funsec mailing list archives
Re: Data breach at IEEE.org: 100k plaintext passwords
From: Les Bell <lesbell () lesbell com au>
Date: Wed, 26 Sep 2012 10:21:24 +1000
On 26/09/2012 2:45 AM, Jeffrey Walton wrote:
> I expected better from IEEE.

So did I. They changed their user registration system earlier this year to require an email address as an identifier. So after login, users were required to change their password - but the form does not allow pasting of a password from a password safe such as KeePass. Incensed at this major usability snafu, I emailed them:

"After login, I'm presented with a form which requires me to change my password. The form does NOT allow me to paste a password in from my password safe program. I don't type passwords, and I won't be back until this is fixed.

"Stupid, stupid, bad, bad usability and design!"

And, of course, got back the expected form reply:

"Thank you for your email regarding your IEEE account. Unfortunately since the upgrade of our systems, passwords may no longer be pasted, they must be typed. We apologize for any inconvenience.

"For your convenience, I have included a link to the IEEE Support Center website where you can find FAQ's that other members found helpful. You can search our knowledgebase for the answer you need and/or submit a question and we will get back to you."

In other words, "What - are you too stupid to follow the instructions and type your password?". No, I'm much too smart to give in to the temptation to type an easily-remembered password - or worse still, a password that I use to log in to similar sites such as the ACM, etc.

Now that the IEEE has coerced the majority of their users into weakening their passwords, what I feared would happen *has* happened. Their kind of "we know best" patronising attitude just reeks of weak security to me.

At least *I'm* sitting pretty, with my original incredibly long and unique high-entropy KeePass-generated password, that even I didn't know, unchanged - until a few minutes ago, at least. However, now it's considerably weaker. :(

Damn you, IEEE.

--
Best,

--- Les Bell [+61 2 9451 1144] [http://www.lesbell.com.au]
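The post describes a password-change form that blocks pasting, which pushes users toward short, memorable or reused passwords instead of manager-generated ones. As an added example (not part of Les Bell's post and not IEEE's code), the Node.js script below audits form markup for that anti-pattern: it flags password inputs with a paste-cancelling `onpaste` attribute, an inline script that cancels `paste` events on the field, or `autocomplete="off"`, and contrasts constructed vulnerable markup with a version that lets a password manager fill the field. The regular expressions are an assumption that plain template text is being scanned; they are not a full HTML parser.

```javascript
// Added example (not from the funsec post or from IEEE): audit password fields
// in form markup for paste-blocking patterns that discourage password managers.
// Assumption: the markup is simple enough for regex scanning (no HTML parser).

// Constructed sample of the anti-pattern: paste is cancelled on the new-password
// field via an attribute, and on the confirm field via an inline script.
const BAD_FORM = `
<form action="/account/password" method="post">
  <input type="password" name="newpw" onpaste="return false" autocomplete="off">
  <input type="password" name="confirm" id="confirm">
  <script>
    document.getElementById('confirm').addEventListener('paste', function (e) { e.preventDefault(); });
  </script>
</form>`;

// Constructed hardened version: no paste handlers, and autocomplete hints that
// tell browsers and password managers this is a new-password field.
const GOOD_FORM = `
<form action="/account/password" method="post">
  <input type="password" name="newpw" autocomplete="new-password">
  <input type="password" name="confirm" autocomplete="new-password">
</form>`;

// Return every <input ...> tag whose type is "password", as raw tag strings.
function findPasswordInputs(html) {
  const tags = html.match(/<input\b[^>]*>/gi) || [];
  return tags.filter(t => /\btype\s*=\s*["']?password["']?/i.test(t));
}

// Read a quoted attribute value from a tag string; null when absent.
function attr(tag, name) {
  const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']([^"']*)["']`, 'i'));
  return m ? m[1] : null;
}

// Collect element ids that an inline script attaches a paste-cancelling
// handler to (heuristic: getElementById(...).addEventListener('paste', ...)
// whose handler body calls preventDefault or returns false).
function scriptPasteBlockers(html) {
  const blocked = new Set();
  const scripts = html.match(/<script\b[^>]*>[\s\S]*?<\/script>/gi) || [];
  const re = /getElementById\(\s*["']([^"']+)["']\s*\)\s*\.addEventListener\(\s*["']paste["']\s*,([\s\S]*?)\}\s*\)/gi;
  for (const s of scripts) {
    let m;
    while ((m = re.exec(s)) !== null) {
      if (/preventDefault|return\s+false/.test(m[2])) blocked.add(m[1]);
    }
  }
  return blocked;
}

// Audit all password fields; returns [{ field, problems: [...] }] for fields
// that hinder pasting or password-manager autofill (empty array when clean).
function auditPasswordFields(html) {
  const scriptBlocked = scriptPasteBlockers(html);
  const findings = [];
  for (const tag of findPasswordInputs(html)) {
    const id = attr(tag, 'id');
    const field = attr(tag, 'name') || id || '(unnamed)';
    const problems = [];
    const onpaste = attr(tag, 'onpaste');
    if (onpaste !== null && /return\s+false|preventDefault/i.test(onpaste)) {
      problems.push('onpaste attribute cancels paste');
    }
    if ((attr(tag, 'autocomplete') || '').toLowerCase() === 'off') {
      problems.push('autocomplete="off" hinders password managers');
    }
    if (id && scriptBlocked.has(id)) {
      problems.push('inline script cancels paste events');
    }
    if (problems.length) findings.push({ field, problems });
  }
  return findings;
}

// Stand-alone run: report on both constructed forms.
console.log('BAD_FORM findings:', JSON.stringify(auditPasswordFields(BAD_FORM), null, 2));
console.log('GOOD_FORM findings:', JSON.stringify(auditPasswordFields(GOOD_FORM)));
```

Running it prints two findings for `BAD_FORM` (the `newpw` field for its `onpaste` attribute and `autocomplete="off"`, the `confirm` field for the inline script) and none for `GOOD_FORM`. The same check can be pointed at your own templates before release, since a field that refuses pasted input is exactly the design that drives users toward the weak, shared passwords the breach exposed.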