PHD free sleeping bag offer...

New Topic
This topic has been archived, and won't accept reply postings.
 Dave 20 Oct 2017
Did anybody else get that email from PHD? It initially looked quite convincing given that it had my name, address and phone number on it. Within a few hours 'real' PHD sent a mail saying it was spam, not from them and not to pay for postage (as requested to claim the free bag). Next day they sent a mail saying they had been hacked and to ignore the 'offer'. Then today another mail that they had been hacked and personal information, including passwords, stolen, which I knew already since it was obvious from the original false offer mail. Seems a bit slow response from PHD to me. Not too happy about hackers having my personal information but not a lot I can do about it I guess. A link in the 'offer' mail appears to direct you to a Russian website.

If anybody has bought anything from PHD in recent years then you might want to consider if you've used a password with them that you use elsewhere.
 john arran 20 Oct 2017
In reply to Dave:

I find it continually shocking that any company nowadays will keep client passwords on record at all, rather than just keeping hashed versions suitable and sufficient for comparison and authentication. A suitably hashed version will be of no use to any hacker.

Still, at least we seem to have largely moved on from the days - not long at all ago - when companies would send a confirmation email after registration, telling you in plain text what password you chose to use to login to their site!
OP Dave 20 Oct 2017
In reply to john arran:

You mean like this? Received a few months ago from them
>>>>
Dear David

As part of the checkout process you have created an account with Peter Hutchinson Designs

Your login is: xxxx@x.com
Your password is: xxxxxxx

Creating an account with us means that, when signed in, you can benefit from:

Russian hackers?
 john arran 20 Oct 2017
In reply to Dave:

Ha!
I hope that, upon receipt of said email, the first thing you did was go to the site and change the password.

But then they probably would have sent you a 'password change confirmation' email in plain text telling you what you'd changed it to!

Simply inexcusable nowadays.
 lithos 20 Oct 2017
In reply to john arran:

The pwds stolen are hashed.
 john arran 20 Oct 2017
In reply to lithos:

In which case there 'should' be no serious risk of accessing other accounts. Unless of course they've been hashed with a terrible, outdated algorithm.


Andy Gamisou 21 Oct 2017
In reply to Dave:

> You mean like this? Received a few months ago from them

> >>>>

> Dear David

> As part of the checkout process you have created an account with Peter Hutchinson Designs

> Your login is: xxxx@x.com

> Your password is: xxxxxxx

Well if you will insist on using passwords consisting of the same letter repeated....

 Trangia 21 Oct 2017
In reply to Dave:

Maybe I'm being naive here but why on earth does an equipment supplier require you to open an account with a password to simply buy one of their items?
3
 Luke90 21 Oct 2017
In reply to lithos:
> The pwds stolen are hashed.

They might be claiming that but the fact that they're sending out passwords by email makes it clear that they're not doing things properly. At some stage in the process, they're clearly storing passwords in plain text. A company that's handling passwords properly doesn't just choose not to email passwords, it should be impossible for them to do because they shouldn't actually know what your password is.
 Luke90 21 Oct 2017
In reply to Trangia:

> Maybe I'm being naive here but why on earth does an equipment supplier require you to open an account with a password to simply buy one of their items?

To be fair, it's pretty standard practice in online sales. It's becoming more common to allow "guest" checkouts but it's still far from ubiquitous.

I assume that forcing people to create an account is useful because it reduces the friction in returning to buy again in the future, making you more likely to be a repeat customer and less likely to go elsewhere. Of course, if being forced to make an account annoys people or people get offended by having their details stolen due to lax security, that might backfire!
 lithos 21 Oct 2017
In reply to Luke90:

No argument from me, I complained to them when they sent it, but it's not necessary for them to store it in plain text. Obviously at some point in the registration procedure 'they' have it in plain text, before it gets hashed and stored;
it's at that point I am guessing (no idea, not involved) that the email could be sent and the plain text version discarded.
 dread-i 21 Oct 2017
In reply to john arran:

>in which case there 'should' be no serious risk of accessing other accounts. Unless of course they've been hashed with a terrible, outdated algorithm.

Just because a password is hashed, doesn't make it safe from disclosure, even with a modern algorithm.
It is really easy to crack hashed passwords, it just takes time.
If you don't have the time, you can use rainbow tables. You lookup the hash, and then find the word. Companies provide this as a service. There are techniques such as salting, that make hashes slightly harder to crack, but they just add to the time element.

A better solution is two-factor authorisation. One example is where the website SMSes you a number you need to add at login. But even then, that's not infallible.

 john arran 21 Oct 2017
In reply to dread-i:

Agreed. But the better hashing algorithms, while not impossible to hack, are generally regarded as unfeasibly hard, and therefore appropriate for most uses.
 dread-i 22 Oct 2017
In reply to john arran:

>But the better hashing algorithms, while not impossible to hack, are generally regarded as unfeasibly hard, and therefore appropriate for most uses.

The thing is that you're not looking for mathematical weaknesses in an algorithm. You simply either encode your own word list (and there are word lists of many millions of passwords available), or you look up a hash on a rainbow table.

If my password is hashed with MD5 and the string is:
836c21655d829d58889e1d58d251e641

You could look it up on this site (which claims to hold 125 million MD5 hashes):
https://md5.gromweb.com/

The password is not stored as plain text, however, you can decode it easily. (Yes, I know MD5 is old, but the same holds true for more modern hashing algorithms.)
Storing a hashed password is more secure than storing a plain text password. But, it is not bomb proof.
 Luke90 22 Oct 2017
In reply to dread-i:

Rainbow tables and word lists are much less useful with a decent salting policy though. You even mentioned salts earlier in the thread yourself.

Nobody claimed that any store of passwords can be bombproof but decent salting and hashing policies should be able to make accessing significant numbers of them more trouble than it's worth. At the very least, you should be able to protect the people who choose somewhat strong passwords.
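To put the last few posts side by side (dread-i's point that an unsalted hash can simply be looked up, Luke90's point that a decent salt and hash makes that table useless, and lithos's earlier point that a site never needs to keep the plain text), here is an added illustration written for this thread; it is not code from PHD or from any poster. The wordlist, the user records and the password values are constructed for the example, and the iteration count and PBKDF2-HMAC-SHA256 are this example's own choice of a "decent hashing policy", not anything the thread attributes to PHD.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "word lists of many millions of passwords".
CONSTRUCTED_WORDLIST = ["password", "letmein", "climbing1", "sleepingbag", "correcthorse"]


def build_md5_lookup(wordlist):
    """Precompute hash -> word for unsalted MD5.

    This is the lookup-table idea in miniature: the work is done once and
    then serves every leaked hash from every site that uses plain MD5.
    """
    return {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}


def reverse_unsalted_md5(md5_hex, table):
    """Return the word behind an unsalted MD5 hex digest, or None if not in the table."""
    return table.get(md5_hex.lower())


def hash_password(password, salt=None, iterations=200_000):
    """Store a per-user random salt plus a slow, salted hash; the plain text is never kept.

    PBKDF2-HMAC-SHA256 with a high iteration count is one reasonable choice;
    the count is this example's assumption, not a value from the thread.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh salt per record, so equal passwords differ in storage
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_same_storage_md5(password):
    """Two users with the same password get the same unsalted MD5: one lookup breaks both."""
    return hashlib.md5(password.encode()).hexdigest() == hashlib.md5(password.encode()).hexdigest()


def same_password_different_storage_salted(password):
    """With per-user salts the stored hashes differ, so no precomputed table applies."""
    return hash_password(password)["hash"] != hash_password(password)["hash"]


def guesses_needed(records, wordlist):
    """How many slow hash computations a wordlist check costs against salted records.

    Each record has its own salt, so the whole wordlist must be rehashed per
    record: len(wordlist) * len(records), each at the record's iteration
    count. That is the "salt just adds to the time element" observation made
    concrete; nothing can be precomputed ahead of the leak.
    """
    return sum(len(wordlist) for _ in records)


if __name__ == "__main__":
    table = build_md5_lookup(CONSTRUCTED_WORDLIST)
    leaked = hashlib.md5(b"climbing1").hexdigest()  # constructed "leaked" unsalted hash
    print("unsalted MD5 lookup:", reverse_unsalted_md5(leaked, table))
    record = hash_password("climbing1")
    print("stored record (no plain text):", record)
    print("login with right password:", verify_password("climbing1", record))
    print("login with wrong password:", verify_password("climbing2", record))
    print("salted hashes differ for equal passwords:", same_password_different_storage_salted("climbing1"))
```

The registration flow lithos describes falls out of `hash_password`: the site sees the plain text only for the duration of that call, stores the salt and digest, and `verify_password` never needs the original again, which is exactly why a well-run site cannot email it back to you. The MD5 half of the example only reverses hashes of words in its own constructed list; a real lookup service is the same dictionary at enormous scale, and a per-user salt is what makes that scale irrelevant.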
