in a few seconds - but it will take years (even 100s of years with current technology) to decrypt.
Verification is done by hashing the submitted password and comparing it to the hashed password stored in the database. That way no-one knows your password but you. Even if a software engineer of that website with access to the codebase will not be able to 'crack' your password.
Let's give OpenWeb the benefit of the doubt and assume they aren't storing it as plain text in their database (but I think they are) - the fact that they can decrypt it in a few seconds means their hashing algorithm is severely flawed and they really can't be trusted.
If you do have an OpenWeb account, please ensure you're not re-using any of your other passwords (which you shouldn't be doing anyway).
Please stay away from this company.
MyBB should really investigate this - this is really poor from any company let alone a somewhat known ISP.
