Sigh. Everyone has an opinion about website registration and password storage, and most of them have never actually administered a large website.
Was your original signup https? No? Then the hypothetical attacker who is reading all the traffic on your connection already has your password. Would you happily login to your account from the WiFi at Starbucks, or from the public machine at the local library? Yes? Then the hypothetical attacker already has your password.
Emailing passwords to new users is USEFUL. It undoubtedly saves Wordpress hundreds of support requests PER DAY. That is real money saved, and it must be balanced against the insignificant risk of being "hacked" by someone reading your email on the wire.
ANY ability to reset a password via email is insecure. The email is plaintext; it must contain enough information for the recipient to get into his account; therefore, an attacker on the wire can get into the account. It doesn't matter how the password is stored or how the password reset is accomplished, it's equally insecure. There is NO SECURITY DOWNSIDE to emailing a user's password to them vs. having some multi-step reset procedure.
An attacker who can read out the passwords from your database already owns your site.
Finally, complaining about the activation key (which is a hexadecimal hash value) is insane. It's far more secure than any other passwords on the site at all.
Finally finally, I think Wordpress does store passwords as one-way hashes, so most of this guy's argument is moot anyway.
Sounds like a good reason to use HTTPS for registration and authentication, as stated in the article.
> Would you happily login to your account from the WiFi at Starbucks
Sure, as long as the site uses HTTPS.
> or from the public machine at the local library?
Never, never, never.
> Emailing passwords to new users is USEFUL [...]
Allowing anybody to login without a password would doubtless save them even more support requests, but that doesn't mean it's a good idea. Sometimes the developer's responsibility to protect a user's information outweighs a desire for lower support costs.
> ANY ability to reset a password via email is insecure. [...]
Not so; additional information, such as user-defined security questions or verification, is usually required before a user is allowed to reset their password. Furthermore, a theoretical weak reset procedure only exposes the weak site. It doesn't expose the user's password.
> An attacker which can read out the passwords from your database already owns your site.
This isn't about protecting your site, it's about protecting users. Many people, despite decades of warnings, use the same password on multiple sites. If your site stores the user's authentication information in a way that can be accessed later, then you are violating the user's security.
You really should think again about your logins especially if you are near a college campus and especially if you aren't using firefox (which will pop up with a warning on an https site when you are tunneled through someone else's computer).
Are there truly any major browsers that won't display an error page on bad (spoofed, self-signed, invalid, etc) certificates? A cursory Google search suggests that at least FF, IE, Chrome, and Opera will refuse to load such a page unless the user clicks through.
Unless the attacker obtains the private key for a root certificate, HTTPS remains secure no matter what location it's used from.
It is impossible to store passwords in a one way hash and also email it to a user and show it on a web page at some point in the future. That's the point of a one way hash, it can only be encrypted, not unencrypted. No one should ever be able to see what that original password was -- even people with access to the database.
Lots of people use the same passwords for multiple sites. If I have access to your WP password and username and other sites you visit, I could hack those too!
I haven't looked at WP's code, but if the blog is accurate, then those passwords must be at best two-way encrypted.
The blog is not accurate. They only send you your password the first time, when you create it. They store a hash, all you can do afterwards is reset it.
Makes me feel a bit better about WP. They are still storing the passwords temporarily in 2-way, so it's less of a hacking risk for the new account, though potentially a hacking opportunity for other websites used by the same user.
I still can't say I approve of their implementation though. What if someone is looking over your shoulder when you click the link to see your new account has been created and your password is right there for someone watching?
There is NO SECURITY DOWNSIDE to emailing a user's password to them vs. having some multi-step reset procedure.
One downside is that the email can later be found and used by an attacker, whereas the multi-step procedure generally relies on information not present in the directions (such as a birthdate or secret question). An attacker who gains access to the email at a later point (not just intercepted) can gain access to the account without further effort or risk.
Another downside is that exposing the password in plaintext allows the attacker to gain access to other accounts on other systems where the user has used the same password. In contrast, the multi-step approach must be used against every site.
To say that there is 'no downside' is to say that there is no problem with storing passwords in plain text on your server, because if an attacker has gained access to your server they already have access to your accounts. Possibly true, but this ignores the irresponsible and anti-social aspects of exposing a user to further attacks.
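The two points raised above (a one-way hash cannot be emailed back, and a reset link is not the same as an emailed password because it can be made short-lived and single-use) can be shown in a few dozen lines. The following is an added example and is not WordPress code; the in-memory `users`, `reset_tokens` and `outbox` dicts stand in for a database and a mail server, and `example.invalid` is a placeholder host.

```python
"""Added example (not WordPress's code): one-way password storage plus an
email-based reset flow in which the emailed secret is a random, short-lived,
single-use token rather than the password itself.

Assumed/constructed: `users` and `reset_tokens` stand in for database tables,
`outbox` stands in for the mail server, and example.invalid is a placeholder.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # OWASP (2023) guidance for PBKDF2-HMAC-SHA256
RESET_TOKEN_TTL = 15 * 60    # seconds a reset link stays valid

users = {}          # username -> {"salt": bytes, "hash": bytes}
reset_tokens = {}   # username -> {"token_hash": bytes, "expires": float}
outbox = []         # constructed stand-in for the mail server: (to, body)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated one-way hash: nothing here can be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    users[username] = {"salt": salt, "hash": hash_password(password, salt)}
    # The plaintext is discarded here; a later "email me my password" is impossible.


def verify_password(username: str, password: str) -> bool:
    rec = users.get(username)
    if rec is None:
        return False
    # Constant-time comparison so a timing side channel can't leak hash bytes.
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))


def send_mail(to: str, body: str) -> None:
    outbox.append((to, body))


def request_reset(username: str, now: Optional[float] = None) -> Optional[str]:
    """Email a random token; store only its hash so a DB leak can't mint resets."""
    if username not in users:
        return None  # a real app answers identically to avoid user enumeration
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    reset_tokens[username] = {
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + RESET_TOKEN_TTL,
    }
    send_mail(username, f"Reset link: https://example.invalid/reset?token={token}")
    return token  # returned only so a caller/test can drive the flow offline


def complete_reset(username: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Accept the token once, within its TTL, then set a fresh salted hash."""
    now = time.time() if now is None else now
    rec = reset_tokens.get(username)
    if rec is None or now > rec["expires"]:
        reset_tokens.pop(username, None)  # an expired link is discarded
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(rec["token_hash"], presented):
        return False
    del reset_tokens[username]  # single use: the emailed link is now worthless
    salt = os.urandom(16)
    users[username] = {"salt": salt, "hash": hash_password(new_password, salt)}
    return True


if __name__ == "__main__":
    create_user("alice", "correct horse")
    t = request_reset("alice", now=1000.0)
    print("mail sent:", outbox[-1])
    print("reset ok:", complete_reset("alice", t, "new pass", now=1001.0))
    print("reuse ok:", complete_reset("alice", t, "again", now=1002.0))
    print("new pass verifies:", verify_password("alice", "new pass"))
```

The contrast with mailing the password is in the last two calls: once the link is used (or once `RESET_TOKEN_TTL` passes) the message sitting in the inbox or on the mail server no longer gets anyone in, and because the user picks a new password on completion, the reset leaves a visible trace the next time the legitimate owner tries to log in.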
"Would you happily login to your account from the WiFi at Starbucks, or from the public machine at the local library? Yes? Then the hypothetical attacker already has your password."
This isn't true if the website uses https (since we're talking about sniffing, not man-in-the-middle).
Encrypted wireless connections also help. I'm always very cautious about the kind of wireless link I'm using.
You have to be conscious on the internet, that's the moral here. I have stopped using websites that sent me my password in plain text, unless I just don't care about the account. If the developers aren't savvy enough to know how to protect their users, I lose confidence in them.
Especially if (it turns out) the wifi SSID to which you are connecting does not actually belong to the starbucks (or some indie coffee shop offering wifi) but some black hat in an office in the building with the starbucks.
"There is NO SECURITY DOWNSIDE to emailing a user's password to them vs. having some multi-step reset procedure."
That may be true from a site admin's POV, but consider that many people use the same password for everything. Plain text passwords flying through the pipes and then laying about on mail servers is a security risk for the naive user.
> There is NO SECURITY DOWNSIDE to emailing a user's password to them vs. having some multi-step reset procedure.
Yet another downside is that the hacker can continue to access your account indefinitely without you knowing. If they have to reset the password then you'll find out the very next time you go to login.
Despite this I agree that the usability gains from using viewable passwords can surpass the security disadvantages.