Mojo Themes saving Password as plain text (Note: we don't do it!)


This topic contains 2 replies, has 3 voices, and was last updated by  israelshirk 7 years, 8 months ago.

  • #1069351

    I don’t know how many times this was mentioned on the Internet. Maybe a million times.

    Saving passwords as plain text is a serious security flaw, and worse you are sending the password with emails.

    Please fix this serious issue. It’s putting the accounts/earnings of all users at risk.

    • This topic was modified 7 years, 8 months ago by  israelshirk.
    #1070351

    frey
    Member

    If that’s true, this is the stupidest thing to do.

    #1072441

    israelshirk
    Member

    Hey guys, sorry for the long response – I’ve been knee deep in a super-spiffy Mojo API that will do all sorts of amazing things – it’ll even make you coffee in the morning! We’re just entering an internal beta phase right now and are looking at a public release before April.

    First, yes, it is stated a million times (if that few), all over the web. Last fall, one of our competitors made an excellent public example of why this is a bad idea, and the fallout in their user base was pretty impressive. That said, we do not (nor have we ever) store them in plaintext; the e-mail just used the value present from the signup form to send the e-mail; the password isn’t saved in plaintext on our side. To authenticate users, we just use a simple one-way hash with a unique salt. That said, we no longer send passwords out in e-mails – just a link to the password recovery link.

    So security is something we take seriously from a business point of view, in addition to the fact that it’s just a bad practice.

    We have also implemented a wide variety of methods to prevent the theft of accounts, from tracking user behavior to screening withdrawals to identifying and blocking bots, brute force password crackers and password-guessing algorithms, and hacked/broken external services.

    On that topic, we’re also looking at a couple other options to further protect Mojo users: One Time Password using Google Authenticator, notifications of logins, requiring e-mail approval to login from a new geographic location, along with some more that we aren’t allowed to mention ;)
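    As an added example (not Mojo’s code, and not part of the thread), here is the scheme israelshirk describes: a per-user salted one-way hash for authentication, and a single-use, expiring recovery token that goes in the e-mail instead of the password. The PBKDF2 parameters and the in-memory token store are assumptions.

    ```python
    import hashlib
    import hmac
    import os
    import secrets
    import time

    # Assumed work factor; the original post only says "a simple one-way hash with a unique salt".
    ITERATIONS = 600_000


    def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
        """Return (salt, digest). A fresh random salt per user means equal passwords hash differently."""
        salt = salt or os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return salt, digest


    def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
        """Recompute with the stored salt and compare in constant time; the plaintext is never stored."""
        _, digest = hash_password(password, salt)
        return hmac.compare_digest(digest, stored_digest)


    def issue_reset_token(store: dict, user: str, ttl: int = 3600, now: float | None = None) -> str:
        """Create a random token for the recovery link. Only its hash and expiry are kept server-side,
        so a leaked store does not hand out usable links."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        store[user] = (hashlib.sha256(token.encode()).digest(), now + ttl)
        return token


    def redeem_reset_token(store: dict, user: str, token: str, now: float | None = None) -> bool:
        """Accept a token once, and only before it expires."""
        now = time.time() if now is None else now
        record = store.get(user)
        if record is None:
            return False
        token_hash, expires_at = record
        if now > expires_at:
            del store[user]  # expired: drop it so it cannot be replayed later
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash):
            return False
        del store[user]  # single use: a second click on the same link must fail
        return True
    ```
    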
