Ofcom Do Security

Adrian Hayter adrianhayter at gmail.com
Thu Aug 5 16:07:29 BST 2010


Usually you will find that the password that was emailed to you isn't actually stored on the server in plaintext, but is stored as a variable in the registration process, and then that variable is used in the confirmation email and scrapped afterwards. The password is still stored as a hash on the server. Of course, emailing it as plaintext is a stupid thing to do, but I've come across several websites recently which send me emails every few days with my password in them, showing that the server performs no one-way hash function at all on this information.

-Adrian

On 5 Aug 2010, at 10:39, Ian Batten wrote:

> When you register on the Ofcom site, you are forced to choose a complex password: mixed case, 7-12 characters, must contain digits.
> 
> Which is then mailed to you as plaintext for confirmation.
> 
> Hmm.
> 
> ian
> 
> 
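The distinction drawn in the message above, as an added example that is not part of the original thread: a registration routine that keeps the plaintext only in a local variable and stores a salted one-way hash, next to an audit check that flags records from which the password can be read back (the only kind a site that re-mails passwords can be keeping). All function names, the PBKDF2 work factor and the sample records are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(db: dict, user: str, password: str) -> str:
    """Store salt + one-way hash only; return the confirmation e-mail body."""
    salt = os.urandom(16)
    db[user] = {"salt": salt, "hash": _derive(password, salt)}
    # The plaintext lives only in this call's local variable and is
    # deliberately kept out of the e-mail.
    return f"Hello {user}, your account has been created."

def verify(db: dict, user: str, password: str) -> bool:
    rec = db.get(user)
    if rec is None:
        return False
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))

def recoverable(record: dict, password: str) -> bool:
    """Audit check: is the password stored as plaintext, hex or base64?"""
    raw = password.encode()
    forms = (raw, raw.hex().encode(), base64.b64encode(raw))
    for value in record.values():
        blob = value if isinstance(value, bytes) else str(value).encode()
        if any(form in blob for form in forms):
            return True
    return False

# Constructed records of the kind a site that re-mails passwords must keep.
SAMPLE_PW = "Passw0rd7x"
WEAK_PLAIN = {"user": "alice", "password": SAMPLE_PW}
WEAK_B64 = {"user": "alice", "pw": base64.b64encode(SAMPLE_PW.encode()).decode()}
```
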



