Passwords stored as plaintext and emailed

I just did a password reset and was a bit shocked to see that it sent me an email with my current password. I won’t go into the reasons why this is a huge security issue, but this is probably something your tech team should address.

@TwentyPhantomVine - Thank you for your feedback on this. We will take this into account.

I reported this back on April 21st… it’s quite troubling this has not been fixed. Hashing and salting the passwords is a 20 minute fix.

http://www.codinghorror.com/blog/2007/09/youre-probably-storing-passwords-incorrectly.html

Even if it isn’t fixed, at least warn users when creating an account and setting a password that it will be sent in future as plain text.

This is concerning as our credit card information is stored here too.

Why do you all think that the password is STORED as plain text on LingQ’s servers? Even if it is sent to you as plain text, it is not necessarily unencrypted on LingQ’s servers.

If it is really stored as plain text, then this should be fixed ASAP, of course. The password should also not be sent via insecure email.

Passwords are encrypted using hash functions which are one-way. There is no easy way to get the original password back if you only have the hash.

It’s not a NEW password they send you. It is your old password, so they MUST be storing it in plaintext.

1 Like

As someone who knows little of computer hacking, I have a naive question. Why must it be that they are storing the passwords as plaintext?

If the passwords were encrypted then they would only store the hash of the password, not the password itself, and there is no way for them to get the password back from the hash. They send out emails that have your current password, so they must be storing the passwords themselves rather than storing hashes.

Ah ok. Interesting.

At the very least, members who use the same password for LingQ that they use for one or more sensitive sites (bank, credit card and so on) should change their LingQ password immediately.

This change is all the more urgent if LingQ does store the password as plain text, because now the secret is out.

@keke_eo - I want to clarify that credit card information is not stored anywhere on LingQ’s servers. This information is all stored securely through our payment provider and they only tell us the last 4 digits of your card for customer convenience.

We do recognize this as an issue and we are looking to address it. Unfortunately, this is nowhere near a “20 minute fix” as it involves significant changes to our registration and password recovery systems. In the meantime, all passwords and user data are encrypted on our servers. We do not store any payment information on our servers.

1 Like

Thanks for the clarifications Alex and Mark.

I hope you guys are wrapping up this fix today

Nope

@spatterson - This is high up on our list and will be something we look into once we’ve smoothed out the issues from this new update.

Just adding my voice to the list of concern here.

Unencrypted (or two way encrypted) passwords are the bane of the internet.

As a developer, I understand that this doesn’t necessarily take 20 minutes, with the knock-on updates, but this is a serious security concern and shouldn’t have been left unaddressed after 8 months of being reported.

1 Like

@Opto - Thanks for your feedback on this. Our development team has been working on some exciting projects for the past few months and much of our time has been spent continuing development of current projects and resolving issues related to our major site update back in December. The password issue is something that is still high on our list and we aim to have this issue resolved soon.

Any update on this issue? I too was shocked to see that my password (for a paid service!) was sent back to me in plain text. Guys, this is a serious security issue. After an email has left your SMTP server, you have no control over its route, and it will land on (and be stored at) many unencrypted SMTP servers on its way.
Furthermore, since you really are sending the password in plain text, I cannot imagine that you actually encrypt it on your server. It simply wouldn’t make sense to encrypt it and then send it in plain text.
A password-reset procedure MUST be implemented. This thread is almost a year old, come on!
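As an added illustration of the two points made in this thread (store only a salted one-way hash, and reset via a token instead of emailing a password), here is a small Python sketch; it is not LingQ's code or anything posted above, and the in-memory user table, the PBKDF2 round count and the token lifetime are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory user table standing in for the site's database.
USERS = {}

PBKDF2_ROUNDS = 210_000  # assumed work factor; tune to the server's CPU budget


def set_password(username: str, password: str) -> None:
    """Store only a per-user random salt and the PBKDF2-HMAC-SHA256 digest.
    The password itself is never written anywhere, so it cannot be mailed back."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = {"salt": salt, "hash": digest, "reset": None}


def check_password(username: str, candidate: str) -> bool:
    """Recompute the digest from the candidate and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, rec["hash"])


def start_reset(username: str, ttl_seconds: int = 900) -> str:
    """Reset flow: the email carries a short-lived one-time token, not a password.
    Only a hash of the token is stored, so a database leak does not expose live tokens."""
    token = secrets.token_urlsafe(32)
    USERS[username]["reset"] = {
        "token_hash": hashlib.sha256(token.encode()).digest(),
        "expires": time.time() + ttl_seconds,
    }
    return token  # what the reset link in the email would contain


def finish_reset(username: str, token: str, new_password: str) -> bool:
    """Accept the token once, before expiry, then set the new password."""
    rec = USERS.get(username)
    pending = rec["reset"] if rec else None
    if not pending or time.time() > pending["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["token_hash"]):
        return False
    set_password(username, new_password)  # also discards the used token
    return True
```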