funsec mailing list archives

Re: Data breach at IEEE.org: 100k plaintext passwords


From: Les Bell <lesbell () lesbell com au>
Date: Wed, 26 Sep 2012 10:21:24 +1000

On 26/09/2012 2:45 AM, Jeffrey Walton wrote:
> I expected better from IEEE.

So did I. They changed their user registration system earlier this year
to require an email address as an identifier. So after login, users were
required to change their password - but the form does not allow pasting
of a password from a password safe such as KeePass.

Incensed at this major usability snafu, I emailed them:

"After login, I'm presented with a form which requires me to change my
password. The form does NOT allow me to paste a password in from my
password safe program. I don't type passwords, and I won't be back until
this is fixed.

"Stupid, stupid, bad, bad usability and design!"

And, of course, got back the expected form reply:

"Thank you for your email regarding your IEEE account. Unfortunately
since the upgrade of our systems, passwords may no longer be pasted,
they must be typed. We apologize for any inconvenience.

"For your convenience, I have included a link to the IEEE Support Center
website where you can find FAQ's that other members found helpful. You
can search our knowledgebase for the answer you need and/or submit a
question and we will get back to you."

In other words, "What - are you too stupid to follow the instructions
and type your password?".

No, I'm much too smart to give in to the temptation to type an
easily-remembered password - or worse still, a password that I use to
log in to similar sites such as the ACM, etc. Now that the IEEE has
coerced the majority of their users into weakening their passwords, what
I feared would happen *has* happened. Their kind of "we know best"
patronising attitude just reeks of weak security to me.

At least *I'm* sitting pretty, with my original incredibly long and
unique high-entropy KeePass-generated password, that even I didn't know,
unchanged - until a few minutes ago, at least. However, now it's
considerably weaker. :(

Damn you, IEEE.

-- 
Best,

--- Les Bell
[+61 2 9451 1144]
[http://www.lesbell.com.au]
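The paste-blocking change-password form Les complains about is easy to spot in markup. The following is an added example, not code from the original post or from IEEE: it scans a constructed HTML snippet (the field names and handlers are assumptions, not IEEE's real form) for password inputs whose inline `onpaste` handler cancels the paste, and shows the same markup with that handler removed.

```javascript
// Added example (not from the original post): audit form markup for password
// fields that block paste, the usability failure described above. The form
// below is constructed for illustration and is not IEEE's actual form.
const SAMPLE_FORM = `
<form id="changePassword">
  <input type="text" name="email" autocomplete="username">
  <input type="password" name="newPassword" onpaste="return false;">
  <input type="password" name="confirmPassword" onpaste="event.preventDefault()">
  <input type="password" name="currentPassword" autocomplete="current-password">
</form>`;

// Parse the attributes of a single <input ...> tag into a plain object.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Return the names of password inputs whose inline onpaste handler cancels
// the paste event ("return false" or "preventDefault()"), which forces users
// to type, and therefore weaken, their passwords.
function findPasteBlockedPasswordFields(html) {
  const blocked = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const a = parseAttributes(tag);
    if ((a.type || '').toLowerCase() !== 'password') continue;
    const handler = (a.onpaste || '').replace(/\s+/g, '');
    if (/returnfalse|preventDefault\(\)/.test(handler)) {
      blocked.push(a.name || '(unnamed)');
    }
  }
  return blocked;
}

// Remediation: the same markup with every inline onpaste attribute removed,
// so password-manager users can paste generated passwords again.
function stripPasteBlocking(html) {
  return html.replace(/\s+onpaste\s*=\s*(?:"[^"]*"|'[^']*')/gi, '');
}

console.log(findPasteBlockedPasswordFields(SAMPLE_FORM)); // → [ 'newPassword', 'confirmPassword' ]
console.log(findPasteBlockedPasswordFields(stripPasteBlocking(SAMPLE_FORM))); // → []
```

Inline handlers are only one way to block paste; a check against a real site would also need to cover listeners attached from script.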
