An issue if you’re reusing passwords. If not, every forgot my password email is also vulnerable.
A combination of bad practices could be… bad.
oleorun@real.lemmy.fan 8 months ago
Just wow, yeah. Nothing should ever send you a password in cleartext - once that’s been done, a MITM attack’s success rate just went to 100%.
It’s painless to use password resets if the person forgot the password. Never, ever should a password be in cleartext.
hunter2
Bitrot@lemmy.sdf.org 8 months ago
lowleveldata@programming.dev 8 months ago
It’s painless to use password resets
Ya and have they send you the (one-time) password in plaintext
exal@lemmy.ca 8 months ago
(one-time)
You make it sound like an irrelevant detail, but that’s kind of the key part. If implemented properly, it’s only valid once and for a short period of time, which greatly reduces risk.
lowleveldata@programming.dev 8 months ago
Sure. I just want to point out that there is valid case when passwords are sent in clear text.
oleorun@real.lemmy.fan 8 months ago
In my experience it’s always a tokenized link, no clear text required.
nous@programming.dev 8 months ago
Well, the tokenized link is essentially a clear text one time password. Not really any better than just a one time password except for the convenience that the user does not need to type it in. If someone gets hold of the link or password before you they can get access to your account.
lowleveldata@programming.dev 8 months ago
I don’t see how’s either way better or worse as long as they force you to change the password upon login
fireflash38@lemmy.world 8 months ago
And what is the token in the link?
hascat@programming.dev 8 months ago
Many years ago, I had forgotten my password to the Sprint websiteb so I could log in and pay my cellular bill. I had to call customer support to resolve this. After verifying my activity, the support agent read me my existing password one letter at a time. While this was alarming, I was amused she had to spell out a somewhat obscene phrase for me. This was maybe 20 years ago and I no longer use Sprint.
JWBananas@startrek.website 8 months ago
I no longer use Sprint
I mean, nobody else does either.
themeatbridge@lemmy.world 8 months ago
Why did you put a bunch of asterisks at the bottom of your post?
oleorun@real.lemmy.fan 8 months ago
I’m delighted you get the reference!
sekhat@lemmy.temporus.me 8 months ago
I’d be more worried if someone who uses the internet to such a degree that they use Lemmy over Reddit, on a programming forum, didn’t get the reference. This is famous hacker lore at this point.
NightAuthor@lemmy.world 8 months ago
Can you be worried for me, and fill me in?