Steemauto stores your passwords in raw format!

emrebeyler (74) in steemauto • 7 years ago (edited)

When you click "lost password" at Steemauto, It will send your password directly to your email. That means, passwords are stored raw in their database.

This is one of the sins of web application development practices. If the system can send you back your password, that means the application stores your pasword as plain text..

That's extremely dangerous. If a thief or attacker get the database somehow, they would have every users credentials as well.

Best practice

Salt and hash each password
Use good hashing functions like Bcrypt instead of md5 or sha1
Store SALT + HASH in the database instead of raw password

That way you can't send the password back to users but you may create unique tokens for password regeneration and deal with the recovery as an application developer.

What to do as a user?

Use a throw-away and unique password at Steemauto.

That's the general rule but I am pretty sure %90 of the users, using a generic password that they use on their daily life. If Steemauto database leaks to some bad-minded parties, your accounts will be in great danger.

Edit: @mahdiyari addressed the issue

He removed the username-password authentication and started using SteemConnect for it. Thanks for the fast response!

steemauto steem security sndbox busy

7 years ago by emrebeyler (74)

$60.46

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!

Sort Order:

Trending

[-]

mahdiyari (67) · 7 years ago

yes,
that is right.
that was because I will remove this login system and all saved passwords.
I will use steemconnect as login system.

$0.28

3 votes

[-]

emrebeyler (74) · 7 years ago

Thank you @mahdiyari for the clarification. Looking forward to see the upcoming developments on Steemauto. 👍

$0.00

[-]

mahdiyari (67) · 7 years ago (edited)

Login method changed. I hope to see a new post or edited post here:)
I'm going to remove all information(passwords and emails).

$0.00

[-]

themarkymark (78) · 7 years ago

I talked to him about a week ago why an email and password is needed. SteemConnect w/ posting authority would be so much more secure and painless.

$0.09

2 votes

[-]

leprechaun (56) · 7 years ago

Too bad SC demands the active key.

$0.00

[-]

themarkymark (78) · 7 years ago

Yes, but it is fairly trusted and it is only used locally and not saved.

$0.00

[-]

leprechaun (56) · 7 years ago

So much like Bittrex or MtGox not so long ago.

$0.00

[-]

postpromoter (63) · 7 years ago

You got a 10.20% upvote from @postpromoter courtesy of @emrebeyler!

Want to promote your posts too? Check out the Steem Bot Tracker website for more info. If you would like to support the development of @postpromoter and the bot tracker please vote for @yabapmatt for witness!

$0.06

1 vote

[-]

synergysteem (39) · 7 years ago

Passwords and authentication are often not programmed well, good public service announcement.

$0.03

2 votes

[-]

mesutbahar (14) · 7 years ago

Eline yüreğine sağlık kardeşim işllah daha çok kazanırsın.

$0.02

1 vote

[-]

yulem (48) · 7 years ago

Other than selecting "Lost Password?" there doesn't appear to be any way to manage passwords. :-(

$0.02

1 vote

[-]

emrebeyler (74) · 7 years ago

Yeah, seens like you cannot change it.

$0.00

1 vote

[-]

fan1 (35) · 7 years ago

this is very important information, thank you

$0.00

[-]

sndbox (77) · 7 years ago

Thanks for highlighting this @emrebeyler. The SteemAuto team really needs to implement a safer system.

$0.02

1 vote

[-]

nristen (43) · 7 years ago

Thank you for sharing this valuable information - I will steer clear of them until I hear of a change. On piece of advice that I have is to make sure each password is unique to each site. I use LastPass for to help manage this which removes most of the difficulty with remembering and entering strong passwords.

$0.00

1 vote

[-]

buy-bitcoin (44) · 7 years ago (edited)

Tellin' it like it is. Good man.

This would be a good time to change Steemauto passwords as well as other accounts.

Take precaution.

$0.00

1 vote

[-]

flugschwein (60) · 7 years ago

Wow, that's some ridiculous stuff imo. I thought literally no one stores passwords that way these days.

$0.00

[-]

kilianparadise (58) · 7 years ago

Thank you for sharing this important information @emrebeyler.
Thumbs up!!!!

$0.00

[-]

dexterdev (62) · 7 years ago

Great article. Good job man. This is really helpful. Resteeming it

$0.00

[-]

fr3eze (68) · 7 years ago

Good to know that, may be a 2FA implementation could solve that. But they should not store sensitive information in plain text in the first place.

$0.00

[-]

vanessahampton (56) · 7 years ago

Oh, my

$0.00

[-]

honeylyn2330 (25) · 7 years ago

Nice blog @emrebeyler
Very big help to us

$0.00

[-]

frederichs (52) · 7 years ago

thank you my friend for clarifying this a bit, really, I needed a great article, my vote for you,

$0.00

[-]

muratti (41) · 7 years ago

Bilgi için çok teşekkürler üstad.

$0.00

[-]

jdc (52) · 7 years ago

Does this mean we have to keep logging in with our active key every few hours? Because I'm not doing that.

$0.00

[-]

cryptohazard (63) · 7 years ago

I would also add that you need a way to properly score the passwords . I usually recommend https://github.com/dropbox/zxcvbn/tree/master

$0.00

[-]

valth (68) · 7 years ago

Thanks for the warning! This is definitely worrying, but luckily I used a throwaway password there.

$0.00

[-]

emrebeyler (74) · 7 years ago

This has been handled by the owner after this post. He also stated that he removed the old database and switched to SteemConnect for the authentication.

$0.08

1 vote

[-]

valth (68) · 7 years ago

Oh, that's great! I realized it that the post was a little bit old, but I didn't expect it to have been fixed yet. Thanks for the update :)

$0.00

[-]

emrebeyler (74) · 7 years ago

yeah, @mahdiyari responded fast. I appreciate him for that. :)

$0.00