Domain parking provider NameDrive.com has been attacked, and as a security precaution they asked users to change their passwords… expected. Here’s the lame part… they also asked users to change passwords on any other services where they might have used the same password!
It turns out that they store passwords in a fashion that is not secure enough for my taste – maybe reversibly encrypted, which wouldn’t be very bad but is still lame/unprofessional. Storing a password in a way that enables anyone – even administrators – to know it violates user privacy and is an obvious vulnerability.
Any developer with even a little security experience knows that a password should be a secret that even administrators shouldn’t know. No system should keep a plaintext password – even in in-memory variables – longer than is needed to compute an irreversible digest.
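An added example, not part of the original post and not NameDrive's code: one way to follow the rule above in Python, assuming PBKDF2-HMAC-SHA256 with a random per-user salt as the irreversible digest (the post names no algorithm) and a hypothetical `$`-separated record format. The plaintext is passed as a mutable `bytearray` so it can be overwritten as soon as the digest exists.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware
SALT_LEN = 16         # bytes of random salt per record


def _wipe(buf: bytearray) -> None:
    """Overwrite the caller's plaintext buffer in place.
    Best effort: copies made inside the interpreter or OpenSSL are not reached."""
    for i in range(len(buf)):
        buf[i] = 0


def make_record(password: bytearray, iterations: int = ITERATIONS) -> str:
    """Derive a one-way verifier, wipe the plaintext, return the string to store."""
    salt = secrets.token_bytes(SALT_LEN)
    try:
        digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    finally:
        _wipe(password)  # plaintext is gone even if derivation raised
    # Hypothetical record layout: scheme$iterations$salt$digest
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: bytearray, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False  # malformed record: reject rather than crash
    finally:
        _wipe(password)


if __name__ == "__main__":
    pw = bytearray(b"constructed-sample-password")  # constructed sample input
    stored = make_record(pw)
    print("stored record:", stored)
    print("buffer after hashing:", bytes(pw))
    print("login ok:", verify(bytearray(b"constructed-sample-password"), stored))
```

The stored record holds only the salt and digest, so neither an administrator reading the table nor an attacker who copies it can read the password back; they can only guess candidates at the cost of the work factor.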
Read here if you want to know more:
Shame on you, NameDrive.com
PS. It is also a security mistake to use the same password on more than one system, a mistake even the best of us make… me lazy-ass-short-memory included. It’s a good thing I used a lowest-security-level-throwaway-password on NameDrive.com 😉