[hcs-d] Password PSA
sdeshpande at college.harvard.edu
Thu Dec 9 20:51:07 EST 2010
There should also be something about confirmation urls for confirming your
account via email.
CrimsonSpark sent out links that basically said id=123, so it was
possible for someone to just walk in and make random accounts.
Not sure how important that is, but it does lead to the question of how
secure the site is overall.
On Thu, Dec 9, 2010 at 8:41 PM, Jeremy Cushman <jscushman at gmail.com> wrote:
> I spent my last section mostly on web security practices, so students in my
> section should know it's bad practice :-)
> Not sure if other students are aware though; the unencrypted passwords are
> part of the distribution code for the stock market pset.
> On Thu, Dec 9, 2010 at 8:34 PM, Joseph Tassarotti <
> tassarotti at college.harvard.edu> wrote:
>> Yes, they're creepy - but the more important thing to me is: are the
>> students in the class aware that this is bad practice? I helped some people
>> with the stock market assignment and, as Michael says, people stored
>> passwords in plaintext for that. Maybe in the future the lectures should
>> mention the use of bcrypt (or at least sha1). It doesn't really add that
>> much complexity at all for students, so why not?
>> I did notice that the CS50 wiki removed the bit about authenticating users
>> using their FAS accounts, which is good.
>> <-----Original Message----->
>> *From: Jeremy Cushman [jscushman at gmail.com]*
>> Sent: 12/9/2010 8:21:16 PM
>> To: sdeshpande at college.harvard.edu
>> Cc: hcs-discuss at lists.hcs.harvard.edu
>> Subject: Re: [hcs-d] Password PSA
>> Yeah, sites that send you back your passwords in plaintext are really
>> creepy. Just noticed http://crimsonspark.com/forgotpassword.php.
>> On Thu, Dec 9, 2010 at 5:56 PM, Saagar Deshpande <
>> sdeshpande at college.harvard.edu> wrote:
>>> Great idea. Tony and I already discovered that crimsonspark was doing
>>> this and informed Malan, so we think that this would be a nice thing for
>>> people to know for tomorrow.
>>> On Thu, Dec 9, 2010 at 4:54 PM, Michael Chen <
>>> michaelchen at college.harvard.edu> wrote:
>>>> Hey all,
>>>> So the CS50 Fair is tomorrow. I feel like we should send out a PSA
>>>> warning people against foolishly putting their usual username/password
>>>> combos into CS50 projects. I know it's frowned upon to use common passwords
>>>> across accounts anyway, but I'm pretty sure many projects will be storing
>>>> passwords in plaintext (as that's what they did for one of their psets).
>>>> hcs-discuss mailing list
>>>> hcs-discuss at lists.hcs.harvard.edu
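The practices the thread argues for, written out as an added example that is not part of the original discussion nor of any CS50 or CrimsonSpark code: a salted slow hash instead of plaintext storage (PBKDF2 from Python's standard library stands in for the bcrypt the thread recommends, since bcrypt is a third-party package), a random confirmation token instead of a sequential id=123, and a forgot-password flow that cannot echo the password back. The in-memory USERS table and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory "user table" standing in for the pset's database.
USERS = {}
ITERATIONS = 200_000  # work factor; bcrypt's cost parameter plays the same role


def register(username, password):
    """Store only a salted, slow hash of the password, never the password itself.
    Returns the confirmation token that would go into the emailed confirmation URL."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Confirmation token: 32 random bytes, not a guessable sequential id.
    token = secrets.token_urlsafe(32)
    USERS[username] = {"salt": salt, "hash": digest,
                       "confirm_token": token, "confirmed": False}
    return token


def verify_password(username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    return hmac.compare_digest(digest, rec["hash"])


def confirm_account(username, token):
    """Accept a confirmation only once, and only with the exact random token."""
    rec = USERS.get(username)
    if rec is None or rec["confirmed"]:
        return False
    if not hmac.compare_digest(token, rec["confirm_token"]):
        return False
    rec["confirmed"] = True
    return True


def forgot_password(username):
    """The stored record cannot yield the original password, so "send me my
    password" is impossible by construction; issue a one-time reset token instead."""
    rec = USERS.get(username)
    if rec is None:
        return None
    rec["reset_token"] = secrets.token_urlsafe(32)
    return rec["reset_token"]
```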