Perhaps a name change is in order. How about:
Fitness website PayAsUGym has been breached in a hack that may have exposed up to 400K emails and passwords. In a breach notice to users, the firm admitted one of its servers was hacked after “underground researchers” posted screenshots purporting to show PayAsUGym’s hacked database via Twitter. The 1x0123 hacker crew later …
Unsalted MD5 hashes - You're joking, right?
I never cease to be stunned by the fact any business is using the password storage practices, which have been condemned for close to two decades!
Mind you, I recently inherited a home-grown application for a charity where all the passwords are stored using the first 8 characters of an unsalted MD5 hash. That is bad enough, but then someone decided to add a column in the same table which stores the whole password in clear text (apparently so that it could be included in an 'I forgot my password' email). Doh!
Thankfully it looks like it's soon to be retired, as it's a liability and needs a complete rewrite to remove all the horrors of old-skool PHP (yes: we're really talking globals galore, unchecked user input going straight into SQL queries, badly formed HTML, massive (and deeply nested) flow control, etc.).
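As an added illustration (not code from the thread or from the application described): the inherited scheme beside a salted, deliberately slow replacement, plus a login-time upgrade path that retires legacy rows without anyone having to know the stored passwords. It assumes the "first 8 characters" are the leading hex digits of the MD5 digest, and the `table` dict is a constructed stand-in for the users table.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256

def legacy_store(password):
    # The inherited scheme: first 8 hex chars of an unsalted MD5 digest (32 bits).
    # Equal passwords give equal records, so it is kept only to migrate away from.
    return hashlib.md5(password.encode("utf-8")).hexdigest()[:8]

def modern_store(password, salt=None):
    # Per-user random salt plus a slow KDF, stored as a self-describing record:
    # pbkdf2_sha256$iterations$salt_hex$hash_hex
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def modern_verify(password, stored):
    # Recompute using the salt and iteration count recorded alongside the hash.
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)

def reveals_password_reuse(store, password):
    # True when two accounts with the same password would hold identical records,
    # i.e. the table itself shows which users share a password.
    return store(password) == store(password)

def login_and_upgrade(username, password, table):
    # Authenticate against whatever the row currently holds; on a successful
    # legacy match, rewrite the row in the modern format. `table` is a constructed
    # stand-in for the users table (username -> stored record).
    record = table[username]
    if "$" in record:
        return modern_verify(password, record)
    if hmac.compare_digest(legacy_store(password), record):
        table[username] = modern_store(password)
        return True
    return False
```

Once every active user has logged in once, the remaining legacy rows can be forced through a reset and the clear-text column dropped.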
"I never cease to be stunned by the fact any business is using the password storage practices, which have been condemned for close to two decades!"
It's worse than that. These are websites/companies which didn't even *exist* when MD5 went obsolete for this use. I wonder if they give their senior management/directors a company horse and carriage instead of one of those newfangled complicated cars?
“This highlights why it’s so important for businesses to make sure that employees can’t use the same password for their personal and professional accounts."
And just how is a business to do that?
Do I have to tell them the password for my personal e-mail account so they can check?
Biting the hand that feeds IT © 1998–2020