Picking an Auth Library
#36

[eluser]theshiftexchange[/eluser]
[quote author="phpserver" date="1242511537"][quote author="Dam1an" date="1242510357"]What do you mean checking the passwords each and every day?
I'm assuming you don't intend on having a remember me option, so not sure what else it could mean :-S[/quote]

The IT department wants to see the passwords of active accounts for the web-based application daily. I don't have a remember me button on the app. The thing is already good with SSL, I deem, but they still insist. From what I know, passwords don't change.[/quote]

Huh??? Let me see if I understand this:

The bank wants you to send a plain text file (email/printout/whatever) which will show the entire list of usernames and passwords each day, so some random guy in accounting can check to see if a password has changed?

I can think of about 200 reasons why that is unbelievably bad - but I'll list the top 3:

1. It will force you to make your passwords backward-compatible - i.e. you can't hash them, since a hash is a one-way process. Anything you can reverse, so can a hacker.
2. Having passwords in any plain text format (printout/email/file) is just silly.
3. Giving a list of passwords to any person, even the CEO of a company, is also silly - it just opens up all sorts of social-engineering issues.


I'd like to add a general comment here: there is a reason why security on 'basic' sites is such a security risk: it is not for the site itself, but for other sites. It is well known that people use the same username/password combination on multiple sites. A well-documented hacker's technique to steal online game passwords for World of Warcraft, EveOnline etc. is to hack a 3rd party forum site, and use those usernames/passwords of the forum and try them on the game. More often than not, the username/password combination of the forum is the same as the online game - giving the hacker access.

This same principle applies to the bank scenario. Giving someone a list of usernames/passwords is inappropriate and wrong.
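
As an added example (not part of the original post or of any auth library discussed in the thread): one way to answer the daily "has a password changed?" question without storing anything reversible. The `UserStore` class, its method names and the sample accounts are hypothetical, and PBKDF2-HMAC-SHA256 at 600,000 iterations is an assumed choice of slow hash.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

ITERATIONS = 600_000  # assumption: PBKDF2 work factor, tune to your hardware

def _derive(password, salt):
    # Slow, salted, one-way: the stored value cannot be turned back into the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

class UserStore:
    """Hypothetical in-memory user table holding salt, hash and change time only."""

    def __init__(self):
        self._users = {}

    def set_password(self, username, password, now=None):
        salt = os.urandom(16)  # fresh salt on every change
        self._users[username] = {
            "salt": salt,
            "hash": _derive(password, salt),
            "changed_at": now or datetime.now(timezone.utc),
        }

    def verify(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        # Constant-time comparison of the recomputed hash with the stored one.
        return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))

    def changed_since(self, cutoff):
        """Usernames whose password changed after `cutoff` (the daily audit question)."""
        return sorted(u for u, r in self._users.items() if r["changed_at"] > cutoff)

    def audit_rows(self):
        """What the auditor receives: username and timestamp, never a secret."""
        return [(u, r["changed_at"].isoformat()) for u, r in sorted(self._users.items())]

if __name__ == "__main__":
    # Constructed sample accounts and dates.
    day1 = datetime(2009, 5, 15, tzinfo=timezone.utc)
    day2 = datetime(2009, 5, 16, tzinfo=timezone.utc)
    store = UserStore()
    store.set_password("alice", "constructed-pass-1", now=day1)
    store.set_password("bob", "constructed-pass-2", now=day1)
    store.set_password("bob", "constructed-pass-3", now=day2)
    print(store.changed_since(day1))
    print(store.audit_rows())
```

The report contains only usernames and change timestamps, so it can be e-mailed or printed without exposing any credential.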

