The domain parking provider NameDrive.com has been attacked and, as a security precaution, asked its users to change their passwords… expected. Here’s the lame part: they also asked users to change their passwords on any other service where they might have used the same password!
It turns out that they store passwords in a fashion that is not secure enough for my taste, maybe reversibly encrypted, which wouldn’t be terrible but is still lame/unprofessional. Storing a password in a way that enables anyone, even administrators, to know it violates user privacy and is an obvious attack vulnerability.
Any developer with even a little security experience knows that a password should be a secret that even administrators cannot learn. A system should never keep a plaintext password, not even in an in-memory variable, for longer than it takes to compute an irreversible digest of it. That digest should be salted and produced by a deliberately slow password-hashing function, so that a leaked database cannot simply be brute-forced against a table of precomputed hashes.
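To make the point concrete, here is an added example (my own illustration, not code from NameDrive.com or from the original post) of what a minimal correct password store looks like: a fresh random salt per user, a slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count and the `algorithm$iterations$salt$digest` record layout are my own choices), constant-time comparison on login, and a reset flow that issues a new secret because the old one is, by design, unrecoverable. The `demo()` user table is constructed sample data.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Assumed parameters for this example. The iteration count is a work factor:
# raise it as hardware gets faster (and re-hash on next successful login).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The plaintext is stretched with a fresh random salt and then dropped.
    Only the one-way digest is stored, so neither an administrator nor an
    attacker holding a copy of the table can read the password back.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt/parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: never treat as a match
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest does not leak where the first mismatching byte is.
    return hmac.compare_digest(actual, expected)


def begin_password_reset(users: dict, username: str) -> str:
    """Password 'retrieval' with one-way storage means issuing a NEW secret.

    Nothing reversible exists to send back, so we mint a random token, store
    only its hash, and return the token once for delivery out of band.
    The token is then exchanged for a new password via hash_password().
    """
    token = secrets.token_urlsafe(32)
    users[username + ":reset"] = hash_password(token)
    return token


def demo() -> dict:
    """Constructed sample user table; returns checks a reader can inspect."""
    users = {"alice": hash_password("correct horse battery staple")}
    token = begin_password_reset(users, "alice")
    return {
        "login_ok": verify_password(users["alice"], "correct horse battery staple"),
        "login_bad": verify_password(users["alice"], "correct horse battery stapler"),
        # The stored record never contains the plaintext.
        "plaintext_in_record": "correct horse battery staple" in users["alice"],
        # Same password hashed twice gives different records: the salt differs.
        "salt_distinct": hash_password("x") != hash_password("x"),
        # Only the hash of the reset token is kept; the token itself is not.
        "reset_token_ok": verify_password(users["alice:reset"], token),
        "reset_token_stored_plain": token in users["alice:reset"],
    }


if __name__ == "__main__":
    print(demo())
```

The shape of the record matters as much as the function: because each record carries its own algorithm and work factor, the store can be migrated to a stronger setting later without ever needing the original password, which is exactly the property a reversibly encrypted store lacks.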
Read here if you want to know more:
- http://en.wikipedia.org/wiki/Password#Form_of_stored_passwords
- http://en.wikipedia.org/wiki/One-way_encryption
- http://en.wikipedia.org/wiki/Cryptographic_hash#Applications
Shame on you Namedrive.com
PS. It is also a security mistake to use the same password on more than one system, a mistake even the best of us make… me, lazy-ass-short-memory, included. It’s a good thing that on Namedrive.com I used a lowest-security-level throwaway password 😉
In my private correspondence I have been assured that they are taking every precaution to secure the service. I have been asked not to publish the information that was provided. All I have written here is my sole opinion, and my assumptions are based only on the „password retrieval/change process” that I have used. I feel sorry for you guys, but I also feel that I need to stigmatise those who should provide a professional service level, yet don’t.