[hcs-d] Password PSA

Jeremy Cushman jscushman at gmail.com
Thu Dec 9 20:41:51 EST 2010

I spent my last section mostly on web security practices, so students in my
section should know it's bad practice :-)

Not sure if other students are aware though; the unencrypted passwords are
part of the distribution code for the stock market pset.

On Thu, Dec 9, 2010 at 8:34 PM, Joseph Tassarotti <
tassarotti at college.harvard.edu> wrote:

> Yes, they're creepy - but the more important thing to me is: are the
> students in the class aware that this is bad practice? I helped some people
> with the stock market assignment and, as Michael says, people stored
> passwords in plaintext for that. Maybe in the future the lectures should
> mention the use of bcrypt (or at least sha1). It doesn't really add that
> much complexity at all for students, so why not?
> I did notice that the CS50 wiki removed the bit about authenticating users
> using their FAS accounts, which is good.
> -----Original Message-----
> From: Jeremy Cushman [jscushman at gmail.com]
> Sent: 12/9/2010 8:21:16 PM
> To: sdeshpande at college.harvard.edu
> Cc: hcs-discuss at lists.hcs.harvard.edu
> Subject: Re: [hcs-d] Password PSA
> Yeah, sites that send you back your passwords in plaintext are really
> creepy.  Just noticed http://crimsonspark.com/forgotpassword.php.
> On Thu, Dec 9, 2010 at 5:56 PM, Saagar Deshpande <
> sdeshpande at college.harvard.edu> wrote:
>> Great idea. Tony and I already discovered that crimsonspark was doing this
>> and informed Malan, so we think that this would be a nice thing for people
>> to know for tomorrow.
>> On Thu, Dec 9, 2010 at 4:54 PM, Michael Chen <
>> michaelchen at college.harvard.edu> wrote:
>>> Hey all,
>>> So the CS50 Fair is tomorrow. I feel like we should send out a PSA
>>> warning people against foolishly putting their usual username/password
>>> combos into CS50 projects. I know it's frowned upon to use common passwords
>>> across accounts anyway, but I'm pretty sure many projects will be storing
>>> passwords in plaintext (as that's what they did for one of their psets).
>>> Thoughts?
>>> Mike
>>> _______________________________________________
>>> hcs-discuss mailing list
>>> hcs-discuss at lists.hcs.harvard.edu
>>> https://lists.hcs.harvard.edu/mailman/listinfo/hcs-discuss
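The fix Joseph suggests above (a salted, slow hash instead of plaintext or bare sha1), as an added example that is not part of the thread or of any CS50 code. It uses PBKDF2 from Python's standard library in place of bcrypt; the iteration count, the record format and the sample passwords are assumptions. It also shows why "at least sha1" on its own is not enough: unsalted, two users with the same password get identical stored records.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Assumption: a work factor picked for a small pset server; raise it as hardware allows.
PBKDF2_ITERATIONS = 200_000


def store_plaintext(password: str) -> str:
    """The pattern the thread warns about: the stored record *is* the password,
    so a DB leak (or a 'forgot password' page) hands it straight back."""
    return password


def store_sha1(password: str) -> str:
    """'At least sha1': better than plaintext, but unsalted, so equal passwords
    produce equal records and a precomputed table covers every user at once."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. Record format (assumed): algo$iters$salt_hex$hash_hex.
    The salt and iteration count travel with the record so verify() can redo the work."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time; a hashed
    store can only answer 'does this match', never 'what was the password'."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def records_linkable(store: Callable[[str], str], password: str) -> bool:
    """True if two accounts using the same password end up with identical records."""
    return store(password) == store(password)
```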