A Lesson in How Not to Conduct Website Security at Chris Benard

Feb

A Lesson in How Not to Conduct Website Security

By Chris 2 Comments

Categories: Personal and Programming

Louisiana Tech just sent me a “reminder” email with my full username and password in there. That information is everything necessary to logon to the school student portal and get the rest of my personal information, full school transcript, etc.

Not only do I not like them emailing my password, I don’t like that they even know my password. They should be using hashes instead. They’re doing it incorrectly.

Here is the full email (user/pass redacted):

Subject: Reminder
TO: <[my.school.email]@LaTech.edu>
Date: Thu, 11 Feb 10 12:35:23 CST
From: <Registrar@LaTech.edu>

REMINDER:

          Your BOSS PIN is: XXXXXX
          Your CWID number is: 100XXXXXX

PROTECT THESE NUMBERS!

I sure wish they’d protect these numbers for me instead of emailing them to me every quarter.

2 Responses to “A Lesson in How Not to Conduct Website Security”

Feed for this Entry Trackback Address View blog reactions

1 Brian Sullivan Feb 11th, 2010 at 11:49 pm

Ugh, no kidding! Pretty boneheaded.
2 VigRoco Feb 12th, 2010 at 9:13 pm

But programming is hard! It is soooo much easier to store passwords in plaintext!

Search

Twitter

@saratoga Yep. You just put that in your mouth and he gets the food out. in reply to saratoga 1 week ago
@saratoga Looks like these: http://bit.ly/awlc2t in reply to saratoga 1 week ago
@saratoga They make special curved ones. Ask your dentist; they should have them. in reply to saratoga 1 week ago
More updates...

Chris Benard