OpenWeb's Poor Security

Leo_
Well-Known Member | Joined: Oct 24, 2014 | Messages: 266
I did a password reset this evening (01-June-2021) on OpenWeb's website and I was met with one of the scariest emails I've seen in a long time.

Email (spoofed info): open_web_lame_security.png

Now if you do not understand why this is scary, it's because the password was emailed in plain text.
Why is it scary? OpenWeb knows all of its users' passwords and usernames!


A secure website hashes all their users' passwords (and other confidential data) and stores them in a database. A secure hashing algorithm can encrypt a password in a few seconds - but it will take years (even 100s of years with current technology) to decrypt.

Verification is done by hashing the submitted password and comparing it to the hashed password stored in the database. That way no one knows your password but you. Even a software engineer of that website with access to the codebase will not be able to 'crack' your password.

Let's give OpenWeb the benefit of the doubt and assume they aren't storing it as plain text in their database (but I think they are) - the fact that they can decrypt it in a few seconds means their hashing algorithm is severely flawed and they really can't be trusted.

If you do have an OpenWeb account, please ensure you're not re-using any of your other passwords (which you shouldn't be doing anyway).

Please stay away from this company.

MyBB should really investigate this - this is really poor from any company let alone a somewhat known ISP.
 

nivek
Executive Member | Joined: Mar 25, 2005 | Messages: 9,961
Openweb still exists?! Had to check the date on this thread, thought it might be 2010 again
 